Legal Journal
Written on 12 April 2016
What Does "Turkish Law on Protection of Personal Data" Bring?
It has become harder to protect any data including personal data day by day, as a result of technological developments. After developments and changes in our daily life, growing accessibility and popularity of internet; it’s become inevitable to fill the deficiency of data protection regulation. Although there was some amendments to the Constitution of Turkish Republic and other laws with limited number of provisions, they did not provide the necessary protection and regulation.
Turkey has entered into an adaptation process and its first step was the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention”) in 1981. However, during these 35 years, Turkey did not formally accept the Convention or bring into force the legal changes specifically with respect to personal data.
In 2016, the Convention was accepted formally by Turkish Government on 18.02.2016 as a consequence of rising needs of the society and EU harmonization process. Following that, Law on Protection of Personal Data No:6698 (“the Law”) which is drafted based on EU Directive No:95/46/EC’s was legislated. The Law was published on Official Gazette on 07.04.2016 and entered into force at the same day.
1. What is Personal Data? Which Information is deemed within the scope of Personal Data?
Personal data is any information relating to an identified or identifiable natural person. Information such as name-surname, birth date, ID number, social security number, phone number, photograph, license plate, CV of a natural person are deemed as personal data under the Law.
There is also another term used in the Law; special personal data. Race, ethnic origin, political opinion, religion, religious sect or other beliefs, association/foundation or trade-union membership, health information, sex life, criminal conviction, data on adopted security measures and biometrical or genetic data of a real person are his special, or with other words, sensitive personal data.
2. Who are the Actors of Processing of Personal Data?
Data Subject: Real person whose personal data is processed. (e.g. employees of a company)
Data Controller: Natural or legal person which determines the purposes and means of the processing of personal data. (e.g. company)
Data Processor: Natural or legal person which processes personal data with authority given by and on behalf of the data controller (e.g. firms which provide outsourced payroll services)
Institution: Institution of Protection of Personal Data.
Commission: Commission of Protection of Personal Data established under the Institution.
3. What does Processing of Personal Data mean?
Under the definition of the Law, processing of personal data includes;
“Any operation which is performed upon personal data, by automatic means or, provided that being part of a data recording system, by non-automatic means, such as collection, recording, storage, conservation, alteration, reorganizing, disclosure, transmission, taking over, making available, classification or blocking its usage.”
According to this definition; processing personal data without human intervention and for example by a computer and software, or processing it without electronic devices and by using a manmade data system may all be included in scope of the Law.
4. Is It Necessary to Get Permission In Order to Process Personal Data?
Processing any kind of personal data, whether special/sensitive data or otherwise, is only possible under the procedures and principles regulated by the Law and with direct consent of data subject.
On the other hand direct consent is not required in some exceptional, special and numerous clausus circumstances stated under the Law such as; situations based on legislation (e.g. providing wage information of employees to Tax Office upon written request), data subject’s former publication of data; or in case of health/sexual data, under situations relating to public health.
It is not clear how these exceptions will be practiced or how they will be interpreted (strict or liberal interpretation). It will become clearer in time depending on the practice of the courts and the Institution.
5. What are the Main Obligations of Data Controller and Data Processor?
During collection of personal data, data subject should be explicitly notified about purpose and scope of processing of personal data. This notification which will be given by data controller should include information such as; identity of the controller and of his representative, if any; purpose or purposes of the processing; the recipients to whom the data might be disclosed and the disclosure purpose; method and purpose of collecting the data, right to request information and right of application of data subject under the Law.
Some other obligations of the data controller are taking security measures for protection of collected data, processing data in a way compatible with its collection purposes and registering to the Data Controllers Register which will be formed by the Institution.
Data processors are also subject to rules and restriction such as complying with data controller’s instructions, ensuring safety of data and following the rules about transfer of data.
Companies or persons might be both data controller and data processor at the same time.
6. Is it Possible to Transfer Personal Data to Group Companies or Foreign Countries?
Personal data might be transferred domestic or foreign third parties solely subject to some specific rules and conditions. Group companies should also follow these conditions and procedures when they transfer data within the same corporate group since each one of the group companies is a different legal person.
Data subject’s direct consent is the main condition in order to transfer his personal data to another agency/body. However there are some exceptions to this rule as well, where data subject’s direct consent is not required.
There is one more special condition which needs to be met to transfer data to foreign countries without data subject's direct consent. This condition is adequate level of protection for personal data on the recipient/foreign country. Countries that have adequate level of protection shall be determined and announced by Commission of Protection of Personal Data. In case the country, to which the data will be transferred, does not have adequate level of protection; data controller from Turkey and the receiving data controller abroad must undertake in writing to ensure adequate level of protection and get Commission’s prior permission.
7. What are the Rights of Data Subject whose Personal Data is Processed?
Everyone has the right to obtain from data controller information about whether or not the data relating to him is being processed; information about processing if his personal data is processed; information in relation to the purposes of the processing and whether or not data is being processed in a way compatible with its collection purposes; and the right to request from data controller correction, erasure or destruction his personal data. In the event data subject suffers damages because of illegal data processing, he has the right to claim indemnification of losses and damages.
8. Is there any Regulatory Body which will Control the Processing of Personal Data? What will be the Sanctions for Violation of the Law?
According to the Law, Institution of Protection of Personal Data, which is administratively and financially autonomous, shall work as a control mechanism and a commission named Commission of Protection of Personal Data shall be established for resolution of appeals.
Duties and powers of the Institution’s and Commission’s include ensuring that processing is in accordance with fundamental rights and freedoms of the data subject; settlement of data subject’s complaints; keeping records of Data Controllers Register; determining conditions of data protection in relation to security; following and evaluating the local and international developments on legislation; cooperating with governmental bodies, non-governmental organizations and universities.
In the event that data controller or data processor does not meet their obligations, they may be subject to monetary fines from 5.000-TL to 1.000.000-TL and penalty of imprisonment from 1 year to 4 years. Data controller may also face damage claims of data subjects.
9. What Should Companies Do to Comply with the Law?
The Law regulates a harmonization period as it is the first detailed regulation with respect to processing personal data and it includes provisions which require major changes and novelties. Accordingly, personal data which has been processed before 07.04.2016 shall be harmonized with provisions of the Law within 2 years as of 07.04.2016.
Personal data which is determined as inconsistent with provisions of the Law also needs to be erased, destroyed or rendered anonymized immediately.
In this context, especially Companies and independent consultants, should primarily;
- Determine whether or not they perform operations which are stipulated under the Law; and if they are performing, determine what are these operations,
- Specify allocation of liability between Company/Consultant and third person(s) who process(es) data on behalf of the Company/Consultant (accounting firms, payroll firms, cloud computing firms); execute necessary agreements, amend existing agreements and determine control procedures,
- Analyze all agreements used by Company including job application forms with regards to processing and transferring personal data, and amend these documents in accordance with both the operations of Company/Consultant and provisions of the Law,
- Establish technical and legal infrastructure in order to ensure security of personal data,
- Identify obligations of local or foreign third parties and countries in the event that data is being transferred within the context of operations of Company/Consultant; and set up alternative models if necessary,
- Train employees who will be the part of data processing operations,
in order to comply with the Law.
Av. Nihan Malkoçer