The Law on Protection of Personal Data Explained in 20 Questions

Personal data, defined as any type of information that can identify a person, covers information related to that person such as identity and contact details, including areas such as finance and health. Today, personal data are collected, shared and stored via IT systems by the private and public sectors for different purposes. The protection of personal data has therefore become crucial due to the risk of unauthorised access to, and sharing of, confidential information.

The concept of personal data began to appear in international documents in the 1980s, and it was taken under protection by the members of the European Council via the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which Turkey also signed. The Data Protection Directive 95/46/EC was adopted later.

In Turkey, the constitutional amendment of 2010 provided a constitutional framework for the protection of personal data, and clear and permanent legislation was attained with the Law on Protection of Personal Data (“the Law”) numbered 6698, which entered into force in 2016.

Matters such as the definition of personal data, the obligations of companies, the processing of personal data and its transfer, the data controller and the related person are explained below within the scope of the Law.

1. What is personal data?

The Law defines personal data as any type of information that relates to an identified or identifiable individual.

Within the preamble of the Law, it is set out that information related to a person’s physical, familial, financial and social features is personal data, in addition to information that can certainly identify a person, such as name, surname, place of birth and date of birth. Therefore any information that can identify a person by association, such as an identity or social security number, or which carries concrete content representing a person’s physical, financial, cultural, social or psychological identity, is personal data. In this context, information such as a résumé, phone number, licence plate, or audio and video recording will also be accepted as personal data.

2. What is the purpose and scope of the Law?

The purpose of the Law is to protect the fundamental rights and freedoms of persons, including the right to privacy, and to set out the procedures and principles to be complied with by the real and legal persons processing data, together with their obligations.

The provisions of the Law apply to real persons whose personal data are processed and to real and legal persons processing this data by fully or partially automatic means, or by non-automatic means provided that the processing is part of a data recording system. The Law makes no differentiation in terms of public or private sector, area of activity or size for legal persons processing data. Therefore all real and legal persons processing data are required to comply with the procedures and principles set out by the Law, to take the necessary measures and to make the required notifications.

3. When will the law not be applicable?

The exceptions to which the Law does not apply are defined in Article 28. Within this scope, the Law will not apply to the following matters:

· The processing of personal data by real persons within the scope of activities related to themselves or their family members residing in the same house, provided that the data are not transferred to third persons and the obligations related to data safety are complied with.

· Processing of personal data, by anonymising them, together with official statistics for purposes such as research, planning and statistics.

· Processing of personal data for purposes such as art, history, literature or science, or within the scope of freedom of expression, provided that it does not breach national defence, national security, public safety, public order, financial security, privacy or personal rights, and does not constitute an offence.

· Processing of personal data by administrative authorities and establishments authorised by law, within the scope of preventive, protective or intelligence activities for ensuring national defence, national security, public safety, public order or financial security.

· Processing of personal data by judicial or execution authorities in relation to investigation, prosecution, judicial or execution procedures.

4. Which personal data are protected by the Law?

As stated above, the provisions of the Law apply to the personal data of real persons whose data are processed. The Law defines the real person whose data are processed as the relevant person.

5. What activities are considered as processing of data?

Processing of personal data is defined as any operation performed on personal data, such as collecting it by fully or partially automatic means, or by non-automatic means provided that it is part of a data recording system, and recording, storing, retaining, altering, reorganising, disclosing, transferring, taking over, making accessible, classifying or preventing the use of such personal data.

A data recording system is defined as a system in which personal data are processed by structuring them according to certain criteria. The system may be physical or electronic.

As can be understood from the definition above, the processing of personal data is a broad concept that includes every activity performed on the data from the moment it is obtained onwards.

At the same time, as set out in the preamble, personal data processed by non-automatic means are not within the scope of the Law if they are not part of a data recording system. Nevertheless, the protection of such data shall be enforced via the provisions of the Turkish Criminal Code.

6. How can personal data be processed?

The second part of the Law sets out the processing of personal data. Within this scope, personal data can be processed by complying with the procedures and principles under this Law and other legislation, and only with the explicit consent of the related person.

Explicit consent is explained as a declaration of consent by the related person to the processing of his or her own personal data, which is given freely, with sufficient information about the matter, in a clear way that leaves no room for doubt, and which is limited to this specific procedure.

The principles that should be adhered to for processing of personal data are set out within Article 4 of the Law as follows:

· Being in conformity with the law and good faith.

· Being accurate and, if necessary, up to date.

· Being processed for specified, explicit, and legitimate purposes.

· Being relevant, limited and proportionate to the purposes for which data are processed.

· Being stored only for the time designated by relevant legislation or necessitated by the purpose for which data are processed.

Within the scope of the principle of being processed for specified, explicit and legitimate purposes, the data controller[1] is required to determine the purpose of processing clearly and definitely, and this purpose should be legitimate. The data controller will therefore be liable if the data are processed for any other purpose. Also, for the purpose to be legitimate, the processed data should be connected with the business performed or the service provided, or should be necessary for these.

The principle of being relevant, limited and proportionate to the purposes for which data are processed requires the processed data to be suitable for the determined purposes, and requires refraining from processing personal data that are irrelevant to, or not needed for, realising the purpose.

7. Is it possible to process personal data without explicit consent?

As per Article 5 of the Law, personal data can be processed without explicit consent if one of the conditions below is satisfied:

· If it is clearly set forth under certain laws.

· If it is mandatory for the protection of life or to prevent physical injury to a person, in cases where that person cannot express consent, or whose consent is legally invalid, due to physical disability.

· If it is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract.

· If it is required for a data controller to fulfil its legal obligations.

· If the data are made public by the relevant person.

· If processing of personal data is mandatory for establishment, exercise, or protection of a certain right.

· If processing of data is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the relevant person are not breached.

8. How can sensitive data be processed?

Data related to race, ethnic origin, political opinions, philosophical beliefs, religion, denomination or other faiths, clothing and attire, membership of an association, charity or union, health, sexual life, criminal convictions and security measures, and biometric and genetic data are defined as sensitive data under the Law.

Pursuant to the Law, sensitive data cannot be processed without explicit consent. As regards processing without consent, a differentiation is made: sensitive data, except for data related to health and sexual life, can be processed without consent under the conditions prescribed by the Law.

Data related to health and sexual life can only be processed without explicit consent by persons under an obligation of confidentiality or by authorised institutions and establishments, for the purposes of protecting public health, preventive medicine, medical diagnosis, performing treatment and care services, and the planning, management and financing of health services.

In addition, adequate measures, to be determined by the Board, must also be taken when processing sensitive data.

9. Under which conditions are personal data required to be deleted, anonymised or destroyed?

Personal data are required to be deleted, destroyed or anonymised by the data controller, ex officio or upon the request of the related person, if the purposes of processing no longer exist, even though the personal data were duly processed in accordance with the provisions of the Law and other related legislation.

10. Can personal data be transferred to third parties?

The Law considers the transfer or taking over of personal data to be within the scope of processing. Therefore, in general, the conditions for processing must be complied with for the transfer of data. Accordingly, personal data cannot be transferred to third parties without explicit consent.

For the transfer of personal data without explicit consent, the conditions under Article 5 of the Law for processing personal data without consent must be satisfied. For sensitive data, the conditions under Article 6 for processing such data without consent must be satisfied, and adequate measures must be taken.

11. Can personal data be transferred to a foreign country?

The explicit consent requirement explained above is also sought for the transfer of data to foreign countries. For transfer without consent, one of the conditions for transfer set out above and one of the conditions defined below must be satisfied:

· Sufficient protection exists in the country to which the data will be transferred,

· Where sufficient protection does not exist, the data controllers in Turkey and in the related foreign country provide a written undertaking of sufficient protection and the Board gives its approval.

The countries with sufficient protection will be determined and declared by the Board. Since no announcement has yet been made in this respect, explicit consent should be obtained for transfer.

12. What is the data controller’s obligation to inform?

The data controller, who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system, or a person authorised by the data controller, has an obligation to inform the related person while collecting personal data. Within this scope, information should be provided about the following matters:

· Identity of the data controller or its representative,

· Purpose of processing,

· The persons that the data may be transferred to and the purpose of transfer,

· Method of collecting personal data and its legal ground,

· Rights of the related person in relation to applications to the data controller.

13. What are the data controller’s obligations in relation to data safety?

The data controller is required to take all technical and administrative measures to provide an appropriate level of security for the purposes of:

· Preventing illegal processing of personal data,

· Preventing illegal access to personal data,

· Ensuring safeguarding of personal data.

The data controller is also required to carry out, or have carried out, the necessary inspections within its own institution or establishment to ensure the application of the provisions of this Law.

If personal data are processed by other real or legal persons on behalf of the data controller, the data controller shall be jointly liable with these persons.

Data controllers and data processors cannot disclose personal data to third parties in breach of the provisions of this Law, nor use such data for purposes other than the purpose of processing. This obligation continues after they leave office.

The data controller is also required to inform the Board and the related person as soon as possible if processed personal data are obtained by others through unlawful means.

14. What is the Data Controllers Registry?

Under the supervision of the Board, the Data Controllers Registry shall be kept by the Presidency in a publicly available manner. Natural or legal persons who process personal data shall register with the Data Controllers Registry before commencing processing, within the time determined and declared by the Board. The Board may grant exceptions to registration with the Data Controllers Registry under the circumstances prescribed by the Law.

No regulation has been made in relation to the Registry yet.

15. What are the related person’s rights?

A real person whose personal data are processed can apply to the data controller in order to exercise the following rights:

· Learn whether her/his personal data have been processed;

· Request information as to processing if her/his data have been processed;

· Learn the purpose of processing of the personal data and whether data are used in accordance with their purpose;

· Know the third parties in the country or abroad to whom personal data have been transferred;

· Request amendment in case personal data are processed incompletely or inaccurately;

· Request deletion or destroying of personal data within the framework of the conditions prescribed by the Law;

· Request notification of activities made as per indents (d) and (e) to third parties to whom personal data have been transferred;

· Object to the occurrence of any result to her/his detriment arising from the analysis of personal data exclusively through automated systems;

· Request compensation for the damages in case damages are incurred due to unlawful processing of personal data.

In case of an application, the data controller is required to conclude the requests within the application free of charge, in the shortest time possible depending on the nature of the request, and within thirty days at the latest. If the procedure requires incurring a cost, the fee determined by the Board may be charged.

Upon the application, the data controller will either accept the requests within the application or reject them by explaining its reasoning, and will communicate its answer to the related person in writing or electronically. If the application is rejected, or the answer is insufficient or not provided within the time limit, the related person may file a complaint with the Board within thirty days from notification of the answer, or within sixty days at the latest.

16. What are the Data Protection Board’s obligations and duties?

The Agency for Protection of Personal Data is established as a public entity with administrative and financial autonomy in order to undertake the obligations prescribed by the Law. The Agency shall enforce the regulations relating to the application of the Law. The Agency is comprised of the Board and the Presidency. The decision-making body of the Agency is the Board, which consists of nine members. The Board was recently inaugurated following the conclusion of the appointments.

The duties and powers of the Board are prescribed by the Law. Within this scope, the duties of the Board include: settling the complaints of related persons claiming that their rights connected with personal data are violated; inspecting whether personal data are processed in compliance with the law, upon receiving a complaint or ex officio where an allegation of violation within its area of duty comes to light, and taking interim measures when necessary; determining the adequate measures for the processing of personal data; ensuring that the Registry is maintained; undertaking the regulatory procedures within its area of duty and in relation to data safety; and deciding on the administrative sanctions prescribed by the Law.

The Board is required to keep minutes of the matters discussed. The decisions and any dissenting votes shall be written within fifteen days from the date of the decision. The Board may announce its decisions to the public if it deems necessary.

17. What are the terms and procedures of the Board’s reviews?

The Board shall carry out the necessary review upon receiving a complaint or ex officio where an alleged violation within its area of duty comes to light. Upon receiving a complaint, the Board shall provide an answer to the related parties after its review. The Board will be deemed to have rejected the complaint if an answer is not provided within sixty days from the date of the complaint. By contrast, no time limit is prescribed by the Law for ex officio investigations.

If a breach is determined upon the Board’s review, the Board shall notify the related parties of its decision that the data controller must rectify the determined breaches. This decision shall be enforced without delay from the date of notification, and within thirty days at the latest.

If the Board determines that the breach is widespread, a resolution may be adopted and published by the Board.

The Board may also decide to stop the processing of personal data, or its transfer abroad, if irreparable damage is caused and there is an explicit breach of law.

Except for classified information and documents that are state secrets, the documents and information requested by the Board in relation to its review must be submitted within fifteen days, and on-site inspection must be enabled if necessary.

Administrative actions may be filed against the decisions of the Board.

18. What are the crimes and misdemeanours prescribed by the Law?

In terms of offences relating to the protection of personal data, the relevant provisions of the Turkish Criminal Code numbered 5237 shall apply. Within this scope, if personal data are not deleted or anonymised, Article 138 shall apply to the relevant persons.

In case of breach of matters such as the obligation to inform, data safety obligations, and notification and registration with the Registry, administrative fines in differing amounts are set forth by the Law. For example, in case of breach of the obligation to notify and register with the Registry, an administrative fine of 20,000 to 1,000,000 Turkish Liras may be imposed by the Board.

As stated in the preamble, the difference between the minimum and maximum amounts is kept wide because the scope of wrongfulness, the level of culpability and the financial situation of the offender will be considered, as per the Law of Misdemeanours numbered 5326, when a decision is made on administrative fines.

19. What are the secondary regulations in relation to the Law and the expected developments about these?

The related regulations are required to enter into force within a year from the date of publication of the Law. Therefore the regulations are required to be published in the Official Gazette by 7 April 2017 at the latest. Under the current situation, the Board has announced that the draft regulations will be made available for comments[2].

As stated above, the Data Controllers Registry has not yet been established. Within the scope of the secondary legislation, the Board will issue a regulation in this area and announce the dates for registration.

20. What is the status of personal data processed prior to the Law?

The transitional provisions of the Law regulate this matter. Accordingly, personal data processed before the date of publication of this Law shall be brought into compliance with the provisions of this Law within two years following the date of publication of the Law. Personal data found to be contrary to the provisions of this Law shall be immediately deleted, destroyed or anonymised. Consents lawfully obtained before the date of publication of this Law shall be deemed in compliance with this Law, provided that no declaration of intention to the contrary is made within one year.

You may contact us at info@engblaw.com for your questions regarding the legislation on protection of personal data and compliance procedures.

[1] The Law defines data controller as the real or legal person that determines the objectives and tools of processing of the personal data, and is responsible for the establishment and management of a data recording system.

[2] http://www.kvkk.gov.tr/haber_mevzuatcalismasi.html (date of access 04.04.2017)