Summary: This article provides information on the Law on the Protection of Personal Data numbered 6698, some articles of which have come into force on 7 April 2016. The mentioned law applies to real persons whose personal data is processed, as well as to real persons or legal entities that process such data fully or partially through automatic or non-automatic means.
- Purpose and Scope
The concept of protection of personal data in Turkey is based on the paragraph added to the Turkish Constitution on September 12, 2010 with the Act No. 5982. The last paragraph of Article 20 states that “Everyone has the right to request the protection of his/her personal data. This right includes being informed of, having access to and requesting the correction and deletion of his/her personal data, and to be informed whether these are used in consistency with envisaged objectives. Personal data can be processed only in cases envisaged by law or by the person’s explicit consent. The principles and procedures regarding the protection of personal data shall be laid down in law.”
The Law on the Protection of Personal Data numbered 6698 (the “Law”) was published on the Official Gazette dated 7 April 2016 and numbered 29677. The Law provides the basis of the right stipulated under article 20 of the Turkish Constitution.
The Law was enacted for the protection of right to privacy, as well as other fundamental rights and freedoms, in processing of personal data by real persons and legal entities. It provides principles and procedures to be followed by such persons or entities which process and hold personal data.
Provisions of this Law apply to real persons whose personal data is processed as well as to real person or legal entities that process such data fully or partially through automatic or, provided that it is a part of any data recording system, non-automatic means.
2. Definition of Personal Data and Processing of Personal Data
Personal Data has been defined as all kinds of information concerning an identified or identifiable real person.
Processing of personal data, as defined under Article 3 of the Law, includes all kinds of processes on data such as obtaining, recording, storing, protecting, changing, reorganizing, disclosing, transferring, acquiring, making available, classifying or LAW ON THE PROTECTION OF PERSONAL DATA preventing use of personal data fully or partially through automatic or nonautomatic means.
- Data Supervisors
The Law defines real persons or legal entities that determine the purposes and means of processing personal data and who are in charge of setting up and managing the data recording systems, as well as ensure lawful protection of the personal data as Data Supervisors.
Upon the receipt of personal data, the Data Supervisor is obliged to provide certain information to the concerned persons:
- identity of the Data Supervisor and, if any, their representative,
- purpose of processing the personal data,
- to whom and why the processed personal data may be transferred,
- the method and legal reason of collecting personal data.
Moreover, the Law grants every person the right to request certain information in relation to their own personal data from the Data Supervisor. The concerned person may:
- obtain information on whether their personal data has been processed;
- if processed, request information concerning such processing,
- obtain information on the purpose of processing personal data and whether the processed data is used for this purpose,
- be informed of the third persons to which the personal data is transferred within and out of the country,
- if the personal data is processed incompletely or incorrectly, request correction thereof,
- request deletion or disposal of personal data in compliance with the conditions stipulated in Article 7,
- request notification of processes concerning the correction and deletion/disposal of personal data to the third persons to whom the personal data is transferred,
- object to any adverse result arising as a consequence of analysis of processed data solely by means of automatic systems,
- request compensation of damages arising out of unlawful processing of personal data.
- The Personal Data Protection Institution and the Board
The Law also provides for the establishment of the Personal Data Protection Institution (the “Institution”) as an independent governmental institution.
The main managing body of the Institution is the Board, whose duties include reviewing and resolving infringement claims regarding personal data protection, keep the registry of Data Supervisors, ensuring the protection of personal data pursuant to the Law and imposing administrative sanctions as provided under the Law.
The Law stipulates that the Board will be established within 6 months from the publication date of the Law.
- Conditions for Processing of Personal Data
Pursuant to Article 5 of the Law, personal data cannot be processed without the express consent of the concerned person. However, the Law has provided certain exceptions to this rule where such consent is not sought:
- where an exception is expressly stipulated by law;
- where it is necessary for the protection of a person’s life or bodily integrity, provided that such person cannot express his/her consent due to an actual impossibility or his/her consent is not deemed to be legally valid;
- where processing of personal data is required in relation to the parties to a contract, provided that it is directly related to drawing up or enforcement of the contract;
- where it is required for the fulfilment of the statutory liabilities of a Data Supervisor;
- where the data has already been made public by the concerned person;
- where processing personal data is required for the establishment, usage or protection of a right;
- without prejudice to the fundamental rights and freedoms of the concerned person, where processing personal data is required for legitimate interests of the Data Supervisor.
- Special Personal Data
The Law has identified certain personal data such as the race, ethnicity, political view, philosophical belief, religion, sect and other beliefs, attire, membership to an association or syndicate, medical condition, sexual life, criminal records and, biometric and genetic data of a person as “Special Personal Data”.
The processing of Special Personal Data is not allowed without the express consent of the concerned person. However, certain exceptions have been provided to this rule. Certain exceptions for Special Personal Data regarding a person’s medical condition and sexual life are specified under the Law. On the other hand, exceptions for other types of Special Personal Data are not listed thereunder, the Law simply makes reference to exceptions under other laws which stipulate that express consent of the person is not required to process Special Personal Data.
Personal data concerning medical condition and sexual life of a person may be processed without express consent of the concerned person for the purposes of protection of public health, performance of preventive medicine, medical diagnosis, treatment and care services, and planning and management of health services and financing thereof. In any event, the processing of such data may only be undertaken by persons or authorized bodies and entities who are subject to a confidentiality obligation, such as medical authorities and personnel.
7. Deletion, disposal or anonymization of personal data
The personal data may be deleted, disposed of or anonymized provided that the underlying reasons for the processing of such personal data have been extinguished.
Apart from the deletion and disposal of personal data, the Law has provided an alternative method in which the personal data is “anonymized” by modifying the data in a way that it cannot be linked to an identifiable person in any manner whatsoever. The Law does not identify the methods for the deletion and anonymization of personal data, it is stipulated that these will be specified under future regulations.
- Transference of Personal Data
As a general rule, personal data cannot be transferred without the express consent of the relevant person. This general rule applies for transfers within Turkey as well as international transfers.
The exceptions set out for the consent requirement regarding the processing of personal data stipulated under article 5.2 and for Special Personal Data specified under article 6.3 are also determined as exceptions for the consent requirement regarding the transference of personal data. In the event that the transfer is going to be made to another country, the country must be one of the countries recognized by the Board of the Institution or an undertaking must be submitted by the foreign Data Supervisors and a permission must be obtained from the Board.
9. General Exceptions
Article 28 of the Law provides certain exceptions to the application of the Law. The most significant of these exceptions is stated under article 28.3, which states that the provisions of the Law shall not apply where the personal data is processed by authorized public bodies within the scope of their activities regarding security and intelligence with the purpose of establishing national security, public security, national defence, public order or economic safety.
Processing with an artistic, historical, literary or scientific purpose is also provided as an exception to the application of the Law, provided that doing so does not infringe personal rights, right of privacy, national security, national defence, public safety, public order and economic safety.
- Entry into Force and Integration
All personal data which had been processed prior to the publication date of the Law shall be brought in compliance with the provisions of the Law within 2 years. Otherwise, they shall be deleted, disposed or anonymized pursuant to the Law.
Unless there is any declaration to the contrary within 1 year from the publication of the Law, all consents lawfully obtained prior to the date of publication of the Law shall be deemed as valid.
Pursuant to Article 32, the Law shall enter into force on the date of its publication, which is 7 April 2016. However, it has been stipulated that the below provisions enter into force 6 months after the date of publication:
- Article 8: Transference of personal data
- Article 9: Transference of personal data to foreign countries
- Article 11: Rights of the concerned person
- Article 13: Applications to the Data Supervisor
- Article 14: Complaints to the Board
- Article 15: The procedure of the investigation to be made upon a complaint
- Article 16: Registry of Data Supervisors
- Article 17: Criminal Acts
- Article 18: Offenses and Penalties