Turkish Law Blog
Data Privacy: We Already Did It
Data privacy is such a hot topic these days, considering all those seven-figure fines, permissions for the use of data, postponements of VERBİS (the Turkish Data Controllers Registry), and the large compliance projects every single company has been dealing with.
It has almost become a buzzword: just as every company is "ready for Industry 4.0" and "uses Artificial Intelligence for its decisions", now every company and every product is "compliant with KVKK" (the Turkish Data Protection Law). Since it is spoken about everywhere, half of society has become privacy experts and consultants.
With those so-called “experts” everywhere, most companies believe they are ready and compliant just by filling in some templates. When you are in a conversation with someone, you will most likely hear: “Oh, KVKK, we already did it.” But is it something you can complete and then put behind you?
Even if you answer that question on grammar alone, “being compliant” is something continuous. The body of law on data protection is changing rapidly, the Turkish DPA announces new decisions weekly, and even the data you gather changes from day to day. The Turkish Republic’s 11th Development Plan shows how we are going to be harmonized with the European Union in terms of data protection law. That is why most experts define compliance projects as “a living process.” Every data controller has to find a way to merge data compliance awareness into its daily routines. Probably the best way of doing this is to carry out a Privacy Impact Assessment before every type of data processing. It is not mandatory under the Turkish Data Protection Law, but even filling out a document about how a new process in the company affects its compliance has a considerable impact.
Checking the Compliance
When a company tries to comply with a regulation, the roadmap is not always clear. If we consider a huge corporation as a controller, it gets even blurrier. I would like to offer some fundamental tips and signs for checking whether the company is on the right track:
1. Website
Having a website is a must for a joint-stock company; it is almost the same as being visible in the online world. Under the Turkish Commercial Code, a joint-stock company must have a website if it has more than 40 million Turkish Liras in total assets, net sales of more than eight million Turkish Liras, or more than 200 employees. Every website collects a vast amount of data, whether in the form of cookies, digital footprints, login pages, e-bulletins, forms to fill in, and so on. If you can’t see any notice or procedure about why and how your data is being processed, the alarm bells should ring: you probably haven’t done “the compliance thing.”
2. Cookies
“Cookies are one of the behavioral targeting techniques. Cookie files become active when a device reaches a website. Cookies provide information about user behaviors, interests and likes.” Not every cookie is the same and, unfortunately, we can’t “solve the KVKK thing” with a checkbox or a warning. Even though there is no article about cookies in the Turkish Data Protection Law, a cookie is personal data in the sense of “determining a person”. The Information Commissioner’s Office (ICO)’s recent guide about cookies and similar technologies states that “You have to tell people the cookies are there; explain what the cookies are doing and why; and get the people on the store on their device.”
3. Physical Space Matters
It is important to consider physical interactions with data subjects in physical spaces. Every step they take is a chance (or a risk, if you look at the other side of the coin) to collect personal data. Most commonly, companies record data subjects’ physical appearance and movements with CCTV. Sometimes they record arrival and departure times; sometimes they even ask for personal IDs to make sure visitors are who they claim to be. Sometimes this is justified by the employer’s obligation to protect its employees under Turkish Employment Law; sometimes CCTV is necessary for protecting property under the Property Ownership Law. If the compliance project has no reflection in the physical space, if nothing has changed in the daily life of the company, the project needs to be worked out in more detail. Please note that none of this can be interpreted as permission to track your employees.
4. Employee Data
Normally, unless you are a data science company or interact heavily with customers, the largest share of the data you process is your employees’ data. Even though some of it is an obligation under Labour Law, you have to check whether you collect more data than you are obliged to take. You have to rethink every question you ask in your Human Resources processes: is it a must, or is it just curiosity? We can blame Turkish legislation for not spelling out which documents you should take from your employees in order to be compliant, but I believe in lighting a candle instead of cursing the darkness. You should sit down with your Human Resources Management / Talent Management department and dig into the reasons behind every single process. According to a survey by Accenture, “62% of executives said the companies are using new technologies to collect data on people — from the quality of work to safety and well-being — fewer than a third said they feel confident they are using the data responsibly.”
5. Third Parties
When you look at a company’s daily business routine, you can see hundreds of interactions with third parties. It can be the cleaning service you outsourced; it can also be the security team. Sometimes it is the courier bringing Black Friday boxes, sometimes it is a data privacy lawyer giving lectures in the company to raise awareness. It is important to determine the status of the third party before creating the legal framework. If they are “the natural or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system,” they are a controller. In this case, they have the same obligations as your company. That is why you don’t have to prepare a separate legal document to determine the liability regime. If they are “the natural or legal person who processes personal data on behalf of the controller upon his authorization,” they are a processor. Under the Turkish DPL, controllers are responsible for the actions of processors because processors handle data on behalf of the company. When choosing a processor, it is important to audit its compliance with the Turkish DPL, and essential to keep an eye on it afterwards to make sure there is no data breach without your knowledge. It is common to sign a data processing agreement between controller and processor. “A data processing agreement (DPA) is a legally binding document to be entered into between the controller and the processor in writing or in electronic form. It regulates the particularities of data processing – such as its scope and purpose – as well as the relationship between the controller and the processor.”
6. Privacy by Design
It is always easier to build well from the start than to try to fix things later. The same principle applies to privacy compliance. When you design a product or service, if you consider the privacy outcomes at the beginning, you will end up with a compliant process; otherwise, you may end up without control over the personal data involved. The Privacy by Design concept emerged to overcome such negative outcomes. “The term ‘Privacy by Design’, or its variation ‘Data Protection by Design’, has been coined as a development method for privacy-friendly systems and services, thereby going beyond mere technical solutions and addressing organizational procedures and business models as well.”
The first step is to reduce and minimize your data, that is, to stop collecting personal data without a reason. The second step is to hide your data and increase its safety. The third step is to separate databases as much as you can: when there is a breach, a potential attack or other harm, it becomes easier to return to a stable level. The fourth step is to aggregate data. The fifth step is to inform data subjects in a transparent and open manner. The sixth step is to control every stage of the data processing. The seventh step is to enforce legal requirements; for example, when there is a breach, you have to inform the authorities about the possible outcomes. The eighth step is to demonstrate your compliance to data subjects, third parties and data protection authorities.
7. Data Lifecycle
The basic data lifecycle is to collect, to use, to preserve, to share and to delete. Every step of the cycle has to be compliant with the law. It is important to determine the legal basis of the collection: it can either be consent or one of the other bases listed under Article 5 of the Turkish Data Protection Law. The steps other than deletion have already been touched on above, but data retention really matters. “Despite being processed under the provisions of this Law and other related laws, personal data shall be erased, destructed or anonymized by the controller, ex officio or upon demand by the data subject, upon disappearance of reasons which require the process.” In order to be compliant, the retention period of every item of data must be determined within the cycle.
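As an added illustration (not part of the original post), the retention step of the cycle can be made concrete as a small processing register that records the legal basis and retention period for each data category and decides, for every stored record, whether it is kept, erased or anonymized. The category names, periods, expiry actions and sample records are constructed assumptions, not values from the law.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed processing register (assumed values, not taken from the Turkish DPL):
# category -> (legal basis, retention period, action once the reason for processing ends)
REGISTER = {
    "newsletter_email": ("consent", timedelta(days=365), "erase"),
    "payroll_record": ("legal_obligation", timedelta(days=10 * 365), "erase"),
    "visitor_log": ("legitimate_interest", timedelta(days=90), "anonymize"),
}


@dataclass
class Record:
    subject_id: str
    category: str
    collected_on: date
    consent_withdrawn: bool = False


def lifecycle_action(record: Record, today: date) -> str:
    """Decide whether a record is kept, erased or anonymized on a given day."""
    basis, retention, expiry_action = REGISTER[record.category]
    # A record whose only basis was consent loses its reason for processing
    # as soon as the data subject withdraws that consent.
    if basis == "consent" and record.consent_withdrawn:
        return "erase"
    # Within the retention period the reason for processing still exists.
    if today - record.collected_on < retention:
        return "keep"
    # Retention expired: apply the destruction method chosen for this category.
    return expiry_action


def review(records, today: date) -> dict:
    """Group records by the action they need so each group can be handled as a batch."""
    plan = {"keep": [], "erase": [], "anonymize": []}
    for rec in records:
        plan[lifecycle_action(rec, today)].append(rec.subject_id)
    return plan


def sample_review() -> dict:
    # Constructed sample records reviewed on 2020-06-12 (the page's access date).
    records = [
        Record("s1", "newsletter_email", date(2020, 1, 1)),
        Record("s2", "newsletter_email", date(2020, 1, 1), consent_withdrawn=True),
        Record("s3", "payroll_record", date(2005, 3, 1)),
        Record("s4", "visitor_log", date(2020, 1, 1)),
        Record("s5", "visitor_log", date(2020, 6, 1)),
    ]
    return review(records, date(2020, 6, 12))
```

Running `sample_review()` keeps the records still inside their retention period, erases the withdrawn-consent and expired payroll records, and anonymizes the expired visitor log.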
11th Development Plan (2019-2013), Turkish Republic Presidency Strategy and Budget Presidency, 07/2019
European Union Agency for Network and Information Security (2014) – Privacy and Data Protection by Design – from policy to Engineering pg 2
European Union Agency for Network and Information Security (2014) – Privacy and Data Protection by Design – from policy to Engineering pg 16-22
https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/ (Access Date: 12.06.2020)
https://tresorit.com/blog/everything-you-need-to-know-about-a-data-processing-agreement/ (Access Date: 12.06.2020)
https://www.cnbc.com/2019/04/15/employee-privacy-is-at-stake-as-surveillance-tech-monitors-workers.html (Access Date: 12.06.2020)
Property Ownership Law numbered 634 published in Official Gazette on 23/06/1995 article 19
Taşdelen ve Acar Şentürk (2018), “Impact of internet advertising to the consumer “, Inf E-Magazine, 2018:180 (free translation)
Turkish Commercial Law, numbered 6102 published in official gazette on 22/11/2001 article 1524
Turkish Data Protection Law numbered 6698 published in official gazette on 07/04/2016
Turkish Data Protection Law, article 3/d
Turkish Employment Law numbered 4857 published in Official Gazette on 22/05/2003
Turkish Data Protection Authority: Kişisel Verileri Koruma Kurumu