General Principles of Protection of Personal Data

With regard to personal data, the word ‘process’ refers to retrieving all or some of personal data by automatic or non-automatic means and recording, storing, changing, transferring, taking over, classifying or using the same.

Section 20(3) of the Turkish Constitution orders as follows:  “Every person has the right to ask for protection of his/her personal data. This right includes the person’s right to receive information about his/her personal data, to gain access to the same, to ask for correction or deletion of the same, and to learn whether the same are used for proper purposes or not.  Personal data can only be processed in accordance with the laws or upon explicit consent of data subjects. Rules and procedures governing the protection of personal data will be stipulated in a law.”

Personal data may only be processed in accordance with the rules and procedures stipulated in the Personal Data Protection Law.  The rules stipulated in Section 4 of the said law are mandatory and form the basis of compliance with the law in processing personal data. Therefore the rules described below must be followed in processing personal data:

1-The law and the rules of integrity must be followed;

2-Personal data must be correct and, when necessary, current;

3-Personal data must be processed for certain, clear and legal purposes;

4-Personal data must be connected, limited and proportional to the purpose of processing;

5-Personal data must be stored for the period stipulated in the law or needed for the purpose of processing.

The Personal Data Protection Law classifies certain types of data as special data: race, ethnicity, political view, philosophical belief, religion, sect or other beliefs, attire, membership of a society, foundation or union, health, sexual life, conviction, safety measures, biometric data and genetic data.

The law prohibits processing the above-mentioned types of data without obtaining explicit consent from the data holder. It allows the said types of data, except for health and sexual life data, to be processed without such consent in the cases stipulated in the law. Health and sexual life data may be processed without such consent by authorized persons and institutions for the purposes of protecting the public health, protective medicine, medical diagnosis, treatment and care services, planning and managing healthcare services and their financing, provided that such persons and institutions undertake to keep such personal data confidential.

Deleting, destroying, anonymizing and transferring personal data

If the purpose of processing any personal data already processed in accordance with the law ceases to exist, the data controller or the data subject will delete, destroy or anonymize the relevant personal data.

As a rule, personal data may not be transferred without obtaining explicit consent from the data subject, but such transfer may be made by taking sufficient precautions in any of the cases described above that allow personal data to be processed without such consent. If any personal data will be transferred to a receiver located abroad, sufficient protection must be available there, the data controllers located at home and abroad must sign and give a statement confirming that sufficient protection is available, and a consent must be obtained from the Personal Data Protection Committee.

Processing personal data is an important and vital act for individuals, institutions and governments alike. A law was therefore needed to govern this field, and the Personal Data Protection Committee was enacted in 2016 to provide the necessary rules and legal ground.

This law allows personal data to be processed only under strict conditions and legal grounds. If any of the said conditions is not fulfilled, or if any of the said legal grounds does not exist and the data subject has not given explicit consent, the law will be violated and such violation will cause certain legal outcomes.

Data controller’s obligations:

The Personal Data Protection Law sets out certain rights and obligations for data controllers, who will be responsible for personal data while retrieving them under the said law, and for data subjects.

One of the most important obligations stipulated by the law is the data controller’s obligation to give information.

The law defines the precautions to be taken by data controllers while personal data are processed, and the Personal Data Protection Committee issued a Personal Data Safety Guide to set good examples of following the law.

Rights of data subjects

Section 11 of the law grants certain rights to owners of personal data i.e. data subjects.

It orders that each data subject may ask the data controller whether or not his/her personal data has been processed, ask for information about the process, purpose of process and whether or not his/her personal data has been processed for that purpose, ask identities of the third parties to whom his/her personal data has been transferred and who are located at home or abroad, and ask for correction or completion of his/her personal data processed incompletely or incorrectly.

Furthermore, if the purpose of processing any personal data already processed in accordance with the law ceases to exist, the data subject will have the right to ask the data controller to delete, destroy or anonymize his/her personal data. Since processing of personal data is subject to prior consent from the data subject except for certain cases, it will be natural for data subjects to ask data controllers to delete their personal data after the purpose of processing the same ceases to exist.

Furthermore, data subjects have the right to ask data controllers to delete or destroy their personal data if the latter have been processed in a wrong way or the purpose of processing the same ceases to exist, and to notify the fact that their personal data have been deleted or destroyed to the third parties to whom their personal data were transferred.

Data subjects also have the right to object to negative results which may emerge if and when their personal data are analyzed by automatic systems.

Furthermore, data subjects have the right to claim compensation for losses they may suffer because of any illegal processing of their personal data. Such illegal processing of their personal data will violate their civil rights, in which case they will be entitled to file a lawsuit.

Applications:

A data subject may give a notice to the relevant data controller or use any of the other methods determined by the Personal Data Protection Committee to notify his/her demands concerning the enforcement of the Personal Data Protection Law. At this stage such notice must be given to the data controller because of the hierarchical application steps stipulated in the law, and no application may be filed with the Personal Data Protection Committee before giving such notice to the data controller.

The law orders the data controller to meet the demands stated in such application as soon as possible, but within maximum thirty days in any case, free of charge. If a charge is incurred in meeting such demand, the relevant price stated in the price tariff issued by the Personal Data Protection Committee can be collected.

After receiving such notice, the data controller will either accept the demand or refuse it by explaining the relevant reason and send his/her answer in writing or online to the data subject. If the data controller accepts the demand, he/she must meet it.

The law orders that if the demand is the outcome of an error committed by the data controller, the above mentioned fee will be refunded to the data subject.

Complaints:

If the above mentioned application right is used but the data controller refuses the demand, or if the data subject considers that the data controller’s answer is not satisfactory, or if the data controller fails to answer within the period described above, the data subject will have a right to file a complaint.

In this case the data subject may file a complaint with the Personal Data Protection Committee within thirty days after receiving an answer refusing his/her demand and within maximum sixty days in any case.

Upon receiving such complaint or acting ex-officio, the Committee will review the case falling in its scope of powers. The Committee has the right to review at its own initiative too. To be able to perform such review, the notice or complaint must comply with the conditions stipulated in Section 6 of the Law on the Right to File Petitions as follows:

1-It must describe a certain matter

2-It must not be related to subjects falling in jurisdiction of courts of justice

3-The petition must state the full name and work address or home address of the applicant and bear his/her signature.

Furthermore, if such complaint is filed, the data controller will be obliged to send the Committee all information and documents which the Committee may request within fifteen days after receiving such request except for information and documents classified as state secrets, and allow the Committee to perform a review on site.

Upon receiving it, the Committee will review the complaint and send an answer to the applicant. If the Committee does not answer a complaint within sixty days after receiving it, it will be considered refused. The applicant may file a lawsuit at the end of the said sixty-day period.

If the Committee finds out as a result of performing such review after receiving such complaint or acting ex-officio that a right of the applicant has been violated, the Committee will instruct the data controller to cure the violation it committed. Such instruction must be followed without delay and within maximum thirty days.

If the Committee finds out as a result of performing such review after receiving such complaint or acting ex-officio that the violation is widespread, it will resolve on a principle and announce that resolution. The Committee may ask relevant institutions and agencies to give their opinions before adopting such resolution.

In case a loss that is difficult or impossible to repair arises and the law is explicitly violated, the Committee may resolve to order the data controller to stop processing the personal data or transferring them abroad. The data subject may file a lawsuit against any step taken by the Committee at each stage of this process.

Crimes

Personal Data Protection Law does not define any crime, but its Section 17 orders that Sections 135 to 140 of the Turkish Criminal Law No. 5237 will apply for personal data.

Section 135 of the Turkish Criminal Law is captioned Recording Personal Data and its first paragraph stipulates that a person who records any personal data in an unlawful way will be sentenced to imprisonment of one to three years. It also orders that if any political, philosophical or religious view, race, moral tendencies, sex life, health condition or union ties of a person is recorded, the sentence stipulated in the first paragraph will be doubled.

Section 136 of the Turkish Criminal Law orders that if a person gives any personal data to somebody else, or disseminates or captures any personal data in an unlawful way, he/she will be sentenced to imprisonment of two to four years.

If either of these two crimes is committed by a civil servant by misusing his/her position or by any other person using the facilities provided by a certain profession or trade, it will be considered aggravated fraud under Section 137 of the Turkish Criminal Law and the relevant sentence will be doubled.

Section 138 of the Turkish Criminal Law governs the crime of not deleting any personal data.  It orders that if a person obliged to delete any data after the period stipulated in the law has elapsed fails to perform this obligation, he/she will be sentenced to imprisonment of one to two years. If such personal data must have been deleted or destroyed under the Criminal Proceedings Law, the above mentioned sentence will be doubled.

Section 139 of the Turkish Criminal Law orders that “Investigation and prosecution of the crimes defined in this section, except for the crime of recording, transferring or retrieving any personal data in an unlawful way and the crime of not deleting or destroying any personal data, is subject to filing a complaint.” Therefore the crime of recording, transferring or retrieving any personal data in an unlawful way may be investigated and prosecuted without a complaint.

Section 140 of the Turkish Criminal Law orders that if any of these crimes is committed by a legal person, security measures will be taken against that legal person.

Misdemeanors:

Misdemeanors are defined in Section 18 of the Personal Data Protection Law. If a data controller fails to fulfill his/her obligation to give information, or if a person obliged to take measures to safeguard personal data fails, or if a data controller or such person fails to obey an instruction given to him/her by the Committee after a complaint is filed with the Committee, or if a data controller fails to check in with or notify the Data Controller Register, he/she will have committed a misdemeanor and be charged with the applicable fine stipulated in the law.

The law also orders that if such misdemeanor is committed by an employee of a public authority, public institution or public agency, the management of such authority, institution or agency will take disciplinary action against such employee after receiving a notice from the Committee and will notify the said action to the Committee.

In general, the law aims to protect the personal rights of individuals and to punish violators of those rights or persons who process personal data in an unlawful way.

TERMS AND CONDITIONS OF USE AND DISCLAIMER

Information given in this website only contains general information and opinions, does not substitute legal recommendation or professional legal service, and may not be used as legal recommendation or professional legal service. You are highly recommended to receive professional legal service and opinion for each case depending on its peculiar circumstances.

Lawyers employed by Gulis Law and Counseling Office are definitely not responsible for the accuracy or completeness of the information given here. Given that information, laws and stare decisis may abruptly change, the information given here may not be undertaken or guaranteed to be current. You are recommended not to make a business decision based on any part of the information given here, and to buy professional legal service for each case depending on its peculiar circumstances.
Gulis Hukuk & Danışmanlık Bürosu
Gulis Law & Consultancy Office
