On July 11 2017 the Data Protection Authority published two guidelines on the implementation of Law 6698 on the Protection of Personal Data on its website:
- the Implementation Guidelines for the Law on the Protection of Personal Data; and
- the Frequently Asked Questions (FAQ) Document on the Law on the Protection of Personal Data.
Although these guidelines are not pieces of legislation or legally binding, they include detailed information on the implementation of data protection concepts and procedures regulated under the data protection law. Therefore, it is important to review these guidelines to understand the Data Protection Authority's perspective on data protection-related obligations.
The Implementation Guidelines for the Law on the Protection of Personal Data include details of the data protection law's historical background and legal basis, as well as information on EU data protection legislation. The FAQ Document of the Law on Protection of Personal Data primarily answers questions that may be raised by data protection practitioners and includes explanations and examples regarding data protection concepts.
The data protection law is the first piece of Turkish legislation which specifically regulates general principles and procedures regarding the protection of personal data. Hence, it does not include specific examples of how these rules should be implemented. Certain data protection concepts which are important in practice (eg, a legitimate interest to process personal data without the data subject's explicit consent) remain unclear for data protection practitioners and the grey areas under the data protection law hinder a clear understanding of the newly introduced data protection rules. This update focuses on the data protection law's more ambiguous concepts and the clarifications offered by the guidelines.
Based on the principle of territoriality, laws should be applicable to real and legal persons residing in Turkey. In light of this principle, the data protection law should not be applicable to companies that reside outside Turkey. However, the guidelines explicitly state that the data protection law is applicable to data controllers outside Turkey if they undertake an activity in Turkey.
As a general rule under the data protection law, the data subject's explicit consent is required to process personal data. The guidelines explain the principles of explicit consent and clearly state that explicit consent should not have a general scope and wording – rather, it should focus on the specific aim of processing personal data. The FAQ Document states that explicit consent should not be a prerequisite to provide goods or services to the data subject, as this should be based on free will. For example, if a data subject is a member of a sports club which requires taking fingerprints during the membership process, the data subject should have the right to refuse to provide fingerprints and use the sports club without providing explicit consent to process his or her personal data.
The data protection law does not set a required form for explicit consent, whereas the guidelines state that if explicit consent is obtained in written form, it should be clear, understandable and user friendly. Further, the guidelines state that the explicit consent text should not reference another medium – for example, a text that says "I hereby provide my explicit consent to the text which is published at www.xyz.com website" would not fulfil the explicit consent requirement.
The data controller guidelines state that a data controller may appoint a real person to manage and supervise data protection-related matters if the data controller is a legal entity. In such cases, the data controller would still be a company. Therefore, the data controller's identity and responsibilities will not be transferred to individuals appointed as authorised persons (eg, a data protection officer in a company).
One of the most discussed concepts under the data protection law is whether a data controller's legitimate interest eliminates the explicit consent requirement – provided that the data subject's fundamental rights are not violated. In certain cases, the use of the legitimate interest loophole could ease a company's work flow, as explicit consent would not be required to process personal data. That said, this concept should not be interpreted too broadly, as data controllers could use it to avoid the free will of data subjects, which would be against the spirit of the data protection law. The guidelines state that a 'legitimate interest' may be interpreted as a legitimate commercial interest, with reference to the EU Data Protection Directive (95/46/EC).
It is also clear that the guidelines published by the Data Protection Authority are in line with the Article 29 Working Party's opinion on legitimate interest, as they provide guidance on the difference between a 'legitimate interest' and the 'basic rights of the data subject'. Therefore, although the definition of legitimate interest remains unclear, it appears that in practice it will follow EU law. Finally, the guidelines also state that a legitimate interest is not a last resort for data controllers to avoid the explicit consent requirement.
Article 8 of the data protection law sets out the general principles for the transfer of personal data in Turkey to third parties. The data protection law provides no exceptions for a corporate group, which differs from EU practice. Accordingly, personal data cannot be transferred without the data subject's explicit consent. Further, the Data Protection Authority's guidelines specifically state that the transfer of personal data between corporate groups would be considered a transfer to a third party.
That said, transfers between the divisions, departments and branches of a single data controller are not considered a transfer to a third party within the scope of the guidelines.
Finally, even if the guidelines shed light on how to interpret some of the data protection law's more ambiguous points, they do not clarify how to implement these provisions and how burdensome their implementation could be. The process will be clearer once secondary legislation is effective and the Data Protection Authority wields its power regarding data protection rules.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.
For further information on this topic please contact Gönenç Gürkaynak or Ilay Yilmaz at ELIG, Attorneys-at-Law by telephone (+90 212 327 17 24). The ELIG, Attorneys-at-Law website can be accessed at www.elig.com.