Personal Data Protection Law

LEGAL LIABILITY ARISING FROM FAILURE TO PROTECT THE PERSONAL DATA

Personal Data Concept

 

The Turkish Personal Data Protection Law defines personal data as all kinds of information related to a real person whose identity is certain or identifiable.

In this context, data such as the name, surname, telephone number, vehicle license plate, identity number, social security number, passport number, resume, image and voice records, fingerprints and genetic information, which enable the exact identification of a person, are considered personal data.

Processing of Personal Data

Any operation performed on personal data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosure, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that it is part of any data recording system, is considered as the processing of personal data.

Any activity carried out in the process of deleting, destroying or anonymizing personal data after it is collected in the specified manner is also considered processing of personal data within the scope of the Turkish Personal Data Protection Law.

At almost every moment of our daily lives we encounter the collection and processing of our personal data, for example when buying tickets to travel, staying in a hotel, receiving treatment in the hospital, registering at school, filling out a membership card or applying for a new job.

The Law defines all kinds of operations on personal information, such as receiving, recording, storing, changing, using and transferring it, as the processing of personal data.

According to the Law, the following principles must be followed in the processing of personal data (Article 4 of the Turkish Personal Data Protection Law):

a) Compliance with the law and good faith.

b) Being accurate and up to date.

c) Processing for specific, explicit and legitimate purposes.

d) Being relevant, limited and proportionate to the purpose for which they are processed.

e) Being stored for the necessary time for the purpose of processing.

Legal Regulations on Personal Data Protection in Turkish Law

In the article 20 of the Turkish Constitution:

Privacy of private life

“Everyone has the right to demand respect for his/her private and family life. Privacy of private or family life shall not be violated. Unless there exists a decision duly given by a judge on one or several of the grounds of national security, public order, prevention of crime, protection of public health and public morals, or protection of the rights and freedoms of others, or unless there exists a written order of an agency authorized by law, in cases where delay is prejudicial, again on the above-mentioned grounds, neither the person, nor the private papers, nor belongings of an individual shall be searched nor shall they be seized. The decision of the competent authority shall be submitted for the approval of the judge having jurisdiction within twenty-four hours. The judge shall announce his decision within forty-eight hours from the time of seizure; otherwise, seizure shall automatically be lifted. Everyone has the right to request the protection of his/her personal data. This right includes being informed of, having access to and requesting the correction and deletion of his/her personal data, and to be informed whether these are used in consistency with envisaged objectives. Personal data can be processed only in cases envisaged by law or by the person’s explicit consent. The principles and procedures regarding the protection of personal data shall be laid down in law.”

In the Turkish Penal Code No. 5237, crimes related to personal data are regulated between articles 135 and 140.

Art. 135 “Recording of personal data”,

Art. 136 “Unlawfully giving or obtaining data”,

Art. 138 “Destroying data”.

Comprehensive regulation of personal data came with the Turkish Personal Data Protection Law (effective as of April 7, 2016). As stated in the first article of the Law, the purpose of this Law is to “protect the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data, and to regulate the obligations of natural and legal persons who process personal data and the procedures and principles to be followed.”

The scope of this Law is stated in the second article: “It applies to natural persons whose personal data are processed and to natural and legal persons who process this data fully or partially automatically or non-automatically provided that they are part of any data recording system.”

The Law thus applies to natural persons whose personal data are processed and to natural and legal persons who process such data, whether the data are processed automatically or by non-automatic means, provided that the processing is part of any data recording system. There is no distinction between the public and private sectors in terms of the implementation of the Law, and the procedures and principles it regulates apply in both sectors.

Scope of Turkish Personal Data Protection Law

It is understood that the Law will only be applied to data related to natural persons, since the first article of the KVKK refers to “real persons whose personal data are processed”. Data related to legal entities are not within the scope of this Law. The provisions of the law regarding the processing of personal data do not apply to personal data that are physically recorded and that are not part of the data recording system. Within the scope of Article 28 of Turkish Personal Data Protection Law, a dual distinction was made as “issues that are completely out of scope” or “issues that are partially out of scope”.

The Law does not apply at all to matters that are completely out of scope; in cases that are partially out of scope, only some articles of the Law (clarification obligation, rights of the data owner and registration in the registry of data controllers) are not applied.

ARTICLE 28

(1) The provisions of this Law shall not be applied in the following cases where:

a) personal data are processed by natural persons within the scope of purely personal activities of the data subject or of family members living together with him/her in the same dwelling provided that it is not to be disclosed to third parties and the obligations about data security are to be complied with.

b) personal data are processed for official statistics and provided that they are being anonymized for purposes such as research, planning and statistics.

c) personal data are processed with artistic, historical, literary or scientific purposes, or within the scope of freedom of expression provided that national defence, national security, public security, public order, economic security, right to privacy or personal rights are not violated or the process doesn’t constitute a crime.

ç) personal data are processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorised and assigned by law to maintain national defence, national security, public security, public order or economic security.

d) personal data are processed by judicial authorities or execution authorities with regard to investigation, prosecution, judicial or execution proceedings.

(2) Provided that it is in compliance with and proportionate to the purpose and fundamental principles of this Law, Article 10 regarding the data controller’s obligation to inform, Article 11 regarding the rights of the data subject, excluding the right to claim compensation, and Article 16 regarding the obligation to register with the Data Controllers’ Registry shall not be applied in the following cases where personal data processing:

Obligations of the Data Controller

Under Article 10 of the Turkish Personal Data Protection Law, the data controller is obliged to provide the following information to the data owner, personally or through the person he/she has authorized, during the acquisition of personal data:

ARTICLE 10 – (1) At the time when personal data are obtained, the data controller or the person authorised by it is obliged to inform the data subjects about the following:

a) the identity of the data controller and of its representative, if any,

b) the purpose of processing of personal data;

c) to whom and for which purposes the processed personal data may be transferred,

ç) the method and legal basis of collection of personal data,

d) other rights referred to in Article 11.

Rights of The Data Subject

ARTICLE 11 – (1) Each person has the right to request to the data controller about him/her;

a) to learn whether his/her personal data are processed or not,

b) to demand information if his/her personal data have been processed,

c) to learn the purpose of the processing of his/her personal data and whether these personal data are used in compliance with the purpose,

ç) to know the third parties to whom his personal data are transferred in country or abroad,

d) to request the rectification of the incomplete or inaccurate data, if any,

e) to request the erasure or destruction of his personal data under the conditions referred to in Article 7,

f) to request reporting of the operations carried out pursuant to sub-paragraphs (d) and (e) to third parties to whom his/her personal data have been transferred,

g) to object to the occurrence of a result against the person himself/herself by analyzing the data processed solely through automated systems,

ğ) to claim compensation for the damage arising from the unlawful processing of his/her personal data.

Data Controllers’ Registry

ARTICLE 16 – (1) Under the supervision of the Board, the Data Controllers’ Registry shall be kept by the Presidency and be made publicly available.

(2) Natural or legal persons who process personal data shall register with the Data Controllers’ Registry prior to the start of data processing. However, by taking into account the objective criteria set by the Board such as the nature and quantity of the data processed, that data processing is laid down in a law, or transferring the data to third parties, the Board may provide derogation from the obligation of registration with the Data Controllers’ Registry.

(3) Application for registration with the Data Controllers’ Registry shall be made with a notification including:

a) The identity and address of the data controller and of its representative, if any,

b) The purpose for which the personal data will be processed,

c) The explanations relating to group(s) of persons subject to the data and the data categories of these persons,

ç) The recipients or groups of recipients to whom the personal data may be transferred,

d) The personal data which are envisaged to be transferred abroad,

e) The measures taken concerning the security of personal data.

f) The maximum storage period necessary for the purpose for which personal data are processed.

(4) Any changes in the information given pursuant to the third paragraph shall be immediately notified to the Presidency.

(5) Other procedures and principles relating to the Data Controllers’ Registry shall be laid down through a by-law.

Right of Application and Complaint regarding the Protection of Personal Data

Within the scope of Article 13 of the Turkish Personal Data Protection Law, applications proceed in two stages. Those concerned shall first submit their applications to the data controllers in writing or by other methods to be determined by the Personal Data Protection Board.

The data controller who receives this request shall conclude it as soon as possible and within thirty days at the latest, free of charge or, if the process requires an additional cost, in return for a fee charged according to the tariff determined by the Personal Data Protection Board. The data controller is to accept the request or reject it with a stated reason, and to notify the person concerned of its answer.

If the data controller accepts the request, he/she has to fulfil it. If the data controller is at fault regarding the request of the person concerned regarding the implementation of the Law, the fee charged is returned to the person concerned. Within the scope of Article 14 and Article 15 of the Turkish Personal Data Protection Law, persons whose application to the data controller is rejected, who find the response insufficient, or whose application is not answered in due time have the right to complain to the Personal Data Protection Board.

It is not possible for the persons concerned to file a complaint directly with the Personal Data Protection Board without applying to the data controller.

The compensation rights of the persons whose personal rights are violated within the scope of the processing of their personal data are reserved according to the general provisions.

Since the application is mandatory and the complaint is optional, it will be possible for the person whose application is rejected implicitly or explicitly, to file a complaint with the Personal Data Protection Board on the one hand, and directly go to the judicial or administrative jurisdiction on the other.

The period stipulated for the person concerned to file a complaint with the Personal Data Protection Board is thirty days from the date he/she learns of the data controller's reply, and in any case sixty days from the date of application.

However, there is no need for a complaint from the person concerned in order for the Personal Data Protection Board to conduct an investigation.

The Personal Data Protection Board is to respond at the end of the examination carried out upon the complaint; if no response is given within sixty days from the date of the complaint, the request is deemed rejected.

Accordingly, when the sixty-day period from the date of the complaint has elapsed, the period of filing a lawsuit in the administrative jurisdiction will begin.

If the Personal Data Protection Board, upon a complaint or ex officio review, concludes that the provisions of the Law have been violated, it decides that the unlawful violations it detects will be corrected by the relevant data controller and notifies the relevant parties of the decision.

This decision shall be implemented without delay and within thirty days following the notification. If, upon a complaint or ex officio review, the Personal Data Protection Board determines that the illegal practice is widespread, it takes a decision of principle on the matter after obtaining the opinion of the relevant institutions and organizations, and this decision is published. In addition, the Board is authorized to decide to stop the processing of data or the transfer of data abroad before the final decision, where damages that are difficult or impossible to repair would arise and the processing is clearly unlawful. Those concerned may file lawsuits in administrative courts against the decisions taken by the Board.

What is the Penalty for Not Following the Law?

Where personal data are unlawfully recorded, transferred, disseminated or seized, or are not destroyed although their retention period has expired or their destruction is otherwise required, these crimes related to personal data are, within the scope of Article 17 of the Turkish Personal Data Protection Law, punished with prison sentences ranging from 1 to 6 years according to the provisions of Articles 135 – 140 of the Turkish Penal Code. (Articles 135 to 140 of Turkish Penal Code No. 5237 of 26/9/2004 shall be applied to the crimes concerning personal data.) If crimes within this scope are committed by legal persons, security measures will be applied to them. These decisions can be appealed to the higher courts. Investigation and prosecution of the crimes under Art. 135, 136 and 138 of Turkish Penal Code No. 5237 do not depend on a complaint.

Misdemeanours

ARTICLE 18 – (1) For the purposes of this Law;

a) Those who do not fulfil the obligation to inform provided for in Article 10 shall be required to pay an administrative fine of 5.000 to 100.000 TL,

b) Those who do not fulfil the obligations related to data security provided for in Article 12 shall be required to pay an administrative fine of 15.000 to 1.000.000 TL,

c) Those who do not fulfil the decisions issued by the Board pursuant to Article 15 shall be required to pay an administrative fine of 25.000 to 1.000.000 TL,

ç) Those who act contrary to the obligations for registry with the Data Controllers’ Registry and for notification provided for in Article 16 shall be required to pay an administrative fine of 20.000 to 1.000.000 TL.

(2) The administrative fines provided for in this article shall be applied to the natural persons and the private law legal persons who are the data controllers.

(3) In the event that the actions listed in the first paragraph be committed within the public institutions and organizations as well as the public professional organizations, the disciplinary provisions shall be applied to the civil servants and other public officers employed in the relevant public institutions and organisations and those employed in the public professional organizations upon the notice of the Board and the result is reported to the Board.

In summary, in accordance with the Turkish Personal Data Protection Law No. 6698, data controllers are obliged to register with the Data Controllers Registry. The Data Controllers Registry is kept in the Data Controllers Registry Information System (VERBIS) and all Registry transactions are carried out through VERBIS. Registration for VERBIS can only be done online.

You can contact our office for opinions from our lawyers, who are experts in the Turkish Personal Data Protection Law and relevant regulations, and for legal support regarding the application, complaint and litigation process against both penal and administrative sanctions on the protection of personal data as stated above.