Personal Data Protection Law and Related Obligations

The Law on Protection of Personal Data No. 6698 was published in the Official Gazette dated 07.04.2016 and entered into force. With the said law, the obligations of natural and legal persons who process personal data within the scope of privacy, and the procedures and principles they will comply with are regulated. The provisions of the Law on the Protection of Personal Data apply to natural persons whose personal data are processed, and to natural and legal persons who process this data fully or partially automatically or non-automatically provided that they are part of any data recording system.

Following the entry into force of the Personal Data Protection Law, personal data can only be processed within the scope of this Law and in accordance with the procedures and principles stipulated by other laws. Along with the obligations brought by the law, the principles that must be observed and followed in the processing of personal data are also regulated, and these principles are generally;

• Compliance with the law and the rules of honesty,
• Being accurate and up-to-date when necessary,
• Processing for specific, explicit and legitimate purposes,
• Being connected, limited and restrained with the purpose for which they are processed,
• It is in the form of being kept for the period required for the purpose for which they are processed or stipulated in the relevant legislation.

The most important issue stipulated by the Law on the Protection of Personal Data is now the personal data and the 6th article of this Law. Special categories of personal data defined in the article (regarding the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures) defined in the article data and biometric and genetic data) cannot be processed without the explicit consent of the person concerned.

In cases where the explicit consent of the person concerned is not sought, the 5th article of the Law No. 6698. 2 of the article. in paragraph and 6. 3 of the article. Except for the exceptions listed in this article, the processing of personal data without the explicit consent of the person concerned is prohibited by law.

The issue of deletion, destruction or anonymization of personal data, in case the reasons requiring the processing of personal data that have been processed with the explicit consent of the person concerned or in exceptional cases where the explicit consent is not sought, are eliminated, is subject to Article 7 of the Law No. 6698. regulated in the article.

3 of article 7 It is stated in the paragraph that the procedures and principles regarding the deletion, destruction and anonymization of personal data will be determined by the regulation, and the Regulation on the Deletion, Destruction or Anonymization of Personal Data referred to with this article entered into force on 01.01.2018. It is to determine the procedures and principles regarding the deletion, destruction or anonymization of the personal data processed with this regulation.

CONCEPTS OF DATA CONSULTANT AND DATA PROCESSOR

With the Law on the Protection of Personal Data and the Regulation on the Deletion, Destruction or Anonymization of Personal Data, the concept of “data controller” and “data processor” has been introduced.

• Data Supervisor ; It is the natural or legal person responsible for maintaining the data recording system within a unit, institution or representative.
• Data Processor ; Based on the authority given by the Data Controller, it is the natural or legal person who processes personal data on his behalf. The data controller is a local, corporate-specific, authorized person that even companies can choose. It is the person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Data controllers are obliged to prepare the Personal Data Retention and Disposal Policy, on which they will base, for the deletion, destruction and anonymization of personal data.

As a minimum, in the personal data retention and destruction policy;

• The purpose of preparing the personal data retention and destruction policy,
• Recording media regulated by the personal data retention and destruction policy,
• Definitions of legal and technical terms included in the personal data retention and destruction policy,
• A statement regarding the legal, technical or other reasons that require the storage and destruction of personal data,
• Technical and administrative measures taken for the safe storage of personal data and the prevention of unlawful processing and access,
• Technical and administrative measures taken for the legal destruction of personal data,
• The titles, units and job descriptions of those involved in the storage and destruction processes of personal data,
• In the table showing the storage and destruction times,
• Periodic destruction times,
• If the current personal data retention and destruction policy has been updated, the information regarding the said change should be available.

Natural and legal persons who process personal data must register in the Data Controllers Registry , which is open to the public by the Presidency, under the supervision of the Personal Data Protection Board, before starting the data processing.

DELETING, DESTROYING OR MAKING PERSONAL DATA

In the event that all the conditions for the processing of personal data cease to exist, the personal data must be deleted, destroyed or anonymized by the data controller ex officio or upon the request of the data subject.

• Deletion of personal data is the process of making personal data inaccessible and unusable for the relevant users in any way. In this case, the data controller is obliged to take all necessary technical and administrative measures to make the deleted personal data inaccessible and reusable for the relevant users.

• Destruction of personal data is the process of making personal data inaccessible, unrecoverable and unusable by anyone in any way. The data controller is obliged to take all necessary technical and administrative measures regarding the destruction of personal data.

• Anonymization of personal data means that personal data cannot be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data. In order for personal data to be anonymized; Personal data must be rendered incapable of being associated with an identified or identifiable natural person, even through the use of appropriate techniques for the recording medium and the relevant field of activity, such as returning the data by the data controller, recipient or recipient groups, and matching the data with other data. The data controller is obliged to take all necessary technical and administrative measures regarding the anonymization of personal data.

Unless a contrary decision is taken by the Board, the data controller chooses the appropriate method of deletion, destruction or anonymization of personal data ex officio. It explains the method applied in its relevant policies and procedures. While taking actions regarding deletion, destruction or anonymization of personal data, they must act in accordance with the Board’s decisions and personal data retention and destruction policy. All transactions on this subject are recorded and these records are kept by the data controller for at least three years, excluding other legal obligations.

PERIODIC DISPOSAL

Periodic Destruction is the deletion, destruction or anonymization process that will be carried out ex officio at repetitive intervals and specified in the personal data storage and destruction policy, in case all the conditions for the processing of personal data are eliminated. The time period for periodic destruction is determined by the data controller who will prepare the Personal Data Retention and Destruction Project. This period cannot exceed six months in any case.

The data controller, who has prepared a personal data storage and destruction policy, deletes, destroys or anonymizes personal data in the first periodical destruction process following the date on which the obligation to delete, destroy or anonymize personal data arises.

The data controller, who is not obliged to prepare a personal data storage and destruction policy, deletes, destroys or anonymizes personal data within three months following the date of deletion, destruction or anonymization of personal data.

DELETE AND DESTROY TIMES IF RELATED BY REQUEST

The relevant person submits his/her requests in writing or by other methods to be determined by the Board to the data controller. If all the conditions for processing personal data have disappeared; The data controller deletes, destroys or anonymizes the personal data subject to the request. The data controller finalizes the request of the data subject within thirty days at the latest and informs the data subject.

If all the conditions for processing personal data have not been eliminated , this request may be rejected by the data controller by explaining the reason, and the refusal is notified to the relevant person in writing or electronically within thirty days at the latest.

THINGS TO BE DONE IN THE APPLICATION

In accordance with the Law on the Protection of Personal Data No. 6698, employers are now required to obtain consent from their personnel regarding the use of their personal data, or to sign employment contracts, which are the clauses stating that consent has been given for the use and processing of their personal data for new employees.

However, of course, since the internal functioning and structure of each company is different from each other in commercial life, we share the general outlines of what needs to be done and the provisions of the current legislation for the purpose of informing. It will be appropriate to direct and inform employees and managers.

In the Personal Data Protection Law, Personal data is defined as “any information relating to an identified or identifiable natural person” . Personal data, “name, surname, date of birth and place of birth, telephone number, motor vehicle license plate, passport number, CV, picture, image and sound yachts, fingerprints, IP address, e-mail address, hobbies, preferences, interaction are all data that makes the person identifiable directly or indirectly, such as “persons, group memberships, family information, health information” .

In terms of companies, all the above-mentioned data obtained from the personnel working in the company and all the above-mentioned data obtained from the customers of the company due to the provision of goods and services are defined as personal data.

FUNDAMENTAL ISSUES EXPECTED TO BE MADE UNDER THE LAW NO 6698 ON THE PROTECTION OF PERSONAL DATA

1. For companies, the first thing to do is to identify a data controller and to clearly state the job description of this person.
2. In addition to the data controller, the roles and responsibilities of every employee who has access to the personal data processed within the organization should be distributed by the company, and it should be ensured that the data is processed legally by increasing control mechanisms. For example, not every personnel working in the human resources department should have system authorization. According to this, for example, every employee working in the Human Resources Department should not be able to see the salary information of other employees.
3. At the same time, it is necessary to prevent authorized persons from sharing their passwords with unauthorized persons in order to get some work done, and to restrict access to personal data and protect this information within the scope of the Personal Data Protection Law. Therefore, it is essential to clearly explain their duties and responsibilities to the limited number of employees who will process personal data.
4. Redesigning the data recording systems of companies in accordance with the requirements of the Personal Data Protection Law is also a part of this process, and ensuring the security of this area and restricting access to this information is of great importance due to the data it contains.

It is natural that there are some personal data that have been collected, processed and stored in the archives of the companies since the past. However, in accordance with the current legislation above, by following a path from the present to the past, by examining these processes, the contracts related to the collection, processing, storage and transfer of personal data, if any, should be reconsidered, and the illegal practices of the contracts should be determined. In cases where there are situations contrary to the law, destruction of personal data is possible where it is possible; If it is possible to correct the situations that are contrary to the law, these corrections should be included in the supplementary agreement etc. should be provided with various applications.

1- Things to Do in the Context of Data Security;

• Separating personal data from other data and determining their qualifications,
• Determining the purpose, scope and methods of processing personal data,
• Determining the Data Controller within the scope of the Personal Data Protection Law and registering it with the Data Controllers Registry,
• Authorization of Data Processors by the data controller,
• The Company’s “Privacy, Cyber Security and Cookie Policies are created or revised in accordance with the legislation,
• Acting in accordance with the policy to be formed on the deletion, destruction or anonymization of personal data after the disappearance of the purpose of processing and the expiration of the storage periods stipulated in the legislation,
• Network security/computer security and user security[verilerin] providing,
• Obtaining information security certifications.

2- Things to be Done in the Context of Labor Law;

• Informing employees about the purpose, scope and methods of processing their personal data,
• Obtaining written consent of employees whose employment contracts do not contain a clause stating that express consent is given with personal data,
• Revision of employment contracts to be concluded with employees,
• Since the employment contracts to be signed by the new employees have been revised with regard to the protection of personal data, having the new revised versions of the employment contracts signed.

3- Things to be Done in the Context of the Law of Contracts;

• Revising existing contracts and negotiating these issues between the contracting parties,
• Contracts, responsibility sharing arising from personal data, etc. adding provisions on matters,
• Personal data, commercial relations, etc. When it is necessary to transfer it abroad due to legal reasons, it is necessary to carry out the assessment of compliance with the law and to create the contracts to be made within this framework,
• Fulfilling the contract and authorization procedure between the person who will have the title of “data processor” and the “data controller” in case of outsourcing services regarding the processing of data.

In the light of all these explanations above, each company and institution should establish its own order, operation and rules as soon as possible in accordance with its own internal functioning, structure and dynamics, in line with the provisions of the current legislation.

Hunting. Senem ATALAY / Atty. Erdal KARDAS