Data Protection in Light of Recently Passed Personal Data Protection Law
The Personal Data Protection Law No. 6698 (the “Law”) has finally entered into force. As most interested parties are well aware, the Turkish authorities have been working on the draft law on the protection of personal data for a very long time in order to align Turkey’s domestic laws with European Union (“EU”) directives, with which Turkey needs to comply as part of the acquis communautaire for its expected membership of the EU. In this respect, the long-pending draft of the Law was enacted and entered into force on 7 April 2016, taking EU Directive 95/46 as its basis.
Under the Law, personal data is defined as any information relating to an identified or identifiable natural person (“Personal Data”); processing and transfer to third parties of which is subject to the consent of the person whose Personal Data is processed (“Related Person”). Such consent requirement is clearly set out in the Law. To serve its purpose, the term of “processing” is defined in a broad manner under the Law; in a way covering obtaining, recording, storing, altering, transferring and classifying any kind of Personal Data. There are also certain exceptional conditions for the processing and transfer of Personal Data without having the consent of the Related Person (e.g. if processing the Personal Data is directly related with the formation or performance of an agreement).
The Law defines a data keeper as the real or legal person who determines the purposes and means for processing the Personal Data and who is responsible for the establishment and management of the processing system (“Data Keeper”). As per the Law, Data Keepers are required to provide information to Related Persons regarding the purpose of data processing and to whom the Personal Data will be revealed.
The Law also sets out certain security requirements for Data Keepers according to which they are obliged to take the necessary technical and administrative measures in order to ensure the required security level for the purposes of (i) preventing the unlawful processing of Personal Data, (ii) preventing unlawful access to Personal Data, and (iii) the preservation of Personal Data. In case the Personal Data is processed by a third party in the name of the Data Keeper, the Data Keeper shall be jointly liable with the relevant third party. Moreover, Article 12/4 indicates that Data Keepers and persons who process the Personal Data shall not reveal the data contrary to the provisions of the Law and shall not use the data for the benefit of themselves.
The Law also sets out the individual's right to know that his/her information is stored and, if necessary, to have it corrected. As per Article 11 of the Law, Related Persons can apply to the Data Keepers and ask for information on whether their Personal Data is processed or not, or to whom their Personal Data is transferred. It is also stated under Article 7 of the Law that in the event the reasons for processing the Personal Data cease to exist, such Personal Data should be deleted, destroyed or rendered anonymous by the Data Keeper either ex officio or upon request of the Related Person.
Articles 17 and 18 of the Law, which will enter into force on 7 October 2016, regulate the offenses which may be committed in the application of this Law.
The Law also introduces a new regulatory watch-dog for implementation of data protection principles; which will also be responsible for supervision, audit and investigations concerning the entities keeping Personal Data. Such authority will be referred to as the Personal Data Protection Authority (the “PDPA”) and will be authorized to make necessary examinations regarding the application of the Law upon a complaint or ex officio. The PDPA will be established within 6 months as of 7 April 2016 with administrative and financial autonomy.
As per Article 16/2, real and legal persons who process the Personal Data are required to be registered with the Registry of Data Keepers before beginning to process the data. The PDPA is authorized to grant exceptions to the registration requirement in light of objective criteria as exemplified under the Law. Since Article 16/5 indicates that the procedures and principles regarding the Registry of Data Keepers are to be regulated by a “regulation”, the PDPA is expected to adopt a regulation in this respect by 7 April 2017, and the details of the Registry of Data Keepers are expected to be determined under such regulation.
It is also worth underlining that the compliance of the Personal Data that was processed before 7 April 2016 shall be procured with the Law within two years as per temporary Article 1. Furthermore, the consents lawfully obtained prior to 7 April 2016 shall be deemed in compliance with the Law, unless a contradicting statement is made.
Please see below a list of provisions of the Law which will enter into force 6 months following 7 April 2016:
- Transfer of Personal Data;
- Transfer of Personal Data abroad;
- Rights of the Related Person;
- Application to the Data Keeper;
- Complaints to the PDPA;
- Principles regarding examination upon complaint or ex officio;
- Registry of Data Keepers;
- Crimes; and
To summarize the foregoing remarks as to the Law, the Law itself is very broad and there are certain significant grey areas to be determined through the secondary legislation that will be adopted in order to draw a roadmap for the application of the mentioned broad provisions.
Since the Law has been newly enacted and there is no secondary legislation or any further explanation as to its implementation, the entire market will experience the effects of the Law and its implications on current practice once the regulations governing the details of the system are adopted.
Having noted the foregoing remarks as to the Law, we would also like to touch upon other relevant pieces of legislation concerning data protection, which will also be applicable together with the Law depending on the nature of the data concerned.
Article 20 of the Turkish Constitution sets forth that every person shall have the right to ask for protection of the personal data related to themselves. This right includes the right to request access to information on personal data, to have the personal data corrected or deleted, and to know whether the personal data is used in compliance with its purpose. Further, personal data can only be processed if such processing is set out in laws or upon having the consent of the related person.
Under Article 23 of the Turkish Civil Code (“TCC”), the existence of a general “personality rights” concept is recognized. It is accepted that this concept of personality rights comprises a person’s work-related and commercial activities; therefore, disclosure of that person’s business secrets to third parties without his permission may constitute a violation of his personality rights, and legal entities can also enjoy these rights by virtue of the provisions of Article 48 of the TCC. Persons whose above-stated rights are violated may ask for an injunction to halt the violation, and may also file an action for damages or for the payment of a sum of money by way of moral compensation (TCC Article 25 and Turkish Code of Obligations Article 58). Having said the foregoing, we wish to emphasize that such remedies can be implemented only in case of a violation of the above-mentioned personality rights. Therefore, if a person discloses confidential information regarding another person without obtaining permission, such remedies can come into question. As stated above, either real persons or legal entities can enjoy these rights.
As for criminal penalties, Article 136 of the Turkish Penal Code sets forth that any person who delivers, distributes or obtains personal data unlawfully shall be sentenced to imprisonment from two years up to four years. In case such crime is committed by taking advantage of the opportunity granted by an occupation and/or art, this constitutes an aggravating circumstance. If the above-mentioned crime is committed by legal persons, the security measures pertaining to legal persons shall be implemented.
Furthermore, unfair competition issue may arise as a result of disclosure of certain personal information. Namely, pursuant to Article 55(1)(d) of the Turkish Commercial Code, in case of use of information unlawfully -mostly for the purpose of personal interests- or disclosure of such information to third parties, provisions of unfair competition may be considered to be breached.
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (the “Personal Data Convention”)
Pursuant to Article 90 of the Turkish Constitution, international treaties duly put into effect have the force of law. Where a conflict arises between international agreements (which have been duly put into effect) concerning fundamental rights and freedoms and the laws (due to differences in provisions on the same matter), the provisions of international agreements shall prevail.
Apart from the domestic legislation, Turkey recently ratified the Personal Data Convention on 18 February 2016. Pursuant to Article 22, the Convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of deposit of the instrument of ratification. Therefore, the Personal Data Convention has not yet entered into force in terms of its provisions, but it will on June 1, 2016.
Article 4 of the Personal Data Convention imposes obligations on states to clearly establish the conditions for the processing, storage and transfer of personal data. Under Article 8 of the Personal Data Convention, related persons are entitled to apply to relevant authorities and reach information regarding their personal data.
Regulation on Processing of Personal Data and Protection of Privacy in the Electronic Communication Sector (“Regulation on Personal Data and Privacy”)
The Regulation on Personal Data and Privacy, which entered into force on 24 July 2012, imposes restrictions on the transfer, storage, and processing of personal data. Under Article 4 of the Regulation on Personal Data and Privacy, personal data shall not be transferred abroad and processing of personal data is subject to the consent of the related person. The data relating to electronic communication is considered confidential and shall not be listened to, recorded, stored, interrupted or supervised without the consent of all parties present in such communication. Furthermore, according to Article 5 of the Regulation on Personal Data and Privacy, the Information and Communication Technologies Authority is entitled to request from companies all documents relating to the privacy and security of personal data, and the companies are required to keep such data for certain periods of time. Briefly, the Regulation on Personal Data and Privacy contains provisions similar to those of the Law regarding data protection and privacy. However, the scope and coverage of the Law on data protection is much broader than the Regulation on Personal Data and Privacy and sanctions would be more severe.
* * *
This newsletter has been prepared only for information purposes. Please do not hesitate to contact us if you need assistance or more detailed information.