Personal Data Protection in Turkey
1. What is Personal Data?
Personal data is defined as any information relating to an identified or identifiable natural person under the Personal Data Protection Code No. 6698. Its scope is very broad and covers, for example, hair color, shoe size, religious beliefs, credit card information, name and phone number. Note that the data must belong to a natural person, not a legal entity.
2. Why is Personal Data Protected?
Today, personal data is protected by legal mechanisms in various legal systems throughout the world. This protection responds to the unlawful use of personal data by third parties, especially by companies for commercial reasons and by organizations for discriminatory reasons. For example, unlawful processing of personal data may lead to health data being shared with unwanted third parties, which may in turn result in the rejection of a job application. Protection of personal data is therefore directly related to a person's legal rights and freedoms.
Secondly, third parties obtaining a person's personal data is, in the modern era, one of the most dangerous enablers of cyber crime, including but not limited to credit card fraud, breaking into bank accounts, impersonation and obtaining money from the victim's friends.
Third, protection of personal data also ensures a safe and fair consumer market by preventing companies from approaching consumers with sensitive information in order to influence their purchase decisions.
3. How is Personal Data Protected?
Personal data is protected via international and national legal mechanisms such as the General Data Protection Regulation (GDPR) and the Data Protection Law Enforcement Directive in the European Union, both of which entered into force in 2016.
In Turkey, the Code on the Protection of Personal Data No. 6698, dated 2016, is the main legislation in this field. It is directly based on Directive 95/46/EC of the European Parliament and of the Council of 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
4. What is the Scope of The Code on the Protection of Personal Data No. 6698?
The purpose of the Code is to protect fundamental rights and freedoms of people, particularly the right to privacy, with respect to processing of personal data and to set forth obligations, principles and procedures for those natural or legal persons who process personal data.
The Turkish Data Protection Authority has also been established under this Code in Ankara. Its mission is to ensure the protection of personal data and to raise public awareness in this respect, in line with the fundamental rights related to privacy and freedom set out in the Constitution of the Republic of Turkey and in the Code.
5. What are the Fundamental Concepts of Data Protection?
There are some key concepts in data protection which should be well understood. These are:
- Personal Data
- Processing of Personal Data
- Data Controller
- Explicit Consent
As discussed above, personal data must relate to a natural person and must distinguish that person from others. The Code also defines sensitive personal data as data relating to race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other beliefs, appearance, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data. These special categories of personal data cannot be processed without the explicit consent of the data subject.
“Processing of personal data” means any operation performed on personal data, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, etc.
So how does a company process personal data? A company may collect the identity and contact information and addresses of its employees, customers, job applicants or visitors. Any collection, storage or transfer of such personal data is deemed processing of personal data.
“Data Controller” is the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system. A doctor, a pharmacist, a company or a foundation are examples of data controllers. The data controller is obliged to take all necessary technical and organizational measures to provide an appropriate level of security, in order to prevent unlawful processing of and access to personal data and to ensure the protection of personal data. If the processed data are obtained by others by unlawful means, the data controller shall communicate the breach to the data subject and notify the Board within the shortest time.
Last but not least, “Explicit Consent” means freely given, specific and informed consent. This is particularly important because the Code requires the explicit consent of the data subject for processing on many occasions. For explicit consent to be valid, the data subject must be well informed as to the grounds and scope of the processing and must have the opportunity to declare his or her will freely.
6. What are the General Principles of Processing of Personal Data?
The Code specifies general rules for personal data processing in Article 4. Personal data must be:
- processed lawfully and fairly;
- accurate and, where necessary, kept up to date;
- processed for specified, explicit and legitimate purposes;
- relevant, limited and proportionate to the purposes for which they are processed;
- stored for the period laid down by the relevant legislation or the period required for the purpose for which the personal data are processed.
Data controllers are responsible for complying with these principles while processing personal data.
7. What are the Conditions for Processing Personal Data?
The Code specifies a general condition for personal data processing in Article 5: personal data cannot be processed without the explicit consent of the data subject. However, there are some exceptions to this condition:
- If it is expressly provided for by the laws.
- If it is necessary for the protection of the life or physical integrity of the person himself/herself or of any other person who is unable to express his/her consent due to physical disability or whose consent is not deemed legally valid.
- If processing of the personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
- If it is necessary for compliance with a legal obligation to which the data controller is subject.
- If the personal data have been made public by the data subject himself/herself.
- If data processing is necessary for the establishment, exercise or protection of any right.
- If processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing does not violate the fundamental rights and freedoms of the data subject.
In any of these cases, explicit consent is not sought.
8. What are the Rights of the Data Subjects?
In accordance with Article 11 of the Code, each person has the right to apply to the data controller and:
- to learn whether his/her personal data are processed or not,
- to request information on the processing, if his/her personal data have been processed,
- to learn the purpose of the processing of his/her personal data and whether these personal data are used in compliance with that purpose,
- to know the third parties to whom his/her personal data are transferred, in the country or abroad,
- to request the rectification of incomplete or inaccurate data, if any,
- to request the erasure or destruction of his/her personal data,
- to object to a result that arises against the person himself/herself from the analysis of data processed solely through automated systems,
- to claim compensation for damage arising from the unlawful processing of his/her personal data.
9. What are the Sanctions Against Data Controllers Who Act Against the Code?
The Code imposes both administrative fines and penal provisions for the data controllers who do not comply with the provisions of the Code.
As for crimes, Articles 135 to 140 of the Turkish Penal Code apply to offences concerning personal data. In particular, those who do not erase or anonymize personal data contrary to the provisions of the Code shall be punished in accordance with Article 138 of the Turkish Penal Code.
To be more specific:
- Article 135 of the Turkish Penal Code imposes a sentence of 1 to 3 years in prison on those who illegally record personal data.
- Article 136 of the Turkish Penal Code imposes a sentence of 2 to 4 years in prison on those who illegally obtain or transfer personal data.
- Article 138 of the Turkish Penal Code imposes a sentence of 1 to 2 years in prison on those who do not destroy personal data in accordance with the provisions of the Code following its expiry.
As for administrative fines, those:
- who do not fulfil the obligation to inform,
- who do not fulfil the obligations related to data security,
- who do not comply with the decisions issued by the Board,
- who act contrary to the obligations for registration with the Data Controllers’ Registry
shall be subject to an administrative fine of varying amounts, between roughly 10.000 TL and 2.000.000 TL for 2021. These amounts are automatically increased in October of each year in accordance with the average producer price inflation rate of the current year.
10. What is the Personal Data Protection Law Compliance Process?
The responsibilities of data controllers have been determined within the framework of the Personal Data Protection Law No. 6698, the related secondary legislation and the decisions of the Personal Data Protection Board. In this context, data controllers are obliged to adjust their organizations and comply with the legislation, for example by registering in the “Data Controllers Registry Information System” (VERBIS), preparing the “Personal Data Processing Inventory” and the “Storage and Destruction Policy”, and taking technical and administrative measures regarding personal data security.
The process by which data controllers regulate their own organization and activities in accordance with the principles specified in the Law and in Board decisions is called the adaptation process. It is extremely important that this process is prepared with a consultant who is well versed in personal data protection. Otherwise, data controllers are likely to face administrative fines and imprisonment as a result of the audits carried out by the Board, either ex officio or upon complaint.
For information in Turkish please visit: https://monasystems.com/6698_kvkk/