Basics
The Law on the Protection of Personal Data numbered 6698, published at the Legislative Journal dated April 7, 2016 and No. 29677, came into force in October 2016.
This Law sets forth certain new liabilities for the data supervisors who process the received personal data, and also, according to Article 31 Sub article 3 of the Law, data supervisors are required to make sure that the personal data that was processed before the publication of this Law complies with the provisions of this Law within 2 years from the date of publication (and therefore, until April 7, 2018).
What is personal data?
To review the Law of Protection of Personal Data No. 6698, the terminology used for personal data shall be inspected. Article 2 of the Law defines personal data as “Any kind of information that belongs to a natural person (consumer, client, agency owner, company partner, employee, etc.) whose identity is determined or may be determined”. In this respect, the following examples of data may be deemed as personal data:
- ID Number
- ID and Passport info
- Residency/Contact info (phone number, address, e-mail address)
- Image/ voice recording/photograph
- Credit card info/ Bank account number
- Info required for visa applications
Additionally, as per Article 6, race, ethnicity, political view, philosophical belief, religion, sect or other beliefs, dress and appearance, association and foundation memberships, health condition, sexual life, info regarding the criminal sentences and security measures, criminal records, biometric and genetic information of an individual shall also be considered as ‘private personal data’.
According to Article 4, personal data may only be processed if it is stored in compliance with the law and the good faith principle, and is stored correctly and up to date, with a motive of clear, legal and specific purposes, relating to the purpose of data processing, in a limited and proportional manner and for a limited duration.
Whereas Articles 5 and 6 of the Law restrict the processing of personal data and private personal data without the express consent of the data provider.
Furthermore, Articles 8 and 9 of the Law restrict the transfer of personal data to third parties and/or abroad (to jurisdictions outside of Turkey) without the express consent of the data provider.
III. DATA SUPERVISORS AND THEIR LIABILITIES
According to the Law, persons and/or entities that store and designate the purpose and facilities of processing of personal data shall be considered as “data supervisors” and legal or natural persons that process the data in the name of the data supervisor by the authority of the data supervisor shall be deemed as “data processors”.
Therefore, natural and/or legal persons that gather, keep, process, and preserve such data belonging to their customers and/or clients and/or other people in their own databases shall all be considered as “data supervisors”.
Liabilities of the data supervisors regarding data security are outlined in subarticle 1 of Article 12 of the Law. Accordingly, data supervisors are obliged to prevent the illegal processing of and unauthorised access to personal data, and they need to take all necessary technical and administrative measures to provide the proper security level of the data kept.
In addition to the above, Article 10 of the Law sets forth that data supervisors shall be liable to provide the relevant person (data provider) the following information:
- Title of the Data Supervisor (if the identity and address information of the data keeper)
- Purpose of Data Processing
- To whom and with what purpose the data can be transferred
- Legal reasons and methods of data gathering
- Other liabilities regarding the rights of individuals mentioned in Article 11
For more information and questions, please email b.orhan@londonlegalint.co.uk. Mrs Holmgren is the senior partner in London Legal International and is in charge of our Turkish Civil Law division.
