Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

Data Protection Compliance in Turkey


On April 7th 2016, the long awaited Law on the Protection of Personal Data was enacted (the “Law”) in Turkey to regulate process and transfer of personal data. Some of the provisions of the Law entered into force immediately upon its enactment whereas some of them entered into force after six months as of its enactment, and currently the Law is fully in force including a transition period of two years, during which the companies must bring the personal data that has been processed unlawfully prior to the enactment of the Law in compliance with the Law. Otherwise, the Law envisages administrative fines.

As per the Law the members of the Data Protection Authority (“DPA”) have been elected although with some delays, and we are now waiting for the enactment of secondary regulations which were stated to be prepared within one year as of the enactment of the Law. For the time being, neither the DPA has been fully established nor the regulations have been issued and there is confusion as to how to fulfil the obligations stipulated under the Law.

Although the enactment of the Law has created a great awareness particularly among the multinational companies and the companies have started to take actions to bring their activities in line with the Law in Turkey, they need guidance of the DPA and the secondary legislation to be in full compliance. The lack of guidance in legal infrastructure affects the data protection compliance projects particularly in terms of transfer of personal data to abroad, as the exceptions to explicit consent for data transfer, such as determination of countries with sufficient safeguards, requires further regulations and actions of the DPA. In the absence of such regulations, companies struggle with obtaining explicit consent for all data transfers to abroad although there is a possibility that relevant companies can be classified as countries with sufficient safeguards after DPA issues a decision on that.

Notwithstanding with this uncertainty, getting started with the data protection compliance projects is of course advantageous to the companies since such projects consists of very long and detailed processes. In additional to the multinational companies which have started paying attention to data protection issues, local companies are also advised to give due consideration to the compliance with the Law since there is no more excuse for not be compliant in the presence of a fully enforceable law. Accordingly, we recommend all companies

  • to give particular attention and plan their data protection compliance projects asap,
  • to identify their needs and where necessary to obtain services in relation to legal, IT or organizational/ operational aspects of the data protection projects,
  • to create awareness within the company and
  • to closely the watch latest developments in this area.


Article provided by:

  • Begüm Yavuzdoğan Okumuş, Managing Associate, Gun+Partners
  • Selin Başaran Savuran, Associate, Gun+Partners


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

CPC project office: Dr. Tobias Höllwarth,



53 lawyers from 33 countries are contributing to the project “Cloud Privacy Check (CPC)” in 26 different languages.

Understanding the complexity of current European data protection laws and regulations is already difficult enough for an IT engineer, buyer, or business user. In combination with the often small but nevertheless significant differences between various EU member states, however, it can become an almost insurmountable challenge without proper juristic accompaniment from the very start... Read More



The CPC is a trusted, not-for-profit international network of qualified professionals who deliver simplified and straight-forward guidance to help navigate the legal and regulatory environment relating to privacy and the cloud. This is done through collective know-how, research and market analysis gained from pan-European industry activity, collaboration and experience. Our mission is to provide authoritative views, information and practical solutions to two principal stakeholders: industry professionals and public authorities.