The Law on Protection of Personal Data (“Law”), numbered 6698, was published in the Official Gazette dated 07.04.2016. The justification of the Law clarifies that the collection and transmission of personal data through information systems, whether by the private sector or the public sector, has become unavoidable in the last decades. Although the collection and use of personal data is necessary in some instances for social and business life, it is also essential to protect the fundamental rights and freedoms of individuals, which are secured by both international treaties and the Constitution of the Republic of Turkey. Striking a balance between fundamental rights and the functioning of business and social life has therefore become a current issue and a primary need.
The Law aims to provide this balance by means of comprehensive and exclusive rules and a committee, which is established under the same Law and acts as a control mechanism. The purpose of this study is to give a brief overview of the Law.
Definition of Personal Data
Personal data is defined in the Law as “any information relating to an identified or identifiable natural person”. Although this definition does not say much, the justification of the Law clarifies that personal data includes not only information such as name, surname, birthday and birthplace, but also information that is physical, familial, economic, social or psychological in nature, as well as a person’s ID number, phone number, social security and tax numbers, curriculum vitae, photo, image and voice recordings, fingerprints, genetics, etc.
Information regarding a person’s race, ethnic origin, political views, philosophy, religion, sect or any other beliefs, appearance, membership of an association, foundation or union, health, sexual health, criminal record, information related to security precautions, and biometric data is, on the other hand, defined as special categories of personal data.
This distinction becomes important when it comes to data processing, since the Law adopts different rules and restrictions for each category.
Controller shall mean the natural or legal person who determines the purposes and means of the processing of personal data.
Processing of Personal Data
The definition of processing of personal data is provided in article 3/e of the Law as “…shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, any transaction executed on data such as collection, recording, organization, storage, adaptation, alteration, retrieval, transfer, acquisition, making available, combination or blocking.” This definition corresponds to the definition provided in the Directive 95/46/EC of the European Parliament and of the Council dated 24/10/1995.
The second part of the Law regulates the rules regarding the processing of personal data under the articles titled “General Rules”, “Criteria for Making Data Processing Legitimate”, “Criteria for Making Special Categories of Personal Data Processing Legitimate”, “Erasure, Destruction or Anonymization of Personal Data”, “Transmission of Personal Data to Third Parties” and “Transmission of Personal Data to Abroad”. The content of these articles will not be covered in detail in this work, but in general terms it may be noted that, according to the Law, personal data must be:
- Processed fairly and lawfully,
- Correct and updated,
- Processed for specified, explicit and legitimate purposes,
- Adequate, relevant and not excessive in relation to the purposes for which they are collected.
Personal data and special categories of personal data may be processed only if the express consent of the relevant person is obtained. However, the Law provides exceptions for each category separately.
If the processing of personal data is necessary:
- To protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving his/her consent,
- For those who will be parties to a contract, on condition that the processing is directly related to the conclusion or performance of the contract,
- For compliance with a legal obligation of the data controller,
- For the legitimate interest of the controller, only if the processing does not interfere with the fundamental rights and freedoms of the data subject,
then the express consent of the relevant person need not be obtained.
For the special categories of personal data, the express consent of the relevant person need not be obtained if the processing is:
- Carried out by a foundation, association, union or any other non-profit-seeking body, on condition that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes, and the data are not disclosed to a third party.
- Carried out by persons or authorized institutions and organizations under a confidentiality obligation for the purposes of protecting public health, providing preventive medicine, medical diagnosis, treatment and care services, and planning, managing and financing medical services.
If the processing of personal data or special categories of personal data is necessary:
- For compliance with an explicit legal obligation,
- Because the data has already been manifestly made public by the data subject,
- Because the data processing is compulsory for the establishment, exercise or protection of a right,
then the express consent of the relevant person need not be obtained.
In Article 28, the Law also defines some circumstances that exclude the application of the Law entirely. For instance, the Law does not apply if the personal data processing relates to one’s own data or to that of a family member cohabiting with the processor; if the processing is necessary for national defense, national security, public safety, public order, economic safety, or for the purposes of art, history, science or freedom of expression, provided that the right of privacy or the personal rights of the data subject are not violated; or if the processing is carried out by investigating, prosecution, judgment or enforcement authorities.
The exceptions that allow personal data and special categories of personal data to be processed without the consent of the relevant person are not considerably different from each other. It is also notable that all the aforesaid exceptions contain general expressions, which are open to interpretation and accordingly to abuse.
Any kind of personal data shall be erased, destroyed or anonymized by the controller when the processing of that data is no longer necessary.
Violation of the Law
The rights of the data subject are stated in Article 11 of the Law. In addition to this article, the data subject or any other relevant person has the right to make requests to the controller concerning the execution of the Law. If the controller does not answer or rejects the request, or if the answer is not satisfactory, the relevant person has the right to file a complaint against the controller before the committee. In case of a violation of the Law, the pecuniary fines specified in Article 18 are to be imposed. However, the imposition of these pecuniary fines shall not exclude the application of the relevant articles of the Turkish Criminal Code numbered 5237 or the Turkish Civil Code numbered 4721.
- The Law on Protection of Personal Data, http://www2.tbmm.gov.tr/d26/1/1-0541.pdf, (last seen 30.03.2016)
- Justification of Protection of Personal Data, http://www2.tbmm.gov.tr/d26/1/1-0541.pdf, (last seen 30.03.2016)
- Directive 95/46/EC of the European Parliament and of the Council dated 24/10/1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, available on http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN (last seen 30.03.2016)
Vedia Nihal Koyuncu
Attorney at Law, LL.M.