PERSONAL DATA PROTECTION LAW - II

PROCESSING AND TRANSFER OF PERSONAL DATA

All operations performed on personal data, such as obtaining, modifying, editing, storing, and transferring personal data, in whole or in part, through any means, are considered processing of personal data. Unwanted situations can arise from the unlawful and unconscious processing of personal data. One of the most common incidents today is the commission of fraud involving unlawfully processed personal data. To prevent and control such situations, the legislator has set forth certain principles for the processing of personal data and has required certain conditions to be met. Compliance with the principles set forth in Article 4 of Law No. 6698 on the Protection of Personal Data is mandatory for the processing of personal data.

• Compliance with the law and rules of honesty,

• Being accurate and up-to-date when necessary,

• Processing for specific, clear and legitimate purposes,

• Being connected, limited and proportionate to the purpose for which they are processed,

• Storage for the period required by the relevant legislation or for the purpose for which they are processed .

The legislator has stipulated that only individuals who comply with the rules set forth in these principles may process relevant personal data. Any activity that clearly violates any of these principles will constitute unlawful processing of personal data. These violations of law are sanctioned by Articles 135-140 of the Turkish Penal Code No. 5237.

PROCESSING OF PERSONAL DATA

As mentioned, the legislator has set forth certain principles for the processing of personal data and clarified the conditions and procedures under which personal data may be processed. These conditions are listed individually in Article 5 of Law No. 6698 on the Protection of Personal Data.

“Article 5 of the Personal Data Protection Law:

(1) Personal data cannot be processed without the explicit consent of the person concerned.

(2) If one of the following conditions is met, it is possible to process personal data without the explicit consent of the relevant person:

a) It is clearly provided for in the laws.

b) If it is necessary for the protection of the life or physical integrity of a person who is unable to give his consent due to physical impossibility or whose consent is not legally valid, or of someone else.

c) It is necessary to process personal data of the parties to a contract, provided that it is directly related to the establishment or performance of a contract.

d) It is mandatory for the data controller to fulfill its legal obligations.

d) It has been made public by the relevant person himself.

e) Data processing is mandatory for the establishment, exercise or protection of a right.

f) Data processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the relevant person.”

If we need to examine one by one the conditions that make the processing of personal data specified in the paragraphs above lawful ;

• Explicit Consent: We've previously outlined what explicit consent is and the conditions under which it occurs. Explicit consent makes the processing of personal data lawful. In the presence of explicit consent, the legislator has not required any other conditions and has deemed the processing of personal data lawful.

• Actual Impossibility: Due to physical conditions or health issues, individuals may sometimes find themselves unable to express their will. In such cases, if the failure to process personal data would endanger or distress the physical integrity of that person or another person, processing personal data is considered lawful, even without the person's explicit consent. For example, the location information of a kidnapped person is personal data, but that data must be processed to reach them. Since seeking explicit consent for this process would endanger the person's life, processing the data in question is lawful, assuming consent is present.

• Performance of a Contract: Processing the personal data of the contracting parties, as appropriate to the circumstances, to establish or perform a contract is lawful. Explicit consent is not required for this. For example, explicit consent is not required for the seller to record the buyer's address information for delivery pursuant to a sales contract; such data processing is lawful.

• Legal Liability of the Data Controller: Data controllers sometimes process personal data. Because these processes are necessary for the data controller to fulfill its obligations, they are considered lawful without requiring explicit consent. For example, it is lawful for the data controller to process personal data about employees during financial audits.

• Being Made Public: Even if a data subject discloses personal data to the public, explicit consent is not required for the processing of that personal data. For example, phone numbers are personal data and, as a rule, are not processed without explicit consent. However, if a person advertises for sale, including their phone number in the ad constitutes publicity. Processing this data is lawful.

• Establishment, Protection, and Exercise of Rights: Individuals may process information held by others that constitutes personal data necessary to exercise, protect, or ensure the establishment of a right they hold. For example, individuals' addresses and Turkish ID numbers constitute personal data and cannot be processed without explicit consent. However, a person wishing to file a lawsuit may legitimately process the defendant's information, and this is legal.

• Legitimate Interest: Personal data may be processed for the data controller's legitimate interest, provided it does not harm the data subject's fundamental rights and freedoms. For example , if a workplace distributes bonuses based on employee productivity, it is lawful to process individuals' work performance.

The legislature has primarily sought explicit consent for the processing of personal data. However, in the absence of this, if the processing of personal data would create a right for the data subject, protect their physical integrity, provide a legal benefit, or serve a legitimate interest of the data processor, the processing activity in question would be lawful without explicit consent.

While the processing of general personal data is subject to these conditions, special personal data is considered more valuable and in need of protection. Therefore, the processing of special personal data is subject to more stringent conditions. As a rule, the processing of special personal data, like general personal data, is subject to explicit consent. However, in cases stipulated by law, special personal data may be processed without explicit consent, excluding those related to health and sexual life. Personal data related to health and sexual life is considered more valuable to individuals and is subject to additional protection requirements. Processing data related to health and sexual life requires the best interests of the public. In other words, only in cases where there is a best interest of the public, such as protecting public health, preventive medicine, medical diagnosis, providing treatment and care services, and planning and managing healthcare services and their financing, can special personal data be processed without the express consent of the owner by persons under a confidentiality obligation or authorized institutions and organizations. As can be seen, personal data is considered very important for human lives and although its processing is subject to strict conditions, these processing activities can be carried out in cases of superior public interest.

If the reasons for processing personal data processed through the methods specified in the Personal Data Protection Law are eliminated, the use of the data will become unlawful, as there will be no further benefit. Therefore, once the reasons for processing the data are eliminated, the data controller will anonymize, delete, or destroy the data, either ex officio or at the request of the data subject. If the data controller fails to comply with a request for deletion, anonymization, or destruction of the data subject after the reason for processing has disappeared, this will render the legal situation unlawful, resulting in unlawful data processing. Consequently, the data controller will be subject to various sanctions.

TRANSFER OF PERSONAL DATA

The transfer of personal data by data processors to another data processor or data controller is defined as the transfer of personal data. Transfer of personal data becomes lawful when data obtained in accordance with the legally required personal data processing conditions is transferred to another person within the country, provided that the conditions stipulated in Article 8 of Law No. 6698 on the Processing of Personal Data are met. As with the processing of personal data, the legislator has required explicit consent for the transfer of personal data as a rule. However, in some cases where explicit consent is not provided, transferring personal data will not constitute unlawfulness. If the necessary conditions for processing general personal data without explicit consent exist, such as the actual impossibility of contract execution, the legal liability of the data controller, publicity, the establishment of rights, and legitimate interests, the transfer of general personal data will cease to be unlawful and will be considered lawful. The situation is more cautious regarding special personal data. If the conditions required for processing special personal data without express consent are met, the transfer of these data can be ensured in accordance with the law by taking adequate measures. The domestic transfer of private and general personal data is subject to these conditions.

Transfers of personal data abroad are subject to more stringent conditions. The primary requirement is the explicit consent of the person whose data is to be transferred. As a rule, transfers abroad cannot be made without explicit consent. However, there are exceptions to this rule. In cases where general and specific personal data that can be processed without explicit consent is transferred to another country, the transfer can be made provided that the country to which the data is to be transferred provides adequate protection, or if there is insufficient protection, the data controllers in Turkey and the relevant foreign country commit in writing to providing adequate protection and obtain the permission of the Personal Data Protection Authority . Countries with adequate protection are announced by the Personal Data Protection Authority. The existence of adequate protection is determined by evaluating factors such as international agreements to which Turkey is a party, relations with the country to which the data is to be transferred, and relevant legislative provisions.