In Personal Data Protection Law, ‘General Principles’ is regulated in the Article 4 and ‘Conditions for Processing Personal Data’ is located in the Article 5. Related articles are below.
General Principles
ARTICLE 4 – (1) Personal data shall only be processed in compliance with procedures and principles laid down in this Law or other laws.
(2) The following principles shall be complied within the processing of personal data:
a) Lawfulness and fairness
b) Being accurate and kept up to date where necessary.
c) Being processed for specified, explicit and legitimate purposes.
ç) Being relevant, limited and proportionate to the purposes for which they are processed.
d) Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed.
Conditions for processing personal data
ARTICLE 5 – (1) Personal data shall not be processed without explicit consent of the data subject.
(2) Personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:
a) It is expressly provided for by the laws.
b) It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.
c) Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
ç) It is necessary for compliance with a legal obligation to which the data controller is subject.
d) Personal data have been made public by the data subject himself/herself.
e) Data processing is necessary for the establishment, exercise or protection of any right.
f) Processing of data is necessary for the legitimate interests pursued by the datacontroller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.
It would be useful to refer to a precedent decision of the Personal Data Protection Board for the issues that are foreseen in the regulation of these articles and that need to be considered in their implementation.
In particular, an application made to the Authority regarding the request of the data controller to use personal data within the framework of legitimate interests in order to fulfill its legal obligation and the decision made by the board as a result of this application are below.
A company operating in the petroleum market under the ‘Distributor License’ in accordance with the Petroleum Market Law No. 5015,
- Within the framework of the obligation brought by the Energy Market Regulatory Board (EMRA) Decision, the dealer is open to instant access to the relevant Authority, allowing the dealer to inquire about the pump sales movements, including information on ‘plate, fuel type, quantity, price, time (hour, minute and second)’ established an automation system,
- Among these data kept open to instant access by EMRA, the data on the ‘license plate and fuel type’, they want to use for their project, ‘Vehicle Recognition’ developed by them to prevent ‘erroneous fuel filling’ which has become a big problem in the sector for vehicle owners, fuel dealers and fuel distribution companies,
- With the implementation of the Vehicle Recognition Project, the license plate data of the vehicle that will supply fuel will be automatically matched and recorded in the system with the fuel type (gasoline or diesel) used; this will automatically prevent the wrong fuel purchases,
- It has become a necessity for the company and dealers to use the license plate for the correct performance of the sales contract established during the sale of fuel to the consumer and to supply the correct product, the realization of the Vehicle Identification Project will end the problems arising from false fuel supply and thus the legitimate interests of the Company and the dealers will be protected,
in this context, an application was made with the request, whether the use of some data processed by the company for the automation system for the Vehicle Identification Project without the express consent of the relevant persons can be evaluated within the scope of subparagraphs (ç) and (f) of paragraph (2) of Article 5 of the Personal Data Protection Law (Law).
The Company, operating as a ‘Fuel Distribution Company’ within the framework of the licenses obtained from EMRA, the processing of the personal data of vehicle owners within the framework of the Petroleum Market Law No. 5015 and the obligation to establish an audit system regulated in the relevant legislation, processing of personal data is deemed to be ‘mandatory for the data controller to fulfill his legal obligation’;
- in this context, the explicit consent of the person concerned is not sought in case of processing personal data,
- however, according to sub-clause (f) of the second paragraph of Article 5 of Law No. 6698, when determining that ‘data processing is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed’, by the data controllers;
- The fundamental rights and freedoms of the person concerned with the benefit to be obtained as a result of the processing of personal data are at a competitive level,
- It is mandatory to process personal data in order to achieve the said benefit,
- The legitimate interest is already available, specific and clear,
- If a legitimate interest that can compete with the fundamental rights and freedoms of the relevant person is obtained, a benefit will be obtained and it is not possible to reveal this benefit in another way and method without processing personal data,
- When determining legitimate interest, the benefit in question affects a large number of people, is not only for the purpose of gaining profit or economic benefit, facilitates business processes or a functioning (for example, affecting the general institution rather than a unit or a small number of personnel) based on transparent and accountable criteria,
- In this respect, keeping the relevant person away from all kinds of predictable, open and immediate dangers in order to prevent damage to his fundamental rights and freedoms, especially the protection of personal data,
- Taking all technical and administrative measures to prevent damage and violations by ensuring the legally functioning of personal data in a data recording system with a limited purpose,
- Ensuring compliance with general principles in the processing of personal data,
- In this context, the balance test by comparing the fundamental rights and freedoms of the person with the legitimate interest of the data controller
It was stated by the board that the issues should be evaluated.
In addition, the realization of a new data processing activity for a different purpose other than the purpose required for the first time processing of personal data is based on at least one of the data processing conditions listed in Article 5 of the Law and all the principles sought in the processing of personal data listed in Article 4 of the Law regardless of the first purpose must be compatible,
- Within the scope of the Vehicle Recognition Project implementation of the company, the automatic integration of the vehicle license plate and product type information of the consumers, which are currently registered in accordance with the Petroleum Market legislation, into the Vehicle Recognition Project system is also considered a new personal data processing activity.
Regarding these matters; the damaged incurred by consumers due to vehicle breakdowns caused by the supply of a product different from the product requested by the consumer to the vehicles coming to the fuel stations and the applicant as the distributor company, along with the operator and the applicant, are severally liable for these damages in accordance with the Law No.6502 on the Protection of the Consumer, and judicial decisions in this direction are Considering that the situation may lead to losses in the brand value and service quality of the company along with the financial loss of both the consumer and the distributor company, According to item (f) of the second paragraph of the Article, the data controller’s use of the license plate and product type information of the consumers ‘Provided that it does not harm the fundamental rights and freedoms of the person concerned, the data processing for the legitimate interests of the data controller it has been stated that it is within the scope of mandatory’.
In this respect, it has been decided that there is no legal obstacle in terms of Law No. 6698 for the Company to use the aforementioned system without obtaining of the relevant persons (natural person consumers whose personal data are processed), provided that the Company fulfills its obligation to inform in an accessible and visible way and does not use it for any other purpose.
According to all these issues, it is clear that there is no obstacle to data processing in accordance with the criteria set out in Article 5, which must comply with all the principles sought in the processing of personal data listed in Article 4 of the Personal Data Protection Law. In this regard, we would like to point out that the regulations in the law regarding the realization of data processing activities must be well known and the transactions must be carried out in accordance with the law.
In the informative video broadcast on the link is about, especially the regulations of the personal data protection law and the review of the board decision.
The informative video answers as follows;
– What are the general principles and the Article 4 of the Personal Data Protection Law?
– What are the processing conditions and the Article 5 of the Personal Data Protection Law?
– Who is the data controller?
– What is the duty of the data controller regarding personal data ?
– What are the legitimate interests in personal data and the issues stipulated by law?