Legitimate Interest in Turkish DPL Compared with GDPR and Directive


Legitimate interest has been the subject of various interesting discussions in the European data protection practice. As the Turkish Data Protection Law is modeled on Directive 95/46/EC and also includes some concepts from the GDPR, legitimate interest became an important topic also in the Turkish data protection practice. Although the wording of legitimate interest as a lawful basis under the DPL is similar to the directive and the GDPR, there are important differences.

The DPL lists the lawful bases for processing personal data under its Article 5. As in the GDPR and the directive, one of the lawful bases for processing is legitimate interest. However, the wording of this lawful basis is different from its counterparts in the GDPR and the directive. The table below shows the wording of the lawful basis under the DPL, the directive and the GDPR:

| Instrument | Wording of Legitimate Interest as a Lawful Basis |
|---|---|
| DPL | Processing is mandatory for the legitimate interests of the data controller, provided that the processing does not harm the fundamental rights and freedoms of the data subject. |
| Directive | Processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed except where such interests are overridden by the interests [or] fundamental rights and freedoms of the data subject which require protection under Article 1 (1). |
| GDPR | Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. |

When the table set forth above is reviewed, four important differences of the DPL become visible.

  • The DPL uses the term “mandatory” instead of the term “necessary,” which is preferred by the directive and the GDPR.
  • The DPL does not include the interests of third parties in the equation.
  • The DPL does not mention the interests of the data subject; it only mentions the fundamental rights and freedoms of the data subject.
  • The DPL does not use the term “override.”

Although “mandatory” and “necessary” are similar in meaning, “mandatory” can be interpreted to be narrower in scope than “necessary.” For an activity to be mandatory, there should not be any option but to engage in that activity. For an activity to be deemed necessary, it must be needed, but the requirement to do it is not as strong as it is for mandatory activities. Within the context of legitimate interest as a lawful basis under the DPL, a strict interpretation of the word “mandatory” would suggest that the data controller should not have any option but to engage in the relevant processing activity so that it can pursue its legitimate interests; whereas if the word “necessary” had been used instead of “mandatory,” the same data controller would have other options, but there would be a reason for that data controller to choose the relevant data processing activity.

Such a strict interpretation would not be practical and would excessively limit the data processing activities. In most cases, such an interpretation would not allow the application of legitimate interest as a lawful basis, which cannot be the intention behind this specific provision. As a result, we believe that an interpretation focusing purely on semantics should be avoided and the term “mandatory” should be interpreted more pragmatically in accordance with the context within which it is used; it should be interpreted to mean “compelling” rather than the conventional meaning of mandatory.

The DPL does not take into consideration the interests of third parties. Therefore, a data controller subject to the DPL cannot rely on legitimate interest as a lawful basis if its processing activity is carried out to pursue the legitimate interests of a third party.

Another peculiarity of the DPL is that it does not mention the interests of the data subject when determining the area to be protected against the legitimate interest of the data controller; it only mentions the fundamental rights and freedoms of the data subject. Not all of the interests of an individual can be regarded as a fundamental right or freedom. However, in most cases, the interests of a data subject would eventually fall under the scope of a fundamental right or freedom, particularly the right to privacy which is a fundamental right explicitly protected by the Turkish Constitution. As a result, although it would have been better had the DPL included the word “interests” of the data subject, the interpretation of this provision would eventually be similar to the Directive or the GDPR when it comes to protecting the interests of the data subject.

The final difference is related to the expression “overriding.” The DPL does not use such an expression; however, both the directive and the GDPR set forth that the legitimate interests of the data controller should not be overridden by the interests or fundamental rights and freedoms of the data subject. The term “override” requires a balancing test between the interests or fundamental rights of the data subject and the legitimate interest of the data controller. The restrictive framework in the DPL is worded differently. The DPL requires that a processing activity not harm the fundamental rights or freedoms of the data subject in order for the legitimate interest to be considered a lawful basis for processing.

The wording in the DPL refers to the relation between the processing activity and the fundamental rights and freedoms of the data subject and requires an analysis as to whether such processing activity is harmful to the fundamental rights and freedoms. It does not refer to a relation between the interests of the data subject and the legitimate interest of the data controller. As a result, an initial review of the relevant provision does not directly lead to a balancing test between the interests or fundamental rights of the data subject and the legitimate interest of the data controller.

It is only through interpretation that we can say that a balancing test should be made also under Turkish law. The text of the DPL suggests an analysis as to whether the processing activity harms the fundamental rights and freedoms of the data subject. Every personal data processing activity occurs in the sphere of protection of personal data of a data subject; each processing activity (including processing for legitimate interest) intrudes on the right to privacy to a certain degree. If the wording of the DPL is to be used, how can we understand when such an intrusion becomes “harmful”? It is not possible to say that each intrusion would be harmful to the fundamental rights and freedoms, otherwise it would not be possible to apply legitimate interest as a lawful basis for processing.

Only when the processing activity becomes too invasive may it be regarded as harmful to the fundamental rights and freedoms of the data subject. A balancing test would be a useful tool to understand whether a processing activity is “too” invasive. As a result, although the wording of the relevant provision in the DPL does not explicitly suggest a balancing test, its interpretation requires a balancing test to be made in order to understand whether the legitimate interest can be accepted as a lawful basis for a specific processing activity.

The explanations set forth above show that the wording of the DPL in relation to legitimate interest needs improvement. Strict textual interpretation leads to inapplicability of legitimate interest as a lawful basis in almost all cases. Only through a more pragmatic interpretation can we come to a practical conclusion in terms of legitimate interest, which is similar to the interpretation under the GDPR and the directive.

It is therefore important to briefly analyze whether the DPL allows this more pragmatic interpretation. The wording of Article 5 of the DPL, which lists the lawful bases for processing activities, is problematic in the sense that it separates explicit consent and the other lawful bases. In its first paragraph, Article 5 sets forth that personal data can be processed with explicit consent and then in its second paragraph it continues to provide a list of lawful bases on which personal data can be processed without the need of explicit consent. The structure of Article 5 suggests that the DPL accepts explicit consent as a rule and the other legal grounds as exceptions.

Turkish law accepts the principle of “exceptions should be interpreted strictly.” It is therefore imperative to analyze whether this principle prevents a pragmatic, purposive or contextual interpretation as we recommend above. The principle of strict interpretation of exceptions does not necessarily exclude a pragmatic, purposive or contextual interpretation. In any interpretation of legal texts, the ratio legis (the purpose of the lawmaker) must always be taken into consideration. In terms of the DPL, it is clear that the lawmaker intends the data controllers to use legitimate interest as a lawful basis for their processing activities.

As mentioned above, a strict textual interpretation would prevent legitimate interest from being applied as a lawful basis in most cases. Therefore, such a strict textual interpretation would not conform with the purpose behind this provision. As a result, we believe that the principle of strict interpretation of exceptions does not prevent the pragmatic, purposive or contextual interpretation of the provision related to legitimate interest under the DPL. The lawful basis of legitimate interest should still be interpreted strictly, but taking into consideration the purpose behind the wording. Another important point on this issue is that the Turkish data protection authority does not accept explicit consent to be the rule and the other lawful bases to be the exceptions. The DPA considers explicit consent and the other lawful bases to be on the same level. On the other hand, the Turkish Constitutional Court used the term “exceptions” for the other lawful bases in one of its decisions related to the DPL.

As a final note, it is important to explain the approach of the Turkish DPA to legitimate interest as a lawful basis. The Turkish DPA published guidelines on this issue and those guidelines show that its interpretation is closer to the GDPR. The DPA does not focus on the semantics or sole textual interpretation and considers the purpose behind the wording as well. In the guidelines, our DPA explicitly states that a balancing test must be made between the legitimate interest of the data controller and the fundamental rights and freedoms of the data subject.

First published by IAPP – Privacy Tracker, 04.12.2018