Following the enactment of Law 6698 on the Protection of Personal Data, Turkey is preparing relevant secondary legislation. The Draft Regulation on the Data Controllers' Registry and the Draft Regulation on the Erasure, Destruction or Anonymisation of Personal Data were recently published on the website of the Data Protection Authority (DPA) for public consultation. The DPA is also organising meetings with the public and private sectors to gather their opinions and comments on the regulations.
The aim of this secondary regulation is to establish the data controllers' registry, which will be available to the public under the supervision of the Data Protection Board. The board was established by the DPA to determine the registration procedures and principles to ensure the registry's implementation.
The draft regulation sets out the following basic data controller registration obligations:
- Data controllers must be registered before processing personal data.
- Data controllers that are resident outside Turkey must be registered through a data controller representative before processing personal data.
- The registry will be available to the public and the board can determine the scope and exemptions for the public availability of registry data.
- The information disclosed to the registry in applications will be predicated on the processing of personal data.
- The information submitted to and published in the registry will form the basis of the data controller's obligation to:
- provide information to the data subject;
- respond to the data subject's application; and
- determine the scope of explicit consent given by the data subject.
- Data controllers are responsible for ensuring that the information presented to and published in the registry is accurate, up to date and lawful. Registration will not rescind the additional liabilities of data controllers under Law 6698.
- The exemption of certain data controllers from the obligation to register based on the objective criteria set out in the secondary regulation does not exempt them from the additional obligations under Law 6698.
- Data controllers' transactions regarding the registry must be conducted through VERBIS (ie, the information system that will be used by data controllers to register or conduct other transactions relating to the registry), which can be accessed online and was established and is managed by the DPA.
- The maximum period for processing personal data presented to and published in the registry by data controllers will be determined with regard to the obligation of data controllers to erase, destroy and anonymise data, as per Article 7 of Law 6698.
The draft regulation also introduces a registration obligation. Organisations may implement organisational and technical measures which are proportionate to the risk presented by the processing in question, rather than perform administrative obligations which do not, in practice, uphold the protection of personal data.
Non-resident data controllers must register via a local representative where conditions or criteria give rise to the registration obligation. For instance, under existing EU data protection laws, the obligation to register with a registry only arises for entities which are established in an EU member state or make use of data-processing equipment located in an EU member state.
The designation of a local representative is not obligatory under Law 6698. The law implies that the designation of a local representative is optional. Conversely, the draft secondary regulation requires a local representative for registration.
Article 16 of the draft regulation provides for specific exemptions and Article 17 allows the DPA to determine additional exemptions. Article 17 is narrow in scope and excludes only the processing of personal data which does not occur automatically; it does not go far enough to be of any practical value.
The aim of the Draft Regulation on the Erasure, Destruction or Anonymisation of Personal Data is to determine the procedures and principles regarding the erasure, destruction and anonymisation of personal data processed wholly or partly through automatic means or non-automatic means if the data is part of a data filing system. Article 7 of Law 6698 already sets out the general principles for the erasure, destruction and anonymisation of personal data and the relevant provision states that the details thereof will be determined by secondary legislation.
As a general rule under Article 7 of Law 6698, if the reasons for which personal data was processed are no longer valid, said data should be erased, destroyed or anonymised by the data controller ex officio or by request from the data subject, regardless of whether the personal data has been processed in accordance with Law 6698 and the relevant legislation.
Further, Law 6698 states that parties which fail to erase or anonymise personal data in compliance with Article 7 will be punished in accordance with Article 138 of the Criminal Law Code (ie, failure to destroy the data within a defined system, despite the expiry of the legally prescribed period). The parties responsible for this failure will be sentenced to one to two years' imprisonment.
Article 5 of the Draft Regulation on the Erasure, Destruction or Anonymisation of Personal Data also sets out the circumstances in which "the reasons for processing personal data are no longer valid" – namely:
- the legislation which constitutes the basis of personal data processing is amended;
- a contract is terminated or revoked due to a lack of agreement between the parties or the agreement is invalid or automatically terminated;
- the original aim of the personal data processing is no longer valid;
- the processing of personal data is against the law or good faith;
- the data subject withdraws his or her consent – personal data processing is subject to the condition of explicit consent;
- the data controller accepts the data subject's application within the scope of his or her rights to request the erasure or destruction of the relevant personal data;
- a complaint is filed with the DPA and approved following the data controller's rejection of the data subject's application requesting the erasure or destruction of his or her personal data;
- there are no conditions that could justify the retention of personal data for longer than the maximum legal retention period; and
- the conditions that required the processing of personal data as per Articles 5 and 6 of Law 6698 no longer exist.
Further, within the scope of the relevant secondary regulation, the parties that register with the registry must prepare a personal data storage and destruction policy in accordance with the personal data processing inventory, which regulates the principles for the storage and destruction of personal data.
As per Article 7 of the relevant secondary legislation, a personal data storage and destruction policy should include the following information:
- the reason for the policy;
- the policy's filing medium;
- definitions of the legal and technical terms included in the policy;
- explanations of the legal, technical or other reasons that require personal data storage and destruction;
- details of the technical and administrative measures taken in order to store personal data safely and prevent personal data from being illegally processed and accessed;
- details of the technical and administrative measures taken in order to destroy personal data in compliance with the law;
- the names and responsibilities of the parties taking part in the personal data storage and destruction process;
- a table displaying the relevant personal data storage and destruction periods; and
- details of periodic destruction periods, in which the erasure, destruction or anonymisation procedure will be conducted ex officio, should Law 6698's corresponding provisions be rescinded.
The draft secondary regulations require certain amendments before they can become effective. For example, data controllers that are resident outside of Turkey must register with the data controllers' registry via a local representative. However, the relevant regulation introduces no specific conditions in this regard. It merely states that the obligation will be applicable for non-resident data controllers, whereas the corresponding EU legislation sets out certain criteria (eg, that the data controller must use data-processing equipment in an EU member state). Similar criteria should be introduced to the relevant Turkish regulation in order to narrow the scope of the abovementioned obligation. If not, the regulation's jurisdictional scope will be vague and there could be ambiguity in the interpretation of this obligation in practice. The proposed secondary legislation should help to clarify Law 6698's implementation and include concrete guidance for data controllers. In their present state, the draft secondary regulations could result in practical difficulties and they should be reviewed from this perspective.
For further information on this topic please contact Gönenç Gürkaynak or Ilay Yilmaz at ELIG, Attorneys-at-Law by telephone (+90 212 327 17 24) or email (firstname.lastname@example.org or email@example.com). The ELIG, Attorneys-at-Law website can be accessed at www.elig.com.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.