Data protection in Turkey: overview

A Q&A guide to data protection in Turkey.

This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.

To compare answers across multiple jurisdictions, visit the Data protection Country Q&A tool.

This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.

Contents

Regulation

Legislation

1. What national laws regulate the collection and use of personal data?

The Turkish Constitution, which embodies the highest set of rules within the Turkish national legislation hierarchy, sets out the following fundamental principles concerning personal data:

  • Article 17 states that every individual is entitled to the rights of life, protection and improvement of his or her material and spiritual being.

  • Article 20 provides that everyone has the right to request the protection of his or her personal data. This right includes being informed of, having access to and requesting the correction and deletion of his or her personal data, and being informed whether this data is being used consistently with stated and foreseen objectives. Moreover, personal data can be processed only in accordance with law, or with the concerned individual's explicit consent.

General laws

Law on the Protection of Personal Data. The Law on the Protection of Personal Data numbered 6698 (Data Protection Law) is the main legislation, which regulates the processing of personal data in Turkey.

The Data Protection Law has recently entered into force upon its publication in the Official Gazette on 7 April 2016. Certain provisions of the Data Protection Law will enter into force on 7 October 2016. These provisions are:

  • Article 8 (on the transfer of personal data).

  • Article 9 (on the transfer of data abroad).

  • Article 11 (on the rights of the data subject).

  • Article 13 (on the application to the data controller).

  • Article 14 (on complaints to the board).

  • Article 15 (on the procedures and principles that apply when a complaint is made or ex-officio).

  • Article 16 (on the data controllers' registry).

  • Articles 17 (on crimes) and Article 18 (on misdemeanours).

The Data Protection Law harmonises Turkey's data protection policy with the Council of Europe's Strasbourg Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 1981 (Strasbourg Data Processing Convention), and more specifically, Directive 95/46/EC on data protection (Data Protection Directive). Turkey has also recently ratified the Strasbourg Data Processing Convention on 30 January 2016.

The Data Protection Law's objective is to protect, in particular, the right to privacy and other fundamental rights and freedoms of individuals in the processing of personal data, and to regulate the procedures and principles for individuals and legal entities processing the personal data.

Civil Code. Articles 23, 24 and 25 of the Civil Code safeguard personal rights:

  • Article 23 sets out that no individual can waive his or her freedom or restrict it contrary to the law.

  • Article 24 provides that the violation of personal rights is unlawful unless justified by the consent of the person whose right has been violated, or there is a superior private or public benefit, or authority granted by the law.

  • Article 25 sets out the civil remedies in case of infringements of personal rights.

Law on the Regulation of Electronic Commerce. This law, which entered into force in 2015, sets out that entities are responsible for the storage and security of personal data (any data acquired during activities falling within the scope of this law). The law also states that personal data must not be transmitted to any third party, or be used for any other purpose, without the consent of the data subject.

The law also introduced an opt-in rule and banned commercial messages by e-mail, text messaging, fax and automated calls to consumers without their prior approval.

Code of Obligations. The following articles of the Code of Obligations also concern personal data:

  • Article 27 provides that any agreement contrary to personal rights is invalid.

  • Article 58 sets out that a person whose personal rights have been violated can seek damages against the violating person.

  • Article 419 imposes a duty on an employer in relation to employees' personal data. According to this rule, an employer can only use employees' personal data in relation to the employees' qualifications or if it is required to perform a service.

Criminal Code. The Criminal Code sets out the following sanctions for violations of the rules on the protection on personal data:

  • Article 134 provides that anyone illegally disclosing information about a person's private life can be fined or imprisoned from one to three years.

  • Article 135 provides that the illegal recording of personal data can result in between one to three years' imprisonment. Furthermore, in circumstances where the illegal recording includes data relating to the political, philosophical or religious views, ethnic origins, moral inclinations, sex lives, or union affiliations of individuals, the imprisonment sentence would be increased by half (resulting in a sentence of one and a half years to four and a half years).

  • Article 136 sets out that the illegal transfer, dissemination and collection of personal data is punishable by imprisonment of between two to four years.

  • Article 138 provides that individuals who are responsible for deleting personal data following the expiry of the retention period, but who fail to do so, can be imprisoned for one to two years.

Law on the Right to Access Information. This law, which is applicable to the activities of public authorities, aims to promote the convenient access to information for a natural and legal person.

Article 21 sets out that personal data and documents can be disclosed only if there is a public interest and the relevant person's written consent exists.

Labour Law. Article 75 of the Labour Law provides that employers are obliged not to disclose information belonging to their employees, if it is in the interest of the relevant employees for the information to remain confidential. This provision also sets out that employers should use their employees' personal data in good faith and in accordance with other applicable laws.

Sectoral laws

Banking Law. Article 73 provides that customers' personal data must be protected and kept confidential by banking personnel. Article 159 states that an administrative fine as well as a prison sentence (of one to three years) will apply to those who are in breach of this obligation.

Bank Cards and Credit Cards Law. Article 23 provides that the issuer is under an obligation to keep any information it collects confidential. Such data cannot be used except for the issuer's own marketing activities. The issuer must take precautions to prevent any party accessing this data except for those entitled to under the law.

The same article sets out that merchants must not disclose, store and/or copy any data (related either to the card or the cardholder) acquired in relation to the use of the credit card, unless there is written consent from the cardholder. Merchants must not share, sell, buy or exchange card information with any party except for the entity who is party to the membership agreement.

Article 39 provides that those who intentionally breach obligations set under Article 23 (issuers, merchants, officers who undertake an administrative role at the merchant and those who commit such a breach) will be subject to a prison sentence of one to three years as well as a monetary fine.

Regulation on Internal Systems of Banks. This regulation contains the principles that need to be followed by the internal systems of banks, which, among others, concern the infrastructure/software allowing the safe electronic registration, access and use of data. The banks' systems must aim to ensure the compliance of banks with the obligations under both banking legislation and any other laws. The "primary system" refers to the whole system whereas the "secondary system" is a back-up to the primary system.

Article 11 provides that Turkish banks are required to maintain their primary and secondary data systems in Turkey.

Finally, Article 42 sets out that a data management process must be formed in a way to ensure the data quality, and the consistent and trustworthy supply of such data, as well as its security.

Electronic Communications Law. Article 51 sets out the rules on personal data in the electronic communications sector, including the following:

  • Personal data can only be processed if it is expressly permitted by law and in line with principles of good faith.

  • Electronic communications and traffic data is deemed private and the recording, retention, interception or tracking of electronic communications is prohibited without a legal basis or the explicit consent of the data subjects who are parties to the communication.

  • Retaining and accessing data in users' terminal equipment for purposes other than those related to the provision of electronic communications services, is permitted only on obtaining the users' informed and explicit consent.

  • Traffic and location data can be transferred abroad only if the data subjects' express consents are obtained.

  • Electronic communications operators must take administrative and technical measures to ensure the security of their users' personal data.

Basic Law on Health Services. Under Article 3/f, the Ministry of Health is entitled to establish a registration and notification system for the efficient and fast operation of healthcare services, as well as tracking of individuals' health status.

Statutory Decree on Establishment and Duties of the Ministry of Health and Associated Authorities. Article 8/j sets out that the General Directorate of Health Services is assigned to make the relevant arrangements to protect personal data and privacy.

Article 11 authorises the General Directorate of Health Information Systems to make and/or procure any information systems and projects comprising personal health data, countrywide health status and information flow, in relation to health services.

With recent amendments introduced under Article 47 of the decree, personal data belonging to those applying to public and private health institutions (either data requested in order to provide the service or data in relation to the service provided) may be processed. Such processing can only be done by the Ministry of Health, for the aims of providing healthcare services, protecting public health and conducting preventative medicine, medical diagnostics, treatment and caring services as well as planning/calculating the associated costs. The system set by the Ministry must be accessible by data subjects and authorised third parties. A security system must also be established for monitoring the use of data. Public or private entities who employ healthcare staff are under a liability to notify the Ministry of Health about information regarding the employed staff and their activities.

The same article provides that relevant data can only be transmitted subject to the conditions provided under the Data Protection Law and the protection and credibility of the system must be set by the Ministry of Health in compliance with the principles determined by the Data Protection Authority.

 

Scope of legislation

2. To whom do the laws apply?

The Data Protection Law applies to natural persons whose personal data are processed, and to legal entities and individuals that process personal data through automatic means or as part of a data filing system.

General legislation applies to all entities and individuals whereas sector-specific laws apply only to persons who fall within the scope of that sector-specific legislation.

 
3. What data is regulated?

The Data Protection Law regulates the processing of data relating to an identified or identifiable natural person. In addition, there are also other types of data regulated under both general and sector-specific laws.

The Data Protection Law also makes a distinction among types of personal data. Article 6 of the Data Protection Law defines special categories of personal data, which refers to personal data relating to:

  • Race, ethnicities.

  • Political, philosophical, religious, sectarian views or other beliefs.

  • Clothes and appearances.

  • Association, foundation and union affiliations.

  • Health conditions.

  • Sexual life.

  • Convictions.

  • Safety precautions.

  • Biometric and genetic data.

 
4. What acts are regulated?

The Data Protection Law applies to the processing of all personal data. Processing is defined as "any operation which is performed upon personal data, whether by automatic means or not by automatic means, on the condition that it is a part of any data filing system, such as collection, recording, storage, conservation, modification, rearrangement, disclosure, transmission, taking over, making available, classification or blocking of use".

 
5. What is the jurisdictional scope of the rules?

The Data Protection Law does not contain a specific provision on its jurisdictional scope. At least until further guidance is issued by authorities and courts, it is generally considered that the Data Protection Law will also apply to foreign entities' processing of personal data of individuals residing in Turkey.

Although the Data Protection Law does not have a specific rule, Turkish international private and procedural law states that claims arising from the violation of personal rights through any means of mass media must be subjected to:

  • The law of the habitual residence of the damaged party in the event that the party who caused the damage is in a position to know that the damage would occur in that state.

  • The law of the state where the workplace or the habitual residence of the party who caused the damage is located.

  • The law of the state where the damage occurred in the event that the damaging party was in a position to know that the damage would occur in that state.

This rule also applies to claims resulting from the "violation of personality" by processing personal data or limiting the right of information on personal data.

 
6. What are the main exemptions (if any)?

The Data Protection Law does not apply if:

  • Data is processed by a natural person in the course of purely personal or household activity.

  • Data is processed for official statistical purposes or, provided that they are anonymised, for research, planning and statistical purposes.

  • Data is processed for artistic, literary, historic or scientific purposes or within the scope of freedom of expression provided that such processing does not infringe the privacy and personal rights, national defence and security, public security and order, and economic security or constitutes a crime.

  • Data is processed for criminal investigations, prosecutions and cases by judicial bodies and execution offices.

 

Notification

7. Is notification or registration required before processing data?

Under Article 16 of the Data Protection Law, legal entities and natural persons that process personal data must be registered to the Data Controllers Registry prior to any processing of personal data. The Data Protection Authority is, however, entitled to introduce exemptions for the registration requirement by taking into account objective reasons such as the type and number of data to be processed.

 

Main data protection rules and principles

Main obligations and processing requirements

8. What are the main obligations imposed on data controllers to ensure data is processed properly?

Data controllers are required to comply with data processing principles as well as rules on processing, retention, transfer of personal data. They must also register with the Data Protection Authority before processing any personal data. Moreover, the Data Protection Law requires them to put in place appropriate security measures to protect personal data. Within the scope of security measures, the Data Protection Law requires data controllers to conduct either external or internal audits to confirm that measures are in place. Also, in case of data breaches, data controllers must disclose the breach to the Data Protection Authority and data subjects.

Also, under Article 10 of the Data Protection Law, at the time of collection of the personal data, the data controller must provide certain information to data subjects including:

  • The identity of the data controller and of his representative, if any.

  • The purposes of the processing.

  • The recipients to whom data can be transferred, and the purpose of such a transfer.

  • The method and legal ground of the data collection.

  • The rights of data subject (see Question 13 for a list of rights of data subjects).

 
9. Is the consent of data subjects required before processing personal data?

As a general rule, the express consent of the data subject is required before the processing of their personal data. In this respect, consent cannot be implied or inferred.

Express consent is defined in Article 3 of the Data Protection Law as "any freely given, specific, informed indication of the data subject's wishes".

In the absence of express consent, personal data may still be processed if one of the following circumstances exists:

  • It is specifically designated by laws.

  • It is necessary in order to protect the life or physical unity of third parties or the data subject whose consent cannot be obtained due to physical impossibilities or whose consent would not normally be valid and binding.

  • It is necessary to process the personal data of contracting parties provided that such processing is directly related to the execution or performance of a contract.

  • It is necessary under a legal obligation which the controller is subject to and must comply with.

  • The data to be processed has been made public by the data subject.

  • It is necessary for the establishment, performance or protection of a right.

  • It is mandatory for the data controller's legitimate interest, on the condition that it does not harm the data subject's fundamental rights and freedoms

The Data Protection Law does not provide a specific form and content for the consent.

Consent concerning minors is not specifically indicated in the Data Protection Law, however relevant civil law provisions regarding minors may apply. According to Turkish civil law, minors cannot get involved in promissory transactions without their legal representatives' consent. They are only allowed to make acquisitive transactions and use their strictly bonded personal rights which may be considered as personal rights.

 
10. If consent is not given, on what other grounds (if any) can processing be justified?
 

Special rules

11. Do special rules apply for certain types of personal data, such as sensitive data?

Article 6 of the Data Protection Law defines sensitive personal data as data relating to:

  • Race.

  • Ethnicities.

  • Political, philosophical, religious, sectarian views or other beliefs.

  • Clothes and appearances.

  • Association, foundation and union affiliations.

  • Health conditions.

  • Sexual life.

  • Convictions.

  • Security measures.

  • Biometric and genetic data.

It is prohibited to process sensitive data without the data subject's express consent, however except for personal data related to individuals' health conditions and sexual lives, it is possible to process sensitive personal data without the data subject's express consent where processing has been specifically designated by laws.

Under the Data Protection Law, without the explicit consent of the data subject, information related to health and sexual life may only be processed by persons who are under a confidentiality obligation, or by authorised institutions and establishments for the purposes of protection of public health, preventative medicine, medical diagnosis, carrying of treatment or nursing services, planning and management of health services and financing.

Additionally, while processing sensitive personal data, it is mandatory to take the necessary precautions indicated by the Data Protection Authority.

 

Rights of individuals

12. What information should be provided to data subjects at the point of collection of the personal data?
 
13. What other specific rights are granted to data subjects?

Under Article 11 of the Data Protection Law data subjects are entitled to:

  • Request to have information on whether his/her personal data is processed.

  • Request detailed information concerning the processed data and its purpose.

  • Request information on the third persons to whom his/her personal data are transferred.

  • Inspect the use of his/her personal data.

  • Request a correction of personal data if the data is processed inaccurately.

  • Request the deletion or destruction of the data if the legitimate reasons to process data no longer exist.

  • To remedy negative consequences about him or her that are concluded as a result of analysis of the processed personal data by solely automatic means.

  • Damages arising from unlawful processing of the personal data.

 
14. Do data subjects have a right to request the deletion of their data?

Yes. See Question 13.

 

Security requirements

15. What security requirements are imposed in relation to personal data?

Article 12 of the Data Protection Law places a responsibility on data controllers to take all necessary technical and administrative measures to ensure an appropriate level of security to prevent the illegal processing of personal data, illegal access to personal data, and to preserve personal data.

 
16. Is there a requirement to notify personal data security breaches to data subjects or the national regulator?

See Question 8 on information obligations.

Additionally, in case of data breaches, data controllers must immediately notify the data subjects and the Data Protection Authority.

 

Processing by third parties

17. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

Article 12 of the Data Protection Law states that in case the data is processed by a third party on behalf of the data controller, the controller will be jointly liable with the third party in relation to the obligation to put in place appropriate security measures.

 

Electronic communications

18. Under what conditions can data controllers store cookies or equivalent devices on the data subject's terminal equipment?

Currently there are no specific laws or rules in Turkey that organise the use and deployment of cookies. However, in principle the use of cookies must comply with the Data Protection Law. Therefore, the data controller can store cookies on a data subject's terminal equipment if the data subject gives his/her explicit consent.

 
19. What requirements are imposed on the sending of unsolicited electronic commercial communications (spam)?

The Law on the Regulation of Electronic Commerce prohibits the sending of unsolicited commercial messages by e-mail, text messaging, fax and automated machines to consumers without their prior approval (Article 6).

According to the Article 50 of the Electronic Communications Law, the recipient of the spam must be able to reject future messages free of charge and by simple means if the spam is conveyed for certain purposes (such as direct marketing), by electronic communications like automatic dialling machines, fax machines, e-mails and text messages.

 

International transfer of data

Transfer of data outside the jurisdiction

20. What rules regulate the transfer of data outside your jurisdiction?

The Data Protection Law states that personal data must not be transferred to foreign countries without the data subject's express consent.

The data, however, can be transferred outside Turkey without the consent of the data subject if one of the exceptions to the requirement to obtain express consent as explained above exists (see Question 9) and either:

  • There is an adequate level of protection in the foreign country.

  • If there is not an adequate level of protection in the foreign country, the data controllers in Turkey and the data transferor and transferee have provided adequate protection in writing and have obtained the approval of the Data Protection Authority.

These rules regulating the international transfer of personal data will enter into force on 7 October 2016.

The Data Protection Law does not distinguish between transfers of personal data to group companies located abroad and in Turkey. Therefore, the transfer of personal data to any other legal entity will be subject to the above mentioned rule.

 
21. Is there a requirement to store any type of personal data inside the jurisdiction?

There is no general data localisation rule in Turkey. With that said, certain laws and regulations, such as the Banking Law and the Law on Payment and Security Reconciliation Systems, Payment Services and Electronic Money Organisations include rules which require regulated entities to either store personal data in Turkey or at least store their primary and secondary systems in Turkey (see Question 1).

 

Data transfer agreements

22. Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?

Currently, data transfer agreements are not explicitly regulated under Turkish laws. However, once the rules on international data transfer to "inadequate" countries come into force (see Question 20), these types of agreements will likely be used in practice.

 
23. Is a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?

See Question 20 for the rules on the legitimate transfer of personal data outside Turkey.

 
24. Does the relevant national regulator need to approve the data transfer agreement?

As discussed in Question 20, starting from 7 October 2016, transferring personal data to inadequate jurisdictions will require the Data Protection Authority's approval if the express consent of the data subject does not exist.

Also, if the interests of Turkey or the data subject would be seriously damaged due to the international transfer of the personal data, the Data Protection Authority's approval to transfer personal data abroad will be required, which it will give by consulting with the relevant public authorities.

 

Enforcement and sanctions

25. What are the enforcement powers of the national regulator?

The Data Protection Authority has the power to:

  • Organise inspections on its own initiative or upon a complaint.

  • Take appropriate measures when necessary.

  • Apply administrative fines and refer to criminal proceedings.

 
26. What are the sanctions and remedies for non-compliance with data protection laws?

The Data Protection Authority is responsible for monitoring data processing and ensuring compliance with the Data Protection Law, which sets out administrative fines and refers to the relevant articles of the Criminal Code, which in turn sets out prison sentences between one to four-and-a-half years and judicial fines in cases of unlawful data processing. The administrative fine for non-compliance with the current Turkish Data Protection Law ranges between TRY5,000 and TRY1 million depending on the type of infringement.

Data protection is also enforced as a result of:

  • The Civil Code, which grants a right to damages in cases of unlawful collection or processing of personal data.

  • A number of sector-specific regulations that impose administrative fines.

 

Regulator details

Turkish Data Protection Authority

W The Data Protection Authority has not yet launched its website.

Main areas of responsibility

The main regulatory body for data protection law in Turkey is the Turkish Data Protection Authority. However, please note that the Data Protection Authority has not yet been established. It is planned that the members will be selected in October 2016 when Data Protection Authority will start to operate. Its main responsibilities will be:

  • Ensuring hat personal data is processed in accordance with fundamental rights and freedoms.
  • Making decisions for the complaints of those who claim that their rights regarding personal data are violated.
  • Conducting examinations to ensure personal data is processed according to the laws, and in cases where a complaint is filed, or where it finds out such alleged violation has occurred ex officio, taking temporary measures when necessary.
  • Determining sufficient measures for processing sensitive personal data.
  • Keeping the Data Controller's Registry.


Online resources

W www.mevzuat.gov.tr

Description. This is the official and up-to-date website for Turkish legislation. The website is maintained by general directorate of legislative development and publication.



Contributor profiles

Fevzi Toksoy, Managing Partner

ACTECON

T +90 212 211 50 11
F +90 212 211 32 22
E fevzi.toksoy@actecon.com
W www.actecon.com

Professional qualifications. Competition and Trade Consultant

Areas of practice. EU and Turkish competition laws; anti-trust; international trade remedies; regulation; government affairs; complex merger filings/structuring of transactions; competition compliance programmes.

Non-professional qualifications. BSc, Bilkent University, 1994; LLM, EU Law at Marmara University Jean Monnet Institute, 1996; MA, EU Law at Universite Libre de Bruxelles (ULB), 1997; PhD, EU Law at Marmara University Jean Monnet Institute, 2007

Languages. Turkish, English, French

Professional associations/memberships.

  • ICN, Non-Governmental Advisor, International Competition Network Unilateral Conduct Working Group Member.
  • Bilgi University, Advisory Committee Member of Competition Law and Policies Application and Research Center.
  • Bilgi University, Advisory Committee Member of Ethics Research Center.
  • TEİD, Ethics and Reputation Society, Member of the Board.
  • American Bar Association (ABA), Associate Member.
  • Lecture on EU and Turkish competition law at the Marmara University EU Institute and lectures occasionally on mergers and acquisitions, international trade remedies and competition law aspects of EU and Turkish environmental law.

Publications.

  • Regulatory Authority and Superiority of Law ( Düzenleyici Kurumlar ve Hukukun Üstünlüğü) , Freedom Research Association ( Özgürlük Araştırmaları Derneği) , 2016.
  • Recent Problems in the Implementation of Competition Rules in Turkey, Practical Law, Thomson Reuters, 2015.
  • International Trade and Commercial Transactions in Turkey, Thomson Reuters, 2015 edition.
  • Trade & Customs: Turkey – Getting the Deal Through, 2015 edition.

Bahadır Balkı, Partner

ACTECON

T +90 212 211 50 11
F +90 212 211 32 22
E bahadir.balki@actecon.com
W www.actecon.com

Professional qualifications. Turkey, Attorney-at-Law

Areas of practice. EU and Turkish competition laws; anti-trust; international trade remedies; regulation; government affairs; complex merger filings/structuring of transactions; competition compliance programmes; competition litigation.

Non-professional qualifications. LLB, University of Bahcesehir, 2006; LLM, European Economic Law at Universitat des Saarlandes, Europa Institut, 2008

Languages. Turkish, English

Professional associations/memberships. ICN, Non-Governmental Advisor, International Competition Network Unilateral Conduct Working Group Member; Istanbul Bar Association; American Bar Association (ABA), Associate Member.

Publications.

  • Private Antitrust Litigation: Turkey, Getting the Deal Through, 2015 edition.
  • Trade & Customs: Turkey, Getting the Deal Through, 2015 edition.
  • Recidivism in Turkish Competition Law, Turkish Competition Authority, 2014.

Firdevs Sera Erzene Yıldız, Senior Consultant

ACTECON

T +90 212 211 50 11
F +90 212 211 32 22
E sera.yildiz@actecon.com
W www.actecon.com

Professional qualifications. Turkey, Attorney-at-Law

Areas of practice. EU and Turkish competition laws; anti-trust; international trade remedies; regulation; government affairs; merger filings; competition compliance programmes; competition litigation.

Non-professional qualifications. Law, Istanbul Bilgi University, 2008; LLM, in Competition Law, Queen Mary, University of London, 2012

Languages. Turkish, English, French

Professional associations/memberships. Istanbul Bar Association; American Bar Association (ABA), Associate Member.

Publications.

  • Private Antitrust Litigation: Turkey, Getting the Deal Through, 2015 edition.
  • Buyer Power in the Context of Private Label in the EU: Accompanied with a Special Reference to the UK' s Approach, Global Antitrust Review 2012.

{ "siteName" : "PLC", "objType" : "PLC_Doc_C", "objID" : "1247648384352", "objName" : "Data protection in Turkey overview", "userID" : "2", "objUrl" : "http://us.practicallaw.com/cs/Satellite/us/resource/7-520-1896?null", "pageType" : "Resource", "academicUserID" : "", "contentAccessed" : "true", "analyticsPermCookie" : "2-3b01f5d1:15aff1730a1:7538", "analyticsSessionCookie" : "2-3b01f5d1:15aff1730a1:7539", "statisticSensorPath" : "http://analytics.practicallaw.com/sensor/statistic" }