One of a data controller’s main obligations is the duty to inform. Each data controller who collects and processes personal data must inform the data subject about the data processing. The content of the information that should be given to the data subject may vary depending on the applicable data protection legislation and the specific data processing activity.
Many companies are required to comply with Regulation (EU) 2016/679 (General Data Protection Regulation) (‘GDPR’) regardless of their residence, as a result of the wide territorial scope of the GDPR. Likewise, Turkish companies generally publish their privacy notices in accordance with the GDPR. Although the contexts of the obligation to inform are relatively similar under the Turkish Personal Data Protection Law No. 6698 (Kişisel Verileri Koruma Kanunu) (‘KVKK’) and the GDPR, compliance with the GDPR may not guarantee compliance with KVKK in each case. In its announcement dated November 8, 2019, the Turkish Data Protection Authority (‘Turkish DPA’) declared that referring to the GDPR shall not be regarded as an exemption from the obligation-to-inform provisions of the KVKK. Therefore, companies that fall within the jurisdiction of KVKK must also consider KVKK while fulfilling their data protection compliance with regard to the obligation to inform. This article reviews the similarities and differences between KVKK and GDPR with regard to the basic information to be provided when collecting and processing personal data, and how to avoid complex privacy notices.
Obligation to Inform Under KVKK
Although the reasoning of KVKK indicates that the obligation to inform is stipulated in accordance with Directive 95/46/EC, there are still certain differences in the content of the obligation to inform. According to Article 10 of the KVKK, at least the following information must be provided to data subjects:
- The identity of the data controller and its representative, if any,
- The purposes for which personal data will be processed,
- To whom processed personal data may be transferred (the recipients) and the purposes of such transfer,
- Legal basis and method of the collection, and
- The rights of data subjects.
Under Directive 95/46, the method of collection and the purposes of transfer were not required to be provided to data subjects. The GDPR, on the other hand, regulates the issue in even more detail and stipulates more elements to be provided to data subjects at a minimum, based on the specific processing. Accordingly, under the GDPR all data subjects have to be informed about the retention period. However, the retention period is not an essential element of a KVKK-compliant privacy notice. Since the above-mentioned information constitutes the minimum level of information to be provided under KVKK, there is no restriction on providing additional information as long as the main requirements of a privacy notice are fulfilled.
Qualities of a Privacy Notice
According to the Communiqué on the Procedures and Principles to be Followed in Fulfillment of the Obligation to Inform, dated March 10, 2018 and issued by the Turkish DPA, the obligation to inform has to be fulfilled in intelligible, clear, and plain language.
Even though the terms clear, plain, and intelligible are not defined in this communiqué, the Article 29 Working Party has indicated that clear and plain language means providing information in the simplest manner, avoiding complex sentence and language structures. Furthermore, intelligibility has been defined as a quality of the information that enables the average member of the intended audience to understand the context.
It is usually overlooked that basic language is also a requirement under both KVKK and GDPR for data controllers fulfilling their obligation to inform. Privacy notices are usually structured in a way that is complex and misleading for the target subjects, since they are prepared to fulfill the requirements of both KVKK and GDPR at one and the same time.
Despite the fact that the requirements of GDPR on the obligation to inform will cover the essentials of KVKK in the same context at the same time, the privacy notices that are designed to fulfill the requirements. Thus, this may confuse the readers and may cause non-compliance with some elements of KVKK. While KVKK explicitly stipulates the purposes of the transfer of data to third parties, this matter is not stipulated under GDPR, even though such information is considered an essential component of transparency in some cases.
To conclude, companies in Turkey that fall under the scope of the GDPR should provide privacy notices including the elements of both KVKK and GDPR. In that sense, these privacy notices shall be transparent and concise in order to avoid information fatigue and to provide reader-friendly information. The privacy notices may be separated by language option for each data protection legislation the company is subject to, in order to avoid any excessive reading burden. Offering layered information to create a reader-friendly platform may also help satisfy the requirements of different laws. Moreover, data controllers in Turkey must bear in mind that their privacy notices have to be prepared in compliance with the information in their data processing inventories.