ABSTRACT
This article provides a detailed analysis of outdated public records held by the administration under Law No. 6698. It addresses the applicability of Law No. 6698, whether outdated public records fall under the purview of personal data, and what factors should be taken into account if these records are processed.
I. INTRODUCTION
Nowadays, public records created as a result of transactions conducted by public institutions and made available for a variety of reasons have become an important topic of discussion in terms of personal data protection. The Personal Data Protection Law No. 6698 (“Law No. 6698”) aims to protect individuals’ personal data, but some ambiguities and practical issues arise regarding how these records should be handled.
Law No. 6698, which came into force in 2016, took an important step to ensure the protection of individuals’ personal data. However, during the implementation of Law No. 6698, especially regarding how outdated public records should be handled, some ambiguities and discussions have arisen. These records can be found in the archives of public institutions, court records, school records, hospital records, and similar sources. Law No. 6698 defines any information that makes it possible to identify an individual directly or indirectly as personal data. This definition is further explained in Article 3 of Law No. 6698, emphasizing that if a record, even if outdated, contains information that can be used to identify or make identifiable a person based on certain characteristics, it can be considered personal data. Public records published by administrations are generally made accessible according to criteria determined by considering public interest and the principle of transparency. These records are shared to inform the public and ensure the effective functioning of audit mechanisms. This article seeks to answer questions about whether outdated public records fall within the scope of personal data, the applicability of Law No. 6698, and what considerations should be taken into account if these records are processed, by providing a detailed analysis of outdated public records by the administration in terms of Law No. 6698.
II. APPLICABILITY OF KVKK: LEGAL BASIS AND LIMITATIONS
If outdated public records fall within the scope of Law No. 6698, their processing is subject to the application of Law No. 6698. Law No. 6698 imposes a series of conditions and limitations for the processing of personal data. Article 4 of Law No. 6698 states that there must be a legal basis for the processing of personal data, the data must be suitable for the purpose of processing, the data must be accurate and up-to-date, the processing of the data must be limited to a reasonable period of time, and appropriate technical and administrative measures must be taken for the security of the data. Article 5 of Law No. 6698 imposes special conditions for the processing of personal data. According to this article, personal data can only be processed for specific and legitimate purposes, must be processed in accordance with the purpose of processing, must be accurate and up-to-date, must, when necessary, be stored for a limited period related to the relevant purpose, and appropriate technical and administrative measures must be taken to ensure their security.
In this context, the existence of a legal basis for the processing of outdated public records is essential for the applicability of Law No. 6698. For example, the administration’s retention of these records for archival purposes may be based on the “legal obligation” or “public interest” grounds in Article 5 of Law No. 6698. However, these grounds should not be abused and should be used in accordance with the fundamental principles of Law No. 6698. Administrations should process personal data only to the extent necessary, for the required duration, and in accordance with the purpose of processing, and should take care to protect these data.
III. EVALUATION OF PERSONAL DATA PROCESSING PRINCIPLES UNDER KVKK IN TERMS OF DATA PROCESSED AND PUBLICLY DISCLOSED BY ADMINISTRATIONS
The main purpose of Law No. 6698 is to protect individuals’ fundamental rights and freedoms, especially the privacy of private life, in the processing of personal data. Article 3 of Law No. 6698 defines personal data as “any information relating to an identified or identifiable natural person”.
The need for the protection of personal data forms the basis of the emergence of rights. The right to privacy also arises from the need to protect individuals’ privacy. Communication and information sharing have become easier as technology has advanced, urbanization has accelerated, and media activities have become more diverse and widespread. These developments have also interfered with people’s private lives.
The principles and rules regarding the protection of personal data are specified in many international documents. These international regulations were reflected in the Turkish Constitution with the 2010 constitutional amendment, adding a paragraph on the protection of personal data to Article 20, titled “Privacy of Private Life”4. This paragraph states that “Everyone has the right to demand the protection of personal data concerning themselves. This right includes being informed about personal data, accessing these data, requesting their correction or deletion, and learning whether they are used in accordance with their purposes,” thus establishing the right to demand the protection of personal data as a constitutional right. The continuation of the sentence explains the scope of this right. Various crimes are regulated in the Turkish Penal Code No. 5237 (“Law No. 5237”) against those who do not comply with the measures taken within the scope of personal data protection. Articles 135-138 of the Law No. 5237 define the crimes of unlawfully recording, giving, obtaining, and not destroying personal data. If these crimes are committed by legal entities, security measures related to legal entities will be applied.
In this context, the records shared publicly by administrations contain personal data such as the names, surnames, and addresses of real and legal persons, which are considered personal data under Law No. 6698. Accordingly, Article 11, paragraph 1, subparagraph e of Law No. 6698, titled “Rights of the Data Subject,” defines the right to request the deletion or destruction of personal data under the conditions stipulated in Article 7. For example, outdated personal data held by the Trade Registry under the administration of the Chamber of Commerce should be deleted, destroyed, or anonymized by the Chamber of Commerce. Article 7 of Law No. 6698, titled “Deletion, Destruction, or Anonymization of Personal Data,” states that “Personal data shall be deleted, destroyed, or anonymized by the data controller ex officio or upon the request of the data subject, in case the reasons for processing no longer exist, even though they have been processed in accordance with this Law and other relevant laws”. In line with this provision, personal data must be deleted, destroyed, or anonymized by the data controller ex officio or upon the request of the data subject if the reasons for processing no longer exist. As can be understood from the wording of Article 7 of Law No. 6698, the article is of a mandatory nature. Mandatory legal rules are rules that cannot be altered or ignored by the parties or individuals at their discretion. In line with the mandatory provision of Law No. 6698, outdated and no longer necessary personal data must be deleted by administrative institutions, such as the Trade Registry under the Chamber of Commerce, which processes and publicly shares personal data.
There are fundamental principles regarding the processing of personal data that have been accepted in international documents and reflected in the practices of many countries. Article 4 of Law No. 6698 regulates the procedures and principles for the processing of personal data in line with Convention No. 108 and Directive 95/46/EC of the European Union. Accordingly, the general principles to be considered in the processing of personal data specified in Article 4 of Law No. 6698 are as follows: compliance with the law and the rules of honesty, accuracy and, when necessary, up-to-dateness, processing for specific, explicit, and legitimate purposes, being relevant, limited, and proportionate to the purposes for which they are processed, and being retained for the period stipulated in the relevant legislation or required for the purposes for which they are processed. These principles should form the basis of all personal data processing activities and all personal data processing activities should be carried out in accordance with these principles.
Article 4, paragraph 2 of Law No. 6698, which regulates the “General Principles” regarding the processing of personal data, establishes principles for the processing of personal data and makes compliance with these principles mandatory. Subparagraph (a) of paragraph 2 defines compliance with the law and the rules of honesty, bringing the obligation to comply with the principle of compliance with the law and the rules of honesty in the processing and storage of personal data. According to the principle of compliance with the rules of honesty, the data controller should consider the interests and reasonable expectations of the data subjects while trying to achieve their goals in data processing. In other words, the data controller should act in a way that prevents outcomes that the data subject does not expect and should not expect5. The principle of compliance with the law and the rules of honesty encompasses other principles as well. Compliance with the law generally means compliance with legal norms and universal legal principles. The scope of compliance with the law is broad and includes compliance with legislation. Whether this principle is applicable should first be evaluated within the framework of the constitutional regime of fundamental rights and freedoms. The processing of personal data means interfering with the fundamental rights of the person, and for this interference to be considered honest and lawful, it must comply with the constitutional regulations on the restriction of fundamental rights and freedoms.
Compliance with the rules of honesty, as regulated in Article 2 of the Turkish Civil Code No. 4721 (“Law No. 4721”), means not violating the rule of honesty while processing personal data. The processing of personal data should comply with the principle of honesty to prevent the misuse of rights. This principle requires individuals to act in accordance with the rules of trust and reasonable expectations while exercising their rights. In terms of the protection of personal data, the processing of data should be limited to the minimum amount necessary, should not be conducted in a way that the data subjects cannot foresee, and should consider the interests and reasonable expectations of the data subjects. Data processing that violates the privacy or dignity of the data subject without a justified reason is contrary to the principle of compliance with the law and the rules of honesty.
The personal data of real and/or legal persons processed and publicly shared on public platforms by administrations should be processed in accordance with the principles explained above. The principle of compliance with the law and the rules of honesty requires processing the minimum amount of data, considering the privacy of private life and the interests and reasonable expectations of the data subject, and processing the data in accordance with the law; the public sharing and publication of outdated personal data of real and/or legal persons by administrations on public platforms is therefore contrary to this principle.
Article 2(b) of the Law No. 6698 provides that personal data must be accurate and, when necessary, up-to-date, imposing the obligation to comply with this principle in the processing and storage of personal data. An example of administrations publishing, on public platforms, personal data that has lost its currency and purpose of processing is the continued public announcement by the Trade Registry, which is affiliated with the Chamber of Commerce, of personal data processed regarding former board members and/or shareholders of companies belonging to real and/or legal persons. This clearly violates the principle of being accurate and, when necessary, up-to-date, as explained above, for the real and/or legal persons whose personal data is processed and shared.
Article 2(c) of the Law No. 6698 introduces the principle of processing personal data for specific, explicit, and legitimate purposes. The principle that the purposes of processing personal data must be specific, legitimate, and explicit ensures that personal data processing activities are clearly understandable by the relevant person, determines which legal processing condition these activities are based on, and clearly sets forth the purpose of the personal data processing activity.
This principle requires the data controller to clearly and precisely specify the purpose of data processing and for this purpose to be based on a legal justification. If the data controller processes personal data for purposes other than those notified to the relevant person, they assume responsibility for these actions6. The legality of the purpose requires that the data processed by the data controller be directly related to the work they do or the service they provide and necessary for these purposes. As emphasized in the precedent decisions of the Personal Data Protection Board (“PDPB”), a legitimate purpose means that the data processed by the data controller is directly related to the service provided or the work done and necessary for these purposes7.
The principle of processing personal data for “specific, explicit, and legitimate purposes” ensures that personal data processing activities are clearly understandable by the data subject, determines the legal basis on which these activities are carried out, and clearly defines the purpose of the personal data processing activity. The purpose must be legitimate, meaning that the data processed by the data controller must be directly related to the service provided or the work done and necessary for these purposes8.
When evaluated within the scope of this principle, if, for instance, the administration publishes outdated and no longer relevant personal data on public platforms, it would be considered an unlawful data processing activity. An example of this would be the Trade Registry, which is affiliated with the Chamber of Commerce, continuing to process personal data of former board members and/or shareholders of companies and publicly announcing this data, despite there being no legitimate purpose for doing so. Therefore, the Trade Registry’s continued public announcement of personal data on public platforms constitutes a violation of rights for individuals and/or legal entities.
Subparagraph (ç) provides that personal data must be processed in connection with, limited to, and proportionate to the purposes for which they are processed, thereby establishing the principle of being connected with, limited to, and proportionate to the purposes of processing. Therefore, it is important that the processed data is suitable for achieving the specified purposes and that personal data that is not related to or needed for the purpose is avoided. Processing data to meet potential future needs should not be preferred, as it would constitute a new data processing activity. The processed data should be limited to the personal data necessary to achieve the purpose. Processing data beyond what is necessary for the purpose is contrary to the principle of limitation. The data processing activity should be based on obtaining sufficient data to achieve the purpose, while avoiding unnecessary data processing beyond this9. The principle of proportionality means establishing a reasonable balance between the data processing and the purpose to be achieved. In other words, data processing should be to the extent necessary to achieve the purpose. There is no legal or public justification for the Trade Registry, an administrative institution affiliated with the Chamber of Commerce, to continue publishing outdated personal data such as names, surnames, addresses, etc., of individuals and/or legal entities. The Trade Registry contains up-to-date information. It should be remembered that, according to the general principles of the Law No. 6698, personal data must be accurate and up-to-date.
In subparagraph (d) of Article 2, it is stated that personal data should be retained for the period stipulated in the relevant legislation or for the period necessary for the purpose for which they are processed, thereby establishing the principle that personal data should be retained for the period stipulated in the relevant legislation or for the period necessary for the purpose for which they are processed.
In addition to the retention periods determined by the data controller in accordance with the principle of purpose limitation for the storage of personal data, there are also retention periods specified in the relevant legislation to which the data controller is subject. In this case, if there is a period stipulated in the legislation for the relevant personal data, the data controller is obliged to comply with this period. If no such period is stipulated, the data can only be retained for the period necessary for the purpose for which they are processed. If there is no valid reason for retaining the data longer, the data will be deleted, destroyed, or anonymized. Personal data cannot be retained for future use or for any other reason.
Considering all these principles explained in detail above, the processing of outdated personal data of individuals and/or legal entities by administrations is unlawful and constitutes a violation of rights. It is essential to terminate such unlawful personal data processing activities by administrations and to delete, destroy, and/or anonymize the personal data of the individuals and/or legal entities whose data is being processed.
A. Problems Encountered In Practice
There are some significant issues in complying with the Law No. 6698:
a. Difficulties in Practice:
The lack of sufficient technical infrastructure, resources, and personnel with the necessary knowledge and training on personal data in administrations for deleting or anonymizing outdated records shared publicly through relevant websites or physically causes difficulties in practice and leads to rights violations.
b. Lack of Transparency:
By not providing sufficient transparency regarding the processing of outdated records shared publicly through relevant websites or physically, administrations make it difficult for citizens to learn about their rights related to personal data and to exercise these rights.
c. Lack of Supervision:
There are insufficient mechanisms to supervise the compliance of the process of processing outdated records shared publicly through relevant websites or physically by administrations with the Law No. 6698.
1. Solutions to Technical and Resource Issues Encountered in Practice
To address the technical infrastructure and resource deficiencies of administrations in deleting or anonymizing outdated public records, a roadmap should be established to ensure that the relevant administrations have sufficient technical infrastructure and resources. This roadmap should include elements such as making necessary technical infrastructure investments, supporting the relevant administrations with specialized personnel in this area, and providing the necessary resources.
2. Increasing Transparency in the Processing of Personal Data
Administrations need to take some steps to ensure transparency when processing outdated public records. These steps may include:
a. Publishing a Personal Data Policy: Administrations should publish their personal data policies on their websites and provide explanations in these policies on how outdated public records will be processed, which records will be deleted, and which records will be anonymized.
b. Right to Information: To facilitate citizens’ right to information regarding the processing of their personal data, administrations should provide easily accessible information and resources on this matter.
c. Obligation to Inform: When processing outdated public records, administrations must inform the relevant individuals about this matter and explain the purpose of data processing, the duration of data processing, and the measures related to data security.
3. Strengthening the Role of the Board: Implementing an Effective Supervision Mechanism for Outdated Public Records
To ensure that administrations act in compliance with the Law No. 6698 when processing outdated public records, the role of the Board should be effectively strengthened and focus on the following points:
a. Increasing the Frequency and Scope of Audits: The Board should conduct more frequent and comprehensive audits of the activities of administrations in processing outdated public records. Audits should be planned and conducted at regular intervals, and the Board’s powers should be expanded to include accessing the records of administrations, examining relevant documents, and investigating administrations when necessary.
b. Improving the Complaint Mechanism: PDPB should play an active role in making the existing complaint mechanism, through which citizens can report that their personal data is not being processed in accordance with the Board, more accessible and transparent. PDPB should handle complaints quickly and effectively, inform complainants about the process, and report on the outcomes of complaints. Additionally, the complaint mechanism should be made more effective, ensuring that citizens can easily submit their complaints and that the process for resolving complaints is more transparent.
c. Specializing the Audit Team: PDPB should have an audit team specialized in the processing of outdated public records. This team should have a thorough understanding of the relevant legislation and the issues encountered in practice, and be able to effectively audit administrations.
d. Enforcing Penal Sanctions: PDPB should ensure consistency and effectiveness in applying existing penal sanctions against administrations that violate the provisions of the Law No. 6698. When applying sanctions, the severity of the violation should be taken into account to create a deterrent effect.
e. Increasing the Board’s Role Specifically for Administrations: PDPB should take a more active role in the processing of outdated public records, provide guidance to ensure that administrations act in compliance with the Law No. 6698, and increase the frequency of its audits.
f. Publication of Audit Results: PDPB should publicly publish the audit results. This will enhance transparency and serve as an incentive for administrations to comply with the Law No. 6698.
g. Increasing the Frequency of Audits: PDPB should conduct more frequent audits of the activities of administrations in processing outdated public records. Audits should be planned and conducted at regular intervals.
In summary, to resolve the issues related to the processing of outdated public records, it is necessary to strengthen the role of the PDPB, make transparency and supervision mechanisms effective, apply penal sanctions in a deterrent manner, and eliminate uncertainties.
4. Solution Proposals
To address these issues and ensure that administrations can act in compliance with the Law No. 6698 when processing outdated records, the following solution proposals can be offered:
a. Guidelines and Standards: Administrations should publish detailed guidelines and standards related to the processing of outdated records. These guidelines should clearly specify under which circumstances outdated records will be considered personal data, which legal bases can be used for processing these records, what measures should be taken to ensure the security of the records, and how individuals’ rights will be protected.
b. Systematic Process: Administrations should establish a systematic process for the processing of outdated records and regularly review this process. This process should include the identification, evaluation, deletion, or anonymization of records, ensuring their security, and protecting individuals’ rights.
c. Transparency and Information: Administrations should provide clear and understandable information to the public about the existence and access conditions of outdated records through their website or other platforms. This information should clearly state the purpose of processing the records, what information they contain, who can access this information and how, the duration for which the records will be retained, and the procedures for deleting or anonymizing the records.
d. Audit and Improvement: Administrations should conduct regular audits to ensure compliance with the Law No. 6698 and make necessary improvements. These audits should evaluate the compliance of the process of handling outdated records with the Law No. 6698 and ensure that necessary improvements are made if there are deficiencies in the process.
e. Training and Awareness: Training and information programs should be organized for administration employees and citizens to teach the fundamental principles of the Law No. 6698, the risks associated with processing outdated records, and the measures that need to be taken to protect personal data.
IV. CONCLUSION
In conclusion, it is of great importance that administrations comply with the fundamental principles of the Law No. 6698 when processing outdated public records and strengthen transparency and supervision mechanisms if these records qualify as personal data. Especially considering the principle of accuracy and, where necessary, being up to date, administrations should terminate the processing activities of outdated personal data, and these data should be deleted, destroyed, or anonymized. This will ensure the protection of the fundamental rights of data subjects and ensure that administrations act in compliance with the Law No. 6698. Additionally, PDPB should more actively enforce transparency and supervision mechanisms over administrations, making their personal data processing policies more transparent and accountable, thereby increasing public trust. Evaluating outdated public records within the scope of the Law No. 6698 is of great importance for the protection of personal data. If these records qualify as personal data, they should be processed and stored in accordance with the provisions of the Law No. 6698, and this can be achieved by strengthening transparency and supervision mechanisms.
BIBLIOGRAPHY
Personal Data Protection Authority, “Fundamental Principles of Personal Data Processing”, https://www.kvkk.gov.tr/Icerik/4189/Kisisel-Verilerin-Islenmesine-Iliskin-Temel-Ilkeler (Access Date 05.08.2024).
PDPB, T. 12.03.2020, K. 2020/212.
PDPB, T. 03.03.2020, K. 2020/193.
Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data.
European Union Data Protection Directive 95/46/EC.
Official Gazette dated 24.03.2016, No. 29677, Personal Data Protection Law No. 6698.
Official Gazette dated 22.11.2001, No. 24607, Turkish Civil Code No. 4721.
Official Gazette dated 26.09.2004, No. 25611, Turkish Penal Code No. 5237.
Official Gazette dated 13.05.2010, No. 27580, Law on the Amendment of Certain Articles of the Constitution of the Republic of Turkey No. 2709.
FOOTNOTE
1 The Official Gazette dated 24.03.2016, numbered 29677, Law No. 6698 on the Protection of Personal Data.
2 The Official Gazette dated 22.11.2001, numbered 24607, Law No. 4721 Turkish Civil Code.
3 The Official Gazette dated 26.09.2004, numbered 25611, Law No. 5237 Turkish Penal Code.
4 The Official Gazette dated 13.05.2010, numbered 27580, Law on the Amendment of Certain Articles of the Constitution of the Republic of Türkiye No. 2709.
5 Personal Data Protection Authority, “Fundamental Principles Regarding the Processing of Personal Data”, https://www.kvkk.gov.tr/Icerik/4189/Kisisel-Verilerin-Islenmesine-Iliskin-Temel-Ilkeler, Access Date 05.08.2024.
6 Personal Data Protection Authority, “Fundamental Principles Regarding the Processing of Personal Data”, https://www.kvkk.gov.tr/Icerik/4189/Kisisel-Verilerin-Islenmesine-Iliskin-Temel-Ilkeler, Access Date 05.08.2024.
7 PDPB Decision, D. 12.03.2020, K. 2020/212.
8 PDPB Decision, D. 03.03.2020, K. 2020/193.
9 Personal Data Protection Authority, “Fundamental Principles Regarding the Processing of Personal Data”, https://www.kvkk.gov.tr/Icerik/4189/Kisisel-Verilerin-Islenmesine-Iliskin-Temel-Ilkeler, Access Date 05.08.2024.








