Law On The Protection Of Personal Data

Data Protection Authority published two guidelines on the implementation of Law 6698 on the Protection of Personal Data on its website:

The Implementation Guidelines for the Law on the Protection of Personal Data (LPPD); and

The Frequently Asked Questions (FAQ) Document on the Law on the Protection of Personal Data.

Hereby guidelines contain information on the implementation of data protection concepts and procedures regulated under the data protection law, in spite of they are not parts of legislation or legally binding. Hence, in order to understand the Data Protection Authority’s perspective on data protection-related obligations, it is important to analysis the guidelines.

The data protection law is the first study of Turkish legislation. Also It specifically regulates general principles and procedures regarding the protection of personal data. Hence, it does not contain specific examples. Certain data protection concepts which are important in practice remain unclear for data protection practitioners and the grey areas under the data protection law hinder a clear understanding of the newly introduced data protection rules. This update focuses on the data protection law’s more ambiguous concepts and the clarifications offered by the guidelines.

Territorial applicability of data protection law

Laws should be applicable to real and legal persons residing in Turkey when considered the principle of territoriality. In context of this principle, the data protection law should not be applicable to companies that reside outside Turkey. However, the guidelines explicitly state that the data protection law is applicable to even data controllers outside Turkey (if they undertake an activity in Turkey.)

Explicit consent

As a general rule under the data protection law, the data subject’s explicit consent is required to process personal data. The guidelines clearly state that explicit consent should not have a general scope and wording it should focus on the specific aim of processing personal data. The FAQ Document states that explicit consent should not be a prerequisite to provide goods or services to the data subject, as this should be based on free will.

The data controller guidelines state in order to manage and supervise data protection-related matters (if the data controller is a legal entity), a data controller may appoint a real person. In such cases, the data controller would still be a company. Therefore, the data controller’s identity and responsibilities will not be transferred to individuals appointed as authorized persons.

Processing personal data without explicit consent

One of the most discussed concepts is whether a data controller’s legitimate interest eliminates the explicit consent requirement – provided that the data subject’s fundamental rights are not violated. In some cases, the use of the legitimate interest loophole could ease a company’s work flow, as explicit consent would not be required to process personal data. That said – provided that this concept should not be interpreted too broadly, as data controllers could use it to avoid the free will of data subjects, which would be against the spirit of the data protection law. The guidelines state a ‘legitimate interest’ may be interpreted as a legitimate commercial interest, with reference to the EU Data Protection Directive (95/46/EC).

As they provide guidance on the difference between a ‘legitimate interest’ and the ‘basic rights of the data subject’ it is also clear the guidelines are in compliance with Article 29 of the working party’s opinion on legitimate interest. Consequently, in spite of the definition of legitimate interest remains unclear, it appears that in practice it will follow EU law. Lastly, the guidelines also state that a legitimate interest is not a last resort for data controllers to avoid the explicit consent requirement.

Personal data’s transfer to third parties

Article 8 of the LPPD sets out the regarding general principles for the transfer of personal data in Turkey to third parties. The LPPD provides no exceptions for a corporate group and in this concept, it differs from EU practice. Accordingly, personal data cannot be transferred without the data subject’s explicit consent. Further, the Data Protection Authority’s guidelines specifically state that the transfer of personal data between corporate groups would be considered a transfer to a third party.
Transfers between the departments, divisions and branches of a single data controller are not deemed a transfer to a third party within the scope of the guidelines. Finally, even if the guidelines shed light on how to interpret some of the data protection law’s more ambiguous points, they do not clarify how to implement these provisions and how burdensome their implementation could be. The process will be clearer once secondary legislation is effective and the Data Protection Authority wields its power regarding data protection rules.