Fri, Jun
69 New Articles

Data Protection – An Overview of 2021 and What To Expect in 2022

Data Protection – An Overview of 2021 and What To Expect in 2022

  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

In Turkey, 2021 continued to be dominated by the COVID-19 pandemic and the various legal difficulties and ambiguities that it brought. This raised several questions on how to apply the Turkish data protection law and related legislation, in particular about how to properly process data on health, vaccination status, and PCR tests.

While the Turkish Data Protection Board (Board) passed various decisions in 2021, they generally did not result in the final resolution of the above issues. Conversely, while the Turkish government did publish decrees and letters impacting this area, it remains unclear how the provisions of these decrees and letters should be interpreted together with the provisions of the law.

The following is a summary of the main developments in the field of data protection in Turkey, in 2021.

Decisions of the Board

Unfortunately, during 2021 the Board did not publish any decisions or guidance on how personal data related to vaccinations and PCR tests should be kept, with the exception of one decision in which the Board found that various systems implemented by public authorities for the recording of personal data relating to vaccinations, PCR tests, and infection status were outside the scope of the law. Yet this decision, unfortunately, does not clarify if and how private entities may collect and process the same set of data.

The Board did, however, decide to extend the deadline for VERBIS registrations – the public data controllers’ registry in Turkey – until December 31, 2021. Registration with VERBIS is mandatory for various Turkish and foreign data controllers, and the extension of the registration obligation prevents entities that have not complied with this obligation, also due to the difficulties brought about by the pandemic, from being subject to sanctions.

Decrees and Governmental Orders

There is currently a decree and an official letter in force, published by governmental authorities in Turkey, on the data protection implications related to COVID-19.

The decree in question was issued by the Ministry of Interior and requires all individuals to show their HES Code (HES Kodu), created using an app issued by the Ministry of Health, when entering public areas such as shopping malls, cinemas, and theaters. The HES code contains information on vaccination status, PCR tests, and whether the person has suffered from a COVID-19 infection in the last 14 days. The said letter was sent to all governors by the Ministry of Labor and Social Security. The letter succinctly states that, “beginning September 6, employers are authorized to require unvaccinated employees to submit to weekly PCR testing and to maintain records of vaccinated employees and those who submit weekly PCR test results.”

As mentioned, the processing of personal data by private legal entities continues to fall under the scope of the law, which provides strict rules for the processing of health-related data. Thus, the obligations imposed on employers by the above-mentioned letter could be considered as contrary to the law. Therefore, it is necessary to clarify, on the basis of precedents and decisions of administrative authorities, how these potentially contradictory issues are interpreted in Turkish legal practice.

Further Work

To conclude, the law, which is based on EC Directive 95/46, was a major step forward for the implementation of, and compliance with, data protection in Turkey. However, there is still a considerable need for development, especially as many questions remain largely unanswered due to the existing regulations and thus cause difficulties in the application and implementation of the law.

To this end, and in view of the problems mentioned, we expect the Board to clarify which persons (e.g., company doctors) are authorized to process health data on behalf of the employer, as mentioned in the above letter.

In addition, the Board should also clarify the exact conditions for the cross-border effects of the Law. This is important to determine the data controllers abroad who, as mentioned above, are required to register with VERBIS.

Finally, we expect the Board to publish a list of safe countries to which personal data can be transferred without explicit consent. This is an important issue, as Turkey hosts many subsidiaries of global companies. Accordingly, the publication of such a list should ease the cumbersome cross-border data transfer procedures that currently apply to these companies under the law.

By Sinan Abra, Head of Data Protection, Yalcin Babalioglu Kemahli in Cooperation with CMS

This Article was originally published in Issue 8.12 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

CMS at a Glance

CMS Sofia is a full-service law firm, the largest international law firm in Bulgaria and one of the largest providers of legal services in the local market as a whole. The breadth and depth of our practice means that our lawyers are specialised, with a level of specialisation that few of our competitors can match.

CMS Sofia is the Bulgarian branch of CMS, a top ten global legal and tax services provider with over 5000 lawyers in 43 countries and 78 offices across the world.

CMS entered the Bulgarian market as one of the first internationally active law firms in 2005 and is now among the most respected legal advisors in the country. We have 7 partners, 4 counsel and over 30 lawyers in our office in Sofia.

Our legal experts, who are rooted in Bulgaria’s local culture, can also draw on years of experience in foreign countries and are at home in several legal systems at once. We know the particularities of the local market just as well as the needs of our clients and combine both to achieve optimum solutions. Our lawyers are Bulgarian qualified and we also have English qualified experts – all of them regularly working on cross-border mandates.

In our work, we focus on M&A, Energy, Projects and Construction, Banking and Finance, Real Estate, Media, IP and IT law, Tax, Employment law, Competition, Procurement and any kind of Dispute resolution, including arbitration and mediation. What’s more, we also take care of the entire legal management of our clients’ projects.

Firm's website.