A Short Brief

Turkish Data Protection Act no.6689 which is recently entered into force on 7th April, 2016 includes provisions on how data shall be processed. The main rule is to process personal data with the knowledge or consent of the data subject. However there are exceptions to this rule cited in article 5. Our aim is to closely investigate how article 5(f) "legitimate interest" exceptions shall be interpreted. The rule provides that personal data may be processed if processing is necessary for the purposes of the legitimate interests pursued by the controller except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject. Unlike the other exceptions, legitimate interest of the controller is more convenient to be enforced broadly. There is no explicit explanation according to the Act no.6689, therefore in order to understand the concept of this rule we shall understand reference provisions; European Union Law.

Before Turkish Protection of Personal Data Act enters into force, Directive 95/46/EC of the European Parliament and of the Council have already include the "legitimate interest" exeption. Article 7(f) states that Member States shall provide that personal data may be processed only if; "(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1)."

Article 29 Data Protection Working Party has announced an opinion on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC on 9 April 20141. Working Party states that 'Interests' and 'rights' should be given a broad interpretation. Therefore Working Party states that the article provides more protection for the data subject, namely it requires the data subjects' 'interests' to be also taken into account, not only his or her fundamental rights and freedoms. The clear message is nevertheless that all relevant interests of the data subject should be taken into account. The nature of the data and the way it is processed is effective to the impact on data subject. Article 7(f) aims to protect data subjects from disproportionate impact. Therefore it is expected that data subject shall have some impact but it shall be balanced with the interest of the controller.

According to the Working party an interest can be considered as legitimate as long as the controller can pursue this interest in a way that is in accordance with data protection and other laws. In other words, a legitimate interest must be 'acceptable under the law'

In Order To Be Relevant Under Article 7(f), A 'Legitimate Interest' Must Therefore:
  • be lawful (i.e. in accordance with applicable EU and national law);
  • be sufficiently clearly articulated to allow the balancing test to be carried out against the interests and fundamental rights of the data subject (i.e. sufficiently specific);
  • represent a real and present interest (i.e. not be speculative).

The controller has the responsibility to evaluate whether it has a legitimate interest. The controller will first define the legitimate interest and make the balancing test. A company considering involving in a new business and collecting personal data in that relevant market shall not present a legitimate interest because the interest of the controller is prospective, unlikely to happen and speculative. However, a private business interest of a company may coincide with a public interest to some degree. This may happen, for example, with regard to combatting financial fraud or other fraudulent use of services.

Working Party recommends that controllers explain to data subjects in a clear and user-friendly manner, the reasons for believing that their interests are not overridden by the interests or fundamental rights and freedoms of the data subjects, and also explain to them the safeguards they have taken to protect personal data, including, where appropriate, the right to opt out of the processing. In some cases be a valid alternative to inappropriate use of, for instance, the ground of 'consent' or 'necessary for the performance of a contract or other exceptions under article 7 of the Directive.

The context below shall be considered as the controller define its legitimate interest.

  • Consider the nature and source of the legitimate interest, and the impact on data subjects on the other hand. Is data processing is necessary for a fundamental right? Is otherwise in the public interest or benefits from social, cultural or legal/regulatory recognition in the community concerned? Is the nature of the data considered sensitive or obtained from publicly available sources?
  • Decide whether the legitimate interest prevails over the rights and interests of the data subjects.
  • Consider additional safeguards to prevent undue impact on the data subjects. For example; data minimization, 'functional separation' (technical and organizational measures to ensure that the data cannot be used to take decisions or other actions with respect to individuals), use of anonymization techniques, aggregation of data, privacy-enhancing technologies, privacy by design, privacy and data protection impact assessments.
  • Moreover there are three issues often plays a crucial role in the context of "legitimate interest" exception; increased transparency, general and unconditional right to opt-out, data portability and related measures to empower data subjects (data subjects may modify their own data). These are very important in connection with the safeguards - and the overall assessment of the balance.

It is possible to encounter some examples in business. For example the employer monitors internet use during working hours by employees to check they are not making excessive personal use of the company's IT. The data collected include temporary files and cookies generated on the employees' computers, showing websites visited and downloads performed during working hours. The data is processed without prior consultation of data subjects and the trade union representatives or work council in the company. There is also insufficient information provided to the individuals concerned about these practices.

The amount and nature of the data collected represents a significant intrusion into the private life of the employees. In addition to proportionality issues, transparency about the practices, closely linked to the reasonable expectations of the data subjects, is also an important factor to be considered. Even if the employer has a legitimate interest in limiting the time spent by the employees visiting websites not directly relevant to their work, the methods used do not meet the balancing test of Article 7(f). The employer should use less intrusive methods (e.g. limiting accessibility of certain sites), which are, as best practice, discussed and agreed with employees' representatives, and communicated to the employees in a transparent way.

In conclusion

Article 7(f) should not be seen as a legal ground that can only be used sparingly to fill in gaps for rare and unforeseen situation as 'a last resort' - or as a last chance if no other grounds may apply. Nor should it be seen as a preferred option and its use unduly extended because it would be considered as less constraining than the other grounds. Rather, it is as valid a means as any of the other grounds for legitimizing the processing of personal data.

As explained in article 7(f) Directive 95/46/EC and article 5(f) Turkish Data Protection Act are in the same direction. Therefore in order to assess how to apply legitimate interest exception in Turkey; we shall understand the dynamics of EU Law. The provision is very broad and to be on the safe side the data controllers shall examine in detail that processing data is highly important for the company. Otherwise the operations will be deemed unlawful and consequently administrative sanctions may be imposed to the company, and for the respective employees and the managers may be punished.


1. http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.