Personal data is defined under the Law on Protection of Personal Data No. 6698 ("Turkish DP Law") which is enacted on April 7, 2016 based on the EU Directive 95/46/EC. According to Article 3 of the Turkish DP Law, personal data means any information relating to an identified or identifiable real person.
Directive 95/46/EC of the European Parliament and of the Council, dated October 24, 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data ("EU Directive") on which Turkish DP Law is based on, also includes the same definition of personal data and it also defines the concept of identifiable person. According to Article 2 of the EU Directive, identifiable person is a person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
Even though the EU Directive defines identifiable person along with the definition of personal data, this definition is very broad and it reflects the intention of the European lawmaker for a wide notion of personal data.
According to Recital 26 of the EU Directive, to determine whether a person is identifiable, all the means to be used reasonably either by the controller or by any other person to identify the said person should be taken into account. It is also stated under the same recital that the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.
Working Party on the Protection of Individuals with regard to the Processing of Personal Data ("Working Party") which is established under Article 29 of the EU Directive and which has advisory status, adopted an opinion regarding the analysis of the definition of personal data ("Opinion 4/2007"). In its opinion, Working Party divided the definition of personal data to four elements.
1st Element - Any Information: According to the Opinion 4/2007, the concept of personal data includes any sort of statements about a person. It covers "objective" information, such as the presence of a certain substance in someone's blood. It also includes "subjective" information, opinions or assessments. The term personal data includes information regarding the person's private and family life, but also information regarding whatever types of activity is undertaken by the individual (e.g. working relations or the economic or social behavior of the person).
It is not necessary for the information to be considered as personal data that it is contained in a structured database or file. Also information contained in an electronic document may be considered as personal data (e.g. in telephone banking, where the customer's voice giving instructions to the bank are recorded on tape, those recorded instructions should be considered as personal data or images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable).
The Opinion 4/2007 also mentions biometric data such as fingerprints, retinal patterns, facial structure, voices, handwritten signature, particular way to walk or to speak, etc. as personal data.
2nd Element - Related to: In many situations the relationship between the data and the person can be easily established (e.g. the data registered in someone's individual file in the personnel office are clearly "related to" the person's situation as an employee).
In some situations, the information conveyed by the data concerns objects in the first instance, but not the individuals (e.g. the value of a house is information about an object). Data protection rules will not apply when this information will be used solely to illustrate the level of real estate prices in a certain district. However, under certain circumstances such information should also be considered as personal data. Indeed, the house is the asset of an owner, which will be used to determine the extent of this person's obligation to pay some taxes. In this context, it will be indisputable that such information should be considered as personal data.
According to the Working Party, data relates to an individual if it refers to the identity, characteristics or behavior of an individual or if such information is used to determine or influence the way in which that person is treated or evaluated. It is stated under the Opinion 4/2007 that in order to consider that the data "relate" to an individual, a "content" element or a "purpose" element or a "result" element should be present.
3rd Element - Identified or Identifiable: Identification is normally achieved through particular pieces of information which are called "identifiers" and which hold a particularly privileged and close relationship with the particular individual (e.g. height, hair color, etc.) or a quality of the person which cannot be immediately perceived (e.g. a profession, a function).
The European Court of Justice, in one of its decisions, stated that "referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes the processing of personal data."
According to the Working Party, publishing a woman's X-Ray plates along with her first name (which is an unusual one) makes those X-Ray plates personal data. The Working Party has considered IP addresses as data relating to an identifiable person as well.
For information to be treated as 'personal data' within the meaning of Article 2 of the EU Directive, it is not required that all the information enabling the identification of the data subject must be in the hands of one person. Accordingly, the European Court of Justice in one of its decisions considered Internet Protocol address as personal data.
4th Element - Natural Person: According to the Working Party, the protection of data applies to natural persons. The right to the protection of personal data is universal and it is not restricted to nationals or residents in a certain country.
Information relating to deceased people should not to be considered as personal data according to the rules of the Directive, as the deceased people are no longer natural persons according to civil law. However, the data of the deceased may still indirectly receive some protection in certain cases (e.g. the information that a dead person suffered from hemophilia indicates that his/her son also suffers from the same disease, as it is linked to a gene contained in the X-chromosome).
The aforementioned four elements are included in the definition of personal data both under Turkish DP Law and the EU Directive.
Since the secondary regulation on Turkish DP Law is not enacted yet, what to understand from the definition of personal data is not clear. However, since Turkish DP Law is based on the EU Directive, the opinion of Working Party might be taken into consideration while evaluating an information whether it can be considered as personal data or not.
This article was first published in Legal Insights Quarterly by ELIG, Attorneys-at-Law in December 2016. A link to the full Legal Insight Quarterly may be found here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.