Law 6698 on the Protection of Personal Data came into force on April 7, 2016 and applies to:
- real persons whose personal data is processed; and
- real persons and legal entities that process personal data.
Therefore, defining the actions and main actors involved in the processing of personal data is key to understanding the law's general scope.
Under Law 6698 on the Protection of Personal Data, the 'processing of personal data' means any operation performed on personal data (wholly or partly) through automatic means or, if the data is part of a data filing system, through non-automatic means, such as collection, recording, storage, preservation, alteration, re-organisation, disclosure, transfer, acquisition, making available, categorisation or preventing its use. The definition of the processing of personal data is broad in scope and similar to that of the EU Data Protection Directive (95/46/EC).
The law defines a 'data controller' as the real person or legal entity which determines the purposes and means of processing personal data and is responsible for establishing and managing a data filing system. By comparison, the EU Data Protection Directive defines a 'data controller' as a natural or legal person, public authority, agency or any other body which (alone or jointly) determines the purposes and means of processing personal data. Where the purposes and means of processing are determined by national or community laws or regulations, the data controller, or the specific criteria for nominating one, may be designated by national or community law. Under the directive, therefore, a public authority may expressly be a controller. Law 6698 on the Protection of Personal Data does not exclude public authorities from its scope, but their role is not specifically addressed in its definition of a data controller, and the law itself grants broad exemptions to public authorities that process personal data.
The law defines a 'data processor' as a real person or legal entity which processes personal data on behalf of the data controller, based on the authority given by the data controller. As with its definition of a data controller, the EU Data Protection Directive expressly includes public authorities among the bodies that may be data processors.
General measures for processing personal data
Under Article 4 of Law 6698 on the Protection of Personal Data, personal data can be processed only according to the procedures and principles established under the law and other relevant legislation. In that regard, personal data must be:
- processed lawfully and fairly;
- accurate and updated where necessary;
- processed for specified, clear and legitimate purposes; and
- relevant, limited and proportionate to the purposes for which it is processed.
By comparison, the EU Data Protection Directive sets out the basic principles in more detail. Under Article 6 of the directive, and similar to Law 6698 on the Protection of Personal Data, personal data must be:
- processed fairly and lawfully;
- collected for specified, explicit and legitimate purposes and not further processed in a way that is incompatible with those purposes (further processing for historical, statistical or scientific purposes is not considered incompatible, provided that EU member states provide appropriate safeguards);
- adequate, relevant and not excessive in relation to the purposes for which it is collected or further processed;
- accurate and, where necessary, kept up to date, with every reasonable step taken to ensure that inaccurate or incomplete data is erased or rectified; and
- kept in a form which permits the identification of the data subjects for no longer than is necessary for the purposes for which the data was collected or will be further processed. EU member states must lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.
As a general rule, Law 6698 on the Protection of Personal Data states that personal data cannot be processed without the "explicit consent of the data subject", while the EU Data Protection Directive states that personal data cannot be processed unless the data subject has unambiguously given consent.
The law and the directive provide exemptions to the explicit consent requirement. Under the law, personal data can be processed without the data subject's explicit consent if it:
- is expressly provided for by law;
- is necessary to protect the vital interests or integrity of the data subject or another person where the data subject is physically or legally incapable of giving his or her consent;
- involves the processing of personal data of parties to a contract and is directly linked to the execution or performance of the contract;
- is required to ensure compliance with a legal obligation to which the data controller is subject;
- involves data that has been made public by the data subject;
- is required for the establishment, exercise or defence of a legal claim; or
- is in the data controller's legitimate interest, provided that such interest does not violate the data subject's fundamental rights and freedoms.
Two of these exemptions, data made public by the data subject and the establishment, exercise or defence of a legal claim, have no counterpart among the general grounds listed in Article 7 of the EU Data Protection Directive (the directive recognises comparable grounds only for special categories of data). Article 7 of the directive, for its part, contains two further grounds for processing personal data without the data subject's consent:
- if the processing of personal data is required to perform a task carried out in the public interest or in the exercise of the official authority vested in the data controller or a third party to whom the data has been disclosed; or
- if the processing of personal data is required for the legitimate interests pursued by the data controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by the data subject's interests, fundamental rights or freedoms.
The second of these grounds has been carried into Law 6698 on the Protection of Personal Data as the legitimate interest exemption listed above. The first, processing in the public interest or in the exercise of official authority, has not been carried over as a ground for processing; instead, the law addresses the position of government authorities through provisions that place their activities outside its scope altogether.
The provisions on the applicability of Law 6698 on the Protection of Personal Data and its requirements for processing personal data grant government authorities sweeping exemptions. For example, the law does not apply where personal data is processed by public institutions and organisations "which are authorized by law within the scope of their preventive, protective and intelligence activities for national defence, national security, public safety, public order or economical safety", such as the police force. The EU Data Protection Directive, by contrast, permits processing without the data subject's consent where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller: an exemption tied to the particular processing task and its circumstances, rather than to the status of the institution carrying it out.
Although Law 6698 on the Protection of Personal Data was modelled closely on the EU Data Protection Directive, there are clear legislative differences between the two, and these will produce major differences in practice. Further, several of the law's provisions require clarification before they can be implemented correctly.
(First published in International Law Office on October 25, 2016)
By Gonenc Gurkaynak, Managing Partner, and Ilay Yilmaz, Partner, ELIG, Attorneys-at-Law