Turkish Law Blog
A Brief Investigation on the Turkish Personal Data Protection Law No.6698
Law No. 6698 on Protection of Personal Data ("Law") entered into force after being published in the Official Gazette No. 29677 dated 07.04.2016. Although Turkey is a party to many international protocols, Law No. 6698 is the first direct legislation for the protection of personal data. Laws such as the TCK ("The Turkish Penal Code") and the CMK ("Criminal Law Regulations") contain brief regulations on the protection of personal data, but these arrangements can be applied after a possible loss has emerged. Law No. 6698, however, is considered preventive and protective legislation, simply because no damage or loss needs to occur for it to be implemented.
1. Purpose and Scope of the Law
The purpose of Law No. 6698, as stated in Article 1 of the Law, is: "To protect the fundamental rights and freedoms of people, particularly the right to privacy, with respect to processing of personal data and to set forth obligations, principles and procedures which shall be binding upon natural or legal persons who process personal data." On scope, the Law states: "The provisions of this Law shall apply to natural persons whose personal data are processed as well as to natural or legal persons who process such data fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means." (Article No. 2) According to the text of Law No. 6698, the persons whose personal data are processed must be natural persons. Whether legal persons' data fall outside the protection of this law is still a controversial topic in the doctrine, and no definite consensus has been reached. Last but not least, the data protected under the law must be "partly or completely automatic or part of any data recording system". For example, a name and surname and related information written on a piece of paper are not covered by Law No. 6698 as long as they remain in this form, but they will fall under the scope of the law once they become part of a data recording system.
2. What is Personal Data?
Personal data is defined as "all the information relating to an identified or identifiable natural person" in Article 3 of Law No. 6698. In this context, it is necessary to address the Constitutional Court's definition of personal data. According to the Court, "personal data" refers to all information about a person, provided that the person is identifiable. In this context, personal data is not just information that reveals the individual's identity, such as name, surname, date of birth and place of birth; phone number, motor vehicle license plate, social security number, passport number, resume, picture, image and sound recordings, fingerprints, IP address, e-mail address, mobile phone, preferences, interacted persons, group memberships, family information and health information are all accepted as personal data through which a person can be determined directly or indirectly. The Law also mentions "personal data of special qualities" and their processing conditions in Article 6. According to this article: "Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, clothing, membership to associations, foundations or trade-unions, health, sexual life, convictions and security measures, and the biometric and genetic data are deemed to be personal data of special nature." The processing of personal data depends on the explicit consent of the individual concerned. However, there are exceptions. In exceptional cases, this data may be processed without the explicit consent of the parties.
3. Principles on the Protection of Personal Data
Article 4 of Law No. 6698 sets out the principles concerning the protection of personal data. Personal data must be: (a) legally justifiable and correct; (b) up to date; (c) processed for specific, clear and legitimate purposes; (d) connected with the purpose for which they are processed, limited or measured; (e) kept for the time foreseen in the applicable legislation or required for the purpose for which they are processed. (Taştan, Protection of Personal Data in Turkish Contract Law, Twelve Plate Publications, p. 48)
4. Data Controller, Data Processor, and Register Obligation
a) Law No. 6698 defines the data controller as: "The natural or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system." According to this definition, the data controller describes and controls how, when, why and how much personal data is processed, determines the duration of the transaction and provides the management of the data protection system. (Taştan, Protecting Personal Data in Turkish Contract Law, Twelve Plate Publications, p. 70) In institutions with a legal entity, the data controller is the legal entity itself; where there is no legal entity, the data controller is the natural person. It is not legally possible for a legal person to show a natural person as a data officer to escape responsibility; if such a situation arises, criminal sanctions will be imposed on the responsible persons. According to Law No. 6698, data controllers are obliged to register with the "Data Controller Register" before commencing data processing and to comply with the regulatory procedures to be established by the Board.
b) According to the definition made in Law No. 6698: "A data processor is a natural or legal person who processes personal data on behalf of the controller upon his authorization." According to this definition, a data processor is a natural or legal person that processes personal data based on parameters specified by the data controller. The data controller and the data processor may be the same person. (Taştan, Protecting Personal Data in Turkish Contract Law, Twelve Plate Publications, p. 71) Again, the data processor is a third person who has a contractual relationship. (Taştan, The Protection of Personal Data in Turkish Contract Law, Twelve Plate Publications, p. 72) Cloud firms that perform data storage (e.g. Google Drive, Dropbox) have data processor status under Law No. 6698. It should be emphasized that if the data processor is a third person, a personal data processing contract between the data controller and the data processor comes into play.
5. Erasure, Destruction or Anonymization of Personal Data and the Rights of the Person Concerned
According to Article 7 of Law No. 6698: "Despite being processed under the provisions of this Law and other related laws, personal data shall be erased, destructed or anonymized by the controller, ex officio or upon demand by the data subject, upon the disappearance of reasons which require the process." In this context, anonymization is "rendering personal data by no means identified or identifiable with a natural person even by linking with other data." (Law No. 6698, article 3 / IV) However, under Article 11 of Law No. 6698, the person whose personal data has been processed can apply to the data controller to: (a) know if the person's data is processed and available; (b) know if the personal data is being processed properly and whether it is being used properly; (c) know the third parties to whom personal data are transmitted in the country or abroad; (d) require that personal data be deleted or destroyed within the framework of the conditions provided for in Article VIII; (e) by analyzing the processed data exclusively through automated systems; (f) claim damages in the event of a corruption due to the processing of personal data in contravention of the law.
6. The Board
Like any other legal regulation under supervision, Law No. 6698 is also under the supervision of the "Personal Data Protection Board". Bearing in mind that the regulation itself is a big step for IT ("information technologies") law, we look into the Authority's decisions on specific matters. While anyone can apply to the Board about a data protection breach, there are some steps to take for a successful application.
In this context, the relevant persons must first submit their requests regarding the application of the Law to the data officer. The law provides for a gradual application procedure for applications within the scope of protection of personal data. It is mandatory for the persons concerned to apply to the data officer before they can exercise their rights. Complaints cannot be made to the Board before this step is exhausted. The law reserves the right to compensation, under the general provisions, of those concerned whose personal rights have been violated. Since it is mandatory to make the application and optional to file the complaint, it will be possible for the person concerned to make a complaint to the Board on the one hand and to go directly to the judiciary on the other. At this point, however, it should be noted that there is no obstacle for the persons concerned to apply directly to the judiciary for violations of rights. In other words, there is no obligation to apply to the data officer before the issue is brought to the judiciary. The obligation to contact the data officer directly is a requirement that must be followed before the matter is communicated to the Board. (www.kvkk.gov.tr/İcerik/2062)
It is a fact that Law No. 6698 is the cornerstone of the "digitalization period" in Turkey. In this context, not only legal entities but also laws are expected to be shaped accordingly. As an example, this is one of the reasons why employers are obliged to protect their workers following Law No. 6698. Companies must go through restructuring and start the process of compliance with Law No. 6698. Otherwise, any failure to carry out the restructuring and harmonization processes will lay the groundwork for criminal and legal sanctions.