The Law of Personal Data Protection (The Law) numbered 6698 had entered into force on 28.03.2016 by publication in the Official Gazette. Provisions relating to the transfer of personal data to third persons or abroad, the rights of the relevant person, application and complaint, crimes and administrative fines have entered into force six months after the date of the publication of the Law and other provisions had entered force on the date of publication of the Law .
It has stated that the personal data that had processed before the publication date of the Law will regulate in accordance with the Law within 2 years from the date of publication of the Law and a process of harmonization and transition has granted to the Data Controller. The harmonization process will end on 28.03.2018 and the Data Controller will be held responsible for their legal liabilities provided by Law from this date.
The purpose of the Law are to protect the fundamental rights and freedoms of people, particularly the right to privacy, during the processing of personal data and to regulate the rules, procedures and liabilities of the real persons and legal entities that process personal data. Even though there are discussions in the concept of the ‘person’ in practice and doctrine, the personal data of the real persons are protected as it is understood from the Law and the Law's preamble. The Law protects real persons’ personal data primarily; however if the data belonging to the legal entity includes the data of the real persons and if it becomes identified or identifiable due to the data of the legal entity, in the circumstances the right of protection of the personal data in the data belonging to the legal entity shall be covered.
Personal data defined as any information relating to an identified or identifiable real person. In this manner, the definition of the concept of personal data is as broad as possible. Personal data are all data that can be identify the person directly or indirectly, like persons’ name, surname, date and place of birth, telephone number, licence plate of motor vehicle, passport number, curriculum vitae, picture, image and sound recordings, fingerprints, IP address, e-mail address, hobbies, preferences, interactant, group memberships, marital information, health information etc. In this context, all of the data that the employers have obtained from its’ employees, the suppliers have obtained from its’ customers, or the associations/foundations have obtain from their members are given as examples.
In addition, data such as persons' race, ethnic origins, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, health, sexual life, criminal conviction and security measures, biometrics and genetics and membership of association, foundation or trade-union are defined as "Special Qualified Personal Data", Special Qualified Personal Data, except health and sexual life, may not be processed without the explicit consent of the person relevant, except in the exceptional cases listed in the Law.
PROCESSING OF PERSONAL DATA
The processing of personal data defined as any operation which is performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system.
The basic principles that must be observed in the processing of personal data are shown as "Being in conformity with the law and good faith,
Being accurate and if necessary, up to date,
Being processed for specified, explicit, and legitimate purposes, Being relevant, limited and proportionate to the purposes for which data are processed, Being stored only for the time designated by relevant legislation or necessitated by the purpose for which data are collected.”
According to the Law, personal data may only be processed providing that it is in accordance with the basic principles listed above, but only if the relevant persons’ explicit consent. No data shall be processed in cases where there is no explicit consent or except for the exceptions listed in Article 5 of the Law. In case the reasons necessitating their processing cease to exist, personal data must be deleted, destroyed or anonymised.
TRANSFER OF PERSONAL DATA ABROAD
According to the article 9 of Law, except for certain exceptions listed in the Law, it is prohibited to transfer personal data abroad without obtaining the explicit consent of relevant person. Personal data may be transferred abroad without obtaining the explicit consent of the relevant person, in case there is not an adequate level of protection, if the Data Controllers in Turkey and abroad commit, in writing, to provide an adequate level of protection and the permission of the Board exists.
DATA CONTROLLERS AND DATA CONTROLLERS REGISTRY
Data Controller has defined in Article 3 of the Law as " Natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system.
Real persons or legal entities who process personal data shall register with the Data Controllers Registry prior to commencing processing. However, considering objective criteria that shall be designated by the Board such as the characteristics and the number of data to be processed, whether or not data processing is based on any law, or whether data will be transferred to third parties, the Board may set forth exemptions to the obligation to register with the Data Controllers Registry.
The Data Officers Registry is open to the general public. The Regulation for Data Controllers Registry is existing in draft and is expected to be enter into force as of the date of 01.01.2018.
DATA CONTROLLERS’ OBLIGATIONS
Within the scope of obligation to inform, Data Controller or the person it authorized is obligated to inform the relevant person about the identity of the Data Controller and if any, its representative, the purposes for which personal data will be processed, the persons to whom processed personal data might be transferred and the purposes for the same, the method and legal cause of collection of personal data, the rights set forth under article 11.
The Regulation on Deletion, Destruction or Anonymization of Personal Data has been published in the Official Gazette dated 28 October 2017 and numbered 30224 and regulates how Data Controllers’ do preservation, disposal policies, deletion, destruction or anonymization of personal data. In this respect, in accordance with the Regulation, the Data Controllers will also be responsible for the creation and inspection of the personal data processing inventory within the company.
APPLICATION PROCEDURE OF RELEVANT PERSON IN THE SCOPE OF THE LAW
The relevant person shall convey her/his requests relating to the enforcement of this Law to the Data Controller in writing through a notary public or e-mail. The Data Controller shall conclude the request included in the application free of charge and as soon as possible considering the nature of the request and within 30 days at the latest. However, in case the operation necessitates a separate cost, the fee in the tariff designated by the Board may be collected.
The Data Controller shall accept the request or reject it by explaining the reason and notify the relevant person of its reply in writing or electronically. In case the request included in the application is accepted, it shall be fulfilled by the Data Controller accordingly. In case the request is resulted from the fault of the Data Controller, the collected fee shall be returned to the relevant person. In case the application is rejected, replied insufficiently, or not replied in due time; the relevant person may file a complaint with the Board within 30 days following the date he/she learns the reply of the Data Controller and in any event, within 60 days following the date of application. The most important thing in terms of complaining to the Board is that the application remedy has been exhausted. Complaint remedy cannot be applied to without exhausting the application remedy. The Board shall conduct necessary inspection within the scope of its remit either ex officio in case it learns the allegation of a violation or upon complaint. Except for the information and documents that constitute state secrets; Data Controller shall submit the information and documents requested by the Board related to its subject of inspection in 15 days and if necessary, provide for examining on-site.
Upon complaint, the Board inspects the request and replies to those concerned. If not replied within sixty days following the date of the complaint, the request shall be deemed to be rejected. As a result of the inspection conducted, in case it is understood that a violation exists, the Board decides that the illegalities it identified shall be eliminated by the Data Controller and serves it to those concerned. This decision shall be fulfilled accordingly without delay and within 30 days at the latest as from the notice.
PENALTIES AND SANCTIONS TO BE APPLIED FOR THE INFRINGEMENT
The provisions of Articles from 135 to 140 of the Turkish Criminal Code (articles relating to the recording of personal data unlawfully) apply to the crimes related personal data. Ones who do not delete or anonymize personal data contrary to article 7 of the Law shall be punished in accordance with article 138(failure to destroy the data crime) of the Turkish Criminal Code.
Administrative fines have been imposed on those who act contrary to the provisions of the Law, such as the application of administrative fine from 5,000 Turkish Lira to 1,000,000 Turkish Lira.