According to Article 38 of the Turkish Constitution, findings that are acquired unlawfully cannot be used as evidence. In this respect, using personal data as evidence in disputes requires a legal assessment on whether the personal data is collected lawfully or not. In principle, evidence that are obtained unlawfully shall not be allowed in legal proceedings.
As known, the main legislation related to protection of personal data is the Turkish Personal Data Protection Law No. 6698 (the “DPL”). In this regard, whether a personal data is collected lawfully or not should be assessed primarily in accordance with the DPL. In general, under Article 28 of the DPL, data processing of personal data by judicial authorities or execution authorities for investigation, public prosecution, litigation or execution are exempt from the DPL. Therefore, the provisions of the DPL shall not apply to the collection of evidence in respect of judicial or execution authorities.
As the DPL is the fundamental law aiming to regulate all aspects and principles in personal data protection, the exemptions set out under the DPL should be interpreted narrowly. Therefore, it should not be possible to say that personal data contained in evidence submitted by parties or third parties in respect of investigation, prosecution, litigation or execution proceedings are exempt from the assessment on whether their collection is lawful or not in accordance with the DPL. Submission of personal data collected in contradiction with the DPL to a court case as evidence can be regarded as unlawful data transfer and unlawful processing of personal data. On the other hand, certain obligations under the DPL clearly impose some challenges for the data controllers who are willing to rely on evidence containing personal data in order to prove their claims.
The Constitutional Court evaluated this issue in its decision dated 3 February 2022 with the application number 2019/20473[1] not from the perspective of the DPL but in respect of the criminal offenses that directly concern the protection of personal data under the Turkish Criminal Law (“TCL”). Turkish Personal Data Protection Board (“Board”) also has several decisions which may give rise to different interpretations on this topic.
Evaluation of the Constitutional Court’s Decision
The Constitutional Court examined an individual application numbered 2019/20473 in its decision dated 3 February 2022, and in brief, it stressed that whether using personal data collected unlawfully as evidence would constitute a criminal offence under the TCL in terms of the protection of personal data should be investigated and prosecuted efficiently.
In the relevant case, the applicant claimed in the pending divorce suit that the applicant’s migraine attacks increased after getting married and the applicant’s spouse aggravated this situation. As argued in the application subject to the Constitutional Court’s decision, the applicant’s spouse detected that the applicant used to have migraine attacks and psychological disorders even before their marriage upon an investigation the spouse conducted to prove the opposite of the applicant’s allegations in the divorce suit. In this regard, the applicant’s spouse accessed the applicant’s previous medical reports and treatment records by using its professional privileges and influence of being a doctor.
The applicant filed a criminal complaint against her spouse for obtaining her health data and submitting the same as evidence to a court file on grounds that he committed the criminal offenses of misconduct, violation of private life, unlawful collection and sharing of personal data. In the complaint petition, the applicant emphasized that her health data have been obtained and submitted to the court file in breach with her right to privacy and protection of personal data, the TCL and the Regulation on Patient Rights.
That said, the public prosecutor rendered a non-prosecution decision after its criminal investigation. The reasoning of the decision included that spouse has a right to access the personal and health data of the other spouse for being a first degree relative. For this reason, the public prosecutor did not consider the suspect’s actions as a violation of confidentiality and privacy of personal life and ruled that submission of such evidence should be protected under the privilege of claims and defences in the divorce suit between the parties.
On the other hand, the Constitutional Court accepted the applicant’s individual application on grounds that the applicant’s right to privacy of life, protection of personal data and a fair trial have been violated due to the lack of an efficient investigation and prosecution.
The Constitutional Court evaluated at first that health data used by the applicant in scope of the dispute should be qualified as personal data, and therefore the collection, use and processing of such data falls under the right to protection of personal data. The Constitutional Court further underlined that the applicant did not disclose the information concerning its treatment to the spouse before their marriage, and the applicant did not give explicit consent for the transfer of these personal data to anyone including the spouse. Thus, the Constitutional Court emphasized that the public authorities failed to fulfil their positive obligations in terms of conducting an efficient and diligent investigation as the public prosecutor failed to provide sufficient reasoning, and the applicant’s right to protection of personal data has been hereby violated.
The Constitutional Court’s decision contains an implication manifesting that personal data presented as unlawful evidence can be qualified as unlawful data transfer and therefore, it can be subject to criminal investigation and prosecution in scope “unlawful collection or transfer of data” which is a criminal offense under the TCL.
Evaluation of the Board’s Decisions
Although the Constitutional Court does not make a separate evaluation about the DPL, as of 7 April 2016, the assessment on whether the personal data – other than those obtained by judicial authorities or execution authorities for their duties– are collected lawfully or not should be made in light of the DPL. On the other hand, the Board’s decisions sometimes give rise to ambiguities in practice.
In the decision dated 11 March 2021 and numbered 2021/230[2], the Board discussed a case where the complainant’s personal data is inquired and shared with judicial authorities by the complainant’s ex-spouse working as a public officer. In the said decision, parallel to the Constitutional Court’s determination, the Board decided that the matter can be evaluated in scope of the DPL as well and that the collection of the complainant’s personal data by way of an inquiry made by the spouse without the complainant’s request and sharing of the same with the court violated the data security obligations. In this regard, the Board deemed the processing of personal data by an officer working at a data controller for another purpose than fulfilling the obligations and public services in breach with the DPL. In respect of this data processing activity which does not rely on any of the legal grounds stipulated under the DPL, the Board particularly stressed the data controller status of the institution at which the individual who collected the evidence unlawfully worked. Also, the Board specifically stated that the said officer working at the data controller must be subjected to disciplinary sanction. The Board further instructed the institution to take the necessary measures for preventing the officers to access to any personal data processed by the institution out of purpose they are being processed. Since the data controller was a public institution, the Board imposed no administrative fines.
On the other hand, in the decision dated 18 February 2020 and numbered 2020/138[3], the Board provided certain evaluation which were criticized in terms of the DPL. In the case discussed by the Board, the employer as the data controller unilaterally terminated the employment contract of one of its employees and wanted to rely on a health report included in the employee’s personnel file as evidence in the re-instatement case initiated by the employee. The employee stressed that the employer filed his sensitive personal data to the case file without the court’s request and argued that this was an unlawful processing of personal in accordance with the DPL. As result of its examination, the Board ruled that sharing of the relevant information was exempt from the DPL pursuant to Article 28 of the DPL as the court requested an approved copy of the employee’s full personnel file from the defendant data controller with a writ issued during the course of the proceedings. In this regard, the Board decided to impose no sanctions on the employer. The Board could have made a different evaluation if there were no requests by the court. In any case, the Board failed to discuss whether the employee was provided with a sufficient pro and the data was collected lawfully when added to the personnel file in the first stage.
Conclusion and Remarks
In light of our explanations above, submission of personal data that are collected or shared by lawyers or judicial authorities during legal proceedings as evidence in contradiction with the DPL may lead to administrative sanctions to be imposed on data controllers and criminal investigations to be initiated against the real persons and representatives of legal entity data controllers.
For instance, when a data controller (i) uses unlawfully collected personal data as evidence in a dispute, (ii) shares irrelevant personal data to the subject in dispute to prove their claims even though such data are collected lawfully or (iii) submit especially sensitive personal data to case without a judicial authority’s request and the related individual’s explicit consent, these cases may be subject to further evaluation and risks from the perspectives of the DPL and the TCL. With regard to the individual criminal responsibility and non-applicability of criminal sanctions to legal persons, the liability arising from the TCL may come into question for representatives or the relevant employees of data controllers. Also, legal persons qualified as data controllers can be subject to security measures.
It is extremely crucial to collect personal data in accordance with the DPL and to ensure the data subjects be provided with sufficient privacy notices explaining to the relevant data subjects whether their personal data can be used as evidence to exercise and protect the rights in a potential dispute when their personal data are collected.
In addition, the applicable legal grounds for processing sensitive personal data, particularly the data related to health and sexual life, are much more limited, and explicit consent may also be required to use such data as evidence. Although the process is more manageable in terms of the personal data already being processed during the operations of the data controller, the compliance with the DPL in terms of the data collected especially during the investigations for a potential dispute and during the course of the dispute may come as a challenge. The exemption under Article 28 of the DPL clearly applies only to the evidence requested or investigated exclusively by the respective judicial authorities. In this respect, the personal data which are being considered to be used as evidence in a dispute and require a legal assessment on a case-by-case basis in order to determine the roadmap for the compliance with the DPL.