Turkey: Current Debates On Personal Data Protection; What Extent Does The Law Apply To Foreign Data Controllers?

Last Updated: 10 November 2017
Article by Serkan İçtem and Berna Aşık Zibel

The first anniversary of the Law on Protection of Personal Data No. 6698 ("Law") is now passed, however practice under the Law has not yet been clarified entirely. There are still secondary regulations which are not put in effect and important practical issues begging for clarification.

The Turkish Personal Data Protection Authority ("PDPA") recently published some guidelines to clarify implementation of the Law. On 28 October 2017, the Regulation on Deletion, Destruction and Anonymization of Personal Data ("Deletion Regulation") was published in the Official Gazette no. 30224. We expect that the draft Regulation on Data Controllers' Registry ("Draft Regulation on Registry"), which was submitted to public review in May 2017, will also enter into force soon.

A total of twelve guides were published in the official website of PDPA on various areas of practical application of the Law. Most guidelines relate to specific matters including; defined terms such as personal data, processing, data controller; basic concepts such as express consent, anonymization, related person; what is express consent; how to transfer personal data abroad; constitutional right of an individual to request personal data protection; right of an individual to apply PDPA for complaints. Two main guidelines are directly linked to each other; the first one being the general "Implementation Guideline" and the second one being the "Q&A Guideline on Implementation" ("Q&A"). These guidelines are only explanatory and not legally binding, yet they provide valuable information on the future practice of the PDPA.

Over the last year, there were numerous debates on various aspects of the Law. Herein this paper, we aim to highlight few of these debated topics in light of these recently published guidelines. 

Deletion, Destruction or Anonymization of Personal Data

As stated above, Deletion Regulation was published in the Official Gazette and will enter into force on 1 January 2018.

Under the Deletion Regulation, data controllers who are under an obligation to register with the data controllers' registry are required to draft and implement a "personal data retention and destruction policy". The Deletion Regulation sets forth specific elements to be included in this policy and requires data controllers to delete, destruct or anonymize the outdated personal data periodically and maximum in semiannual intervals. In addition, data controllers shall keep all records with respect to deletion, destruction or anonymization of personal data for at least three years. Although, the Deletion Regulation implies that data controllers may either (i) delete, (ii) destruct, or (iii) anonymize personal data which is outdated or requested by a data subject to be deleted or destructed, it is debated topic whether data controllers are in fact free to choose between these actions. "Deletion of personal data" is defined as "the process of making personal data inaccessible to and unusable by the relevant users" whereas the "destruction" is defined as "the process of making personal data inaccessible to and unusable by anyone". The significant difference between these two terms lies on whether data will be inaccessible only to "relevant user" or to "anyone", since the term of "relevant user" is defined under the Deletion Regulation as those who process personal data within the organization of the data controller or with the authority given by the data controller; except those who are responsible for the technical storage, preservation and backup of the data. In other words, when deleted, data will still be accessible to those who are responsible for technical storage, preservation and backup of the data and if data controller has the right to choose between these actions, choosing destruction will be meaningless since it is always beneficial for data controllers to keep the data accessible even if it means it is only accessible by the technical IT personnel.

Applicability to Foreign Data Controllers

According to the Law, a "data controller" is a person who, either alone or with others, controls the content and use of personal data. In other words, all businesses processing or using personal data for or while conducting their activities are deemed a data controller.

As per article 5(b) of the Draft Regulation on Registry, a data controller which has no presence (office) in Turkey is still obliged to register to the data controllers' registry through a data controller representative before processing personal data in Turkey. The Q&A document also states that the Law is applicable to a data controller who is located abroad if it conducts activities in Turkey requiring processing of personal data. In light of the above, we understand that if the Draft Regulation on Registry enters into force in its current form, a foreign business conducting personal data processing activities (e.g. collecting personal data) in Turkey will be required to appoint a data controller representative and comply with the registration requirement provided that no other exemptions are applicable to that specific business. The Draft Regulation on Registry defines data controller representative as a legal entity residing in Turkey or a citizen of the Republic of Turkey. This means, Draft Regulation on Registry sets forth the extraterritorial application of the Law, however it is widely criticized as (Draft Regulation) being contradictory to the intention of the Law in this respect which does not impose a strict obligation to appoint a representative for this purpose as for foreign data controllers.

Registration Requirement and Nature of the Data Controller

The Law does not provide any distinction between real or legal persons who process personal data in terms of registration requirement. The Draft Regulation on Registry sets forth a requirement for all data controllers to become registered in case they conduct personal data processing activities (e.g. collecting personal data) in Turkey. For the registration process, a data controller shall first, prepare a personal data inventory. Under the Deletion Regulation, personal data inventory is defined as inventory which shall be prepared by a data controller in detail through associating with their personal data processing activities related to their business processes, purpose of processing personal data, data category, transferred recipient groups, data subject group, data categories which will be transferred abroad, maximum term to keep data under certain categories and protective measures.

Under the Draft Regulation on Registry, there are some general exemptions from the registration requirement provided as for institutions engaging in certain activities such as; prevention or investigation of a crime or performance of supervisory or regulatory duties. In addition, the PDPA has the authority to bring specific exemptions to the registration requirement as for parties processing personal data. Some of the exemption criteria set forth under the Draft Regulation on Registry are generic such as nature and number of the data processed, purpose of data processing, field of activity on which the data is processed, etc. In addition, there are two important criteria which will play a tremendous role in determining who will need to register. These criteria are set forth as; a) the annual turnover and b) the number of employees of the data controller but the specifics of these criteria as well as the above indicated generic ones are not yet defined by the PDPA.

The Q&A explains that a holding company processing millions of data and a small family-owned business may not be considered equal in terms of registration requirement. Apart from registration requirement, Q&A also states that the general principles and provisions of the Law on protection of personal data, namely obligation towards the individual whose data is being processed are equally applicable to all data controllers despite their size.

Despite this additional information provided by the Q&A, there is still a significant degree of uncertainty on which businesses will be subject to the registration requirement which is by far the most important question concerning practice of the Law.

The Status of a Group of Companies under the Law

Q&A explains that transfer of data between legal entities in the same corporate group will be treated same as if transfer to an unrelated third party. In other words, there is no exception for intra group transfers under the Law. This raises an important issue of whether each group company must individually establish and maintain a data protection system which inevitably will mean duplicate cost for the group as a whole. Q&A sets forth that each group company will be considered individually as a data controller "when such company itself determines its own objectives for personal data processing". Having said that there is no definition and/or criteria on what the term "determination its own of objectives" mean therefore it is uncertain whether it is possible for sister companies (especially those who are under 100% control of the same parent) whose management does not have a separate system for personal data processing and keeping a data registry system, to claim that it is not a data controller itself but instead the holding company.

Status of Third Parties to Whom the Data to be Transferred

An important debate with respect to the obligation to inform a data subject to procure its consent thus, the "clear consent" requirement is on whether it is necessary to specifically provide the data subject with the name and title of each third-party to whom the relevant personal data is being transferred. Since "clear consent" is required to be specific, there are strong arguments suggesting the necessity of specifying each transferee's identity when data subject is informed. Q&A indicates that it will be sufficient to define third-party transferee only by its field of activity/occupation. As an example, according to the Q&A, it is sufficient for a data controller to only inform data subject that it will transfer his/her personal data to their lawyers, couriers, group companies by indicating their field of activity and necessity of transfer.

The Status of the Data Processor

According to the Law, "data processor" means a person processing data on behalf of a data controller. Q&A explains that data processor is a person outside the organization of a data controller. It is further expressed that a real or legal person may both be a data controller and a data processor in terms of its different operations and activities.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
Bezen & Partners
Gün + Partners
 
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Bezen & Partners
Gün + Partners
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions