One of the many obligations imposed on data controllers by Law 6698 on the Protection of Personal Data is to provide certain information to data subjects during the collection of their personal data.
As per Article 10 of the law, the data controller or any person authorised by the data controller must provide data subjects with the following information during the collection of personal data:
- the identity of the data controller and its legal representative, if any;
- the reason for data processing;
- to whom and for what purpose the processed personal data can be transferred;
- the method and legal reason for collection; and
- other rights of the data subject under Article 11 of the law.
The definition of 'other rights' of the data subject (which came into force on October 7 2016 as part of the law's transitional provisions) includes the right to apply to the data controller to:
- learn whether data is being processed;
- request relevant information if personal data has been processed;
- obtain information about why personal data is being processed and whether such data has been processed accordingly;
- be informed of the third parties (in Turkey or overseas) to which personal data is transferred;
- request that incomplete or inaccurately processed personal data be updated;
- request the deletion of personal data;
- request that third parties to which personal data has been transferred be notified of operations carried out within the meaning of the fifth and sixth bullet points above;
- object to any detrimental outcome which results from the analysis of the processed data exclusively by means of automated systems; and
- request compensation for damages incurred as a result of unlawful personal data processing.
These provisions are in line with the EU Data Protection Directive (95/46/EC) with certain differences. Article 10 of the directive governs information collected from the data subject. The data controller or a representative must provide a data subject whose data is being collected with the following information:
- the identity of the data controller and any representative, if applicable;
- the reason for which the data is being processed;
- further information requested, such as:
  - the recipients or types of recipient of the data;
  - whether replies to the questions are obligatory or voluntary;
  - the possible consequences for failure to reply; and
  - the existence of the right of access and the right to return data concerning the data subject.
The directive includes provisions regarding the timing of information to be provided to the data subject, depending on whether data is collected from the data subject (Article 10) or from a third party (Article 11). If the data is collected from the data subject, information must be provided at the time of collection. If the data is collected from third parties, information must be provided when the controller records the data or before the data is disclosed to a third party for the first time. Unlike the directive, Law 6698 does not make the aforementioned separation and states that information should be provided to the data subject during the collection of personal data. That said, the law does not regulate cases where the data is collected from a third party. In that regard, it is advisable that data controllers in Turkey obtain an undertaking from third parties for the collection of their personal data by stating that the third party informed the data subject of his or her rights in line with the law.
Finally, Law 6698 sets certain exemptions to the aforementioned obligation. Article 10, which regulates the data controller's obligation to provide information to the data subject, and Article 11 regarding the data subject's rights (excluding claims for damages) are not applicable if the processing of personal data is:
- necessary to prevent a crime or for a criminal investigation;
- made public by the data subject;
- necessary for supervisory or regulatory duties along with a disciplinary investigation or prosecution by the assigned and authorised public institutions and agencies along with professional organisations carrying the nature of public institutions, based on the authorisation of the law; or
- required to protect the state's economic and financial interests with respect to the budget, tax and financial matters.
The scope of the exemptions and how they will apply in practice remain unclear due to the lack of secondary legislation. That said, in order to ensure a high level of compliance, data controllers will need to evaluate their processes in detail to determine whether they fall under one of the exemptions outlined above.
For further information on this topic please contact Gönenç Gürkaynak or Ilay Yilmaz at ELIG, Attorneys-at-Law by telephone (+90 212 327 17 24). The ELIG, Attorneys-at-Law website can be accessed at www.elig.com.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.