Within the scope of Law No. 6698 on Protection on Personal Data (“LPPD“), it is important for companies to process personal data lawfully. Considering the legal, financial and commercial risks associated with noncompliance, companies, and especially employees who process personal data, must be conscious of the protection of personal data. This is important because the companies as well as the individuals who process personal data are liable for unlawful processing of personal data.
This note summarizes the obligations of the data controllers, the registration procedure to the Data Controller’s Registry, the privacy policies, the processing of data within the context of COVID-19, and the sanctions that may be encountered in case of violation of the law.
If you have any questions regarding your data processing activities or your obligations as a data controller, or if you have any concerns about the unlawful processing of personal data, please contact your company’s legal department.
1. What are the general obligations of data controllers?
Data controllers must notify data subjects of certain information on data processing activities during the collection of personal data. If personal data cannot be obtained directly from the data subject: (i) the notice requirement must be fulfilled within a reasonable time after the collection of personal data; (ii) the notice requirement must be fulfilled at the time of first contact if personal data will be used to contact the data subject; and (iii) the notice requirement must be fulfilled at the time of the first transfer if the personal data will be transferred.
Data controllers are responsible for preventing the unlawful processing of personal data and the unlawful access to personal data, as well as for maintaining personal data in a secure way. Data controllers are obliged to take all necessary technical and organizational measures to ensure this level of safety.
Data controllers must delete, destroy or anonymize data upon the request of the data subject or by ex offico when the data is no longer necessary.
Data controllers must register with the Data Controller’s Registry prior to processing personal data.
Data controllers must also respond to the applications of the data subjects and must execute the decisions of the board.
2. What information must be covered by the privacy policies?
Under Article 10 of the LPPD, data controllers must notify data subjects of certain information on data processing activities prior to or during the collection of personal data.
The privacy policies must contain the following information:
- The identity of data controller and its representative
- Data categories
- The purposes for processing
- The purposes of data transfer and the receipents of personal data
- Methods of collecting personal data and legal grounds for processing
- Data subject rights
Privacy policies must not contain general and ambiguous information and must be purpose-limited. Accordingly, any wordings that may give the impression that personal data may be processed for other possible purposes in the future must be avoided.
The burden of proving the fulfilment of the notice requirement lies with the data controller. Therefore, the data controllers must obtain the signature of the data subjects or have the data subject tick a box to confirm that they have read and understood the privacy policy.
There is no clear guidance on the LPPD regarding the language of the privacy policies. The privacy policy can be provided in any language that the concerned data subject is capable of understanding. However, it is recommended that privacy policies be presented in Turkish to avoid claims that the data subject did not understand the privacy policy and the data controller did not comply with the notice requirement.
3. What are the requirements for cross-border data transfer?
Under Article 9 of the LPPD, the following are the four mechanisms for cross-border transfer of personal data, and the data controllers must choose the most suitable mechanism for their operations:
- Explicit consent
- Adequate protection in the target country
- Execution of undertaking between data exporter and data importer and obtainment of the approval of Turkish Data Protection Authority (DPA)
- For group companies, execution of binding corporate rules and obtainment of the approval of the DPA
The DPA has not yet announced the countries that provide adequate protection. Furthermore, the DPA has published four approved undertakings, and no announcement has been made with respect to the approval of binding corporate rules. Accordingly, the most feasible short-term option in practice is obtaining the explicit consent of the data subject for cross-border transfer.
In addition, the DPA continues its works for the alignment of the LPPD with the General Data Protection Regulation (GDPR) with respect to cross-border data transfers.
4. What are the requirements for processing of employees’ personal data?
The processing of employees’ personal data must be in accordance with the LPPD. Accordingly, the data controllers must inform the employees regarding the processing of their personal data, obtain their explicit consent where necessary, and carry out processing activities based on the legal grounds stipulated under the Article 5/2 of the LPPD.
The employers must process the personal data of their employees, such as identity and contact data, salary information and bank account information, based on the legal grounds stipulated under the Article 5 of the LPPD.
Besides the aforementioned data categories, employers may also need to process health data and criminal records of employees all qualifying as sensitive personal data. The processing of sensitive personal data is stipulated under Article 6 of the LPPD. Accordingly, the sensitive personal data of the employees can be processed further to the explicit consent of the employees. Health data can only be processed: (i) further to explicit consent of the employees; or (ii) without the explicit consent of the data subject given that the processing is performed by someone under confidentiality obligation for the purposes stipulated under the LPPD, such as the protection of public health or preventive medicine. Therefore, without the explicit consent, the health data of the employees can only be processed and accesed by the workplace doctor.
5. Does the LPPD apply to the processing of sensitive personal data within the context of COVID-19?
Sensitive personal data processing activites are carried out during the use of HES code and collection of vaccinationation information and PCR test results within the context of the COVID-19 epidemic.
As per the announcements of the DPA, provisions of the LPPD do not apply to processing activities carried out by the Ministry of Health and authorized public authorities and institutions for the protection of public health and order in accordance with the Article 28 of the LPPD.
Moreover, according to the DPA’s announcement on 28 September 2021, processing of vaccination information and PCR test results within the scope of the operations of public institutions and organizations authorized by law constitute an exception to the LPPD. Accordingly, processing test results and vaccination information by public and private organizations based on and limited to the letters of the Ministry of the Interior, the Ministry of Labor and Social Security, and other other public institutions and organizations will not be subject to the LPPD.
6. Do we need explicit consent for cookies?
The use of cookies is not regulated under the LPPD, it’s secondary legislation nor in any guidance of the DPA. Therefore, the EU implementations are mainly followed in practice.
Data procesing during the use of cookies must be based on legal grounds stipulated under the Article 5 of the LPPD. The DPA’s approach on the matter is that explicit consent is not required for strictly required cookies that are necessary for the functioning of the website, whereas explicit consent is required for not-strictly required cookies. Furthermore, explicit consent is required for cookies that are directed for profiling and marketing purposes. The DPA has also recently published a decision concerning the use of cookies for profiling.
In addition, the notice requirement is still applicable for data processing activities through cookies.
The guidance of the DPA on practices regarding cookies should be closely followed for updates.
7. What is the Data Controller’s Registry?
The Data Controller’s Registry, also known as VERBIS, is an online system where data controllers dislose information regarding their personal data processing operations categorically. The aim of VERBIS, which is under the responsibility of the Personal Data Protection Board of the DPA, is the dislosure of data controllers to the public and informing the data subjects of the data processing activities carried out by the data controllers. The following data controllers must register with VERBIS:
- Real or legal person data controllers that have more than 50 employees in a year or an annual balance sheet above TRY 25 million (approximately USD 2.6 million)
- Real or legal person data controllers that have less than 50 employees in a year and an annual balance sheet below TRY 25 million (approximately USD 2.6 million) and whose principal business activity is the processing of special categories of personal data
- State institutions and organizations
- Data controllers residing outside of Turkey
8. What is the procedure and due date for the VERBIS registration?
The information on data controller, data categories, data processing purposes and legal grounds, data transfer and receipients, retention periods, and implemented technical and organizational measures must be provided categorically during the VERBIS registration.
In addition, the following matters must be taken into consideration:
- As part of the VERBIS registration process, a personal data processing inventory must be prepared. Information registered with VERBIS must be based on the data processing inventory.
- The data controllers must prepera a data retention and destruction policy and a data breach response plan.
- Foreign data controllers must appoint a data controller’s representative and a contact person prior to registering with VERBIS.
- VERBIS records must be complete, accurate, up-to-date and lawful. Data controllers registered to VERBIS must update their VERBIS records accordingly to reflect any change in their personal data processing activities within seven days of the change in the processing activities.
Pursuant to the Personal Data Protection Board’s decision numbered 2021/238, the VERBIS registration due date is extended and the data controllers who are required to register with VERBIS must complete their registration by 31 December 2021.
9. What is personal data processing inventory?
Data controllers who are required to register with VERBIS are also required to prepare a personal data processing inventory prior to their registration with VERBIS. Pursuant to the Regulation on Data Controller’s Registry, data processing inventories must include detailed information on processing purposes, legal grounds, data categories, receipients, retention periods, cross-border transfer and data security measures with respect to the data processing carried out by the data controllers.
Data processing inventories are not publicly available documents. However, VERBIS records must be in line with the data processing inventory.
10. What are the sanctions for unlawful data processing?
Unlawful processing of personal data is subject to three types of sanctions:
- Criminal sanctions: Persons who unlawfully record personal data are subject to imprisonment for one to three years. Furthermore, persons who unlawfully give out, release or acquire personal data are subject to improsenment for two to four-and-a-half years.
- Administrative sanctions: Administrative fines from TRY 9,834 to TRY 1,966,862 are applicable for 2021, depending on the type of violation.
- Legal sanctions: The data subjects may request compensation for damages they have suffered due to unlawful processing of personal data.
