- What is the purpose of Law on the Protection of Personal Data?
Law No. 6698 that was prepared by the Personal Data Protection Authority
that came into effect after it was published in the Official Gazette on
April 7th, 2016 is an adjustment law that aims to protect
fundamental rights and liberties of persons, primarily the right to privacy
and determine the obligations of real and legal persons that process
personal data and the processes and principles that they will comply with
and that aims to protect personal data of employees and customers of firms.
Protection of privacy and ensuring of data security are also evaluated in
this scope. With the aforementioned law, prevention of collecting of
personal data in an unlimited and arbitrary manner and violation of
personal liberties as a result of enabling access of unauthorized persons
to such data or their disclosure or misuse or abuse is intended.
- As employees and citizens, what will change in our lives with the Law
on the Protection of Personal Data?
After the Law on the Protection of Personal Data came into effect in Turkey
nearly two years ago, in line with the obligations imposed by the law,
companies have started to implement some procedures within the company and
with regard to their customers.
Considering that the Law on the Protection of Personal Data is a law that
is dynamic and continuously updated by regulations, in order to ensure data
security of employees and customers, each department should control and
update their business processes and would need to make operational changes
such as establishing new departments and employment.
In order to avoid becoming subject to administrative and penal sanctions of
the law, as employees, while carrying out our existing duties and
responsibilities, we have to perform our business processes in a much more
careful manner at each point we are in contact with personal data and being
fully aware of the importance of personal data and obviously, this means
implementation of new procedures in our existing business processes.
Most important change as citizens is that now we shall be able to make an
official application to all organizations that maintain our personal
information and obtain answers to our inquiries regarding for which legal
reason and by which method our personal information is being collected, for
what reason they are being processed and to whom and for what reason our
processed personal information is conveyed to.
Moreover, we shall not only be content with receiving answers but we shall
be able to demand deleting of our information. If the institution that we
have made an application does not reply within 30 workdays, you will be
entitled to place a complaint with The Organization for the Protection of
- What is personal information and what is specific personal
Personal information means all types of information about a real person
whose identity is determined or that can be determined easily. In this
context, not only the name, surname, date and place of birth that enable
definite identification of a person but also information regarding that
persons physical, family, economic and social characteristics are also
considered personal information.
Name, telephone number, license plate number of a person’s motor vehicle,
social security number, passport number, CV, picture, audio and visual
recordings are also personal information since, although indirectly, they
have features that enable identification of a person.
Specific personal information is information that could cause a person’s
unjust suffering or discrimination if learnt by others. In above mentioned
law, each specific personal data are indicated separately and other data
not indicated in law may not be considered as specific personal data.
Data on persons race, ethnic origins, political views, religion, sect or
other beliefs, attire or appearance, health, sexual life, penal sentences
and security measures, genetic and biometrical data and information on
foundation or labor union memberships are defined as “personal data of
specific nature” and it is stipulated that that saving for the data
regarding health and sexual life, other “personal data of specific nature”
could not be processed without explicit consent of the related person
except for exceptional circumstances explicitly indicated in law.
- Under which circumstances can institutions may demand and use our
Pursuant to Labor Law, institutions are obliged to obtain some personal
information of their employees; apart from that it is also stipulated that
personal data can be processed provided that related persons fundamental
rights and liberties are not harmed and if procession of data is necessary
for legitimate interests of the institution.
- What are the sanctions stipulated for those that do not comply with
Other than the exceptions stipulated in law, personal data could not be
processed without obtaining explicit consent of the related person and
could not be conveyed to third persons or abroad. In case of failure to
comply with these rules that are indicated in several different articles of
the law, institutions could be penalized with administrative penalty fines.
1 to 3 years of prison sentence is stipulated by law for people who violate
personal data. Moreover, 2 years to 4 years of prison sentence may also be
given to those persons who have acquired such personal data through
violation of law. Administrative penalty fines vary between 5,000 TL and up
to 1,000,000 TL, depending on the article or articles of law that were
failed to comply with.
- Could you please brief us about the Adjustment Works carried out at
TAV Group and companies?
Within the scope of “Law on the Protection of Personal Data”, a program has
been started in order to evaluate the obligations of TAV Airports Holding
and Group Companies with regard to aforementioned law, to determine the
needs and to ensure TAV Airports Holding and Group Companies to comply with
In line with the Law on the Protection of Personal Data Adjustment Program
that we have started under the leadership of TAV Airports Holding, we are
carrying out a joint and simultaneous study as TAV Airports Holding and 11
TAV Group Companies. For this adjustment law, in which I have undertaken
the responsibility of program management, we have established three
committees with the Program Sponsor Hakan Öker, as well as Melis Erkun
Kartal under Legal Committee Presidency, Emre Onan under IT Committee
Presidency, Zeynep Derya Levent and Saliha Güneş under Personnel/Human
Resources Committee Presidency and 12 project managers from each subsidiary
(Ömer Sezgi, Canan İnce, Ezgi Doğu Öcal, Begüm Yılmaz, Başak Helen Taşkan,
Emre Onan, Ufuk Kavlak, Emre Demircioğlu, Ozan Olgaç, Yasemin Elverici,
Çağkan Koru) and with one person in charge of each department selected from
the companies participating in the projects. The team consists of a total
of 240 people, who carry out TAV’s Law on the Protection of Personal Data
The most important reasons why we have preferred to manage this critical
process based on TAV Airports Holding and the Group Companies are as
Any penalty fine that to be received within the scope of the Law on the
Protection of Personal Data Adjustment would affect TAV’s brand perception;
Pursuant to Law, obligation to comply with the law is on the level of
members of the Board of Directors,
Sharing of experiences and evaluating synergy opportunities
- Could you please brief us what kind of regulations are in effect in
other countries TAV is operating?
The Law on the Protection of Personal Data is a new law in Turkey but
relatively old in other countries. In 1995, with coming into effect of
European Union Data Protection Directive No. 95/46/AT served as the
foundation of GDPR (General Data Protection Regulation), which was
re-arranged and came into effect on April 14th, 2016 for all
European Countries. Although the Law on the Protection of Personal Data has
similar features with its outline and purpose with GDPR, there are
differences with regard to implementations and obligations. Accordingly,
TAV Airports Holding and TAV Group Companies are operating in countries
that are members of European Union, GDPR adjustment programs are being
carried out under their operation responsibilities. Not only in countries
that are members of the European Union but also in other operations, there
are different laws in effect that are directed to the Protection of
Personal Data and programs are being carried out under the responsibility
of the operations.