Turkey: Law on the Protection of Personal Data has been entered into force in Turkey



Law No. 6698 on the Protection of Personal Data (KVKK) was published in Official Gazette No. 29677 dated 7 April 2016 and has entered into force in Turkey.

Following this development, there is a need to raise awareness of the issue among hospitals, banks, commercial companies and the other natural and legal persons with which society has frequently shared personal data without question; otherwise they face the threat of severe legal sanctions.

The purpose of the Law is to protect the fundamental rights and freedoms of individuals, in particular the right to privacy, with respect to the processing of personal data, and to set out the obligations, principles and procedures binding on natural and legal persons who process personal data. The Law applies to natural persons whose personal data are processed, and to natural and legal persons who process such data either wholly or partly by automatic means or, provided the processing is part of a data registry system, by non-automatic means.

The concept of “personal data” is defined in the KVKK[1] as “any information relating to an identified or identifiable natural person”. The same definition is used in legal doctrine and in the case law of the Court of Cassation (Yargıtay). For data to qualify as “personal data”, the following elements must be present together: an item of information, the existence of a natural person whose identity is identified or identifiable, and a causal link between the two (causa proxima)[2].

Processing of personal data means any operation performed on personal data, such as collection, recording, storage, retention, alteration, re-organisation, disclosure, transfer, taking over, making retrievable, classification or preventing its use, carried out wholly or partly by automatic means or, provided the processing is part of a data registry system, by non-automatic means. The following principles must be complied with when processing personal data: “lawfulness and conformity with the rules of bona fides”, “accuracy and, where necessary, being up to date”, “being processed for specific, explicit and legitimate purposes”, “being relevant to, limited to and proportionate to the purposes for which they are processed”, and “being retained for the period stipulated by the relevant legislation or required by the purpose for which they are processed”.

Personal data cannot be processed without the explicit consent of the data subject. The exceptions to this rule are: a) the processing is clearly provided for by law; b) it is mandatory for the protection of the life or physical integrity of the data subject or of another person, where the data subject is physically unable to give consent or his consent is not deemed legally valid; c) it is necessary to process the personal data of the parties to a contract, provided the processing is directly related to the conclusion or performance of that contract; d) it is mandatory for the controller to fulfil his legal obligations; e) the data concerned has been made public by the data subject himself; f) the processing is mandatory for the establishment, exercise or protection of a right; g) it is mandatory for the legitimate interests of the controller, provided that the processing does not violate the fundamental rights and freedoms of the data subject.

Even where it has been processed in accordance with the Law and other relevant legislation, personal data shall be erased, destroyed or anonymised by the controller, ex officio or upon request of the data subject, once the reasons requiring its processing cease to exist. Anonymisation means rendering personal data impossible to link to an identified or identifiable natural person, even by matching it with other data.

Apart from the exceptions set out in the Law, personal data likewise cannot be transferred without the explicit consent of the data subject, and this applies equally to transfers abroad. The exceptions to the explicit-consent requirement for transfers within Turkey also apply to transfers abroad. However, because a transfer abroad is cross-border, the legislator has stipulated additional requirements that must be met before personal data may be transferred abroad without the explicit consent of the data subject. These are: a) sufficient protection is provided in the foreign country to which the data is to be transferred[3]; or b) where sufficient protection is not provided, the controllers in Turkey and in the foreign country concerned guarantee sufficient protection in writing and the Board has authorised the transfer.

The data controller is the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data registry system. The processor, on the other hand, is the natural or legal person who processes personal data on behalf of the controller, under his authorisation. Natural and legal persons who process personal data are obliged to enrol in the Registry of Data Controllers before commencing processing; the Presidency maintains this publicly accessible Registry under the supervision of the Board. When collecting personal data, the controller, or the person authorised by him, is obliged to inform the data subject of: a) the identity of the controller and of his representative, if any; b) the purpose of the processing; c) to whom and for what purposes the processed data may be transferred; d) the method and legal basis of the collection; and e) the rights of the data subject. This is referred to as the “Controller's Obligation to Inform”.

Every person also has the right to apply to the controller and: a) to learn whether his personal data are being processed; b) to request information if they are; c) to learn the purpose of the processing and whether the data are used in accordance with that purpose; d) to know the third parties, in Turkey or abroad, to whom his personal data have been transferred; e) to request the rectification of incomplete or inaccurate data; f) to request the erasure or destruction of his personal data under the conditions laid down in the Law; g) to request that the operations under (e) and (f) be notified to the third parties to whom his personal data have been transferred; h) to object to a result that is unfavourable to him and arises from the analysis of his data exclusively by automatic means; and i) to claim compensation for damage arising from the unlawful processing of his personal data.

Controllers are obliged to take all necessary technical and administrative measures to ensure an appropriate level of security in order to prevent unlawful processing of personal data, prevent unlawful access to personal data, and ensure the safe retention of personal data. Where personal data are processed by a natural or legal person on behalf of the controller, the controller is jointly responsible with that person for taking these measures. Controllers and processors may not disclose personal data they have learned to anyone in breach of the Law, nor use such data for purposes other than processing; this obligation continues even after they leave their position.

Articles 135 to 140 of the Turkish Penal Code No. 5237 apply to crimes concerning personal data. Natural and legal persons who fail to fulfil the obligations set out in the Law on the Protection of Personal Data are subject to the administrative fines laid down in the misdemeanours section of the same Law. Accordingly: a) those who fail to comply with the obligation to inform face an administrative fine of 5,000 to 100,000 TL; b) those who fail to comply with the data security obligations face a fine of 15,000 to 1,000,000 TL; c) those who fail to comply with decisions of the Board face a fine of 25,000 to 1,000,000 TL; d) those who fail to meet the obligations to enrol in the Registry of Data Controllers and to make the required notifications face a fine of 20,000 to 1,000,000 TL.

In conclusion, the protection of personal data is still a new and current topic in Turkey, and this area is still at a developmental stage in the Turkish legal system. Given the size of the administrative fines under the KVKK, companies that process personal data, whether as controller or as processor acting on a controller's behalf, need to become and remain compliant with the detailed regulations introduced by the Law.

[1] The Law on the Protection of Personal Data No. 6698.

[2] Causal relation.

[3] Countries with adequate protection are identified and announced by the Personal Data Protection Authority.


More info:

Prokon

info@prokon-tr.com