Recent Developments On The Personal Data Protection Law
The “Protection of Personal Data Law” (No: 6698) entered into force on 7th of April, 2016, as a result of Turkey becoming a contracting party to Convention No. 108, the “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data”, and of the general process of harmonizing EU and Turkish legislation.
Accordingly, because the General Data Protection Regulation was put into force on 04.04.2016 following its acceptance by the European Parliament, the legislation is expected to be amended in the near future to make it compatible with the GDPR.
When the Protection of Personal Data Law (Law) was first published, it left many matters unregulated, delegating them to secondary legislation and stating that this secondary legislation would be issued by the Personal Data Protection Institution (Institution). Once the Institution started to take action in 2017, regulations and annunciations were enacted, and the Institution made principle decisions and even started to impose penalties on those who did not act in accordance with the Law.
In this article, we have compiled the secondary legislation which we find to be very significant, especially for data supervisors and processors, since 18.06.2019, together with the significant decisions made by the Institution.
I. New Additions To The Legislation
1. The Secondary Legislation
- A “Data Controller Registry (VERBIS)”, a system with which data supervisors register and which they use in connection with personal data protection, was set up. The Regulation Regarding the Data Supervisors Registry (VERBIS Regulation) was enacted by the Institution, taking effect after 01.01.2018, to form and manage the Data Supervisors Registry and to determine and ensure the application of the principles and procedures regarding the registrations to be made with it.
According to the VERBIS Regulation, every real person or legal entity should register the information regarding their data processing activities in the system before they start to process data. The registration periods for VERBIS are stated below:
- Data supervisors (legal persons and legal entities) who have more than 50 annual employees or an annual financial statement over 25 million TLs are under obligation to register with the Data Supervisors Registry between 01.10.2018 – 30.09.2019.
- Data supervisors (legal persons and legal entities) who have less than 50 annual employees and an annual financial statement below 25 million TLs, and whose primary activity is processing sensitive personal data, are under obligation to register with the Data Supervisors Registry between 01.01.2019 – 31.03.2020.
In order to register with VERBIS, data supervisors must first prepare a Personal Data Processing Inventory (Inventory). This Inventory must explain in detail the data supervisors’ personal data processing activities, which depend on their business processes; the purposes of and legal grounds for processing personal data; the data categories; the recipient groups to which data are transferred and the groups of data subjects associated with these; the maximum retention period necessary for the purposes for which the personal data are processed; the personal data expected to be transferred to foreign countries; and the measures taken to ensure data safety. Data supervisors are liable for ensuring that the information presented to and published in the Registry is complete, accurate, up to date and lawful.
Those who fail to register with VERBIS will be subject to a pecuniary penalty as described in Article 18, first clause, section (ç) of the Law. The amount of this pecuniary penalty can range between 20.000 and 1.000.000 Turkish Liras.
On the other hand, “Data supervisors (legal persons and legal entities), who have less than 50 annual employees and an annual financial statement below 25 million TLs, whose primary activities are not processing sensitive personal data” are excluded from the obligation to register with the Data Supervisors Registry, by decision of the Institution. It must be noted, however, that being excluded from the obligation to register with VERBIS does not mean being excluded from the Law as well.
- Another new regulation is “The Regulation Regarding the Deletion, Destruction and Anonymization of Personal Data”, which entered into force on 01.01.2018. This regulation requires data supervisors who are under obligation to register with VERBIS to prepare a policy on which they will base their deletion, destruction and anonymization processes and which they will use to determine the maximum duration needed for the purpose of personal data processing.
- On 10.03.2018, the Institution, noting that the relevant people must be informed by data supervisors or their authorized persons about this procedure, issued the “Annunciation Regarding the Applicable Principles and Procedures to Fulfill the Requirement for Disclosure”, which states the minimum requirements for and the composition of the disclosure. This annunciation applies to every data supervisor and processor, regardless of whether they are obliged to register with VERBIS; it regulates how the data supervisor informs the relevant person when acquiring the personal data, and the principles and procedures regarding that information.
2. Decisions from the Institution
Apart from the regulations and annunciations enacted by the Institution within the context of protection of personal data, the Institution has made a significant number of decisions regarding the legislation. Institutional decisions that may be significant for data supervisors and processors are listed below.
- With regard to transferring data overseas, as prescribed by the provision (Article 9), transfers cannot be made without the explicit consent of the persons concerned. Where the foreign country to which the data is being transferred does not have adequate protection, both the Turkish and the foreign data supervisors have to commit to ensuring adequate protection, and the Institution must give the necessary permission, in order for data to be transferred overseas without the explicit consent of the person concerned. The authority to determine the safe countries has also been given to the Institution by the regulation. In this context, a form setting out The Criteria That Will Be Applied to Determine the Countries Who have Adequate Preservation was published through the Institution’s decision dated 02/05/2019 and numbered 2019/125. According to this form, when determining the secure countries the Institution will evaluate criteria such as reciprocity, the relevant country’s legislation regarding the processing of personal data and its application, and whether the country has an independent data protection authority.
- The Institution also published a decision on 31.01.2018 named The Necessary Measures Data Supervisors Should Take While Processing Sensitive Personal Data. This decision explains the principles that must be applied during the processing of sensitive personal data and determines that, in line with the subjects indicated in the decision, policies and procedures must be defined and the administrative measures stated in the Personal Data Protection Guide must be taken.
- The Institution made a further principle decision on 31.05.2018. According to this decision, it is a violation for data supervisors whose position or duty gives them access to personal data to exceed or abuse their powers for personal purposes or reasons, by processing the personal data for other than its main purpose or by sharing it with third persons; the decision therefore states that data supervisors must take every technical and administrative measure necessary to establish the appropriate security level in order to prevent actions of this kind.
- In its decision dated 16/10/2018, the Institution, as a measure to prevent data processors and supervisors from sending advertising notices to the persons concerned by email or text message or calling them for advertising purposes, decided that the processing of such data without the consent of the person concerned must stop immediately, and that a pecuniary penalty will be applied if data supervisors and processors fail to comply with this decision.
- Another principle decision, dated 24.01.2019, concerns the period within which the person concerned may apply to the data supervisor in cases of data violation, the period within which the data supervisor must reply to the person concerned, and the period for applying to the complaint procedure in cases where the data supervisor does not reply to the applicant within the set period.
- The Institution’s decision dated 24.01.2019 sets out principles for informing the Institution and the relevant people about a violation in cases where the data supervisor has knowledge of the violation. With this principle decision, the Institution, aiming to create unity in practice and to prevent inconsistency among decisions, put emphasis on the European General Data Protection Regulation, which abrogates the European Union’s Directive 95/46/EC on which the Law is founded, and especially on the fact that, in contrast to the Directive, the Regulation includes detailed information regarding data violation declaration.
- The principle decision made by the Institution on 31.05.2018 notes that when data supervisors, or people with access to personal data due to their positions or duties, exceed or abuse their powers for personal ends and purposes, and so process the personal data improperly or share it with third persons, unlawful results can follow; to prevent actions of this sort, the decision requires the data supervisor to take every technical and administrative measure needed to ensure the appropriate security level.