The development of new information technologies, and in particular the Internet, over the past few decades has led to concerns about the security of personal data. The storage and transfer of personal data has never been easier than it is today. Such an increase in exchanges of personal data within and across national borders necessitates effective protection of the right to privacy at both national and international levels.
Despite this gradually increasing sensitivity to the protection of personal data, there is not yet a specific law governing personal data privacy in Turkey, though a number of other pieces of legislation, as analyzed below, deal with the protection of personal data. There is also a draft Law Concerning Protection of Personal Data (the "Draft Law"), which the Turkish Ministry of Justice prepared and developed for several years without success.
- The Draft Law
Under the National Program for the Harmonization of Turkish Legislation with European Union Law[1], the Turkish Government has committed to harmonize its legislation. Accordingly, the Draft Law mainly follows the European Union Data Protection Directive No. 95/46/EC and the Commission Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries.
Alignment with the EU acquis on personal data protection was one of the short-term priorities of the Turkish Government under the 2003 Accession Partnership Document published by the European Commission. Under the National Program of 2003, the Draft Law was to be enacted by December 2004 and the Personal Data Protection Authority was to be established in 2005. However, the Draft Law has not yet been enacted, nor has the Personal Data Protection Authority been established.
The Draft Law has been envisaged to govern issues such as:
- the protection of personal data and fundamental rights and freedoms;
- recording and use of data within certain clear purposes in line with the rule of law;
- reliability and accuracy of data, its renewal and erasure when necessary;
- security of confidential personal data such as race, political opinion, religion, health, sexual life, and the right of persons regarding provision of information related to themselves.
The Draft Law was submitted to the Parliament on 24 April 2008, but the relevant parliamentary committee has not yet completed its review in the three years since.
- Other Laws Concerning Data Privacy
- Data Privacy Provisions in the Turkish Constitution
Article 20 of the Turkish Constitution regulates the right to respect for private life as follows: "Everyone has the right to demand respect for his private and family life. Privacy of individual and family life cannot be violated." Article 20 also prohibits the search or seizure of any individual, his private papers, or his belongings unless there exists a decision duly granted by a judge on grounds such as national security or public order, and unless there exists an order of an agency authorized by law in cases where delay is deemed prejudicial.
The third paragraph of Article 20, added in 2010, specifically deals with data privacy as follows: "Everyone has the right to demand the protection of his personal data. This right comprises the right to be informed about the personal data concerning himself, access to such data, right to request correction or deletion of them as well as the right to be informed if such data is used in accordance with the purposes for which it was collected. Personal data can be processed only in cases regulated in a law and upon express consent of the subject individual. Principles and procedures regarding the protection of personal data shall be regulated by a law."
Article 22 of the Constitution as amended in October 2001 preserves the secrecy of communication and provides that "Communication shall not be impeded nor its secrecy be violated, unless there exists a decision duly granted by a judge in cases explicitly defined by law, and unless there exists an order of an agency authorized by law in cases where delay is deemed prejudicial."
- The Civil Code
The Turkish Civil Code sets forth a number of provisions to protect the privacy of personal information. Pursuant to Article 24 of the Civil Code, in particular, an individual whose personal rights are unjustly violated may bring a civil action to prevent such violation and/or to seek compensation for damages arising from such violation.
- The Labor Code
The Turkish Labor Code, which entered into force on 10 July 2003 and replaced the old Labor Code No. 1475, provides that the employer is obliged to use the personal data of its employees in accordance with the laws and the principle of good faith, and not to disclose any such personal data if the relevant employee has a reasonable benefit in the confidential treatment of such data. We are not aware of any court precedent regarding the implementation of this specific provision of the new Labor Code, which was not provided in the repealed Labor Code.
In the Turkish employment law literature, it is commented that the "management authority" of an employer includes reasonable intervention in the private lives of the employees to the extent that it is necessary for a sound operation of the business.[2] The necessity and reasonableness tests require a case-by-case analysis.
- The Criminal Code
The new Criminal Code, which entered into force on 1 June 2005, also sets forth a number of provisions specifically dealing with the protection of personal data. The Criminal Code provides that unlawful storage of personal data is subject to a penalty of imprisonment from six months to three years. In the event of unlawful transmission or reception of personal data, the penalty is increased to imprisonment from one year to four years. Where such a crime is committed by government officials or to facilitate performance of a profession, the punishment shall be increased by half. Furthermore, those who do not delete or destroy personal data in spite of the expiry of the time period stipulated in the relevant laws for the maintenance of such data shall be punished by imprisonment from six months to one year. Neither the Criminal Code nor any other law defines unlawful storage or transmission of personal information. However, the term "unlawful" in this context may generally be interpreted as storage or transmission of personal data without the consent of the relevant individuals.
- The Banking Law
The new Banking Law No. 5411, which entered into force on 1 November 2005, also provides a number of provisions dealing with the protection of personal data concerning the customers of banks.
Article 73 requires the directors, managers and other personnel of banks to keep personal information about their customers confidential. Under Article 159 of the Banking Law, violation of this requirement is subject to imprisonment from one to three years as well as an administrative fine. Where such a violation is committed for the purpose of obtaining a benefit, the penalty shall be increased by one sixth.
- The Bank Cards and Credit Cards Law
The Bank Cards and Credit Cards Law No. 5464, which entered into force on 1 March 2006, also includes certain provisions aimed at protecting the personal data of bank card and credit card holders.
Pursuant to Article 23 of the Bank Cards and Credit Cards Law, member merchants/shops cannot use, store or copy the personal data regarding their customers, which they obtain during the utilization of credit cards or bank cards in their shop/work place, without the written consent of the relevant customer. Card issuing institutions are also required to keep such information confidential other than for the purposes of marketing their services. Article 39 of the Bank Cards and Credit Cards Law provides that violation of such requirements is subject to imprisonment from one to three years as well as an administrative fine.
- Health Legislation
Pursuant to Article 4 of the Medical Deontology Bylaw[3], doctors cannot disclose any confidential information they obtained while performing their profession, unless such disclosure is required by virtue of law.
Pursuant to Article 23 of the Patient Rights Regulation[4], no information obtained during the provision of health services can be disclosed, except in the cases permitted by law. The same article also provides that even the consent of the relevant patient would not relieve the person making such disclosure of liability if it results in the violation in its entirety or extreme restriction of the personality rights of the relevant patient. Persons making such disclosure would be subject to criminal and civil liability if (i) the disclosure is not based upon a valid and fair reason from legal and ethical perspectives; and (ii) the disclosure may have an adverse effect on the relevant patient. This provision suggests that a disclosure of a patient's personal data should not be subject to criminal and civil liability if it may not have an adverse effect on the relevant patient. In such cases, however, the disciplinary sanctions envisaged by the Regulation would remain applicable. Finally, Article 23 of the Patient Rights Regulation also provides that the identity of the patient cannot be disclosed in activities with research or training purposes without the consent of the relevant patient.
Furthermore, pursuant to Article 16 of the Regulation Concerning the Analysis of Body, Genital Inspections and Determination of Physical Identity in Criminal Trial[5], at the end of a criminal investigation, if the trial process is terminated for any reason, such as non-conviction or dismissal, then the personal data obtained during such physical medical inspections must be immediately destroyed in the presence of a public prosecutor and a protocol must be drawn up to evidence such destruction.
Turkey is also a member of the Council of Europe and has signed the Council's Convention on Human Rights and Biomedicine.[6] Pursuant to Article 10 of that Convention,
"1. Everyone has the right to respect for private life in relation to information about his or her health.
2. Everyone is entitled to know any information collected about his or her health. However, the wishes of individuals not to be so informed shall be observed.
3. In exceptional cases, restrictions may be placed by law on the exercise of the rights contained in paragraph 2 in the interests of the patient."
Turkey ratified the Convention on Human Rights and Biomedicine by Law No. 5013 in 2003, and, therefore, it has the force of a national law in Turkey.[7]
- Council of Europe's Convention on Data Privacy
Turkey is a member of the Council of Europe and signed the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) in 1981.[8] However, Turkey has not yet ratified that Convention, and, therefore, it does not have the status of a law for the purposes of Turkey's domestic law.
Data protection in Turkish law is governed by the Constitution and a number of laws such as the Civil Code, Criminal Code, Labor Law, Banking Law and the Bank Cards and Credit Cards Law. There is not yet a specific law governing the privacy of personal data in Turkey, though there is a Draft Law on Data Privacy, which the Turkish Ministry of Justice prepared for several years without fruition.
The Draft Law, which was prepared as a part of Turkey's commitments toward the European Union under the National Program for Accession to the European Union, mainly follows the European Union Data Protection Directive No. 95/46/EC and the Commission Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, and will be a big step forward for the regulation of this area when enacted.