The Personal Data Authority has released a guideline following the decision of the Personal Data Protection Board. This guideline focuses on the processing of Turkish ID numbers, particularly when other methods can be used to identify individuals. Even though the Authority considers direct processing non-compliant with the Personal Data Protection Law, the guideline aims to provide clear methods and principles for handling Turkish ID numbers to ensure lawful processing under the law.
The Board reviewed the use of Turkish ID numbers, focusing on a situation where a data controller offers meal card services through a mobile app. The Board highlighted that, although Turkish ID numbers are generally considered personal data, they have a special importance, exceeding that of other personal data categories. This is because a data breach involving Turkish ID numbers could potentially cause more harm to the individuals affected.
The Board's decision emphasized that the same goal could be achieved by using different personal data, which would be less restrictive on individuals' rights, making the processing of Turkish ID numbers unnecessary. The Board found the processing of Turkish ID numbers to be against the general principles outlined in the law, specifically the principles of relevance, limitation, and proportionality in handling personal data. This decision is crucial for following these principles, preventing unnecessary risks, and safeguarding the rights and privacy of data subjects.
Even though Turkish ID numbers are not considered sensitive data according to the law, the Guideline underscores their importance. This is because there is a risk of revealing other personal information linked to these ID numbers during processing, as indicated by the Board. The Guideline stresses adherence to the general principles in the law, noting that data should be processed only for its intended purpose. It advises against including data that is irrelevant or that is kept only because it might be useful for future needs.
The Authority disapproves of directly handling Turkish ID numbers, pointing out issues with relevance, limitation, and proportionality in data processing. The Guideline states that directly processing Turkish ID numbers is seen as excessive, especially when less invasive methods like using phone numbers in mobile apps are an option. The Guideline suggests considering alternative, less intrusive methods for identification purposes.
The Guideline offers a detailed plan for data subjects, data controllers, and data processors, giving guidance on situations explicitly governed by existing laws. Handling Turkish ID numbers requires a careful approach. For instance, one situation where direct processing is needed is outlined in the Turkish Commercial Code, which requires shareholders to show their Turkish ID cards at company general assembly meetings.
Overall, the Authority aims to guide data subjects, controllers, and processors, stressing the importance of informed decision-making when dealing with Turkish ID numbers. The Authority, through the Guideline, emphasizes that not considering proportionality and necessity in the direct processing of Turkish ID numbers may go against established data protection principles.
Originally published by The Legal Industry Reviews
© Kolcuoğlu Demirkan Koçaklı Attorneys at Law 2020