The Law on the Protection of Personal Data numbered 6698 published at the Legislative Journal dated April 7, 2016 and No. 29677, in force by October 2016.
This Law sets forth certain new liabilities for the data supervisors who process the received personal data, and also, according to Article 31 Sub article 3 of the Law, data supervisors are required to make sure that the personal data that was processed prior to the publication of this Law complies with the provisions of this Law within 2 years from the date of publication (and therefore, until April 7, 2018).
What is personal data?
In order to review the Law of Protection of the Personal Data No. 6698, terminology used for personal data shall be inspected. Article 2 of the Law defines the personal data as “Any kind of information that belongs to a natural person (consumer, client, agency owner, company partner, employee, etc.) whose identity is determined or may be determined”. In this respect the below listed examples of data may be deemed as personal data:
- ID Number
- ID and Passport info
- Residency/Contact info (phone number, address, e-mail address)
- Image/ voice recording/photograph
- Credit card info/ Bank account number
- Info required for visa applications
Additionally, as per Article 6, race, ethnicity, political view, philosophical belief, religion, sect or other beliefs, dress and appearance, association and foundation memberships, health condition, sexual life, info regarding the criminal sentences and security measures, criminal records, biometric and genetic information of an individual shall also be considered as ‘private personal data’.
According to Article 4, personal data may only be processed if it is stored in compliance with the law and the good faith principle, and is stored correctly and up to date, with a motive of clear, legal and specific purposes, relating to the purpose of data processing, in a limited and proportional manner and for limited duration.
Whereas Articles 5 and 6 of the Law restricts the processing of personal data and private personal data without the express consent of the data provider.
Furthermore, Articles 8 and 9 of the Law restricts the transfer of personal data to third parties and/or to abroad (to jurisdictions out of Turkey) without the express consent of the data provider.
III. DATA SUPERVISORS AND THEIR LIABILITIES
According to the Law, persons and/or entities that store and designates the purpose and facilities of processing of personal data shall be considered as “data supervisors” and legal or natural persons that processes the data in the name of the data supervisor by the authority of the data supervisor shall be deemed as “data processors”.
Therefore natural and/or legal persons that gather, keep, process and preserve such data belonging to their customers and/or clients and/or other people in their own databases shall all be considered as “data supervisors”.
Liabilities of the data supervisors regarding the data security are set forth in sub article 1 of Article 12 of the Law. Accordingly, data supervisors are obliged to prevent the illegal processing of and unauthorized access to personal data and they need to take all necessary technical and administrative measures to provide the proper security level of the kept data.
In addition to the above, Article 10 of the Law sets forth that data supervisors shall be liable to provide the relative person (data provider) the following information:
- Title of the Data Supervisor (if exists identity and address information of the data keeper)
- Purpose of Data Processing
- To whom and with what purpose the data can be transferred to
- Legal reason and method of the data gathering
- Other liabilities regarding the rights of individuals mentioned in the Article 11
For more information and questions please email firstname.lastname@example.org Mrs Holmgren is the senior partner in London Legal International and is in charge of our Turkish Civil Law division.