The Turkish Parliament has finally passed the long-awaited Law on the Protection of Personal Data, which sets forth the general framework on data protection. The law currently awaits presidential approval before being published in the Official Gazette. Meanwhile, we would like to provide an overview of the data protection landscape in Turkey before the framework data protection law enters into force.
At present, the Turkish data protection landscape comprises various provisions scattered among diverse codes and regulations, and the interpretation thereof by the courts. The following is an overview of the said legislation and the prominent jurisprudence.
Personal information is not defined under the current laws; however, based on Constitutional Court and Supreme Court decisions,¹ it is understood as any information relating to an identified or identifiable individual.
The backbone of Turkish data protection law is the following Article 20/III of the Turkish Constitution:
Everyone has the right to request the protection of her/his personal data. This right includes being informed of, having access to and requesting the correction and deletion of her/his personal data, and to be informed whether these are used in consistency with envisaged objectives. Personal data can be processed only in cases envisaged by law or by the person's explicit consent. The principles and procedures regarding the protection of personal data shall be laid down in law.
Whether the term "everyone" in the text covers legal entities or refers only to natural persons was addressed by the Constitutional Court in its decision dated 2014.² The court concluded that, even though it is plausible that the article is meant to cover natural persons, because the term used in the text is "everyone", all persons including legal entities have the right to protection of personal data. It should be noted that the scope of the framework law is expressly limited to natural persons, and therefore this particular interpretation of the Constitutional Court will not be applicable to the framework law.
Turkish Civil Code
The Turkish Civil Code numbered 4721 is a primary general law that grants personal rights, which embody the right to privacy and, as a consequence, the protection of personal data. Violation of personal rights is stated to be unlawful unless justified by the consent of the person whose right has been violated, by a superior private or public benefit, or by authority granted by law. In cases of such unlawful violation, persons have a right to request protection from a judge and a right to compensation.
Turkish Penal Code
The Turkish Penal Code numbered 5237 ("TPC") provides that any person who unlawfully records personal data shall be punished with imprisonment from one to three years. The term "unlawfully" in the code, read in conjunction with the Constitution and the Turkish Civil Code, primarily refers to the requirement of express consent of the data subject in the particular case of data protection.
The TPC also addresses unlawful processing of sensitive personal information; however, the penalty is currently the same as for non-sensitive information. After the entry into force of the framework law, this will also change, as the TPC will be amended to include a more severe penalty for unlawful processing of sensitive data.
The preamble of the article explains that how data is collected (i.e. analogue or digital) is not relevant in terms of the act, and therefore, it is important to note here that this provision is applicable to the collection of personal data over the internet or other mediums as well.
TPC further prohibits the illegal transfer, dissemination or collection of personal data. Such acts are punishable by imprisonment from two years to four years. Moreover, individuals who are responsible for deletion of personal data following the expiry of a retention period can be imprisoned from one year to two years if they fail to comply with their responsibility to delete.
A final point on the TPC is that the confidentiality of the information is not relevant and has no bearing on personal data under the TPC. As interpreted by the Supreme Court General Assembly of Criminal Chambers, the legal interest at stake in the recording of personal data is not only the confidentiality of the information but also personal rights.³
Turkish Code of Obligations and Labour Code
The Turkish Code of Obligations numbered 6098 imposes a duty on employers with regard to personal data of employees. Accordingly, an employer can use personal information of an employee only to the extent it is related to the employee's aptitude to work or where it is necessary for the execution of her/his agreement.
Furthermore, the Labour Code numbered 4857 imposes a further duty on the employer with regard to the personnel file of the employee. Accordingly, the employer shall use the information she/he has obtained from the employee in accordance with the principles of good faith and the law, and shall not disclose information that the employee has a justifiable interest in keeping secret.
In addition to the foregoing, there is sector-specific legislation on data protection covering, inter alia, the sectors of banking, finance, electronic communication, e-commerce and the main actors of the internet (content providers, hosting providers and access providers). For the purposes of this overview, these will not be addressed in this article.
In this final section, we would like to provide a glimpse of the future by summarizing the key points of the framework law.
The framework law follows the lead of the European Union and the Council of Europe, Directive 95/46/EC and the Convention numbered 108 in particular, and sets forth a similar mechanism primarily comprising data subjects, data controllers, data processors, and a data protection authority.
In summary, prominent provisions are that it sets forth fundamental principles for data processing, makes a clear distinction between sensitive and non-sensitive personal data, establishes the general rule that explicit consent of the data subject is a prerequisite for data processing, addresses data security issues and transfer of data abroad, and determines the rights of the data subjects and obligations of the data controllers.
1 Supreme Court General Assembly of Civil Chambers. Decision dated 17.6.2015, numbered E:2014/56 K. 2015/1679; Constitutional Court. Decision dated 12.11.2015, numbered E. 2014/196 K. 2015/103.
2 Constitutional Court. Decision dated 4.12.2014, numbered E.2013/84 K. 2014/183.
3 Supreme Court General Assembly of Criminal Chambers. Decision dated 17.6.2014, numbered E. 2012/1510 K. 2014/331.