To be honest, protection of our personal data has never been a priority for us Turkish people. We have a very warm culture. We like the physical touch and deeply embrace in each other's lives. In other countries, this might be considered noisy but with the folks in Turkey, it is considered caring for each other.
When you go to a job interview, for example, people would ask you in which city you were born or the origins of your family, the professions of your family members, whether you live with your family or alone, whether you are married or not, and if you are a woman, even whether you are planning to get married or have kids soon. I know, I know it is crazy! But this has been our normal for so many years.
But now things are changing. Since the enactment of the Turkish Data Protection Law in April 2016, we started to realize that this was kinda insane. But it takes time to change your habits.
That is why celebrating the Data Privacy Day is important for us to realize that what we have been doing in the past was and is actually illegal. 1
Turkey enacted the Turkish Data Protection Law ("DPL") on 7 April 2016 and ratified the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data on 2 May 2016. So this is officially the second year that we will be celebrating the Data Privacy Day. Last year, the Turkish Data Protection Authority ("TDPA") took the lead and issued press releases to remind us of this special day. And this year, they are organizing a big conference on the 28th of January (https://28-Ocak-Veri-Koruma-Gunu).
As many of you already know, DPL was based on EU Directive 95/46/EC (the "Data Protection Directive"), which was repealed and replaced on 25 May 2018 by the General Data Protection Regulation 679/2016 (the "GDPR"). But it would be fair to say that, in many aspects, DPL leans more toward GDPR. This seems to be the approach of the TDPA as well. I will not bore you here with a full comparison between the GDPR and DPL, but I want to highlight just a few problems in the Turkish practice. I suggest you read all the way through, especially if you are a foreign data controller, ie. a controller who is not resident in the Republic of Turkey but have business or clients there.
- First of all, consent under Turkish law is always explicit consent. It doesn't matter if you process normal data or sensitive data. And what we call sensitive data, is even broader than GDPR's definition. DPL treats personal data revealing "race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dress, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometric and genetic data" as sensitive. Such categories of data can be processed without obtaining the explicit consent only if one of the following lawful grounds exists: (a) explicitly foreseen in the laws (except for data regarding health and sex life); and (b) personal data relating to health and sexual life can only be processed without obtaining the explicit consent of the data subject for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing by persons under the obligation of secrecy or authorized institutions and organizations.
I hear you say that this is a major problem for processing health data especially for employers. Therefore, one of my wishes for the year 2019 was to at least have an exemption in the DPL for processing employee's health data by the employer.
- When it comes to international data transfers, DPL has also a restrictive approach compared to GDPR. Honestly, this is also in my wish list for 2019. When I look back, however, this was my wish for 2018 as well. Little could be done in a year time though. The TDPA still could not issue the white listed countries. Therefore, transfer of data outside of Turkey (which may simply include using cloud computing services or apps having their own cloud servers) or simply sharing a database with the parent company outside of Turkey is still problematic if (1) you do not obtain the consent of the data subjects or (2) sign model clauses issued by the TDPA and further obtain its approval. Yes, the only good news from last year is that we have model clauses but still signing them would not suffice for transfers to other countries. One must also apply to the TDPA for its approval.
- If you were patient enough to read my article until now, here is the biggest news for our foreign friends on this special day. Although there is no specific provision in the DPL regarding the territorial scope of the DPL, the Regulation on Data Controllers' Registry refers to foreign controllers and requires them to be registered with the Turkish Data Controllers' Registry before commencing the processing of personal data. I believe this provision may be interpreted to give an extra-territorial reach to the DPL. Currently, we do not have any specific guidance of the TDPA in relation to extra-territoriality of the DPL. But, now that the data controllers residing abroad are required to register with the as the Data Controllers' Registry latest by 30 September 2019, in different occasions the TDPA noted that they tend to interpret the processing by a foreign controller very widely. This suggests that the TDPA would not apply any tests, like in Article 3 (1) or (2) of the GDPR and require data controllers outside of Turkey to register if they process personal data related to Turkey. For eg. a US app company processing personal data of a person residing in Turkey by way of an app provided by online platforms (without any specific aim to provide services/goods to Turkey) can be subject to registration requirements. In general, however, one could assume that most of the parent companies of foreign capital subsidiaries in Turkey would be caught in the registration requirement as well (at least for employees' personal data). You may want to have a look at our earlier blog article obligation-to-register-with-data-controllers-registry-begins-on-1-october-2018/.
Because the list of exemptions announced by the TDPA does not, at least for now, include foreign data controllers, the monetary thresholds or professional exemptions for registry would not apply to controllers residing outside of Turkey. It is worth to emphasize, however, that implications and applicability of extra-territoriality of the DPL may be eventually challenged before Turkish courts by foreign controllers due to lack of any specific provisions in the DPL or lack of any definition related to the scope.
1 Just to avoid any misunderstandings, privacy, and protection of personal life was protected under the Turkish Criminal Code since 2005 and was accepted as a constitutional right in the Turkish Constitution since 2010. But due to lack of a specific law, its implementation was very limited until 2016.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.