Law No. 6698 on the Protection of Personal Data (“DP Law”) entered into force earlier this year on 7 April 2016. Although immediately upon its entry into force, processing of personal data without the express consent of the data subject was prohibited, the enforceability of DP Law’s provisions governing the following was postponed for six months.
But on Aristotle’s view, the lives of individual human beings are invariably linked together in a social context. In the Peri PoliV he speculated about the origins of the state, described and assessed the relative merits of various types of government, and listed the obligations of the individual citizen.
- Transfer of Personal Data
- Rights of the Subject Person
- Appliations to the Data Controller
- Data Controller Registry
- Personal Data Protection Authority and Complaints
- Penalties
The purpose of this transition period was to give data controllers the chance to set up internal data processing units and to take the steps necessary to meet the new standards brought by the DP Law.
Now that this six-month transition period has ended as of 7 October 2016, the criminal and administrative penalties foreseen under the DP Law for non-compliance are in effect. So it’s time to check whether you are really ready and compliant.
What do the DP Law Provisions that have recently become enforceable stipulate?
Data Controllers may not transfer personal data without the express consent of the data subject
Now that the transition period has expired, data controllers may no longer transfer personal data to any other person, within Turkey or abroad, without the express consent of the data subject. Please be aware that this prohibition extends to any data transfers between a subsidiary and its mother company or sister companies, located in Turkey or abroad.
As an exception to this rule, DP Law states that in circumstances where personal data may be lawfully processed without the express consent of the data subject (i.e. circumstances prescribed in DP Law Article 5(2)), such data may similarly be transferred without the express consent of the data subject.
These exceptional circumstances are:
- When processing is necessary for the performance of or the entering into a contract
- When processing is necessary for compliance with a legal obligation
- When the data has been made public by the data subject
- When processing is necessary to protect the vital interests of the data subject
- When processing is necessary for the establishment, use and protection of a legal right
- When processing is necessary to protect the legitimate interests of the data controller except where the interests for fundamental rights and freedoms of the data subject override such interests.
Data controllers are under the obligation to provide information to data subjects on processing of their personal data
Data controllers are under the obligation to inform data subjects their name and address, the data collection method, the legal reason for data collecting, the purpose of processing, data subject’s rights (see below), and the full identity of third parties to whom personal data may be transferred together with the purpose of any such transfer.
Data subjects have certain rights exercisable against data controllers
Pursuant to Article 11 of the DP Law, data subjects have the right to obtain information on (i) whether or not their personal data has been processed, (ii) the purpose of such data processing; and (iii) the identity, in Turkey or abroad, of any third party to whom personal data has been transferred. Data subjects are also entitled to request the correction, deletion or eradication of their personal data by the data controller and by any third party to whom their personal data has been transferred. Data subjects are also entitled compensation for damages resulting from data processing that does not comply with the any of principles set forth under the DP Law.
Article 11 has entered into force upon the expiry of the transition period; hence, these rights are currently exercisable by any data subject.
Accordingly, data controllers are under the obligation to inform data subjects of their legal rights and to comply any such right exercised by a data subject.
Data controllers have to take measures to maintain the security of personal data
According to the DP Law, data controllers must take appropriate technical and organizational measures to maintain the security and privacy of the data collected. They also have to take measures that prevent any unauthorized processing of personal data collected.
What do you need to do?
If you are a corporation that processes personal data, you will need to:
- Set up a data processing inspection unit and/or appoint a data processing manager that will fulfill the duties specified under the DP Law; especially to fulfill the obligation to provide information to data subjects (described in the section above) and to process in a timely manner any complaints or requests received from data subjects.
- Review your contracts to make sure that data subjects have provided their express written consent for BOTH data processing and transfer of personal data. You may also consider amending consent language if necessary.
- Ensure that data subjects are notified in writing of their legal rights granted under the DP Law.
- Review you technical and organizational administration to ensure that data processing is secure.
- Prepare or update privacy and data processing policies.
- Register with the Data Controller Registry, once it is established, before any collection or processing of personal data.
