As we have indicated in our previous Client Alert dated 4 April 2016, Turkish Parliament finally passed the long-awaited Law on the Protection of Personal Data last week (the "Law"), following its ratification of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data numbered 108 ("Convention") last month.
On 7 April 2016, the Law has entered into force upon its publication in the Official Gazette. Whereas Turkish data protection law previously depended on scattered provisions of privacy in various codes and regulations, the Law will provide the general framework for the protection of personal data henceforth.
The Law follows the lead of the European Union and the Council of Europe, Directive 95/46/EC ("Directive") and the Convention in particular, and sets forth a similar mechanism primarily comprising data subjects, data controllers, data processors, and a data protection authority. In summary, prominent provisions are that it sets forth fundamental principles for data processing, makes a clear distinction between sensitive and non-sensitive personal data, establishes the conditions for data processing, addresses data security issues and transfer of data to third parties, and determines the rights of the data subjects and obligations of the data controllers.
Scope of the Law
The Law applies to natural persons whose personal data is processed, and natural or legal persons who process such data. "Processing" is defined broadly to cover virtually any methodical practice relating to personal data, whether it is automated or not.
There are certain cases where the Law will not be applicable. These include, among others, processing of personal data for the purposes of:
- research, planning and statistics or similar through anonymization;
- art, history, and literature or science, or within the scope of freedom of expression, provided that "national defence, national security, public safety, public order, economic safety, right to privacy or personal rights are not violated";
- national defence, public safety, public order or economic safety within the scope of preventive, protective and intelligence-related activities by authorized public institutions and organizations.
Definitions and General Principles
Referring back to the general mechanism that the Law adopts, there are four key players, namely the data subject, data controller, data processor and data protection authority. The definitions of those are the following:
Data subject is a natural person whose personal data is processed, and personal data is any information relating to an identified or identifiable natural person.
Data Controller is a natural or legal person who determines the purposes and means of the processing of personal data; and who is responsible for establishment and management of the data recording system which is a recording system through which personal data is processed by a certain structure.
Data processor is a natural or legal person who processes personal data based on the authority granted by and on behalf of the data controller.
Data Protection Authority: The Law stipulates the establishment of a national data protection authority whose decision-making body will be the Board of Protection of Personal Data (the "DPA").
Finally, the Law sets forth general principles to be complied with when data is processed. These principles require that personal data shall be
- in conformity with the law and good faith;
- accurate and if necessary, up to date;
- processed for specified, explicit, and legitimate purposes;
- relevant, limited and proportionate to the purposes for which they are processed;
- stored only for the time necessitated by the purpose for which it is collected or the time designated by relevant legislation.
Processing of Personal Data
Contrary to the grounds for lawfulness approach of the Directive, the Law adopts a rule and exception model, where it provides a general rule for processing and transfers, and then sets forth exceptions thereto.
Accordingly, the primary principle is that personal data shall only be processed with the explicit consent of the data subject. "Explicit consent" is defined under the Law as freely given informed and specific consent, which is the definition of regular "consent" under the Directive.
Pursuant to the Law, personal data can be processed without the explicit consent of the data subject in the following exceptional cases:
- If it is expressly permitted by any law;
- If it is necessary in order to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent;
- If it is necessary for and directly related to the execution or performance of a contract to which the data subject is party;
- If it is necessary for compliance with a legal obligation which the controller is subject to;
- If the relevant information is revealed to the public by the data subject herself/himself;
- If it is necessary for the institution, usage, or protection of a right;
- If it is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.
Processing of Sensitive Personal Data
Sensitive personal data is defined as "information related to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics" and its processing is subject to a stricter set of rules under the Law.
Accordingly, the data controller is not only required to obtain the explicit consent of the data subject but also to take adequate measures designated by the DPA. Nevertheless, consent requirement is not applicable in the following exceptional cases:
- Sensitive data, except for data concerning health and sexual life, can be processed if it is expressly permitted by any law;
- Data concerning health or sexual life can only be processed for the purposes of protection of public health, and planning or sustaining health-care services by an authorised body or persons who are under the obligation of confidentiality.
It is to be noted here that, in these cases, the data controller is still required to take the adequate measures designated by the DPA.
Transfer of Personal Data
The Law sets forth that personal data shall only be transferred abroad or to third parties in Turkey by obtaining the explicit consent of the data subject. The exception in this regard is that both non-sensitive and sensitive personal data can be transferred to third parties or abroad without the explicit consent of the data subject if one of the exceptional cases set forth under the processing of respective data is present. However, there are certain additional safeguards stipulated for transfers in these exceptional cases.
First, if sensitive personal data is being transferred to third parties in Turkey in accordance with an exceptional case, the receiving end of the transfer is additionally required to take the adequate measures designated by the DPA.
Second, if non-sensitive or sensitive personal data is being transferred abroad in accordance with an exceptional case, it is additionally required that
- the destination country must have an adequate level of protection, which is to be determined by the DPA; or
- both sides of the transfer must commit, in writing, to provide an adequate level of protection and the approval of the DPA must be obtained.
Finally, a controversial provision which was not present in the previous draft version of the Law, was introduced to the Law in the parliamentary discussions. Accordingly, "save for the provisions of international agreements", in cases where "interests of Turkey or the data subject will be seriously harmed", personal data may only be transferred abroad upon approval of the DPA. The preamble of this provision does not offer much explanation, and at this point, it is uncertain as to how it will be enforced.
Obligations and Administrative Fines
The Law imposes serious obligations on data controllers, some of which are, in summary, the following:
- To inform data subjects with regard to the data controller's identity, purpose, method, and legal ground of the processing, transfer of data to third parties, and the rights of the data subject (this might mean mandatory privacy policies for internet services), non-compliance of which results in an administrative fine of approx. €1,500 to €30,000;
- To ensure the security of the collected data, and to notify the DPA and the data subject of data breaches, non-compliance of which results in an administrative fine of approx. €5,000 to €310,000;
- To register with a publicly available Registry of Data Controllers ("Registry"), non-compliance of which results in an administrative fine of €6,000 to €310,000;
- To delete or anonymize outdated data, non-compliance of which is punishable by imprisonment pursuant to Article 138 of Turkish Criminal Code;
- To abide by the rights of the data subject and reply to the applications made by the data subject in 30 days;
- To comply with the decisions of the DPA, non-compliance of which results in an administrative fine of €8,000 to €310,000.
The Law stipulates a gradual entry into force and establishes transitional period obligations, some of which are summarized below.
Accordingly, the articles relating to the transfer of data, rights of the data subject, Registry, administrative fines, and criminal penalties will enter into force after six months. Further, data controllers must register with the Registry in accordance with the timeline announced by the DPA and make sure that the personal data they processed before the entry into force of the Law is compliant within two years.
Finally, the consents that are lawfully obtained before the entry into force of the Law shall be deemed to be valid, provided that they are not revoked within one year following the effective date.