Personal Data

KILIC TEKIN | Articles

This e-information note provides general information about ‘personal data’ in the form of short Q&As.

We would also like to underline that legal regulations can change at any time, especially in light of legal updates, and that the current state of the legislation should be followed.

-What is personal data?

Personal data is defined mainly in paragraph (d) of Article 3, titled ‘Definitions’, of the Law on the Protection of Personal Data No. 6698, and in paragraph (ğ) of Article 4, titled ‘Definitions’, of the Regulation on the Registry of Data Controllers. According to the law, personal data refers to all kinds of information regarding an identified or identifiable natural person.

Given this broad definition, the point to note in particular is that ‘any information that leads us to a real person’ can be considered personal data.

– What is the processing of personal data?

The processing of personal data is likewise defined in clause (e) of Article 3, titled ‘Definitions’, of the Personal Data Protection Law No. 6698. The relevant provision is as follows:

‘… e) Processing of personal data: Obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over personal data fully or partially by automatic means or by non-automatic means provided that it is a part of any data recording system. All kinds of operations performed on the data such as making it available, classifying or preventing its use, …’

According to that article, the processing of personal data means subjecting personal data to various operations, ‘automatically or non-automatically’.

In addition, the law and the relevant regulations on processing cover all kinds of operations on data, such as recording, storing or preserving, changing or arranging, disclosing, sharing, transferring and obtaining data.

-What is the importance of personal data in terms of company law?

Compliance with the existing legal regulations on personal data is important for companies in many ways.

In the establishment and follow-up activities of companies, in transactions with employees or customers during daily operations, and in processes such as purchasing, sales and service delivery that are important for commercial activities, a great deal of personal data has to be tracked. The regulations that must be followed in categorizing and processing this personal data are therefore also important in terms of company law.

Compliance with legal obligations on the protection of personal data is especially important for companies with foreign capital, companies with branches abroad, and companies doing business interactively with parties abroad.

Article 9 of the Personal Data Protection Law No. 6698 contains a separate provision on the transfer of personal data abroad. The article reads as follows:

Transfer of personal data abroad

ARTICLE 9 – (1) Personal data shall not be transferred abroad without explicit consent of the data subject.

(2) Personal data may be transferred abroad without explicit consent of data subject upon the existence of one of the conditions referred to in Article 5(2) and Article 6(3) of the Law and if in the country where personal data are to be transferred;

(a) Adequate protection is provided,

(b) Adequate protection is not provided, upon the existence of commitment for adequate protection in writing by the data controllers in Turkey and in the relevant foreign country and authorisation of the Board.

(3) The Board determines and announces the countries with adequate protection.

(4) The Board shall decide whether there is adequate protection in the foreign country and whether such transfer is permitted under sub-paragraph (b) of the second paragraph, by evaluating the following and by receiving the opinions of relevant institutions and organizations, where necessary:

a) the international conventions to which Turkey is a party,

b) the state of reciprocity relating to data transfer between the requesting country and Turkey,

c) the nature of the data, the purpose and duration of processing regarding each concrete, individual case of data transfer,

ç) the relevant legislation and its implementation in the country to which the personal data are to be transferred,

d) the measures committed by the data controller in the country to which the personal data are to be transferred.

(5) Without prejudice to the provisions of international agreements, in cases where the interest of Turkey or the data subject will seriously get harmed, personal data may only be transferred abroad upon the authorisation to be given by the Board after receiving the opinions of relevant public institutions and organizations.

(6) The provisions of other laws relating to the transfer of personal data abroad are reserved.

These provisions set out the procedures to be followed when transferring personal data abroad and the conditions under which such a transfer is permitted.

-How are personal data processed?

Personal data may only be processed in accordance with the processing conditions regulated in Article 5 of the Personal Data Protection Law.

According to this article, personal data can first of all be processed with the explicit consent of the person concerned. Where the person concerned has not given explicit consent, one of the other exceptional cases specified in the law must exist; that is, if any of those other conditions is met, the explicit consent of the person concerned is not required.

These conditions are again regulated in Article 5 of the relevant law and are, to repeat them briefly, as follows: the processing is explicitly stipulated in the law; the person concerned is unable to express consent because of actual impossibility, or that person's consent is not legally valid, and the processing is necessary to protect the life or bodily integrity of that person or of another person; the processing of personal data is necessary, provided that it is directly related to the establishment or performance of a contract; the processing is necessary for the data controller to fulfill a legal obligation; the data has been made public by the data subject; the processing is necessary for the establishment, use or protection of a right; or the processing is mandatory for the legitimate interests of the data controller, on the condition that the fundamental rights and freedoms of the data subject are not damaged.

-What is the responsibility of the data controller, as a real or legal person, according to the personal data legislation?

Paragraph (ı) of Article 3 of the Personal Data Protection Law gives the definition ‘… Data Controller: the real or legal person who determines the purposes and means of processing personal data, and who is responsible for the establishment and management of the data recording system.’ The same definition also appears in Article 4 of the Regulation on Data Controllers Registry.

At this point, we would like to draw attention to who the data controller is in the case of legal persons: in a legal entity, the data controller is the legal entity itself, not a natural person.

In companies, the data controller is the company itself, not a person who represents the company or an outsourced party, such as an employee, manager, company owner, chairman of the board of directors, member of the board of directors or attorney. In practice, however, the company can assign these people to carry out the work and transactions related to the implementation of the Personal Data Protection Law. Such an assignment does not make that person the data controller.

– What is the inventory according to the personal data regulations and how should the inventory be prepared?

Paragraph (h) of Article 4, titled ‘Definitions’, of the By-Law on Data Controllers Registry states: ‘…Personal data processing inventory means the inventory which are detailed by explanations of the followings; personal data processing operations performed by data controllers according to their business processes, purposes and legal basis of personal data processing, data category, recipient group, maximum storage period which is formed relating to the group of person subject to data and necessary for the purpose for which personal data are processed, personal data envisaged to be transferred to foreign countries, and measures taken relating to data security…’.

As stated in the Personal Data Processing Inventory Preparation Guide prepared by the Personal Data Protection Authority, it will be beneficial to follow the inventory preparation stages step by step in accordance with the definition in the law.

In light of all this, the checklist for preparing the inventory and the steps to be taken are listed below, in order.

-First of all, determination of personal data on the basis of process or activity

-Determining the characteristics of personal data detected

-Determining the legal reason for the processed personal data

-Determination of personal data processing purposes

-Determining the group of data subjects

-Determination of the storage period of processed personal data

-Determining the recipient/recipient groups to which the processed personal data are transferred

-Identification of personal data transferred to foreign countries

-Determination of technical and administrative measures taken for personal data processed

Proceeding with these steps will not only produce a classification that accords with the law and the regulation, but will also help in preparing inventories that are more functional and legally suitable for auditing.

The informative video available at the link covers the definitions and provisions set out in the personal data protection law and by-laws.

The informative video contains answers to questions as follows;

-What is personal data?

-What is the processing of personal data?

-What is the importance of personal data in terms of company law?

-How is personal data processed?

-What is the responsibility for the data controller as natural or legal persons according to the personal data legislation?

-What is the inventory according to the personal data regulations and how should the inventory be prepared?