Legal Dimension of Corporate Data Security

The existence of a strong interest[1] on any data by natural or legal entities is called “data ownership”. It is seen that the identification of the data owner serves to ensure data security[2]. In the international doctrine where data ownership is examined, the definition of “corporate data” has emerged. Corporate data is exemplified as, but not limited to, commercial information of companies, information of employee and information of customer and supplier[3].

While there are discussions in the doctrine that legal entities, as well as natural persons, should be protected from data breaches, there are approaches that personal data can be protected by legal regulations for the protection of trade secrets of legal entities. Although according to the GDPR and the Turkish data protection legislation(Law №6698[4]), data protection is limited to natural persons; it should be emphasized that countries are free to include legal entities in the scope of data protection in accordance with the Ration №24 of the Directive 95/46/EC[5]. However, the more recent Directive 2002/58/EC on the Processing of Personal Data and the Protection of Privacy in Electronic Communication[6] clearly stipulates the need for the protection of legal entity data[7]. Also in Switzerland, the Data Protection Law, which entered into force on 01.07.1993, provides for the right to the protection of personal data, including legal entities without any discrimination[8].

In the Turkish legislation, the data of a legal entity that contains a different legal personality other than natural persons and may seen as a confidential business information, know-how or a state secret(depending on the data type of public/private entities) shall not be evaluated in the personal data category and shall not be protected within the personal data legislation. For this reason, all the facts that can be deducted from the legal entity will be called as “data” and cannot be protected by the legal regulations within the scope of data protection law regarding the “personal data”. Data relating to natural persons constituting the bodies of the legal entity shall be considered as “personal data” in accordance with the legal regulation, so long as it can be directly associated with a certain or identifiable legal person as an organ member.

While the basis of the necessity of protecting personal data is to aim to prevent data-related damages of natural persons to whom the data is linked; and if it is accepted that the purpose of data protection is to provide data security, there is a dominant view that the term as “data security(datensicherheit)” is preferable. When the German law regulations, which are the starting point of the term data security are examined, it is seen that data security means dominating data, ensuring multi-faceted protection of data and effective use of the right to control data. Likewise, the interests of legal entity data security and the interests of users who have organic ties with the legal entity are directed to protection for reasons of national security, commercial utility[9] or management efficiency.

When the comparative law on data protection is considered, it is seen that the data of legal entities such as natural persons are protected. For example in Switzerland, the data protection law regulates the data can only be processed if they meet the criteria of legality, goodwill, limited for purpose, transparency, data accuracy and data security[10].

Another important regulation on the subject is Trade-Related Aspects of Intellectual Property Agreement(“TRIPS”) that most comprehensive agreement qualities in the field of intellectual property are entered into practice since 2000 in Turkey. Article 39 of the TRIPS titled “protection of undisclosed information” obliges member states to protect unexplained information and data submitted to governments. Article 3 stipulates that the members of their citizens shall have no less protection than the practice of protection of intellectual property, except for the exceptions provided for by the Paris Convention (1967), the Bern Convention (1971), the Rome Convention or the Intellectual Property Treaty on Integrated Circuits.

All information relating to the legal entity, which uses labor and time capital in its acquisition by the legal entity and which may be deemed worthy of protection as a result of making a difference by having these data, may be considered as legal entity data. As a matter of fact, when the personal data mining studies in comparative law are examined, it is seen that the volume and revenues of legal entities related to legal entities are taken into consideration in this equation as a whole.

Following the identification of the legal entity data, the security of these data should be ensured as multilateral aspects. Data security is defined as an effort to protect and transmit data to the recipient without any interference in order to protect the data from unauthorized access in the electronic environment. In the practice of German law states as methods of securing legal entity data with the ability of legal entities to monitor and manage their access to their data comprehensively, to make backups of these data at every stage of the transactions, to close the existing security gaps by the parties, to protect them from unauthorized access, to use secure storage and monitoring methods, to ensure the security of passwords and password keys[11].

In the researches conducted in Turkey shows that, in order to prevent data theft attacks and security vulnerabilities, it is necessary to learn the elements of information security. Therefore, in order to ensure the security of the legal entity data, the confidentiality, integrity, authentication, non-repudiation, accountability, access control, reliability and safety of data must be ensured initially.

[1] Carol Woodbury, “The Importance of Data Classification and Ownership”, SkyView Partners Inc, 2007, (çevrimiçi) http://www.srcsecuresolutions.eu/pdf/Data_Classification_Ownership.pdf,

[2] Safwan Mahmud Khan, Kevin W. Hamlen, AnonymousCloud, “A Data Ownership Privacy Provider Framework in Cloud Computing”, y.y., http://www.utdallas.edu/~hamlen/khan12trustcom.pdf ,

[3]Definition of Corporate Data, Law Insider Contract Database and Search Engine, https://www.lawinsider.com/dictionary/corporate-data

[4] Turkish Personal Data Protection Law no. 6698, published in the 29677 numbered, 07.04.2016 dated Official Gazette.

[5] It was published in the Official Journal of the European Communities dated 23.11.1995 and numbered L281–38.

[6] It was published in the Official Journal of the European Communities dated 31.07.2002 and numbered L201–45.

[7] Habip Oğuz, “Elektronik Ortamda Kişisel Verilerin Korunması, Bazı Ülke Uygulamaları ve Ülkemizdeki Durum”, Uyuşmazlık Mahkemesi Dergisi 0/3, 2013.

[8] Pierre Engel, La Protection de la Personnalite, Lausanne, Formation continue des journalistes, 1985.

[9] Checkliste für die Datensicherheit im Unternehmen, ownCloud, https://owncloud.com/wp-content/uploads/2015/11/eBook_Data_Security_IT_Checklist_GER_DE_151101.pdf

[10] Nico Ebert, Michael Widmer, Datenschutz in Schweizer Unternehmen 2018, Eine Studie des Instituts für Wirtschaftsinformatik und des Zentrums für Sozialrecht, ZHAW School of Management and Law, Schweiz 2018.

[11] Checkliste für die Datensicherheit im Unternehmen, Owncloud.

This Article is issued in TurkishLawBlog.