Get in Line With Data Protection Requirements
A global movement regarding personal data protection has gained momentum in the past few years.
Questions of privacy, transparency and fairness are as global and important as they are nuanced, and never have they been more in the public eye than now, with Senate hearings on data privacy in the social media space and the countless “opt-in” and policy update e-mails readers will undoubtedly have received and may still be receiving.
As administrative fines start to be handed out for non-compliance in Turkey and in the EU, businesses should take the time to review their compliance position under personal data protection legislation. This article will seek to guide readers through a high-level set of steps to help get their bearings in the landscape of Turkish personal data protection legislation and its potential interface with EU legislation.
An introduction to Turkish data protection legislation
Turkey’s data protection reform came in the form of the Personal Data Protection Law No. 6698 published in the Official Gazette dated 7 April 2016 (the “PDPL”). The PDPL provided express protections and compliance and transparency obligations on the use, storage and processing of personal data where previously general law protections, which were either inadequate or too general, governed.
The two-year transition period for compliance with the PDPL expired on 7 April 2018, slightly ahead of the General Data Protection Regulation numbered 2016/679 of the European Parliament (the “GDPR”), which came into force on 25 May 2018.
Does this concern you?
If you have employees, offer goods or services to natural persons or are in any way responsible for the processing(1) of any personal data(2) relating to identified or identifiable natural persons, you may be classified as a Data Controller under the PDPL and should closely review your information processing practices.
Not all entities are subject to the PDPL and not all entities are subject to the PDPL to the same extent. Therefore, if you have determined that your information processing activities are of the type that is subject to the PDPL, you should also check whether you benefit from any exemptions specified in the PDPL or any of the exemptions determined by the Personal Data Protection Board (the “Board”).
A third and equally important step is to check whether you have a parallel obligation to comply with both the PDPL and GDPR. While the PDPL does not provide an express scope in terms of its territorial applicability, many scholars are of the view that the PDPL applies to Data Controllers who reside in Turkey as a straightforward application of the principle of territoriality and also to Data Controllers residing outside of Turkey who process the personal data of Turkish citizens transferred from Turkey, notwithstanding the place of processing. The GDPR applies to Data Controllers residing in a member state of the European Union (a “Member State”) (or in a state where a Member State’s laws apply by virtue of public international law), regardless of whether the processing takes place in a Member State or not. The GDPR also applies to the processing of personal data of data subjects in a Member State by a Data Controller not residing/registered in a Member State provided that the processing is related to the offering of goods or services (irrespective of a payment) to such data subjects in a Member State or the monitoring of their behaviour insofar as their behaviour takes place in a Member State.
What are the next steps?
If you are a Data Controller engaging in data processing activities subject to the PDPL, you should consider the following steps.
1) Determine Your Processing Activities
You should determine the type of personal data you are processing, the purposes and methods of such processing activities and the length of time for which you are storing personal data.
The Regulation on the Data Controller’s Registry published in the Official Gazette dated 30 December 2017 and numbered 30286 (the “Regulation”) requires Data Controllers to prepare a personal data processing inventory (the “Inventory”) in respect of the information above and a personal data protection and annihilation policy (the “Policy”).
2) Make Sure You Have Legal Grounds for Processing
It is safe to say that consent of the data subject is the backbone around which data protection regulations are built and the primary legal ground for processing.
The PDPL requires the consent of the data subject to be express, specific, informed and freely given. It is of critical importance to make sure that all your processing activities are grounded on the consent of the data subject or, otherwise, comfortably benefit from an exemption from the requirement to obtain consent.
Furthermore, you should assess whether any information you process constitutes “sensitive personal data”. The PDPL treats certain data, such as genetic information and information relating to sexual orientation and criminal background, as a further restricted subset of personal data which can only be processed with the express consent of the data subject or in circumstances required by law. Such “sensitive personal data” is also subject to additional protective measures announced by the Board(3).
3) Review Your Data Storage Practices
Broadly speaking, the PDPL permits you to process personal data only for so long as there is a legitimate purpose for processing. Where such purpose no longer exists, you are required, and may be requested by the relevant persons, to erase, destroy or anonymise any stored personal information.
You also need to determine a periodic annihilation schedule; periodic sweeps may not be more than six months apart unless the Board has determined a shorter minimum periodic annihilation interval for your sector or business field(4).
4) Review Your Data Transfer Practices
The PDPL requires you to ensure that any country outside of Turkey to which you transfer personal data offers sufficient data protection.
A list of countries that offer sufficient protection will be announced by the Board in due course. If you are transferring personal data to other countries, you will need to apply to the Board to demonstrate that the receiving country offers sufficient data protection.
In determining the receiving country for any personal data you are transferring, you should take into account the centre where the processing activities are carried out rather than the place of residence or incorporation of the recipient.
5) Take Appropriate Cyber-Protection Measures
You must take appropriate technical and/or organisational measures for the protection of personal data, commensurate with the applicable breach risks, to ensure that the storage, transfer and, in general, all processing of personal data are appropriately secure.
Considering that record keeping and/or processing of data by electronic means has become standard practice, it is highly recommended and often necessary to obtain external technical support regarding the protection of personal data.
6) Register with VERBIS
Unless you benefit from an exemption and notwithstanding whether your place of residence or incorporation is in Turkey, you should register with the data controllers’ registry through its online platform (“VERBIS”) prior to processing any personal data(5).
7) Assess Your GDPR Compliance Status
If you are subject to the PDPL and GDPR simultaneously, which will likely be the case for any business engaging in cross-border commerce, ensure you have sought specialist advice for any interface issues.
While the PDPL and the GDPR are consistent with each other to a large extent, they are not identical.
In addition to the differences in territorial scope discussed above, perhaps the most significant difference between the GDPR and the PDPL is the definition of consent. The GDPR requires consent to be “a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”, which places a higher burden of proof on Data Controllers in demonstrating “opt-ins” than the PDPL does.
As a general rule of thumb, where the PDPL and GDPR apply to a matter simultaneously, it is prudent to apply the stricter of the two.
Failure to comply with the obligations under the PDPL is subject to administrative fines between TRY 5,000 (approximately EUR 900) and TRY 1,000,000 (approximately EUR 180,000), whereas non-compliance with the obligations under the GDPR may result in fines of up to EUR 20 million or 4% of a Data Controller’s global annual turnover.
Contact us for further support
Following the expiry of the transition periods under the PDPL and the GDPR, all businesses should assess their compliance position and data protection obligations.
Bezen & Partners can assist you in assessing your compliance status and transitioning your compliance practices in accordance with the requirements of the PDPL.
1 The definitions of “processing” in the GDPR and the PDPL are generally consistent. Accordingly, the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data is regarded as processing.
2 Personal data includes, but is not limited to, the name, e-mail address, gender and recruitment information of natural persons.
3 See the Personal Data Protection Board Decision dated 3 January 2018 and numbered 2018/10.
4 There has been no such decision as of the date of publication of this material. However, we expect the Board will announce sector-specific periods in due course.
5 VERBIS has not been activated as at the date of publication of this material, and many ancillary issues in relation to registration formalities, such as the applicable registration fee, are yet to be determined.