This article was written by Ekin İnal, lawyer at İnal Kama Attorney Partnership, affiliate firm of Norton Rose Fulbright in Turkey.
As explained in our newswire article on data protection in Turkey, the long-awaited Data Protection Law was enacted on April 7, 2016 and was later followed by various regulations. As also mentioned in our subsequent article on the data protection regime, the members of the Data Protection Board (the Board) took office in early 2017 and have been busy since.
Below is an update on recent developments in data protection.
The Board has announced exemptions to the requirement of registration with the Data Controllers’ Registry
Unless exempt from the requirement, all data controllers must be registered with the Data Controllers' Registry (the Registry) prior to processing any personal data. The Registry will be kept by the Board under the supervision of the Data Protection Authority or DPA.
The Turkish DPA published a regulation on the Registry to regulate its establishment and working principles, the procedure to be followed for registration by individual and legal entity data controllers and the rules and principles in relation to personal data disclosed to the Registry.
The establishment of the Data Controllers’ Information System (VERBİS), where data controllers will register and will upload the required information on personal data, is still awaited. Data controllers will be required to register upon the establishment of VERBİS. Any data controller that becomes a data controller following the establishment of VERBİS will be required to register prior to processing any personal data and within 30 days of falling within the scope of the data protection legislation.
The Board has the discretion to grant exemptions from the requirement to register with the Registry. The Board announced the following list of data controllers that will be exempt from this requirement:
Data controllers processing personal data exclusively through non-automated means, provided that the processing is part of a data recording system.
Associations, foundations and unions that are processing personal data in accordance with, and limited to, the applicable legislation and their scope of activity, and if such data belongs to their employees, members, associates and donors.
Public accountants and sworn-in public accountants.
The minimum content of data transfer agreements has been published
As explained in our previous publications, as a general rule, no transfer of personal data may be made without the express consent of the data subject. Under certain circumstances data may be transferred without consent. Transfer of personal data without consent is subject to further restrictions if the data is transferred outside of Turkey. Accordingly, data controllers may transfer personal data to a recipient country with an adequate level of data protection, or, if the recipient country does not have an adequate level of data protection, where there is a written agreement with the data controller or processor in that country. This agreement must be submitted to and approved by the Board.
While the Board is still to announce the "white list" countries that will be deemed to have an adequate data protection level, it has announced the minimum required content of the above-mentioned agreement. For instance, the recipient of data has to take all technical and administrative measures required to ensure an adequate level of security, suitable for the type of personal data. The recipient has to process the data in line with applicable legislation and the agreement, and if processing is not in accordance with legislation or the agreement, the Turkish data controller has the right to suspend transfer of data and terminate the agreement. The Turkish data controller also has the right to monitor the foreign recipient's compliance with the agreement.
The foreign recipient must represent that it has the administrative and technical capability to fulfil its obligations under the agreement and that the agreement does not violate any provision of the recipient country's legislation.
The Board has announced adequate measures for processing special personal data
Certain categories of personal data are categorized as “special personal data”, such as information on a person’s religion, beliefs, appearance, biometric and genetic data and criminal records. Special personal data may not be processed without the explicit consent of the data subject and data controllers must take adequate measures as determined by the Board.
The Board adopted a decision relating to the measures to be taken by data controllers when processing special personal data. Accordingly, data controllers should set a separate, systematic, manageable and sustainable policy and procedure with definite rules for the protection of special personal data.
Adequate measures set forth by the Board can be categorized as follows:
Measures in relation to employees (such as providing periodic trainings to employees in relation to the protection of special personal data and regulatory framework, executing confidentiality agreements).
Measures for protecting special personal data kept, processed or accessed in an electronic environment (such as securing the data by using cryptographic means, keeping cryptographic keys in secure and separate mediums, and logging all transaction records on special personal data in a secure way).
Measures for protecting special personal data kept, processed or accessed in a physical environment (such as taking adequate security measures specific to the environment in which the data is kept, for example against theft, fire and flood, and preventing unauthorized entry to ensure the physical safety of that environment).
Measures for transferring special personal data (such as using a corporate email address with a password or using a registered email address (Kayıtlı Elektronik Posta) if the transfer is to be made via email, using cryptographic means and keeping the cryptographic keys in a separate place if the transfer is to be made via an external hard disc, CD, DVD or by a similar method).
Whilst abiding by the adequate measures set out above, data controllers should also take into account the technical and administrative measures published on the Board’s website and set out in the Personal Data Security Guidelines (Kişisel Veri Güvenliği Rehberi).
Summarized rulings of the Board have been published
The DPA recently published summarized rulings of the Board with a view to shedding light on Turkey’s rather recent legislation on data protection.
Certain take-away points from the decisions can be summarized as follows. In each case, the relevant data controllers have either had administrative sanctions imposed on them or been instructed to remedy the breach:
A notification made to data subjects 17 months after, and to the Board 10 months after, a breach cannot be interpreted as a "notification without undue delay" and therefore constitutes a violation of data security obligations.
As a general rule, the data protection legislation allows processing without explicit consent if processing is directly related to the execution or performance of a contract. Although explicit consent is not required in this case, if a data controller still requires consent as a condition to the agreement (for a membership, for provision of services etc.), such action constitutes an abuse of rights and the data controller breaches its obligation to process data lawfully, fairly and for a specified purpose. Also, a consent so imposed is not freely given.
If a court requests the transfer of certain personal data from a data controller, transferring personal data which exceeds the scope/amount requested by the court runs afoul of the “data minimization" principle (data being adequate, relevant and limited to what is necessary).
The Board warned data controllers that administrative fines will apply if they fail to respond, or fail to respond in a timely manner, to a data subject's application to exercise their rights under the data protection legislation.
The Board instructed a data controller to comply with the "storage limitation" principle and not to store data longer than necessary or required under the applicable Turkish laws.
The Board sanctioned two data controllers on the grounds that they failed to take the required technical and administrative measures for the protection of personal data. One data controller sent a document containing a customer's personal data to another customer with the same name, and in the other case, the data controller's employee examined a customer’s personal data for personal reasons.
Requesting documents containing personal data when they are not required to conclude a transaction breaches the data controller's obligation to process and use data in a lawful and fair manner and limited to a specified purpose. The Board decided that the data controller's action indicated a lack of the technical and administrative measures required for the protection of personal data.
In addition to the above summarized rulings, the Board ordered the cessation of activities of companies providing online phonebook services that made available the telephone numbers and names of persons without their consent.
Further, the Board ordered public and private sector institutions and organizations, operating among others in the banking and healthcare sectors, which provide services at counters, booths, box-offices and desks to take necessary measures to prevent service receivers from hearing, seeing or accessing each other’s personal data.