The long-pending Law No.6698 on Protection of Personal Data (“Data Protection Law” or “Law”), which is Turkey’s first dedicated general law on data protection, was published in the Official Gazette on April 7, 2016 and fully entered into force as of October 7, 2016.
Background
Prior to the enactment of the Data Protection Law, the protection of personal data was regulated under different pieces of legislation such as the Constitution, the Turkish Civil Code and the Turkish Criminal Code, which will remain applicable alongside the Data Protection Law.
Adoption of a law on data protection had been on the Parliament’s agenda for over a decade due to Turkey’s efforts to harmonize its legislation with the acquis communautaire as a candidate country for European Union (“EU”) accession. However, legislative work in the Parliament gained new impetus as a result of developments in the political dialogue between Turkey and the EU, such that the Data Protection Law, which had been before Parliament as a draft since 2012, was finally enacted on April 7, 2016.
Scope of the Law and Definitions
The primary objective of the Data Protection Law is the protection of the fundamental rights and freedoms set forth under the Constitution, notably the right to privacy, and the regulation of the rules with regard to the processing of data and the duties of data processors.
The Data Protection Law applies to those real persons whose personal data is processed and to those real persons or legal entities who process such data. Its provisions apply to actors in both the public and private sectors.
Processing of data is broadly defined under the Law so as to cover any methodical practice relating to personal data, such as obtaining, recording, storing, modifying, reorganizing, disclosing, transferring, classifying and blocking.
Personal data is defined under the Law as any information relating to an identified or identifiable real person. The Parliamentary reasoning of the Law clarifies that personal data is not limited to certain information about individuals such as their name, surname, or date or place of birth, and includes all kinds of information pertaining to their physical, familial, economic or social characteristics. The term identified or identifiable refers to whether available data can be associated with an individual so as to identify him.
The term data processors refers to those real or legal persons that process data through data recording systems on the basis of the authorization granted by the data controller. Therefore, every company that stores, transfers or processes personal data relating to its customers, employees or business transactions falls within the scope of the Law regardless of the sector in which it operates. However, the finance sector (including banks, insurance companies, factoring and leasing companies), the telecommunications sector and the health sector are among the sectors that need to act more prudently due to the vast amount of personal data they handle.
The Law defines data controllers as real or legal persons that determine the objectives and means of processing and that are responsible for the establishment and management of the data recording system.
Sensitive personal data refers to an individual’s racial and ethnic origin, political opinion, philosophical beliefs, religious beliefs or other faiths, appearance, association, foundation or trade union memberships, health condition, sexual life, criminal convictions or security measures, and biometric information.
Processing and Protection of Personal Data
Personal data cannot be processed without the explicit consent of the data owner. Pursuant to the Parliamentary reasoning, the term explicit consent should be understood as the data owner’s consent beyond any doubt, given for that specific processing of his own free will and on the basis of adequate relevant information.
Nevertheless, it is possible to process personal data without the explicit consent of the data owner in the exceptional circumstances listed under the Law. Exceptions include circumstances where data processing is stipulated in laws, where the data has already been disclosed to the public by the data owner, or where processing is necessary for the establishment, exercise or protection of a right. In addition to the exceptions in which the need for the data owner’s explicit consent is lifted, the Law also provides that its provisions will not apply to certain circumstances listed under Article 28 of the Law. Accordingly, personal data can be processed by the National Intelligence Services and other intelligence units for their activities pertaining to national security, defence, public order and economic security.
The Law sets forth the principles and procedures to be applied to the processing of personal data and stipulates that personal data can only be processed provided that these principles and procedures are complied with. These principles require that the processing of personal data shall be:
- lawful and in conformity with the principles of good faith,
- accurate and up to date where necessary,
- made for specific, explicit and legitimate purposes,
- relevant, limited and in proportion with the purpose of processing, and
- stored no longer than necessary or for the time prescribed under relevant legislation.
Processing of Sensitive Data
Processing of sensitive data is subject to stricter rules, as the legislator foresees that the data owner may suffer or face discrimination as a result of its disclosure. Thus, the data controller is required not only to obtain the explicit consent of the data owner but also to take the necessary measures to be mandated by the data protection authority for the processing of sensitive data. However, the Law also provides exceptions for the processing of sensitive data in which the need for the data owner’s explicit consent is lifted. Accordingly, sensitive data, except for data relating to health and sexual life, can be processed without the explicit consent of the data owner provided that this is permitted by law. Data pertaining to health and sexual life can only be processed for the protection of public health, diagnosis, treatment, the provision of care services, and the planning, management and financing of health services.
Transfer of Personal Data
The Law envisages that personal data cannot be transferred to third parties or abroad without the data owner’s explicit consent. Nevertheless, certain circumstances in which personal data can be transferred to third parties or abroad without the data owner’s explicit consent are also set forth in the Law, in a similar way to the processing of personal data. However, for the transfer of data abroad, in addition to the data owner’s explicit consent, the recipient country must offer an adequate level of protection. Where such an adequate level of protection is not offered, the approval of the data protection authority as well as a written undertaking by the data controllers in both Turkey and the relevant country pertaining to the protection of the data to be transferred must be obtained. Countries offering adequate protection shall be announced by the Board[1] based on objective criteria stipulated under the Law. In addition to the foregoing, save for the relevant provisions of international agreements, the approval of the data protection authority will also be needed in the event that the transfer of personal data abroad would cause serious harm to the interests of the data owner or of Turkey.
Data Protection Authority
The Data Protection Law provides general provisions pertaining to the establishment and organisation of an independent national data protection authority (“Authority”) and a personal data protection board (“Board”) as its decision-making body. The Authority will be financially and administratively independent but will be affiliated with the Prime Ministry. The Authority undertakes general supervisory and regulatory tasks, which will include monitoring data controllers’ and processors’ compliance with the Law, dealing with complaints and imposing the sanctions set forth under the Law. However, the Board will not be the first resort for complaints. Accordingly, complaints will be submitted to data controllers in the first place and brought before the Board only if the data controllers fail to answer the application in due course or their answers are deemed to be inadequate.
The Authority shall establish a data controllers registry under the supervision of the Board, with which, in principle, all data controllers will be required to register. However, exemptions from this obligation may be introduced by the Board based on objective criteria such as the volume and nature of the processed data. Failing to comply with this obligation will lead to the imposition of an administrative fine of up to TL 1 million.
Transitional Period
The Law envisages a gradual entry into force and sets out obligations for the transitional period. Accordingly, data processors must ensure that all personal data processed prior to the publication of the Law complies with its provisions within two years of the date of publication of the Law, and personal data contrary to the Law must be erased, destroyed or anonymized immediately. Failing to comply with this obligation will result in the imposition of the administrative fines stipulated under the Law and even the relevant criminal penalties set forth under the Turkish Criminal Code. The Data Protection Law entered into force as of the date of its publication in the Official Gazette, apart from particular provisions pertaining to the complaint procedure, the transfer of data to third parties and abroad, and administrative fines and criminal penalties, which took effect six months thereafter.
What is next?
All of the provisions of the Law entered into force as of October 7, 2016. However, the Board has neither been able to establish the registry nor to enact the secondary legislation yet, as the Board was not established until December 2016[2]. Nonetheless, the provisions of the Law apply despite these delays, and failing to comply with the obligations under the Law will result in the imposition of administrative fines and the relevant criminal penalties as explained above.
In line with the foregoing, the provisions of the Law, notably those pertaining to the data controllers registry, the transfer of personal data and the imposition of administrative fines, are expected to be implemented by the Board in 2017.
[1] The list of countries has not been published yet. However, there is an understanding that the EU member states will be included in the list, as the Law has been prepared in line with the EU Data Protection Directive 95/46/EC.
[2] The meeting quorum of six was not met, as only five Board members had been appointed until the appointment of two other Board members on December 15, 2016. The Council of Ministers’ decision pertaining to the appointment of the remaining two Board members was also published in the Official Gazette on December 30, 2016.
This information is provided for your convenience and does not constitute legal advice. It is prepared for the general information of our clients and other interested persons. This should not be acted upon in any specific situation without appropriate legal advice. This information is protected by copyright and may not be reproduced or translated without the prior written permission of Ergün Avukatlık Bürosu.