Turkey is working at full speed to keep pace with continuous developments in technology, to set international standards and to draw up security requirements, especially on personal data.
Initial Step: The Enactment of the Convention
The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention”) came into force in Turkey in March 2016.
The purpose of the Convention is to secure fundamental rights and freedom of each and every individual, especially the ones relating to privacy on automatic processing of
How Should the Personal Data be Processed?
According to the Convention, personal data means any information relating to an identified or identifiable individual, and the term “automatic processing” includes the following operations if carried out in whole or in part by automated means: storage of data, carrying out of logical and/or arithmetical operations on those data and their alteration, erasure, retrieval or dissemination of them.
According to the Convention, personal data undergoing automatic processing must be obtained and processed fairly and lawfully; stored for specified and legitimate purposes and not used in a way incompatible with those purposes; adequate, relevant and not excessive in relation to the purposes for which they are stored; accurate and, where necessary, kept up to date. Such data must be maintained in a form which permits the identification of the data subject for no longer than is required for the purpose for which the data are stored.
Adaptation to the Domestic Law
According to the Convention, the parties to the Convention shall take appropriate security measures for the protection of personal data stored in automated data files against accidental or unauthorized destruction or accidental loss of the data, as well as against unauthorized access, alteration or dissemination. The Convention also mandates that the parties establish appropriate sanctions and remedies for violations of provisions of domestic law giving effect to the basic principles of data protection.
Personal data revealing racial origin, political opinions or religious or other beliefs, as well as personal data on individuals’ health or sexual lives, cannot be processed automatically unless domestic law provides appropriate protection measures.
The Convention provides that any person can obtain rectification or erasure of data relating to him/herself if such data has been processed in breach of the provisions of domestic law giving effect to the basic principles of the Convention. Furthermore, such a person can have a remedy if a request to exercise the aforementioned rights is not complied with.
Enactment of the Law in Turkey
While the Convention was signed in 1981, Turkey ratified it only in 2016, after making the necessary changes in its domestic law. Finally, the Law on Protection of Personal Data came into force on April 7, 2016 (“Law”). The aim and scope of the Law are in line with the Convention in general.
Consent Concept under the Law and under Comparative EU Legislation
Pursuant to Article 5 of the Law, the only possibility for processing personal data is obtaining the explicit consent of the person whose personal information will be collected and processed. The Law defines explicit consent as consent given for a specific issue with free will.
Similarly, the European Union’s legislation on personal data protection requires obtaining the explicit consent of the person whose personal data is to be processed. According to the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the Processing of Personal Data and on the Free Movement of such Data (“Directive 95/46/EC”), in order for consent to be considered explicit, it must have been given clearly by the data subject. Furthermore, when seeking the consent of a person to process his/her personal data, the data subject must be presented with the option of whether to give his/her consent to a “specific” case. It should also be noted that the subject matter must be specific for a person to give his/her consent for processing. This means that consents of data subjects provided in general, without considering any specific case, are not deemed to have been legally given.
Exceptions to the Explicit Consent
Article 5 of the Law provides certain exceptions to the “explicit consent” requirement, which in fact are in line with the exceptions provided under the Directive 95/46/EC. Those exceptions can be listed as (i) the data necessary for the lives or the physical integrities of individuals, which cannot be gathered directly from the relevant data subject, (ii) the data required to be processed belonging to the parties to a contract, provided that such data is relevant to the contract, and (iii) where other laws require so.
On the other hand, following an agreement reached on 15 December 2015 by the European Parliament, the Council and the Commission on data protection, aiming at a modern and harmonized data protection framework across the EU, the Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons With Regard to the Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or The Execution of Criminal Penalties, and on the Free Movement of such Data, and Repealing Council Framework Decision 2008/977/JHA (“Directive (EU) 2016/680”) came into force on 5 May 2016 and needs to be transposed by the Member States by 6 May 2018. The Directive (EU) 2016/680 provides a clear description of the consent to be obtained from natural persons, and also limits the collection and processing of the personal data of data subjects in favor of the individuals’ rights, introducing a limited interpretation of the “explicit consent” definition.
The Directive (EU) 2016/680 underlines the importance of sensitive data and limits the ability of competent authorities to collect and process it. Along with bringing a much broader sense to the term “sensitive data”, the Law also adds certain other elements to the definition of “sensitive”. Under Article 6 of the Law, sensitive data stands for specially qualified personal data. According to that article, personal data revealing information such as racial or ethnic origin, political or philosophical views, gender, religion, etc. are considered to be “specifically qualified personal data” and therefore cannot be processed without the explicit consent of the respective data subject. However, there are further exceptions to obtaining the explicit consent of individuals in terms of their sensitive data. In such cases, the precautions determined by the Personal Data Protection Council in Turkey (“Council”) must be taken.
Authorities, Features of the Newly Established Council
It is important to highlight that the Council, which has a substantial voice on the processing of personal data, was recently established on January 12, 2017. The Council is the decision-making body of the Personal Data Protection Institution, which is established in Ankara, the capital city of Turkey.
The Council plays a vital role, especially when personal data is to be transferred abroad. According to the Law, the Council decides which states have sufficient protection, and its specific approval is also sought by local and international authorities to process national data.
The Council is further competent to receive complaints, provided that the complaining parties have previously applied to the Data Responsible, who are entitled to determine the purpose of processing the personal data, and to monitor the public Data Responsible Registry, where the Data Responsible are obliged to be registered. Pursuant to the Law, no other body, institution, person, etc. can give directives, instructions or the like to the Council within the scope of its own assigned position.
International Data Transfer Samples: EU-US Privacy Shield
Considering the recent developments regarding the transfer of personal data between the EU and the USA under the agreement known as the EU-US Privacy Shield, which merely eases the collection and processing of the personal data transferred between them, it has become more important for Turkey to protect its own data. It is obvious that protecting personal data has become harder for states: it is well known that the EU-US Privacy Shield negotiations took more than a year and were eventually finalized on February 1, 2017. The transfer of such data should therefore be conducted within legal frames.
As the competent authority in Turkey for transferring national data abroad is the Council itself, the investigation, assessment and negotiations, where applicable, should be carried out intensively by the Council in order to protect both the citizens’ and the country’s substantial individual and/or collective data.