Under the Turkish data protection law (“DPL”), data subjects have the right to learn who processes their personal data, the purposes and legal bases of these processing activities, and to whom and for what purposes such personal data are transferred. These rights arise from the data controllers’ obligation to inform data subjects about their processing activities. During the collection of personal data, the data controller or any other person authorized by the data controller is obliged to provide data subjects with certain information, such as the identity of the data controller and of his representative (if any), the purposes of the processing, to whom and with what purpose the processed personal data can be transferred, and the method and legal reason/basis of collection. The same article of the DPL further requires data controllers to provide information to data subjects about certain other rights, as discussed below.
Data subjects have the right to know the third parties within or outside the country to whom personal data are transferred, and to ask for the rectification of any incomplete or inaccurate personal data processing as well. They may also request the erasure or destruction of their personal data (within the framework of the conditions set forth under Article 7) and request the notification of these operations to third parties to whom personal data have been transferred. According to this law, data subjects have the right to object to any consequence or situation that is to his/her detriment that results from an analysis of the processed data exclusively by means of automated systems, and to request compensation for the damages incurred due to the unlawful processing of personal data.
Interpretation of These Provisions
The Turkish Data Protection Authority has published the Communiqué on the Procedures and Principles for Compliance with the Obligation to Provide Information (“Communiqué”) in order to provide guidance for the interpretation of these articles.
The Communiqué sheds light on the methods to be used for providing information and specifies that data controllers may provide information to data subjects either physically or by using electronic means (e.g., verbally, in written format, by voice recordings, or through call centers), and also clarifies when data subjects must be informed. According to the Communiqué, data controllers are obliged to inform data subjects of their rights in all cases or circumstances in which their personal data is processed. Furthermore, they must also inform data subjects whenever the purpose of processing changes, prior to starting the data processing activity. For instance, if a data controller processes a data subject’s address information for the purpose of delivering the goods/services that the subject has ordered and will further process the same address information for marketing purposes in the future, then it needs to inform the data subject since the purpose of the data processing activity will change.
If different divisions/units of a data controller process personal data for different purposes, then the data controller must inform data subjects separately for each purpose. For instance, if the name, last name and phone number of a data subject is processed by the marketing department of a company for marketing purposes, and the same personal data is also processed by the human resources department to evaluate the job application of that data subject, then the data subject must be informed of both processing purposes.
The information that data controllers provide to the Data Controllers’ Registry must be consistent with the information they provide to data subjects. Data controllers must also bear in mind that compliance with the obligation to provide information does not depend on a prior request from the data subject, and that the burden of proof is on the data controller to show that it has complied with all its obligations under the law.
The Communiqué also states that the explicit consent of data subjects must be obtained separately from the information provided to data subjects. In other words, data controllers are not allowed to obtain explicit consent from data subjects by using the same text or document with which they inform them.
Personal data must be processed for specific, explicit and legitimate purposes. Similarly, data controllers must be clear and specific when providing information to data subjects, and they should avoid deficient, misleading or inaccurate statements. Moreover, they must steer clear of ambiguous or broad terms in the information provided to data subjects. For example, data controllers should not state that the personal data of data subjects might be processed for marketing purposes in the future. Rather, data subjects should be informed of the purpose for which their personal data is actually processed, not of possible purposes that might arise in the future. Ambiguity or vagueness is a crucial red line when it comes to providing information to data subjects, and data controllers must avoid it whenever possible.
In addition, the information that will be communicated to data subjects must include: (i) the legal purpose of the personal data processing (in other words, the basis of the data processing activity), (ii) the recipients of the personal data, and (iii) the purpose of the data transfer.
While data controllers are required to provide data subjects with information about the processing of their personal data prior to data collection, this may not always be possible in practical terms. If personal data is obtained from an indirect source, such as the news media or public records, then data controllers must fulfill their obligation to provide information to data subjects (i) within a reasonable period of time after the personal data is obtained, (ii) in the first communication, if the personal data is obtained for the purpose of communicating with the data subject, and (iii) if the personal data is to be transferred, then at the first moment that the personal data is being transferred, at the latest.
Comparison of the DPL and the General Data Protection Regulation (“GDPR”)
The GDPR, which entered into force on May 25, 2018, also imposes similar requirements on data controllers. Some of the information that the GDPR requires data controllers to provide to data subjects is not included in the DPL, such as (i) the right of data subjects to withdraw their consent at any time, (ii) the right of data subjects to lodge a complaint with a supervisory authority, and (iii) storage periods and the criteria used to determine the duration of such data storage, even though data subjects do, in fact, have those rights under the Turkish data protection legislation.
Another difference between the GDPR and the Turkish data protection legislation concerns indirect data collection practices. According to the GDPR, when personal data is collected indirectly, data controllers are not obliged to inform data subjects of such activity if (i) it is impossible, or (ii) it requires disproportionate effort, or (iii) it would render impossible or seriously impair the purpose of the data processing. Neither the DPL nor the secondary legislation in Turkey sets out similar exceptions or follows the GDPR on this issue. However, in practice, if a data controller is unable to inform data subjects about indirect personal data collection despite its best efforts and can demonstrate its efforts (i.e., show that it has genuinely attempted to inform data subjects), such activities should not raise any legal concerns under the DPL either. Nevertheless, keeping in mind that there is no clear definition of “sufficient effort” or provisions regulating this matter in the DPL, one cannot exclude the possibility of a data controller facing sanctions in this context.
Despite these differences, the GDPR requires data controllers to use clear and plain language in communicating with data subjects, similar to the DPL, and to provide data subjects with the information regulated under the DPL.
Interpreting the obligation to inform data subjects correctly is of paramount importance to data controllers, since failing to fulfill the obligation to provide information may result in an administrative fine ranging from 5,000 Turkish Liras up to 100,000 Turkish Liras. Therefore, data controllers should implement the Communiqué with the utmost care and be able and ready to demonstrate that they provide data subjects with the necessary information in order to fulfill their legal obligations and avoid such administrative penalties.
Authors: Gönenç Gürkaynak Esq., İlay Yılmaz and Noyan Utkan of ELIG Gürkaynak Attorneys-at-Law
(First published by Mondaq on May 29, 2018)