New Amendments Introduced with the Law on Protection of Personal Data

Protection of personal data has become necessary to prevent illegal activities and interference with personal freedoms, both because personal data has been insufficiently protected in our country and because our country has become integrated into the developing global area of e-commerce.

In recent years especially, in order to carry out effective trade with European countries, the regulation had to be drafted quickly in our country after Articles 25 and 26 of EU Directive 95/46/EC restricted the transfer of personal data to countries with insufficient measures for the protection of personal data.

Article 20 of the Constitution, which regulates the right to privacy, was amended by the referendum in 2010. The amendment reads as follows: “All individuals have the right to demand the protection of their personal data. This right includes being informed of personal data regarding the person, accessing the data, requesting its correction or deletion and being informed of the reasons for such information. Personal data can only be processed in cases stipulated by law or with the express consent of the person. The principles and procedures regarding the protection of personal data are regulated by law.” This provides constitutional assurance for the protection of personal data.

After many studies on the protection of personal data, the Law on Protection of Personal Data No. 6698 (“KVKK”) was enacted by the National Assembly on 24.03.2016 and entered into force upon its publication in the Official Gazette on 07.04.2016.

With the introduction of the Law, many new concepts and liabilities will directly affect us.

PURPOSE AND SCOPE OF THE LAW

Within the system of the Law, the new regulations introduced for the processing of personal data aim to protect the fundamental rights and freedoms of individuals, especially their privacy. The procedures and principles to be followed by the natural persons and legal entities that process this personal data are also regulated.

The preamble of the Law states that it applies to the natural persons whose personal data are processed and to the natural persons and legal entities who process this data.

The Law applies where personal data is processed by automatic means, or by non-automatic means provided that the processing is part of a data registry system.

The definitions introduced by Article 3 of the Law for its application are as follows.

  • Explicit consent: freely given, specific and informed consent.
  • Anonymizing: rendering personal data impossible to link with an identified or identifiable natural person, even by matching it with other data.
  • President: the President of the Personal Data Protection Authority.
  • Data subject: the natural person whose personal data is processed.
  • Personal data: all information relating to an identified or identifiable natural person.
  • Processing of personal data: any operation performed upon personal data, such as collection, recording, storage, retention, alteration, re-organization, disclosure, transfer, taking over, making retrievable, classification or preventing the use thereof, fully or partially by automatic means or, provided that the processing is part of a data registry system, by non-automatic means.
  • Board: the Personal Data Protection Board.
  • Authority: the Personal Data Protection Authority.
  • Processor: the natural or legal person who processes personal data on behalf of the controller upon the controller's authorization.
  • Data registry system: the registry system in which personal data is registered, structured according to certain criteria.
  • Data controller: the natural or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system.

ANALYSIS OF THE LAW

It is important to determine the concept of personal data and the authorized bodies processing these data before analyzing the regulation introduced with the law.

Personal Data

According to the Law, personal data is all kinds of information relating to an identified or identifiable natural person. The scope of personal data includes the name, surname, date of birth, ID number, e-mail address, phone number, IP address, CV, pictures, images and audio recordings belonging to the natural person.

Personal data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect, membership of associations or trade unions, health, sexual life, criminal convictions and security measures, as well as genetic data, are deemed to be personal data of a special nature.

Specific concepts have been defined for the application of the Law. The parties involved in the processing of personal data, and the limits on them, have also been regulated.

Data Controller

The data controller is the natural or legal person that determines the purpose and means of personal data processing and is responsible for the establishment and management of the data registry system. The data controller also decides which personal data is collected, the purpose and legal grounds for collecting and processing personal data, the duration for which personal data is stored and the conditions for changing it.

The data controller is the party that requires the processing of personal data and decides the purpose and means of that processing.

Processor

Processor means a natural or legal person which processes personal data on behalf of the data controller, in accordance with the authority granted by the data controller.

The processor is the deciding authority on technical issues such as the IT systems and methods used, security precautions, data backup, and the methods of deletion and destruction for the personal data collected, within the guidelines set by the data controller.

Processing of personal data

Processing of personal data is any operation performed upon personal data, such as collection, recording, storage, retention, alteration, re-organization, disclosure, transfer, taking over, making retrievable, classification or preventing the use thereof, fully or partially by automatic means or, provided that the processing is part of a data registry system, by non-automatic means.

Explicit Consent

Explicit consent is the consent given for the processing of personal data. It is a statement indicating that approval is granted, limited to the specific processing and solely to that processing, by the person concerned of their own free will and with sufficient information on the subject of the data processing.

Consent can be taken via e-signature, wet signature or secure e-signature.

If it is claimed that the data was processed without explicit consent, the burden of proving the existence of explicit consent lies with the data controller.

Deletion, Destruction and Anonymizing

Deletion refers to the destruction of personal data in such a way that it cannot be used again and cannot be recovered.

Destruction refers to the disposal of the information and materials containing the data, such as files, documents, CDs, floppy disks and hard disks.

Accordingly, the data controller should delete personal data, ex officio or upon the request of the person concerned, if the reasons requiring the processing of that personal data cease to exist.

General principles

Personal data may only be processed in compliance with the procedures and principles set forth in this Law and other laws. Data controllers and data processors shall comply with the following principles when processing personal data.

Principles for processing of personal data

  • Being in accordance with the law and good faith.
  • Being accurate and, where necessary, up to date.
  • Being processed for specific, explicit and legitimate purposes.
  • Being relevant to, limited to and proportionate to the purposes for which they are processed.
  • Being retained for the period stipulated by the relevant legislation or required for the purpose for which they are processed.

1. Being in Accordance with the Law and Good Faith

This is one of the main principles on which the data controller should base the processing of personal data.

The data controller:

  • Shall have a viable reason to process personal data.
  • Shall not use personal data to the detriment of the relevant persons without a viable reason.
  • Shall inform the relevant persons about the processing of their personal data.
  • Shall comply with the conditions set forth in the legal regulations, primarily Law No. 6698, during data processing.

2. Accuracy and Being Up-To-Date

The data controller has the responsibility to check that any processed personal data is correct and up-to-date.

If the data controller identifies that the personal data is inaccurate or out of date, or the relevant person requests a correction, the data shall be corrected or, where appropriate, deleted, destroyed or anonymized.

3. Processing for Specific, Explicit and Legitimate Purposes

The purpose of processing personal data shall be determined by the data controller in a clear, exact and definite manner, and the relevant persons shall be notified of the processing.

Accordingly, the collection of personal data for a general purpose, without specifying a purpose or for uncertain reasons is in violation of this principle.

Legitimate reasons for processing personal data are the exemptions granted by the Law on Protection of Personal Data that do not require the consent of the relevant person.

4. Being Relevant to, Limited to and Proportionate to the Purposes for Which They Are Processed

The data controller shall process personal data in accordance with, and limited to, the determined purpose. As a result, unnecessary personal data shall be identified and subsequently deleted, destroyed or anonymized.

5. Being Retained for the Period Stipulated by the Relevant Legislation or Required for the Purpose

This principle regulates that personal data processed for a specific purpose should be stored only for the period required, or for the period indicated for the purpose for which it was processed.

Whether a viable reason to store the personal data still exists, or whether the period set out in the relevant regulation has ended, shall be monitored. Once that period is over, the data controller shall delete, destroy or anonymize the personal data.

Conditions for Personal Data Processing

As a rule, personal data can only be processed with the explicit consent of the natural person to whom the data belongs.

The consent of the relevant person to the processing of their personal data is an important condition that legitimizes the processing of such data in terms of the protection of personal data.

Conditions that do not require consent in the processing of personal data:

Although, as a rule, it is not possible to process personal data without explicit consent, the Law provides some exemptions that enable the processing of personal data without the consent of the relevant person. These conditions are as follows:

a) It is clearly provided for by law:

Primary Regulations: Constitution of the Republic of Turkey, The Council of Europe Convention No.108

Secondary Regulations: Turkish Civil Code, Turkish Penal Code, Law on Protection of Personal Data, Turkish Code of Obligations, Turkish Commercial Code, Labor Law

Tertiary Regulations: Sectoral regulations (Banking Law, Law on Bank Cards and Credit Cards Law etc.)

Quaternary Regulations: Common Regulations (Social Security and General Health Insurance Law, Code of Criminal Procedure,

b) Processing is mandatory for the protection of the life or physical integrity of the person, or of another person, where the person is physically incapable of giving consent or where their consent is not deemed legally valid.

Where the person lacks the capacity to discern, or their consent is not valid because the person is mentally ill, personal data may be processed to protect life and physical integrity.

c) Processing of personal data belonging to the parties of a contract is necessary provided that it is directly related to the conclusion or fulfillment of that contract.

For example, a bank may obtain a person's payroll and title deed records for a loan contract.

d) Data processing is mandatory for the data controller to perform its legal obligations.

e) Data processing is mandatory for the establishment, exercise, or protection of a right.

f) Data processing is mandatory for the legitimate interests of the data controller, provided that this does not harm the fundamental rights and freedoms of the person concerned.

By providing these exceptions to the rule of consent, the Law makes it possible to process such personal data without the consent of the person concerned.

THE TRANSFER OF PERSONAL DATA WITHIN THE COUNTRY OR ABROAD

Personal data cannot be transferred abroad without explicit consent of the data subject.

However, where one of the exemptions from explicit consent provided in the Law on Protection of Personal Data applies and the necessary conditions are met, personal data can be transferred abroad provided that the recipient country has adequate protection in place. If no adequate protection is in place, the data controllers in Turkey and in the foreign country shall undertake in writing to provide the necessary measures, and the transfer may then be carried out with the approval of the Board.

Obligations on Data Security in Terms of the Law on Protection of Personal Data

Obligation of the Controller to Inform:

During data collection, the controller or the persons it authorizes are obliged to inform the relevant persons of the controller's identity, the procedures and legal grounds for data collection, the purpose of the collection, to whom and why personal data may be transferred, and the rights of the relevant persons under the Law.

Liabilities regarding Data Security:

Data controllers are obliged to take all necessary technical and administrative measures to prevent the unlawful processing of personal data and unlawful access to it, and to ensure its protection.

The above-mentioned liabilities also apply to data processors that process personal data on behalf of the data controller, based on the authorization granted by the controller. Processors are jointly liable with data controllers for the implementation of the above-mentioned measures.

  1. The data controller is obliged to carry out the necessary audits within its own institution or organization in order to ensure that the provisions of this Law are applied.
  2. Data controllers and processors cannot disclose acquired personal data in violation of the provisions of the Law, or use it for purposes other than processing. These liabilities remain even after their duties have ended.
  3. If the processed personal data is unlawfully obtained by others, the data controller shall notify the relevant person and the Personal Data Protection Board as soon as possible.

The Rights of Relevant Person:

Everyone can apply to the data controller to:

a) Learn whether their personal data is processed,

b) Request information if their personal data is processed,

c) Request information on the purpose of the processing of their personal data and whether it is used in line with that purpose,

d) Be notified of the third parties, within the country or abroad, to whom their personal data is transferred,

e) Request correction if their personal data is processed incompletely or incorrectly,

f) Request the deletion or destruction of their personal data under the conditions provided in Article 7,

g) Request that the operations carried out under clauses (d) and (e) be notified to the third parties to whom the personal data has been transferred,

h) Object to a result to their detriment arising from the analysis of the processed data exclusively through automated systems,

i) Request compensation for damage suffered due to the unlawful processing of their personal data.

Registration in the Data Controllers’ Registry

The data controller is obliged to apply to the Data Controllers’ Registry before initiating data processing.

During the application to the registry, the data controller shall notify the purpose of the data processing, the recipients of the personal data, the measures taken and the maximum period for which the personal data will be processed.

If the information provided to the registry changes, the data controller shall immediately inform the Personal Data Protection Board of the changes.

The procedures and principles regarding the Data Controllers’ Registry will be set out in the regulation to be issued, and the registration of data controllers will be announced by the Personal Data Protection Board.

THE APPLICATION TO THE DATA CONTROLLER IN TERMS OF PERSONAL DATA PROTECTION

The relevant person submits requests regarding the implementation of this Law to the data controller in writing or by other methods determined by the Board.

The data controller concludes the requests in the application free of charge, as soon as possible and within thirty days at the latest, depending on the nature of the request.

The data controller accepts or declines the request, stating its reasons.

COMPLAINTS TO THE BOARD

If the application made to the data controller by the relevant person is declined, the answer provided is found to be insufficient, or no response is provided within the expected time, the relevant person can submit a complaint to the Board within sixty days of the application date, after being notified of the answer.

THE DUTIES OF THE PERSONAL DATA PROTECTION BOARD

a) To ensure that personal data is processed in compliance with fundamental rights and freedoms,

b) To conclude complaints regarding the protection of personal data,

c) To conduct investigations ex officio or upon a complaint regarding a violation, and to take temporary measures if needed,

d) To ensure the maintenance of the Data Controllers’ Registry,

e) To take the necessary measures for the processing of personal data of a special nature,

f) To decide on the administrative sanctions stipulated in this Law, and to take regulatory action regarding the duties, powers and responsibilities of the data controller and its representative.

SANCTIONS

The Board can impose an administrative fine on data controllers if a violation is detected. Administrative fines are imposed as follows: 5,000 TL – 10,000 TL if the data controller fails to fulfil the obligation to inform; 15,000 TL – 1,000,000 TL for violation of data security obligations; 25,000 TL – 1,000,000 TL for non-compliance with the decisions of the Personal Data Protection Board; and 20,000 TL – 1,000,000 TL for failure to register in the data controllers’ registry and to fulfil the obligation to notify.

For violations of the Law on Protection of Personal Data, the relevant articles of the Turkish Penal Code No. 5237 may also be applied. Accordingly, prison sentences of:

  • 1-3 years for recording personal data unlawfully,
  • 2-4 years for providing, distributing or taking over personal data unlawfully,
  • 1-2 years for not destroying personal data even though the determined period is over,

may be imposed.

If these crimes are committed by legal persons, security measures specific to these persons will be imposed.

Effective Dates in the Transition Process of Law on Protection of Personal Data No. 6698

All articles of the Law came into force on 04.2016, which is the effective date.

  • It has been decided that consent obtained in accordance with the law before the publication of the Law will be deemed compliant with the Law if the persons concerned remain silent until 04.2017.
  • The deadline for the appointment of data controllers in public institutions is 2017.
  • It was also decided that the implementing regulation for the Law shall be in force as of 04.2017.
  • The final date for bringing data processed before the publication of the Law into compliance with the Law is 04.2018.

It is clear that many of the amendments brought by the Law on Protection of Personal Data No. 6698, and the practical application of the Law, will be shaped by the regulation to be issued and by the Board’s procedures. To conclude, we hope that the Law on Protection of Personal Data will be implemented as soon as possible, in line with our legal system and our social and economic life.
