
PROTECTION OF PERSONAL DATA IN TURKEY

Protection of personal data has recently been a much-debated subject in Turkey. The law numbered 6669 regarding the ratification of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (hereinafter referred to as the “Convention”) numbered 108 was adopted by the Grand National Assembly of Turkey (hereinafter referred to as the “Assembly”) and was published in the Official Gazette dated 18 February 2016.

As per article 4 of the Convention, which was opened for signature on 28 January 1981 at Strasbourg and came into force on 1 October 1985, each signatory party shall take necessary measures in its domestic law to give effect to the basic principles for data protection set out in the Convention. Turkey signed the Convention on 28 January 1981 and, after adoption of the Law numbered 6669, the Code numbered 6698 on the Protection of Personal Data (hereinafter referred to as “Code”) was published in the Official Gazette dated 7 April 2016.

Except for articles 8, 9, 11, 13, 14, 15, 16, 17 and 18, all the articles of the Law numbered 6698 came into force as of the date of announcement in the Official Gazette, which is 7 April 2016; the aforesaid articles shall come into force six months after the date of announcement, which is 7 October 2016.

The Purpose of the Code:

As per Article 1, the purpose of the Code is to protect the rights and fundamental freedoms of every individual, in particular his/her right to privacy with regard to the processing of personal data, to regulate the responsibilities of the real persons and legal entities processing personal data and to ascertain the procedures and the principles to be followed by them.

The Scope of the Code:

Article 2 regulating the scope of application sets forth that this Code shall be applied to the real persons whose personal data is processed and to the real persons and legal entities who process this data, fully or partially, automatically or by non-automatic means as a part of any data recording system.

 

General Principles of Data Processing:

As per article 4 of the Code, personal data can only be processed according to principles and procedures set by this Code and other regulations.

Whilst processing the personal data, it is obligatory to act in conformity with the below principles:

  1. To be in accordance with law and honesty rules;
  2. To be accurate and up to date whenever necessary;
  3. Processing for certain, clear and legal purposes;
  4. To be adequate, relevant and not excessive in relation to the purposes for which they are processed;
  5. To be stored for no longer than is required for the processing purpose of the data or is provided by the relevant legislation.

Article 5 regulates the conditions of processing the personal data. Accordingly;

    1. Personal data cannot be processed without the express consent of the relevant individual;
    2. However, personal data can be processed without requiring the express consent of the relevant individual provided that at least one of the conditions mentioned here below is met;
      1. If data processing as such is set forth clearly by the laws;
      2. If an individual cannot declare an express consent because of actual impossibility or if that individual’s declaration of consent is regarded null and void according to regulations and that data processing as such is a must for protecting that person’s or another person’s right to life or for protecting their bodily integrity;
      3. If it is necessary to process the personal data of the parties of a contract provided that it is directly relevant with concluding the contract or performance of the same;
      4. If data processing is a must for performing the legal obligations of the data supervisor (in Turkish “Veri Sorumlusu”);
      5. If the personal data is publicised by the relevant person himself or herself;
      6. If data processing is a must for establishing, protecting or enjoying a right;
      7. If data processing is a must for legitimate interests of the data supervisor provided that fundamental rights and freedoms of the relevant individual would not be harmed.

Article 6 regulates the conditions of processing confidential personal data. Accordingly, data including the race, ethnic origin, political opinions, philosophical belief, religion, religious sect or other beliefs of an individual, as well as his/her dress, membership of an association, a foundation or a syndicate, his/her health and sexual life, criminal convictions and security measures, and also his/her biometric and genetic data, are confidential personal data. Confidential personal data shall not be processed without taking the appropriate safeguards to be determined by the Committee of Protecting Personal Data (hereinafter referred to as the “Committee”).

Also, as a principle, confidential personal data cannot be processed without the express consent of the relevant individual. However, if the relevant laws provide otherwise, confidential personal data, except data concerning health and sexual life, can be processed without the said consent. On the other hand, confidential personal data concerning health and sexual life can be processed, without the necessity of the consent of the relevant individual, by persons or authorised establishments and organizations who are under a duty of secrecy, for the purposes of protecting public health, of preventive medicine, of carrying out medical diagnosis, treatment and care services, and of planning, managing and financing health services.

As per article 7 of the Code, if the valid reason for processing personal data of an individual no longer exists, processed personal data shall be erased, destroyed or anonymized ex officio or by the data supervisor (in Turkish “Veri Sorumlusu”) on the request of the relevant individual.

Transfer of Personal Data:

As per article 8 of the Code, which shall come into force on 7 October 2016, personal data cannot be transferred to third parties without the express consent of the relevant individual.

Exceptions to this principle are provided in the same article. Accordingly, personal data may be transferred without requiring the express consent of the relevant individual:

  1. If one of the conditions mentioned in the 2nd paragraph of the Article 5 is met (the exceptions granted to processing personal data without express consent of the relevant individual);
  2. If one of the conditions mentioned in the 3rd paragraph of the Article 6 is met, provided that necessary measures are taken (the exceptions granted to processing confidential personal data without express consent of the relevant individual).

The provisions in other codes for transferring personal data to third parties are reserved.

In the meantime, transferring the personal data abroad is regulated in article 9, which shall also come into force on 7 October 2016.

Rights of the Individuals whose Personal Data is Processed:

Article 10 of the Code regulates the enlightenment responsibility of the data supervisor. Whilst obtaining the personal data, the data supervisor or the person authorized by him/her, shall inform the relevant individual on the following issues:

  1. Identity of the data supervisor and of the supervisor’s representative, if any;
  2. Purpose of the personal data processing;
  3. Who can obtain the processed data and for what reason;
  4. The method of gathering the personal data and the legal reason behind this gathering;
  5. Further rights of the relevant individual listed in article 11 of the Code.

Article 11, which shall come into force on 7 October 2016, regulates further rights of individuals. Some of the rights bestowed by this article are as follows:

  1. Getting information whether personal data is processed or not;
  2. If personal data is processed, then information regarding this processing;
  3. Learning the purpose of processing the personal data and if the processed data is being used according to that purpose;
  4. Information regarding the third parties inside and outside the country to whom the personal data is transferred;
  5. If the processed personal data is processed inaccurately or incompletely, requesting correction;
  6. Requesting the personal data to be erased or destroyed as per the conditions set forth in Article 7 of the Code.

Appeal and Complaint:

As per Article 13 of the Code, which shall come into force on 7 October 2016, relevant individuals can file their requests concerning the application of this Code to the data supervisor in written form or by other methods to be determined by the Committee. The data supervisor must respond to these requests free of charge as quickly as possible depending on the nature of the request and, in any case, within a maximum of 30 (thirty) days. However, if the transaction requires an extra cost, a fee may be charged in accordance with the tariff to be determined by the Committee.

The data supervisor must either accept or refuse the appeal by informing the relevant person in writing or electronically. If the data supervisor refuses the request, the ground for refusal shall be explained.

Article 14, which shall come into force on 7 October 2016, regulates complaints before the Committee. An individual may file his complaint before the Committee on the following conditions:

  1. The individual shall first apply to the data supervisor;
  2. Provided that the individual has applied to the data supervisor, one of the below mentioned conditions must be met:
    1. The application is dismissed or
    2. The reply for the application is insufficient or
    3. The application is not replied within 30 (thirty) days.

The relevant individual can file his/her complaint before the Committee within 30 (thirty) days after getting the reply of the data supervisor and in any case, within 60 (sixty) days after filing his/her application before the data supervisor.

Our Firm remains at your disposal for any further clarifications and assistance you may require.

Copyright© Cailliau & Colakel