Abstract
Some transactions such as obtaining, recording, storing, disclosing, transferring or classifying any kind of information regarding an identified or identifiable real person by a real or legal person that is responsible for establishing and managing the data recording system have been deemed lawful within the scope of the principles and the procedures set out in Personal Data Protection Law (“The Law”) numbered 6698, published in the Official Gazette on 7 April 2016. In this article, the enacting process of The Law will be covered first, starting from the Convention for the Protection of Individuals against Automatic Processing of Personal Data numbered 108 signed by Turkey until the time The Law entered into force. Afterwards, the kinds of information that are defined as personal data and specific personal data and how those data will be processed lawfully by the data controller will be covered. The data subject’s rights and the data controller’s obligations regarding data security will be reported as well. After brief information about the administrative structure of The Institution to be established under the new law, the crimes and misdemeanors that data controllers may face and the matters excluded from the scope of The Law will be explained in the last section.
I. INTRODUCTION
Personal data processing has become a basic need for public and private entities to be involved in any activity. Before a special regulation concerning personal data protection entered into force in our country, personal data were processed without legal methodology and framework, and it was also impossible to confront those who were responsible for unlawful personal data processing. The provisions of lawful processing of personal data are regulated by Personal Data Protection Law (“The Law”).
In this study, firstly, the differences between personal data and specific personal data will be analyzed; subsequently, proper data processing methods will be examined as well. Afterwards, in addition to the statutory obligations imposed on the data controller for the purpose of secure processing and storing, the rights that the data subject is entitled to will be discussed. Thereafter, legally appropriate conditions concerning personal data processing will be assessed by treating employers as personal data controllers within the frame of labor law. Lastly, the organizational structure of the Institution of Personal Data Protection, which is instituted to fulfill the statutory obligations given by The Law, penal sanctions, and first-time-regulated administrative sanctions against unlawful acts will be studied.
II. HISTORICAL DEVELOPMENT
Along with the development of technology and increasing usage of computers in daily life across the globe in the second half of the 20th Century, it has become popular to record and transfer personal data to digital media. As a disadvantage of such popularity, the security problem has emerged as a current issue as a result of the data being easily acquired, misused and taken advantage of unlawfully by third parties. Accordingly, because the rules oriented to protect human rights are insufficient against substantial losses of the people working for private or public sector and whose data are recorded, it has become compulsory to settle on an international convention embracing this area.
In 1981, “The Convention for the Protection of Individuals against Automatic Processing of Personal Data” numbered 108 was accepted by the European Council and opened for signature. This convention has the characteristic of being the first binding convention for the protection of personal data.1 The convention is not only applicable for the member states of the European Council but also for all the other countries.
A. Enactment Process in Turkey
Turkey signed the convention on 28.01.1981 with other member states; however, the provisions of the convention were approved after the Personal Data Protection Law numbered 6698 was published in the Official Gazette and entered into force on April 7th, 2016.
1. Before the 2010 Constitutional Amendment
In our country, the very first endeavor to constitute the Personal Data Protection Law took place in 1989. However, it failed on the first try and the draft law could not be completed. The next attempt took place in 2000, but due to the government reshuffle and set of territorial issues on those days, the draft law could not be completed entirely. In the new draft version of the Turkish Penal Code dated 2001, the following acts were defined as crimes: personal data collection, installing data into an information system, not taking enough measures for protection, passing data to unauthorized people, data disposal, data disclosure, using data for special purposes, data takeover and not destroying the data when it’s convenient. The draft code could not be perfected because of the government reshuffle.
In 2004, the committee was established once again. However, the draft law that was prepared by that committee was not enacted due to the Grand National Assembly of Turkey (“GNAT”) election and was invalidated by internal regulation, article 77. Furthermore, “The Regulation of Processing of Personal Data and Protection of Confidentiality in Telecommunications Sector” prepared by the Information and Communication Technologies Authority (“ICTA”) entered into force in 2004.
2. After the 2010 Constitutional Amendment
By the constitutional reform in 2010, “The Protection of Personal Data” is guaranteed as a basic human right under the Constitution with the law numbered 5982 that was accepted with a referendum, and enactment of the details is envisaged to be regulated by enacting a law.2 In 2011, the Ministry of Justice conveyed to the Prime Ministry with a letter that the renewal of the draft law would be reasonable. Thereupon, a science commission composed of academics was established and the draft constituted by the commission was dispatched to the relevant commission. These endeavors were accomplished with the assistance of the technical support of a Dutch consulting firm and Matra Fund which is a European Union cohesion fund and is used for technical aid regarding the phases of accession. The aforementioned draft was sent to the Prime Ministry in 2012.3
In 2013, “The Regulation of Processing of Personal Data and Protection of Confidentiality in Electronic Communication Sector” prepared by the ICTA entered into force. The next year, Supreme Court, referring to the constitutional amendment in 2010, invalidated Article 51 of Electronic Telecommunication Law numbered 5809 authorizing the Telecommunications Communications Presidency (“TCP”) and ICTA regarding personal data protection. Afterwards, a new draft law on the same subject was presented in GNAT in 2014, yet it was also rejected.
Following the GNAT reshuffle, it was stated in the 64th government 2016 action plan that legislative regulations regarding the protection of personal data would be put into practice within the first 3 months. After “The Draft Law of the Protection of Personal Data” was accepted by the Council of Ministers, the Law numbered 6698 was presented in GNAT on 18.01.2016 and entered into force on 07.04.2016 by being published in the Official Gazette.
III. THE PROCEDURES AND PRINCIPLES CONCERNING THE PERSONAL DATA PROCESSING
A. The Definition
In Article 3 of The Law titled “Definitions”, personal data has been defined as “any kind of information regarding an identified or identifiable real person.” In constitutional court decisions, it is expressed as “all sorts of information relating to a person as long as his/her identity is certain or determinable.” In this context, not only “name, surname, birth date” and any other information which reveal only the identity of a person but also “phone number, motor vehicle plate number, social security number, passport number, resume, photo, image and audio records, fingerprints, IP address, e-mail address, hobbies, choices, individuals interacted with, group memberships, marital information, health information and any other data that makes an individual certain or identifiable directly or indirectly” have been defined as personal data.4
B. General Principles
As per Article 4 of The Law, procedures and principles of personal data processing are regulated in parallel with Convention 108 and the 95/46/EC Directive. Therefore, personal data shall be processed fairly and lawfully; within the scope of specific, explicit and justified purposes; on the conditions that they are correct and up to date; compatible with the purpose of processing and stored only for the required length of time. For instance, a transaction that turns a person’s status from patient into potential customer, as a result of a medical corporation acquiring processed data containing the individual’s health records, will be considered an unlawful transaction. Thereby, it has become obligatory to abide by the given principles for personal data processing.
The explicit consent is defined in The Law as consent that is expressed by free will and based on being informed about a certain subject. Tangible forms that are involved in explicit consent have not been listed. Hence, a detailed definition will emerge in time within the scope of Judicial Council’s decisions in the resolution of.
The Law defines as processing of personal data any kind of transaction that can be performed on the data, such as obtaining, recording, storing, conserving, altering, revising, disclosing, transferring, making acquirable, classifying or preventing from utilization. Personal data shall not be processed without the explicit consent of the data subject (a person to whom the personal data relates). However, the explicit consent of the data subject is not required if at least one of the conditions included in the fifth Article of The Law is present. These conditions can be defined as when:
i. It is envisaged in the legislation.
ii. It is mandatory for someone who is unable to declare his/her consent or not legally entitled to give consent in consideration of protecting his/her or others’ life and physical integrity.
iii. It is necessary to process the personal data of the contracting parties only if it is directly relevant to establishing and performing the contract.
iv. It is mandatory in order for the data controller to perform his/her legal obligations.
v. It is publicized by the data subject itself.
vi. It is mandatory to process the data for establishing, exercising or preserving a right.
vii. It is mandatory to process the data for data controller’s legitimate interests provided that the fundamental rights and freedoms of the data subject are not violated.
C. The Processing of Specific Personal Data
In The Law, specific personal data means personal data consisting of information as to the racial or ethnic origin of the data subject; political opinions, philosophical beliefs and religion, sectarian or other beliefs; appearance, membership of an association, foundation or syndicate; health condition, sexual life, previous penal conviction or safety precaution data, biometrical and genetic data.5
It is forbidden to process specific personal data without an explicit consent given by the data subject. However, the exceptional conditions are laid down by the sixth Article of The Law: All specific personal data apart from health and sexual life data can be processed if it is explicitly envisaged by the legislation. As for the personal data concerning health and sexual life, an explicit consent given by the data subject is not sought for his specific personal data to be processed by the persons or institutions and organizations under confidentiality obligation with the purpose of protecting public health; preventive medicine; medical diagnosis; maintaining medical treatment and care services; planning, administering and funding the health services. It is laid down as a condition that due precautions must be taken by the Organization of Personal Data Protection during the processing of specific personal data.
D. The Erasure, Destruction and Anonymizing of Personal Data
Even though processing may have complied with the provisions of The Law and other provisions, it is regulated that the personal data shall be erased, destroyed or anonymized by the data controller upon the request of the data subject or ex officio if the reasons requiring the data to be processed disappear.6 The principle of purpose commitment is deemed the basis of this provision.7 The operation will be considered unlawful as soon as the purpose on which the data storing is based is removed. When assessed within the scope of “the right to be forgotten,” which is the objective accepted in the EU practice, the common ground between “the right to be forgotten” and the right of personal data protection is: “What lie behind the core of both rights are to live honorable life for an individual, improve his personality and manage his personal data freely.”8 To give an example, it is considered an invasion of privacy if the registry of an association member is not destroyed or is still accessible in the event that the relevant member’s opinions and ideology entirely change after 20 years of being affiliated to the association. Accessibility with an internet search of many kinds of data about an individual may result in judgmental views about that individual as well as constituting a barrier to developing their personality freely.
E. Transfer of Personal Data
Personal data shall not be transferred overseas without the consent of the data subject.9 It is allowed to transfer personal data to a foreign country provided that an adequate level of protection exists. If not, data controllers in foreign countries must provide recognizance of an adequate level of protection and the permission must be granted by the Committee in order to transfer the data abroad. Reserving the provisions of the international convention, personal data can be transferred overseas in such cases where the interests of data subject or Turkey could be severely damaged only when permission is granted by the Council upon receipt of opinions of the relevant institutions and organizations.
F. Rights and Obligations
There are certain rights in The Law that data subjects are entitled to; on the other hand, some obligations are imposed on data controllers.10
1. The Rights of Personal Data Owner
The eleventh Article of The Law ensures the rights of a person whose personal data are processed. Learning whether or not one’s personal data are processed, and for what purpose, is regulated within the scope of the data subject’s right to obtain information.
The lawmaker vests the data subject with the power to supervise and intervene in the obtaining, processing and transferring operations of the personal data. Accordingly, the data subject has a right to demand a correction of broken and incorrect personal data, object to adverse outcomes that occur when processing is carried out automatically and seek compensation for damage caused by processing that is out of purpose and unlawful.
2. Disclosure Requirement of Data Controller
Within the context of the disclosure requirement, the legislator entitles the data subject to obtain information with regard to the processing of those data: by whom, for what purposes, based on which legal justification, and to whom else the data could be transferred. Accordingly, the data controller or other persons who have been authorized by the data controller, who obtain, process and transfer data, are liable to inform the data subject with regard to their credentials, the way of acquiring personal data, and the purpose and the legal justification on which the processing and transfer of the data are based.11
3. The Obligations Regarding Data Safety
The law imposes on the data controller an obligation of providing data safety that consists of storing personal data legally and preventing them from being processed and accessed unlawfully.
Data controller is defined in The Law as a “natural or legal person that determines the objective and the means of processing and is responsible for establishing and managing the data recording system”. Thus, the data controller is the only authorized person to answer the questions of “why” and “how” concerning the operation of personal data processing.12
Data controller is jointly and severally liable for the data that is processed on behalf of him by a natural or a legal person. Additionally, it is mandatory for the data controller to conduct the necessary audits within his own agency and institution so that the provisions of the law text are appropriately applied.
4. The Protection of Personal Data in Labor Law
Generally, the employee’s rights are damaged by the employer by virtue of the fact that the employees represent the weak side of the contract in which the principle of equality of arms is not applied. As a requirement for the principle of balancing the benefits, the legislation restricts the processing of the employee’s personal data by an employer who is superior to the employee in terms of audit and supervision. Prior to The Law, personal data belonging to the employee were protected against the employer by Article 419 of the Turkish Code of Obligations. Considering the new regulations, the employer shall process the employee’s personal data only according to the conditions below:
i. In order to perform employer’s legal obligations: In this context, organizing documents relating to Social Security Institution or creating personal file are examples of processing a set of personal data.
ii. To perform obligations resulting from contract of employment: Within this scope, it is proper to learn employee’s body size regarding personal protective equipment to be put on for occupational health and safety and to examine disease registry.
iii. In a situation where there is “superior special interest” for enterprise: It is not an adequate cause to interfere in the rights of the employee for economic interests only. It is significant to make a balance in accordance with the principle of proportionality.
iv. Due to the given consent by the employee: It is not acceptable to make a common practice of legalizing unlawful transactions based only on the employee’s consent, because it is out of the question to expect the employee to stand against the employer’s demands; thus the employee’s free consent cannot be an excuse.
v. So as to make a contract of employment: Certain information about the applicant could be possessed in order to find out his/her business sense and suitability for job.
It is allowed for specific personal data regarding employee’s health condition to be processed in case of being related to the nature of business.13 For instance, it’s illegal for the employer to process the data of the employee about drinking alcohol. However, as it is required for the nature of business, it is allowed and legal to examine and process such specific personal data for drivers every morning.
A set of surveillance and observation methods that are applied at the office are also evaluated within the scope of data processing of the employee. Following the internet use of an employee, wiretapping, constant surveillance under CCTV, etc. are unlawful except under the circumstances required by occupational health and safety and for the purposes that the nature of business requires, provided that the necessary level is not exceeded.
G. The Registry of the Data Controller
It is a requirement for natural and legal persons processing personal data to register prior to data processing at the Registry of Data Controller, which is held open to public by the Leadership and is supervised by the Committee.14 The members of the Committee will be elected and the organization of the Leadership will be established within six months after the publication of The Law. Thus, the liability of the data controller to register will be introduced following the announcement of the Committee to be established as of October 7th 2016.
The following conditions must be included in the application for the Registry of Data Controller: Credentials and address information of the data controller or his/her representative (if any), the purpose of personal data processing, description of a group of data subjects and data categories related to this group, recipient or recipient groups that the personal data will be transferred to, the personal data that is envisaged to be transferred overseas, the precautions to be taken regarding personal data safety and maximum time given by the purpose of personal data processing. The Leadership shall be informed about any modification that may arise regarding the above-mentioned information.
H. Crimes and Misdemeanors
Before The Law entered into force, the Turkish Penal Code15 was applied for unlawful recording, acquiring and destroying of the personal data. Yet, still there is no penal regulation on unlawful personal data processing. On the other hand, in addition to penalty of imprisonment, administrative fine is envisaged as a sanction of unlawful data processing for the first time.16
It is regulated in Article 18 of The Law that real persons and private law legal entities which act contrary to various liabilities stated by The Law can be subjected to different penalties. In this framework:
i. If the disclosure requirement is not fulfilled, from 5.000 TL to 100.000 TL,
ii. If the obligations regarding data safety are not fulfilled, from 15.000 TL to 1.000.000 TL,
iii. If the decisions given by the Committee are not implemented, from 25.000 TL to 1.000.000 TL,
iv. If the notice and registration requirement of the Registry of Data Controller is not fulfilled, from 20.000 TL to 1.000.000 TL,
shall be paid as an administrative fine.
I. The Excluded Parts of the Scope of The Law
Processing of personal data among the family members living in the same residence is excluded from the scope of The Law, as well as processing with the purpose of research and statistics. In the meantime, the procedures and principles of The Law shall not be implemented in the following circumstances of data processing: national defense, national security, public safety, public order, preventive and inhibitive intelligence activities towards providing economic safety, and processing by the judicial authorities with respect to investigation, prosecution and judgment transactions.17
J. The Administrative Structure under The Law
The Institution of Personal Data Protection, which is administratively and financially autonomous and possesses public entity, is established to fulfill the obligations given by The Law. This Institution is comprised of the Committee, which is the decision-making body, and the Leadership. The Leadership is directly associated with the Prime Ministry and governed by the center in Ankara. The Committee, serving as the decision-making body of the Institution, independently fulfills the obligations given to it by the legislation and The Law itself. The Committee consists of nine members. Five of those members are elected by the Grand National Assembly of Turkey; two of them are elected by Council of Ministers and the other two are elected by the President. The requirements to be a member of the Committee are provided by The Law.
The president of the Committee and the vice president are elected among the members by the Council of Ministers. The president of the Committee is the president of the Institution as well. A Committee member’s term of office is four years and the same member can be reelected for the next term. A member of the Committee cannot be dismissed for any reason before the time given by the Committee is expired. The exception to this rule is stated in Article 21, Paragraph 11. The president of the Committee is the head of the Institution. He/she regulates and implements the institution services in accordance with the legislation, objects and politics of the Institution, strategic plan, performance criteria and standards of quality of service, and facilitates coordination among the service units. The Leadership is an organized structure that consists of a vice president (who is assigned by the President) and service units under the heads of departments. The number of heads of departments cannot be more than seven.
Furthermore, apart from the above-mentioned officials, personal data protection experts and assistant experts can be employed.
K. The Principles of The Law in regard to Inurement and the Transitional Period
The following provisions will enter into force six months after the publication of The Law in the Official Gazette: Transfers of personal data to third parties or overseas, the rights of the personal data subject, and the provisions of the crimes and administrative fines. All other provisions of The Law in addition to the aforementioned provisions will enter into force right after its publication.18
A two-year transitional period after The Law’s publication in the Official Gazette is allowed to make lawful those personal data processed unlawfully before the procedures and principles introduced by The Law. Unless otherwise stated, the consents received lawfully before The Law will be deemed statutory within a year.19
IV. CONCLUSION
The main reason why cooperation between our security forces and EUROPOL, which organizes the cooperation among the security forces in Europe, has not been carried out and electronic data interchange has not been actualized until a little while ago is that a regulation concerning personal data protection was not in force. Accordingly, the lack of collaboration in fighting against crime between our country, which is located within the route of transnational crimes, and other countries under EUROJUST, which is established for cooperative jurisdiction fighting with transnational crimes, was due to the absence of such regulation in force as well. Personal data protection also represents a great significance for our country because of its close relationship with the economy. Thus, data transfer, of which the foreign investors that are expected to invest in Turkey are in need in order to manage their own investments efficiently in Turkey and other countries, has not been functioning due to such legislation deficiency. While this situation was considered as a deterrent factor for such investments in our country, similar problems of our entrepreneurs on data transferring regarding their investments and partnerships in other countries came up as well.
In addition to all these, it can be stated that personal data is directly related to four negotiation chapters of the European Union Full Membership Process. Considering that a legal loophole on data protection in Turkey is referred to in the “progress reports”, the opportunity to pull ahead in this progress period concerning negotiation chapters is seized with The Law being put into force.21
Consequently, a significant contribution to various areas such as social, economic, security and justice domains is expected to be made as a result of data and information sharing on a global scale following The Law being put into force.
BIBLIOGRAPHY
Aydın Akgül, Danıştay ve Avrupa İnsan Hakları Mahkemesi Kararları Işığında Kişisel Verilerin Korunması Hakkı, İstanbul 2014
Aydın Akgül, “Kişisel Verilerin Korunmasında Yeni Bir Hak: ‘Unutulma Hakkı’ ve AB Adalet Divanı’nın ‘Google Kararı’”, Türkiye Barolar Birliği Dergisi, January-February 2015, No 1116 http://tbbdergisi.barobirlik.org.tr/m2015-116-1440 (Access: 31.05.2016).
Füsun Nebil, “Kişisel Verilerin Korunması Kanununun Tarihçesi ve Analizi - II” http://turk-internet.com/portal/yazigoster.php?yaziid=52052 (Access: 27.05.2016).
Leyla Keser, the speech on “Current Developments in European Law” which was presented at IT Law Summit, Istanbul April 10 2016
FOOTNOTE
1 Aydın Akgül, Danıştay ve Avrupa İnsan Hakları Mahkemesi Kararları Işığında Kişisel Verilerin Korunması Hakkı, Istanbul 2014, p. 189.
2 Akgül, p. 222
3 Füsun Nebil, “Kişisel Verilerin Korunması Kanununun Tarihçesi ve Analizi - II” http://turkinternet.com/portal/yazigoster.php?yaziid=52052 (Access: 27.05.2016).
4 Constitutional Court Decisions D. 09.04.2014, E.2013/122, K.2014/74; D. 02.10.2014, E.2014/149, K.2014/151; D. 04.12.2014, E.2013/84, K.2014/183; D. 25.12.2014, E.2014/74, K.2014/201; D. 19.03.2015, E.2014/180, K.2015/30.
5 Personal Data Protection Law (PDPL) Art. 6.
6 PDPL Art. 7.
7 PDPL Art. 4.
8 Aydın Akgül, “Kişisel Verilerin Korunmasında Yeni Bir Hak: ‘Unutulma Hakkı’ ve AB Adalet Divanı’nın ‘Google Kararı’”, Türkiye Barolar Birliği Dergisi, January-February 2015, Issue 1116, p. 14. http://tbbdergisi.barobirlik.org.tr/m2015-116-1440 (Access: 31.05.2016).
9 PDPL Art. 9.
10 PDPL Art. 10-12.
11 PDPL Art. 10
12 Leyla Keser, Cited from the speech on “Current Developments in European Law” which was presented at IT Law Summit, Istanbul April 10 2016.
13 PDPL Art. 6.
14 PDPL Art. 16
15 Turkish Penal Code dated 26.09.2004, Art. 135-140
16 PDPL Art. 18.
17 PDPL Art. 28.
18 PDPL Art. 32
19 PDPL Temporary Art. 1
20 Personal Protection Draft Law Dated 18.01.2016, General Preamble
21 Personal Protection Draft Law Dated 26.12.2014, General Preamble.








