Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

The Personal Data Protection Law (PDPL) deems the mere possession of personal data as the processing of such data.

As a general rule, personal data cannot be processed without the explicit consent of the data subject. However, if one of the following conditions is met, personal data may be processed without seeking the explicit consent of the data subject:

  • the processing is clearly provided for by applicable law;
  • the processing is necessary to protect the life or bodily integrity of a person who is unable to give consent due to actual impossibility or whose consent is not legally recognised, or the life or bodily integrity of another person;
  • the processing is necessary for the formation or performance of a legal contract to which the data subject is party;
  • the processing is necessary in order to comply with a legal obligation to which the data controller is subject;
  • the data has been made public by the data subject;
  • the processing is necessary in order to establish, use or protect a legal right; and
  • the processing is necessary for the purposes of legitimate interests pursued by the controller, provided that the fundamental rights and freedoms of the data subject are not harmed.


Pursuant to recent decisions by the Data Protection Board (the Board), data processors can request the explicit consent of the data owners only if the above circumstances are not present.

There are also specific rules for processing sensitive personal data.

Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

Under the PDPL, personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, clothing choices/habits, trade union membership, health, sex lives, criminal convictions and security measures, and biometric or genetic information are defined as ‘sensitive personal data’. As a general rule, sensitive personal data cannot be processed without the consent of the data subject, except where permitted or required by applicable law.

Furthermore, personal data relating to health and sex lives may be processed without the explicit consent of the data subject only by persons or authorised public institutions and organisations that have confidentiality obligations, and only for the purposes of protecting public health, administration of preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of healthcare services.

Processing of data must be in compliance with the purposes stated in the data processing notification. If the processor decides to process the data for any reason other than those stated in the data processing notification, a new notification stating the new purpose must be provided to the data subject.

The Board has issued heightened measures for the safekeeping and processing of sensitive personal data. These measures include, among others, training programs, encryption requirements, two-factor authentication for remote access, and physical security measures, such as access controls.

Data handling responsibilities of owners of PII


Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

When collecting personal data, the controller or the person authorised by the controller is obliged to inform the data subjects. The notification must include:

  • the identity of the controller and of its representative, if any;
  • the purpose of the data processing;
  • to whom and for what purposes the processed data may be transferred;
  • the method and legal basis for the collection of the personal data; and
  • the rights of the data subjects accorded by the Personal Data Protection Law (PDPL).


The notification must be provided at the time of the acquisition of the data, and must use clear, plain and easy-to-understand language. If the personal data are obtained from a third party (ie, not the data subject), the notification must be made within a reasonable time after the data are obtained, at the time of first contact if obtained for the purpose of communication, and at the time of first transfer if obtained for the purpose of transferring.

Exemption from notification

When is notice not required?

A notice is not required if:

  • processing of the personal data is necessary to prevent a crime or for a criminal investigation;
  • the data subject has himself or herself made the personal data public;
  • processing of the personal data is required for supervisory, regulatory or disciplinary activities to be carried out by public institutions and professional associations with public institution status; or
  • processing of the personal data is required for the protection of the state’s economic and financial interests with regard to budgetary, tax-related and financial issues.


Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

Data controllers are obliged to request the consent of the data subject at the time of acquiring data. Data subjects can freely decide whether to grant consent or not. Data subjects are entitled to withdraw their consent at any time. Having said that, data controllers can process the data based on legitimate reasons under the PDPL.

Also, data subjects can demand that their personal data be erased, destroyed or anonymised once the reasons that require the processing no longer exist. Data subjects have also been granted substantial rights to ensure that their personal data continue to be processed in accordance with the original purpose of the processing (for which consent was granted).

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

Personal data must be:

  • processed lawfully and fairly;
  • accurate and, where necessary, kept up to date;
  • collected for specified, explicit and legitimate purposes;
  • relevant and limited to the purposes for which they are processed; and
  • retained only for the period stipulated by relevant legislation or the purpose for which they are processed.


Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

There is no restriction on the amount of personal data that may be held. Having said that, personal data can be preserved only for the time periods foreseen in the applicable regulations or time periods necessary for the purpose of the processing.

In addition, the amount of data and the length of time for which the data may be held must be proportional to the purpose of the processing, and both must be as small as possible.

While determining the maximum storage period, the following must be taken into account:

  • generally accepted storage periods in the sector in which the data controller operates;
  • the length of time the legal relationship with the data subject that is the basis of the processing will continue for;
  • the length of time that the legitimate interest of the data controller in accordance with lawfulness and fairness principles will continue for;
  • the length of time during which the risks, costs and responsibilities arising from the storage of the relevant data category will legally continue for;
  • whether the intended maximum storage period is suitable to keep the relevant data category accurate and up-to-date;
  • the length of time during which the data controller is obliged to store the data pursuant to its legal obligations; and
  • the period of limitation determined by the data controller for the assertion of a right relating to personal data in the relevant data category.


Data controllers who are obliged to register with the Data Controllers Registry, known as VERBİS, are also obliged to prepare a data inventory, and data preservation and destruction policies that set forth, among other things, the periods during which personal data will be preserved.

Data controllers who are required to prepare data preservation and destruction policies must erase, destroy or anonymise, as applicable, the relevant data at regular intervals once that obligation is triggered. These periods cannot exceed six months. On the other hand, for data controllers who are not required to prepare data preservation and destruction policies, this time period cannot exceed three months.

Records of all erasure, destruction and anonymisation activities must be kept and stored for at least three years (subject to any other applicable legal obligations).

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

Yes, the purposes for using the personal data must be determined when obtaining the consent of the data subject. Data controllers cannot exceed or circumvent these purposes. Furthermore, regardless of whether the processing of personally identifiable information (PII) is based on the consent of the data owner or a legitimate ground not requiring consent, the processing purposes must be disclosed to the data subjects.

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

Data controllers are bound by the purpose(s) stated in the relevant notification. Unless it is explicitly permitted by the PDPL, data controllers cannot use the data collected other than for the purposes clearly disclosed while collecting the data. Hence, if the collected data will be used for a new purpose requiring consent, data controllers are obliged to provide a new notification and to obtain a separate consent of the data subject. If the new purpose is based on one of the legitimate grounds under the PDPL (ie, no consent is necessary), data controllers still have to provide the data subject with a new notification that includes the new purpose.

Law stated date

Correct on

Give the date on which the information above is accurate.

12 May 2020.