Turkish Law Blog

Data Privacy: We Already Did It

Erdem Mümtaz Hacıpaşaoğlu Erdem Mümtaz Hacıpaşaoğlu/ Startup Law Consultancy | Vircon Data Protection
13 August, 2020
969

Introduction

Data privacy is such a hot topic these days considering all those punishments with seven digits, permissions for the usage of data, postpones of VERBİS (Turkish Data Register), and large compliance projects every single company has been dealing with.

It almost became like a buzzword like every company is ready to Industry 4.0, using Artificial Intelligence for their decisions, now they are, and their products are compliant with KVKK. (Turkish Data Protection Law[1]) As it is spoken everywhere, half of the society became privacy experts and consultants.

With those so-called “experts” everywhere, most of the companies believe they are ready and compliant by just filling some templates. When you are in a conversation with someone, you will most likely hear: “Oh KVKK, we already did it.” But is it something you can complete and get rid of?

Even if you answer it by just considering grammar, “being compliant” is something continuous. Body of laws are rapidly changing on data protection, Turkish DPA [2]is announcing new decisions weekly, even the data you gather changes day by day. Turkish Republic’s 11th Development Plan [3]shows how we are going to be harmonized with the European Union in terms of data protection laws. That’s why most of the experts define compliance projects as “a living process.” Every data controller has to find a way to merge data compliance awareness into their daily routines. Probably the best way of doing this is to do the Privacy Impact Assessment before every type of data processing. It is not mandatory under the Turkish Data Protection Law, but even filling out a document about how a new process in the company affects their compliance has a considerable impact.

Second Chapter

Checking the Compliance

When a company tries to comply with a regulation, the roadmap is always not clear. If we consider a huge corporation as a controller, it will get even blurrier. I would like to offer some fundamental tips and signs to check whether the company is on the right way:

1. Website

Having a website is a must for a joint-stock company which is almost like being visible in the online world. It is mandatory under the Turkish Commercial Code to have a website if you are a joint-stock company either you have more than 40 million Turkish Liras in your actives, or you have net sales more than eight million Turkish Liras or you have more than 200 employees. [4] Every website collects a vast amount of data. It can be in the form of a cookie, digital footprint, login pages, e-bulletins, forms to fill, and so on. If you can’t see any warnings or procedures about why and how your data are processing, you can hear the ring of the bells. Probably you haven’t done “the compliance thing.”.

2. Cookies

“Cookies are one of the behavioral targeting techniques. Cookie files become active when an equipment reaches to website. Cookies provide information about user behaviors, interests and likes[5].” Every cookie is not the same and unfortunately, we can’t “solve the KVKK thing” with a checkbox or a warning.  Even there is not an article about cookies in Turkish Data Protection Law, it is personal data in the sense of “determining a person[6]”. Information Commissioner’s Office (ICO)’s recent guide about cookies and its substitutions states that “You have to tell people the cookies are there; explain what the cookies are doing and why; and get the people on the store on their device.”[7]

3. Physical Space Matters

It is important to consider physical interactions with data subjects in physical spaces. Every step they take is a chance -or risk if you can see the other side of the medal- to collect personal data. Mostly, companies record data subject’s physical appearance and move with CCTV applications. Sometimes they record their coming and arrival times, sometimes they even want to take their personal ids to make sure if they are the person they claimed to be. Sometimes it is justified under employer’s obligation to protect their employees under Turkish Employment Law[8]. Sometimes CCTV applications is necessary for protecting property under Property Ownership Law. [9]If your reflections of the compliance project in the physical space, if nothing has changed in the daily life of the company, compliance project must be detailed. Please note it cannot be interpreted as you can track your employees.

4. Employees

Normally, unless you are a data science company or highly interacting with the customers, the biggest amount of the data you are processing is your employee’s data. Even it’s an obligation under Labour Law, you have to be sure whether you collect more data that you are obliged to take. You have to rethink every question you ask in your Human Resources processes. Is it a must or is it just curiosity? We can blame Turkish legislation for not being detailed with which documents you should take from your employees in order to be compliant. I believe lighting up a candle instead of swearing to darkness. You should gather with your Human Resources Management / Talent Management department and deep dive into the reasons why you do every single process. According to a survey made by Accenture, “62% of executives said the companies are using new technologies to collect data on people — from the quality of work to safety and well-being — fewer than a third said they feel confident they are using the data responsibly[10].”

5. 3rd Parties

When you consider a company’s daily business routine, hundreds of interactions with third parties can be seen. It can the cleaning service you outsourced; it can also be the security team. Sometimes it is the mail guy bringing Black Friday boxes, sometimes it is a data privacy lawyer giving lectures in the company to raise awareness. It is important to determine the status of the third party before creating a legal background. If they are “the natural or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system.” they become controller. In this case, they have the same obligation with your company. That’s why you don’t have to prepare a separate legal document to determine the liability regime. If they are “the natural or legal person who processes personal data on behalf of the controller upon his authorization.” they become processors. Under Turkish DPL, controllers are responsible with the actions of processors because they are processing data on behalf of the company. While choosing the processor, it is important to audit their compliance with the Turkish DPL. It is essential to keep an eye of them to make sure there is no data breach without your knowledge. It is common to sign data processing agreement with controllers. “A data processing agreement (DPA) is a legally binding document to be entered into between the controller and the processor in writing or in electronic form. It regulates the particularities of data processing – such as its scope and purpose – as well as the relationship between the controller and the processor.”[11]

6. Privacy by Design

It is always easier to build better than trying to fix. The same principle applies for the privacy compliance. When you design a product or service, if you consider the privacy outcomes at the beginning, you will end up with a compliant process. As a consequence, you won’t have the control of those personal data. Privacy by Design concept emerged to overcome potential negative outcomes. “The term ‘Privacy by Design’, or its variation “Data Protection by Design”, has been coined as a development method for privacy-friendly systems and services, thereby going beyond mere technical solutions and addressing organizational procedures and business models as well.”[12]The first step is to reduce and minimize your data in terms of collection personal data without any reason. The second step is to increase the safety and hide your data. The third step is to separate databases as much as you can. When there is a breach, potential attack or harm, it can become easier to return to a stable level. The fourth step is to aggregate data.  The fifth step is to inform data subjects in a transparent and open manner. The sixth step is to inform control every stage of the data processing. The seventh step is to enforce legal requirements. For example, when there is a breach, you have to inform authorities about the possible outcomes. The eighth step is to demonstrate your compliance to data subjects, third parties and data protection authorities.[13]

7. Data Lifecycle

The basic data lifecycle is to collect, to use, to preserve, to share and to delete. Every step of the cycle has to be compliant with the law. It is important to determine the legal basis of the collection. It can either be consent or other bases which are listed under the 5th article of Turkish Data Protection Law. Other steps rather than delete is already mentioned in the article but data retention really matters. “Despite being processed under the provisions of this Law and other related laws, personal data shall be erased, destructed or anonymized by the controller, ex officio or upon demand by the data subject, upon disappearance of reasons which require the process.” In order to be compliant, data retention period of every data must be determined in the cycle.

Conclusion

Data protection and data privacy plays such a huge role in a company’s day to day operations. It requires a deep focus and operation power to be fully compliant with the regulation. When you evaluate the risk without a domain expertise, it always feels like it is something to be solved very easily. Most of the companies believe they got rid of the problem and done with the “KVKK thing.” It is really hard to determine and prove the compliance. Company needs to look from a broader perspective, include every aspect of the organization. It is not always easy to track the whole data lifecycle. Keeping track of data collected, their retention periods and so on. Company has to apply risk base approach and privacy by design perspective in new business lines. Company’s outer look must be compliant with the regulation. Website’s privacy policy is a good way to demonstrate the compliance. Cookie policy is an obvious part of the demonstration. Third parties play an important role on the overall compliance. You are as strong as the weakest part of the organization. Breach of a processor can risk the company in terms of compensation, punitive damage and reputation. If you also take care of your employee matters and physical space problems, you will have a meaningful level of data protection.  Privacy compliance is a long way to go and it is a living process. It takes time and effort to build a culture but when you build it carefully you will have a long-lasting asset. It can feel like a waste of resource and effort, but it will elevate the company drastically. When the company creates the proper culture, transparency and fairness will guide them to “do the KVKK thing.”


References

11th Development Plan (2019-2013), Turkish Republic Presidency Strategy and Budget Presidency, 07/2019

European Union Agency for Network and Information Security (2014) – Privacy and Data Protection by Design – from policy to Engineering  pg 2

European Union Agency for Network and Information Security (2014) – Privacy and Data Protection by Design – from policy to Engineering  pg 16-22

https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/ (Access Date: 12.06.2020)

https://tresorit.com/blog/everything-you-need-to-know-about-a-data-processing-agreement/ (Access Date: 12.06.2020)

[1]https://www.cnbc.com/2019/04/15/employee-privacy-is-at-stake-as-surveillance-tech-monitors-workers.html (Access Date: 12.06.2020)

Property Ownership Law numbered 634 published in Official Gazette on 23/06/1995 article 19

Taşdelen ve Acar Şentürk (2018), “Impact of internet advertising to the consumer “, Inf E-Magazine, 2018:180 (free translation)

Turkish Commercial Law, numbered 6102 published in official gazette on 22/11/2001 article 1524

Turkish Data Protection Law numbered 6698 published in official gazette on 07/04/2016

Turkish Data Protection Law, article 3/d

Turkish Employment Law numbered 4857 published in Official Gazette on 22/05/2003


[1] Turkish Data Protection Law numbered 6698 published in official gazette on 07/04/2016

[2] Turkish Data Protection Authority: Kişisel Verileri Koruma Kurumu

[3] 11th Development Plan (2019-2013), Turkish Republic Presidency Strategy and Budget Presidency, 07/2019

[4] Turkish Commercial Law, numbered 6102 published in official gazette on 22/11/2001 article 1524

[5] Taşdelen ve Acar Şentürk (2018), “Impact of internet advertising to the consumer “, Inf E-Magazine, 2018:180 (free translation)

[6] Turkish Data Protection Law, article 3/d

[7] https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/ (Access Date: 12.06.2020)

[8] Turkish Employment Law numbered 4857 published in Official Gazette on 22/05/2003

[9] Property Ownership Law numbered 634 published in Official Gazette on 23/06/1995 article 19

[10]https://www.cnbc.com/2019/04/15/employee-privacy-is-at-stake-as-surveillance-tech-monitors-workers.html (Access Date: 12.06.2020)

[11] https://tresorit.com/blog/everything-you-need-to-know-about-a-data-processing-agreement/ (Access Date: 12.06.2020)

[12] European Union Agency for Network and Information Security (2014) – Privacy and Data Protection by Design – from policy to Engineering  pg 2

[13] European Union Agency for Network and Information Security (2014) – Privacy and Data Protection by Design – from policy to Engineering  pg 16-22

Leave a comment

Please login or register to comment

Comments