The Turkish Data Protection Authority Publishes an Information Note on the "Personal Data Processing Requirement Stipulated in the Laws"

Information Note published by the Turkish Data Protection Authority ("Authority") on the official website of the Authority on 12 February 2024 on the "Personal Data Processing Condition Stipulated in the Laws" ("Information Note") and the Personal Data Protection Law No. 6698 ("Law" or " PDPL") "Explicitly stipulated by law" in subparagraph (a) of paragraph 2 of Article 5 is examined within the scope of Turkish law and European Union ("EU") law regarding the personal data processing condition and explanations regarding the limitation of fundamental rights and freedoms are given.

With Information Note;

• Regarding Articles 20 and 13 of the Constitution, it is possible to process personal data only as a result of an explicit provision in the laws or as a result of guidance to secondary legislation with an explicit provision, and the PDPL provision in the form of "In the presence of one of the following conditions, it is possible to process personal data without seeking the explicit consent of the person concerned: e) Data processing is mandatory for the establishment, exercise or protection of a right" is regulated as a result,
• For example; the employer's organising the employee's personal file and obtaining identity information is based on the Labour Law No. 4857,
• That the right to protection of personal data as defined in the Constitution cannot be limited by statute, regulation or any other administrative act and that the regulation authorising the Information and Communication Technologies and Communication Authority ("ICTA") to directly regulate the processing and privacy of personal data has been cancelled by the Constitutional Court ("AYM"),
• In its recent decisions, the Constitutional Court cancelled the authorisation granted by the Decree Law to the Turkish Language Institution ("TDK") and the Turkish Historical Society ("TTK") to request from all public institutions and organisations and real persons the information it deems relevant to its field of duty, as it was deemed contrary to the principle of legality of the Constitution in terms of privacy of private life and protection of personal data,
• Unlike the Turkish legislation, the EU General Data Protection Regulation ("General Data Protection Regulation" "GDPR") does not distinguish between the conditions of being expressly provided for by law and the fulfilment of a legal obligation,
• The Irish Data Protection Authority's "Guidance Note on the Legal Basis for Processing Personal Data"[1] states that data controllers should indicate the specific law, recommendation, board or court decision, case law or guidance that requires legal processing,
• Pursuant to Article 41 of the Preamble to the Income Tax Law, where the application of the law to persons subject to the law is foreseeable, it need not be an express legal obligation,
• For example, a court judgement may require the processing of personal data for a specific purpose, in which case compliance with the judgement is mandatory,
• Regulatory acts established by the administration within the scope of EU law shall be deemed to be legal obligations if they have a legal basis,
• In conclusion, the personal data regulations of the PDPL is a restrictive regulation within the scope recognised by the Constitution, but administrative regulatory acts that concern the entire public, such as regulations and policy decisions issued by the Ministry of Health, should be implemented if they are duly put into effect by the administration and are binding within the administrative organisation,
• That there are no strict rules in terms of the interpretation of the said Article 5 of the PDPL and that the fulfilment of the legal obligation or explicitly stipulated in the laws is within the discretion of the administration in a narrow and broad manner and that this discretion will not restrict fundamental rights and freedoms,
• For example, pursuant to the Regulation on the Implementation of the Law on Foreigners and International Protection issued with reference to the Law No. 6458 on Foreigners and International Protection, the processing of "fingerprint" data, which is biometric data, from foreigners, applicants and international protection status holders by the Directorate General of Migration Management complies with the condition of "explicitly stipulated in the laws" regulated in Article 6/3 of the PDPL,
• For example, issues regarding the transfer of traffic and location data to third parties are regulated in the Regulation on the Processing of Electronic Data and Protection of Privacy,
• As another example, pursuant to Article 6 titled "Mandatory content of the contract" of the Regulation on Sales Contracts by Instalments prepared pursuant to the Law No. 6502 on the Protection of Consumers, the personal data to be included in the sales contract such as the name, surname, contact information, open address of the consumer and the seller are also regulated by the regulation.

The Authority underlined that if the general framework is drawn by the legal provision on the processing of personal data, as in the examples above, the inclusion of detailed regulations in the regulations will not prejudice this condition.

You can access the Authority's announcement on the subject here.

The full text of the Authority's Information Note is available here.

Kind regards,

Zumbul Attorneys-At-Law

info@zumbul.av.tr