
Turkey Welcomes the Long Awaited Data Protection Law

The Law introduces an obligation to register and fines up to €300,000. Begüm Yavuzdoğan Okumuş examines Turkey’s new data protection law.

For many years, Turkey lacked separate legislation on data protection. Previous draft laws sent to the Turkish Parliament were either returned to the proposing committee or never discussed before the Grand Assembly, because Parliament was dissolved ahead of a general election. However, following the general election in November 2015, the current government announced that a Turkish data protection law was high on the priorities of its legislative programme and that its adoption was a real need for Turkey's EU harmonization process. To this effect, a Draft Law on the Protection of Personal Data was submitted to the Grand Assembly on 18 January 2016 and entered into force on 7 April 2016.

The Law on Protection of Personal Data ("Law"), which is very much in line with the EU Directive 95/46/EC ("EU Directive"), contains detailed provisions on the protection of personal data, an area that was previously covered only by the insufficient and piecemeal application of different legislative measures and the general rules of the Turkish Constitution.

PERSONAL DATA

The Law introduces an official definition of the term "personal data", defining it as "any type of information that relates to an identified or identifiable natural person". In this sense, the Law provides a definition that parallels the EU Directive, though one that is slightly less detailed.

The central principle is that personal data can only be processed once the data subject has provided explicit consent. However, if at least one of the following exceptions exists, personal data can be processed without obtaining explicit consent:

  • The processing is clearly mandated by law,
  • It is impossible to obtain the individual's explicit consent, but the processing is required to safeguard their or a third person's life or physical well-being,
  • The processing is directly related to the formation or execution of an agreement to which the data subject is a party,
  • The processing is required for the data controller to satisfy a legal obligation,
  • The data to be processed has been made public by the data subject,
  • The processing is mandatory for the establishment, exercise or protection of a right,
  • On the condition that it does not harm the data subject's fundamental rights and freedoms, the processing is mandatory for the legitimate interests of the data controller.

PERSONAL DATA OF A SPECIAL NATURE

The Law also separately distinguishes a category of "personal data of a special nature" which is subject to a more extensive level of protection. The types of personal data that fall under this category relate to race, ethnicity, political views, philosophical beliefs, religious denomination or other beliefs, clothing and attire, membership of associations, charities or trade unions, health, sex life, criminal convictions, security measures and biometric data.

As with the general category of personal data, the central prerequisite for processing such data is the explicit consent of the data subject. However, where at least one of the following exceptions exists, explicit consent is no longer required:

  • Excluding health and sex life data, the processing is clearly mandated by law,
  • Regarding sex life and health data, the data is processed by persons or authorized institutions bound by a duty of confidentiality for the purpose of protecting public health, providing medical, diagnostic and treatment services, or planning, managing and financing healthcare services.

As an additional level of protection, the Law dictates that personal data falling under this category may only be processed if the data controller adheres to the appropriate precautions to be published by the Data Protection Institution once it is established.

Therefore, each company engaging in such activities must review its current standard operating procedures on data protection in Turkey, particularly where the scope of its processing cannot be said to fall under any of the aforementioned exceptions.

DATA PROTECTION INSTITUTION UNDER THE PRIME MINISTER'S OFFICE

The Law provides for the incorporation of the Personal Data Protection Institution ("Institution") within six months of its enactment. The Institution will be positioned under the Prime Minister's office, will consist of the Data Protection Board ("Board") and a President, and will be primarily responsible for enforcing the Law. Further, a Register of Data Controllers will be established and maintained by the Institution within six months of the enactment of the Law. Data controllers are required to register with the Register of Data Controllers before processing personal data. The registration will include, among other details, information on the measures taken to ensure data security, the data that will be transferred to third parties and/or other countries, and the maximum retention period for processed personal data.

TRANSFER OF DATA

The Law contains provisions on the transfer of data in general and on the transfer of data abroad. With regard to transfers in general, the central principle remains that explicit consent is required. However, the exceptions set out above apply again, so that personal data may be transferred without explicit consent where one of them exists.

For the transfer of personal data abroad, the explicit consent of the data subject is required. Again, however, where one of the exceptions set out above exists, the data may be transferred abroad without explicit consent only if:

  • the foreign country has sufficient safeguards, or
  • where it does not have such adequate safeguards, the data controller in the foreign country has given the Institution a written undertaking of equivalent safeguards and the Board has granted its permission.

The countries deemed to have sufficient safeguards will be determined by the Institution, and a list of these countries will be published. Last but not least, following long discussions in Parliament, the Law includes a provision that, in cases where the interests of Turkey or the data subject could be adversely affected, personal data may be transferred abroad only with the approval of the Institution, taking into account international treaties.

THE PRIMARY OBLIGATIONS OF THE DATA CONTROLLER

The Law introduces a host of obligations on data controllers to ensure that personal data is processed and transferred lawfully and proportionately. The most important of these are the requirement to inform the data subject, and the requirement to erase, destroy or anonymize personal data that is no longer needed for the purpose for which it was processed.

The data controller's obligation to inform the data subject should be taken into account in particular when drafting the consent forms and agreements to be presented to the data subject. The obligation covers providing information on the identity of the data controller, the purposes of data processing and transfer, the legal justification for collecting the data, the methods by which personal data is collected, and the rights of the data subject. Those rights, granted by the Law, include the right to request information on whether personal data is being processed, whether it is being transferred to third parties (and details of those third parties), and the data controller's purpose in processing it. Data subjects may also request compensation for damages suffered as a result of unlawful processing of their personal data, and may object to conclusions reached solely through automated processing of personal data that are to their detriment.

DATA CONTROLLERS MUST ENSURE DATA SECURITY

The Law further introduces data security obligations for data controllers and stipulates that data controllers are under an obligation to implement all kinds of technical and administrative measures to maintain a force after six months from the enactment of the Law. The important matter here is that the current provisions of the Turkish Criminal Code imposing criminal sanctions will also be suspended for a period of six months after the enactment of the Law.

TRANSITION PERIOD

Under the Law, there is a transition period of two years, meaning that personal data processed prior to the enactment of the Law must be brought into compliance with its provisions within this period. Where such compliance is not achieved, the non-compliant personal data must be deleted, destroyed or anonymized. However, personal data for which the data subject's consent was legitimately obtained before the enactment of the Law will be deemed compliant with the Law, unless a contrary statement is obtained from the data subject within a year.

It is currently not clear how companies can adapt to the Law and ensure that all personal data already obtained is brought into compliance, or how personal data is to be deleted, destroyed or anonymized. Secondary regulations will be prepared within a year of the Law's enactment. It is expected that the Institution will also prepare guidelines to shed light on ambiguous areas.

First published by Privacy Laws and Business – International Report on 10 June 2016.
