PERSONAL DATA PROTECTION IN TURKEY

Av. Sevcen CAN & Av. Yasemin ÇORAK

1. TURKEY’S APPROACH TO PERSONAL DATA PROTECTION

The world has changed into a complex “information age”. Thanks to rapid technological development, digitalization has made access to information far easier.

The way information is used has changed with developing technologies, and much of this information relates to individuals. Credit and debit cards, phone cards and store cards have been used by most people since they were created. However, society has forgotten that all of these things can be used to record where we are and what we do. Data protection law aims to protect the individual’s right to privacy by regulating the collection, use and dissemination of such personal information. Furthermore, many European and international treaties have been signed on the protection of personal data.

In Turkey, the lawmaker has regulated the protection of personal data in line with European standards. Indeed, this legislation brings heavy sanctions for violations of personal data protection. Accordingly, companies in the private sector must treat individuals’ data with respect; otherwise, they may face an administrative fine of up to 1 million Turkish Liras.

The legislation bans the recording of personal data without the express consent of the person concerned. Besides, every institution and agency has to appoint a person, called the “data responsible”, who is responsible for the safe handling of personal data processing. A person working in a public institution who is responsible for personal data processing may receive disciplinary punishment if he acts against the legislation.

2. THE LAW ON THE PROTECTION OF PERSONAL DATA

The Law on the Protection of Personal Data (“LPPD” and/or “Law”) No. 6698 was published in the Official Gazette on 7 April 2016 and entered into force. The purpose of this Law is to protect the fundamental rights and freedoms of individuals in the processing of personal data and to regulate the obligations, procedures and principles to be followed by natural and legal persons who process personal data. The provisions of this Law apply to natural persons whose personal data are processed and to natural and legal persons who process these data completely or partially, by automatic or non-automatic means.

Under the personal data protection policy, with the entry into force of the LPPD, the Turkish Data Protection Authority was established as an independent regulatory authority with organisational and financial autonomy. The mission of the Authority is to ensure the protection of personal data and to raise awareness in this respect in line with fundamental rights, as well as to establish an environment that enhances the competitiveness of public and private organizations in a data-driven economy. The duties of the Authority are:

– To follow the practices and developments in legislation, and to make evaluations, researches, examinations and suggestions,

– To cooperate with state institutions and organizations, non-governmental organizations, professional associations or universities in matters falling within its field of duty,

– To monitor and evaluate international developments related to personal data, to cooperate with international organizations in matters falling within its field of duty, and to attend meetings,

– To report annually to the Presidency and to the Human Rights Investigation Commission of the Grand National Assembly of Turkey,

– To fulfill other duties assigned by law.

2.1. DEFINITIONS

Some of the concepts defined in the Law should be explained:

Personal data: Any information relating to an identified or identifiable natural person. There are basically two criteria used to distinguish personal data from non-personal data: the data must relate to a person, and that person must be identified or identifiable.

Data subject: The natural person whose personal data is being processed. If personal data relating to a legal person identifies or makes identifiable a natural person, these data are protected under the LPPD as well.

Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data registry system. There is no difference between public legal persons and private legal persons in terms of being data controller.

Processing of personal data: Any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or, provided that the process is part of a data registry system, through non-automatic means.

Explicit consent: Freely given, specific and informed consent.

Anonymizing: Rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data.

Data registry system: The registry system in which personal data are recorded, structured according to certain criteria.

2.2. PRINCIPLES

Policies and regulations relating to the protection of personal data in Turkey have been implemented in the light of international policies and regulations, especially the General Data Protection Regulation (“GDPR”). Therefore, the key principles followed for the protection of personal data in Turkey correspond to internationally accepted principles. The principles included in the LPPD are as follows:

i. Lawfulness and conformity with rules of bona fides.

ii. Accuracy and being up to date, where necessary.

iii. Being processed for specific, explicit and legitimate purposes.

iv. Being relevant with, limited to and proportionate to the purposes for which they are processed.

v. Being retained for the period of time stipulated by relevant legislation or the purpose for which they are processed.

The principles above shall be complied with in the processing of personal data.

2.3. CONDITIONS FOR PROCESSING OF PERSONAL DATA

Explicit consent, in other words specific and informed consent freely given by the data subject, is the primary requirement for processing personal data. Personal data cannot be processed without the explicit consent of the data subject. However, in some cases explicit consent is not required. Personal data may be processed without seeking the explicit consent of the data subject only where one of the following conditions is met:

a) it is clearly provided for by the laws.

b) it is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his consent or whose consent is not deemed legally valid.

c) processing of personal data belonging to the parties of a contract is necessary for conclusion or fulfilment of that contract.

d) it is mandatory for the controller to be able to perform his legal obligations.

e) the data concerned is made available to the public by the data subject himself.

f) data processing is mandatory for establishment, exercise or protection of any right.

g) it is mandatory for legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

The conditions for processing personal data are exhaustively listed in the LPPD and cannot be extended.

2.4. CONDITIONS FOR PROCESSING OF SENSITIVE PERSONAL DATA

The concept of sensitive personal data is defined in the Law as personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and/or genetic data. The categories of sensitive personal data are exhaustively listed in the Law and cannot be extended.

Where personal rights are violated, the consequences are more serious for sensitive personal data than for other personal data. For this reason, sensitive personal data are protected more strictly than other data. As a result, it is prohibited to process sensitive personal data without the explicit consent of the data subject. However, sensitive personal data, excluding those relating to health and sexual life, may be processed without seeking the explicit consent of the data subject in the cases provided for by law. Sensitive personal data relating to health and sexual life may only be processed without seeking the explicit consent of the data subject by persons or authorised public institutions and organizations under a confidentiality obligation, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and nursing services, and the planning, management and financing of health-care services.

The conditions for processing sensitive personal data are exhaustively listed in the LPPD and cannot be extended.

2.5. TRANSFER OF PERSONAL DATA

The Law makes a dual distinction regarding the transfer of personal data: transfer inside Turkey and transfer abroad.

2.5.1. Transfer of Personal Data Inside Turkey

There is no difference between the conditions for processing personal data and those for transferring personal data inside Turkey. As with data processing, personal data can only be transferred with the explicit consent of the data subject. However, the lawful processing of personal data does not mean that the data can be transferred without constraint. For transferring personal data, one of the following conditions must be met:

– Explicit consent must be given by the data subject,

– It must be mandatory for the protection of life or physical integrity of a person who is unable to give consent or whose consent is not legally valid,

– Processing of personal data belonging to the parties of a contract must be necessary, provided that it is directly related to the conclusion or fulfilment of that contract,

– It must be mandatory for the controller to fulfil its legal obligations.

– The data must be made manifestly public by the data subject.

– It must be mandatory for the establishment, exercise or protection of any right.

– It must be mandatory for the legitimate interests of the controller.

Any natural or legal person who transfers personal data must comply with the purpose and method governing the processing of that personal data.

2.5.2. Transfer of Personal Data Abroad

The Law stipulates stricter conditions for the transfer of personal data abroad than for transfer inside Turkey. Personal data may be transferred abroad in one of the following cases:

– Explicit consent is given by the data subject.

– The country to which the data will be transferred has been approved by the Board as an “Adequate Country”, and one of the conditions required for processing personal data exists.

– If the country has not been approved by the Board as an “Adequate Country”, the data controllers in Turkey and abroad commit in writing to provide an adequate level of protection.

An adequate country can be defined as a country where a sufficient level of protection is provided. The Board shall decide whether there is sufficient protection in the foreign country concerned and whether such a transfer will be authorised, by evaluating the following:

a) the international conventions to which Turkey is a party,

b) the state of reciprocity concerning data transfer between the requesting country and Turkey,

c) the nature of the data, the purpose and duration of processing regarding each concrete, individual case of data transfer,

d) the relevant legislation and its implementation in the country to which the personal data is to be transferred,

e) the measures guaranteed by the controller in the country to which the personal data is to be transferred.

The Board announces the countries where a sufficient level of protection is provided. However, the Board has not yet announced any adequate country.

Lastly, in cases where the interests of Turkey or of the data subject would be seriously harmed, personal data may only be transferred abroad, without prejudice to the provisions of international agreements, with the permission of the Board, given after receiving the opinions of the related public institutions and organizations.

2.6. RIGHTS AND OBLIGATIONS RELATED TO PERSONAL DATA PROTECTION IN TURKEY

2.6.1. Data Controller’s Obligations

a) Obligation to inform

When collecting personal data, the controller or the person authorised by the controller is obliged to inform the data subjects of the following:

– The identity of the controller and of his representative, if any,

– The purpose of data processing,

– To whom and for what purposes the processed data may be transferred,

– The method and legal reason of collection of personal data,

– The data subject’s other rights referred to in this Law.

b) Obligation to ensure data security

The data controllers are obliged to take all necessary technical and administrative measures to provide a sufficient level of security in order to:

– Prevent unlawful processing of personal data,

– Prevent unlawful access to personal data,

– Ensure the retention of personal data.

In addition:

– The data controller is obliged to conduct the necessary inspections with the aim of implementing the provisions of this Law in his own institution or organization.

– Data controllers and processors shall not disclose the personal data they have learned to anyone in breach of this Law, and shall not use such data for purposes other than processing. This obligation continues even after the end of their term of office.

– In case the processed data are obtained by other parties through unlawful means, the controller shall notify the data subject and the Board as soon as possible.

c) Obligation to erase, destroy or anonymise personal data

Even if they have been processed in accordance with the provisions of this Law and other relevant laws, personal data shall be erased, destroyed or anonymised by the controller, ex officio or upon the request of the data subject, when the reasons requiring the processing cease to exist.

Where the reason for processing ceases to exist, it is not necessary for the data subject to apply for the erasure, destruction or anonymisation of personal data. The controller is obliged to erase, destroy or anonymise the data.

d) Obligation to register in the Data Controllers’ Registry

2.6.2. The Rights of the Data Subject

Each person (not limited to the data subject) has the right to apply to the controller and:

– to learn whether his personal data are being processed or not,

– to request information if his personal data are being processed,

– to learn the purpose of his personal data processing and whether this data is being used for intended purposes,

– to know the third parties to whom his personal data is transferred in the country or abroad,

– to request the rectification of the incomplete or inaccurate data, if any,

– to request the erasure or destruction of his personal data,

– to request notification of the rectification, erasure or destruction to the third parties to whom personal data has been transferred,

– to object to the processing, exclusively by automatic means of his personal data, which leads to an unfavourable consequence for the data subject,

– to request compensation for the damage arising from the unlawful processing of his personal data.

Data subjects shall seek their rights by applying to the controller or by complaining to the Board. In our next article, we will explain the application and complaint methods by which a data subject may seek his rights.

2.7. APPLICATION TO THE CONTROLLER

The application and complaint methods by which a data subject may seek his rights are regulated in Articles 13, 14 and 15 of the Law.

The data subject has the right to apply to the data controller to learn whether his personal data are being processed or not; to request information if his personal data are being processed; to learn the purpose of the processing and whether the data are being used for the intended purposes; to know the third parties to whom his personal data are transferred in the country or abroad; to request the rectification of incomplete or inaccurate data, if any; to request the erasure or destruction of his personal data; to request that the rectification, erasure or destruction be notified to the third parties to whom the personal data have been transferred; to object to a consequence unfavourable to him arising from the processing of his personal data exclusively by automatic means; and to request compensation for damage arising from the unlawful processing of his personal data.

The data subject shall submit his request relating to the implementation of the Law to the data controller by a written application. The data controller shall conclude the demands in the application as soon as possible and within thirty days at the latest. The data controller shall accept or decline the application and communicate its response to the data subject in writing or by electronic means. If the demand in the application is found admissible, it shall be fulfilled by the data controller.

The data subject has the right to make a complaint to the Personal Data Protection Board if his requests have not been met through the application method. The data subject cannot make a complaint to the Board before exhausting the application process to the data controller.

2.8. COMPLAINT TO THE BOARD

The data subject has the right to make a complaint to the Board if his requests have not been met through the application method. The data subject cannot make a complaint to the Board before exhausting the application process to the data controller.

If the application is declined, the response is found unsatisfactory or no response is given in due time, the data subject may file a complaint with the Board within thirty days from the date he learns of the controller’s response, and in any case within sixty days from the application date.

Article 15 of the Law on the Protection of Personal Data regulates the procedures and principles of the examination to be made by the Board. According to this Article:

i. The Board shall make the necessary examination in matters within its scope of work, upon complaint or ex officio where it learns of an alleged violation. The controller shall be obliged to communicate within fifteen days the information and documents related to the subject of the examination requested by the Board, and shall enable on-the-spot examination where necessary.

ii. The Board shall finalise the examination upon complaint and give an answer to data subjects in sixty days as of the application date. In case the Board fails to answer the data subject’s application in sixty days, it is deemed to be rejected.

iii. Following the examination made upon complaint or ex officio, in cases where it is understood that an infringement exists, the Board shall decide that any infringement shall be remedied by the relevant controller and notify this decision to all it may concern. This decision shall be implemented without delay and within thirty days after the notification at the latest.

iv. The Board may decide that processing of data or its transfer abroad should be stopped if such operation may lead to damages that are difficult or impossible to recover and if it is clearly unlawful.

2.9. DATA CONTROLLERS’ REGISTRY

The Data Controllers’ Registry is maintained publicly by the Personal Data Protection Board. Natural or legal persons who process personal data are obliged to register in this Registry before proceeding with data processing. However, taking into account criteria such as the nature and quantity of the data processed, whether the processing is required by law, and whether the data are transferred to third parties, the Board may grant an exception to the obligation to register in the Data Controllers’ Registry.

The application for registration shall include the following:

a) identity and address of the controller and of his representative, if any,

b) purposes for which the personal data will be processed,

c) explanations about group(s) of personal data subjects as well as about the data categories belonging to these people,

d) recipients or groups of recipients to whom the personal data may be transferred,

e) personal data which is envisaged to be transferred abroad,

f) measures taken for the security of personal data,

g) maximum period of time required for the purpose of the processing of personal data.

A data controller who is obliged to register and violates the registration obligation may be fined up to 1 million Turkish Liras.

3. CRIMES AND MISDEMEANOURS REGARDING PERSONAL DATA

3.1. MISDEMEANOURS

Those who breach the Law shall be required to pay administrative fines of varying amounts. The stipulated fines are:

a) For those who fail to comply with obligation to inform; administrative fine of 5.000 to 100.000 TL,

b) For those who fail to comply with obligations related to data security; administrative fine of 15.000 to 1.000.000 TL,

c) For those who fail to comply with the decisions issued by the Board; administrative fine of 25.000 to 1.000.000 TL,

ç) For those who fail to meet the obligations for enrolling in the Registry of Data Controllers; administrative fine of 20.000 to 1.000.000 TL.

The administrative fines listed in this article apply to natural persons and private-law legal persons who are controllers.

3.2. CRIMES

Turkish Penal Code No. 5237 applies to crimes concerning personal data. These crimes are regulated in Articles 135-140 of the Turkish Penal Code. According to the Code, the acts of unlawfully recording personal data, unlawfully obtaining or giving data, and failing to destroy data are regulated as crimes:

3.2.1. Recording Of Personal Data

Any person who unlawfully records another person’s personal data shall be sentenced to imprisonment for a term of 1 to 3 years. Where the act of recording personal data concerns another person’s political, philosophical or religious opinions, racial origins, illegal moral tendencies, sex life, health or relations with trade unions, the penalty to be imposed shall be increased by one half.

3.2.2. Obtaining Or Giving Data Illegally

Any person who unlawfully obtains, disseminates or gives another person’s personal data to a third party shall be sentenced to imprisonment for a term of 2 to 4 years.

Where the offences of recording, obtaining or giving personal data are committed by a public official misusing the power derived from his public post, or by benefiting from the privileges derived from a profession or trade, the penalty to be imposed shall be increased by one half.

3.2.3. Not Destroying The Data

Any person who fails to destroy data in accordance with the prescribed procedures after the expiry of the legally prescribed period for destruction shall be sentenced to imprisonment for a term of 1 to 2 years.

The commencement of an investigation and prosecution for the acts of recording, obtaining, giving or not destroying personal data is not subject to a complaint by the victim.

Contact: [email protected]
