On February 12, 2024, the Personal Data Protection Authority ("Authority") published an Information Note on the Personal Data Processing Based on the Legal Reason Applicable to Processing Required for the Laws ("Information Note") and made assessments under Turkish law and EU law regarding the processing of personal data in cases stipulated by laws. Although the Information Note mostly consists of general scholarly explanations from the Turkish law and EU law perspectives, we would like to share some points from the Information Note that may be useful for data controllers’ consideration.
Legal Grounds and Exceptions in the Personal Data Protection Law
Pursuant to Article 20 of the Constitution of the Republic of Türkiye, titled "Privacy and Protection of Private Life", all individuals have the right to request the protection of their personal data, and, as the general principle, personal data can be processed with explicit consent or in cases expressly stipulated under laws. However, it is also possible to limit this fundamental right and freedom by law under certain conditions.
As is known, pursuant to the Law No. 6698 on the Protection of Personal Data ("Law"), in parallel with the Constitution, personal data and sensitive personal data (other than personal data relating to health and sexual life) may be processed without explicit consent in cases where processing is expressly stipulated under laws. However, beyond this, many other legal grounds are also regulated in the Law, which makes it possible to process personal data without explicit consent in some cases that are not expressly stipulated in laws. Within this framework, data controllers may process personal data without explicit consent in cases where (i) processing is necessary for the protection of the life or physical integrity of the person or another person who is unable to disclose his consent due to actual impossibility or whose consent is not legally valid, (ii) it is necessary to process personal data of the parties to a contract, provided that the processing is directly related to the establishment or performance of the contract, (iii) processing is mandatory for the data controller to fulfill its legal obligation, (iv) personal data has been made public by the data subject himself/herself, (v) processing is necessary for the establishment, exercise or protection of a right, and (vi) processing is necessary for the legitimate interests of the data controller, provided that it does not violate the fundamental rights and freedoms of the data subject. In addition, some data processing activities are exempted from the Law pursuant to Article 28 of the Law.
Since the legal grounds stipulated by the Law (other than the legal ground for the cases "explicitly stipulated under laws" and "explicit consent", as stated in the Constitution) and the exceptions stipulated in the Law regarding the processing of personal data can also be considered as a limitation to the right to protection of personal data, it became necessary for the Authority to make an explanation regarding such legal grounds’ conformity with the Constitution. In this context, the Authority stated that the Law shall be considered a limitation to the right within the scope of the Constitution and therefore the legal grounds and exceptions set forth under the Law shall be considered compliant with the principles under the Constitution.
Regulations Made by Administrations
Within the framework of the basic principles set forth under the Constitution, the right to protection of personal data can only be limited by laws. This sets a form requirement for such limitations, and only the following can be considered laws for the purposes of limiting the right: (i) regulations approved and enacted by the Turkish Grand National Assembly and (ii) international treaties which duly came into effect in Turkey. Secondary regulations (regulations, communiqués, procedures and principles, instructions, orders etc.) issued by administrations should not be considered laws in this respect and should only be considered provisions that concretize legal regulations within the framework of an authorization granted by the underlying law. Administrations should be expected not to unilaterally make any regulation that would limit the right to protection of personal data, and should not create a new limitation beyond the limitation imposed by a certain law. Otherwise, regulations that contradict this principle may be considered not to comply with the requirement of being expressly stipulated under laws.
Nevertheless, considering that the Law itself is a limitation, the Authority has stated that personal data may be processed within the scope of secondary legislation issued in light of the explicit provisions in underlying laws in addition to the cases where there are explicit provisions in the laws. Although the Authority emphasizes the importance of the Constitution's principle of legality regarding the limitation of fundamental rights and freedoms, from the perspective of the Law, the Authority also accepts that the secondary regulations duly established by the administrations are binding and must be implemented unless they are annulled, and that personal data may be processed within the framework of these regulations. Therefore, the Information Note explicitly states that explicit consent may not be required for data processing activities based on secondary regulations issued by administrations based on an authorization granted to the relevant administrations by laws. It is also emphasized that in certain cases, administrations may have a discretion to determine the scope of the data to be processed.
For example, since it is mandatory to organize personnel files and to include the identity information of the employees in the personnel files pursuant to the Labor Law, explicit consent is not required for the identity data obtained for this purpose and stored during the legal retention period of the personnel files. Again, although the Law on Foreigners and International Protection does not explicitly regulate which data of foreigners can be collected, it is stated that the data within the scope of the secondary regulation issued based on the authority granted under the relevant law (regulating which data can be collected and how they will be processed) can be processed without explicit consent as it satisfies the criterion of being expressly stipulated under laws. Similarly, with the Information Note, it is deemed appropriate for a secondary regulation to determine which data will be collected from consumers although the relevant data categories are not expressly determined under the Law on the Protection of Consumers.
Condition of Being “Expressly” Stipulated
The Authority's view is that the will of the relevant legislator should also be considered in determining whether this condition is met. Otherwise, it is stated, the relevant processing condition would be very limited, considering that laws are abstract regulations and generally need to be detailed by secondary legislation. In this sense, within the framework of the Authority's Information Note, it is stated that if a data controller is under an obligation and the fulfillment of the obligation requires the processing of some personal data, it is also possible to process such personal data without seeking explicit consent based on the authority granted by the Law, which itself can be considered a limitation.
Within the framework of the example given in the Information Note, it is stated that in order to make salary payments, data such as bank account information of employees, information on whether they are married or not, information on their dependents, social security number can be processed without explicit consent.
Evaluation
The personal data processing condition of being stipulated under laws requires personal data to be processed on a legal basis and for specific purposes. It is of utmost importance for data controllers to make the correct determination when relying on data processing conditions other than explicit consent when processing personal data. We consider the Authority's purpose-oriented approach to the interpretation of the data processing condition in question, and its emphasis on the administrations’ discretion in this regard, as a development that paves the way for a broad interpretation of the relevant data processing condition.
Special thanks to Meriç Güdücüoğlu for his contributions.