<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>personal data protection board Archives - Kilic Tekin Law &amp; Consulting Firm</title>
	<atom:link href="https://kilictekin.com/tag/personal-data-protection-board-en/feed/" rel="self" type="application/rss+xml" />
	<link>https://kilictekin.com/tag/personal-data-protection-board-en/</link>
	<description>Kilic Tekin Law &#38; Consulting Firm</description>
	<lastBuildDate>Tue, 18 Feb 2025 12:57:50 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.7.5</generator>

<image>
	<url>https://kilictekin.com/wp-content/uploads/2021/01/favicon-4.ico</url>
	<title>personal data protection board Archives - Kilic Tekin Law &amp; Consulting Firm</title>
	<link>https://kilictekin.com/tag/personal-data-protection-board-en/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>WHAT ARE THE ‘ADEQUATE MEASURES’ TO BE TAKEN BY DATA CONTROLLER IN PROCESSING THE SPECIAL CATEGORIES OF PERSONAL DATA?</title>
		<link>https://kilictekin.com/what-are-the-adequate-measures-to-be-taken-by-data-controller-in-processing-the-special-categories-of-personal-data/</link>
		
		<dc:creator><![CDATA[KILIC TEKIN]]></dc:creator>
		<pubDate>Mon, 18 Jan 2021 13:32:15 +0000</pubDate>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[adequate measures]]></category>
		<category><![CDATA[authentication system]]></category>
		<category><![CDATA[confidentiality agreement]]></category>
		<category><![CDATA[cryptographic methods]]></category>
		<category><![CDATA[electronic environment]]></category>
		<category><![CDATA[personal data protection board]]></category>
		<category><![CDATA[personal data protection law]]></category>
		<category><![CDATA[sFTP]]></category>
		<category><![CDATA[special categories of personal data]]></category>
		<category><![CDATA[VPN]]></category>
		<guid isPermaLink="false">https://www.kilictekin.com/?p=7245</guid>

					<description><![CDATA[<p>The decision of the Personal Data Protection Board (‘Board’) dated 31/01/2018 and numbered 2018/10 (‘Decision’) regarding ‘Adequate Measures Taken by Data Controllers in Processing The Special Categories of Personal Data’ is discussed below. First of all, we would like to state that in this decision of the Board, there is valuable information that will enlighten the data controllers and what needs ... </p>
]]></description>
										<content:encoded><![CDATA[
<p>The decision of the Personal Data Protection Board (‘Board’) dated 31/01/2018 and numbered 2018/10 (‘Decision’) regarding ‘Adequate Measures Taken by Data Controllers in Processing The Special Categories of Personal Data’ is discussed below.</p>



<p>First of all, we would like to note that this decision of the Board contains valuable information that will enlighten data controllers about what needs to be done in the processing of special categories of personal data.</p>



<p>Paragraph (4) of Article 6 of the Law on the Protection of Personal Data No. 6698 (‘Law’) includes the provision ‘Adequate measures determined by the Board shall be also taken while processing the special categories of personal data.’ Based on this, the Board took a decision and set out the rules on this issue.</p>



<p>In this context, the adequate measures to be taken by data controllers who process special categories of personal data in accordance with sub-paragraphs (ç) and (e) of paragraph (1) of Article 22 of the Law are determined by the Personal Data Protection Board as follows:&nbsp;</p>



<p>1- Establishing a systematic, clearly defined, manageable and sustainable separate policy and procedure for the security of special categories of personal data,</p>



<p>2- There are also specific determinations for employees involved in the processing of special categories of personal data.</p>



<p>Especially for employees involved in the processing of special categories of personal data,</p>



<ul class="wp-block-list" type="a"><li>Providing regular training on the law and related regulations and on the security of special categories of personal data,</li><li>Signing confidentiality agreements,</li><li>Clearly defining the users who have access to data, and the scope and duration of their authorization,</li><li>Periodically performing authorization checks,</li><li>Immediately terminating the authorization of employees who change position or leave their job.</li></ul>



<p>In this context, this also covers issues such as the return of the inventory allocated to the employee by the data controller.</p>



<p>3- If the environments where special categories of personal data are processed, stored and/or accessed are electronic environments,</p>



<ul class="wp-block-list" type="a"><li>Storing the data using cryptographic methods,</li><li>Keeping cryptographic keys in a secure and different environment,</li><li>Securely logging the transaction records of all transactions performed on the data,</li><li>Continuously monitoring the security updates of the environments where the data is located, regularly conducting or commissioning the necessary security tests, and recording the test results,</li><li>If the data is accessed through software, performing user authorization for this software, regularly carrying out security tests of this software, and recording the test results,</li><li>Providing at least a two-stage authentication system if remote access to data is required,</li></ul>



<p>4- If the environments where special categories of personal data are processed, stored and/or accessed are physical environments,</p>



<ul class="wp-block-list" type="a"><li>Ensuring that adequate security measures (against electrical leakage, fire, flood, theft, etc.) are taken depending on the nature of the environment in which special categories of personal data are located,</li><li>Preventing unauthorized entry and exit by ensuring the physical security of these environments,</li></ul>



<p>5- If special categories of personal data are to be transferred,</p>



<ul class="wp-block-list" type="a"><li>If the data needs to be transferred via e-mail, transferring it in encrypted form using a corporate e-mail address or a Registered Electronic Mail (REP) account,</li><li>If it needs to be transferred via media such as portable memory, CD or DVD, encrypting it with cryptographic methods and keeping the cryptographic key in a different environment,</li><li>If the transfer is made between servers in different physical environments, transferring the data between servers using a VPN or the sFTP method,</li><li>If the data is to be transferred on paper, taking the necessary measures against risks such as theft, loss or being seen by unauthorized persons, and sending the document in the ‘confidentiality grade documents’ format.</li></ul>



<p>Of course, we would like to point out that besides these measures, technical and administrative measures to ensure the appropriate security level specified in the Personal Data Security Guide published on the website of the Personal Data Protection Authority should also be taken into account.&nbsp;</p>



<p>Otherwise, when violations are detected by the Board, some legal and criminal sanctions may be incurred.&nbsp;</p>



<p>In another precedent Board decision, dated 05/12/2018 and numbered 2018/143, evaluations were made about a data controller who transferred health data to third parties without relying on one of the processing conditions in Article 6 of the Law.</p>



<p>This decision concerns a complaint made to the Authority about the pharmacy that supplied the drugs sharing special category health data with a third party without any processing condition.</p>



<p>Paragraph (1) of Article 6, titled ‘Conditions for the processing of special categories of personal data’, of the Law on the Protection of Personal Data No. 6698 (‘Law’) states that the health data of individuals are special categories of personal data.</p>



<p>Paragraph (2) of the aforementioned article prohibits the processing of special categories of personal data without the explicit consent of the person concerned; however, paragraph (3) lists other cases where special categories of personal data can be processed without explicit consent.</p>



<p>Accordingly, it has been stated that health data can only be processed without explicit consent by persons or authorized institutions and organizations under the obligation of confidentiality, for the purpose of protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, and planning and managing health services and their financing.</p>



<p>On the other hand, clause (1) of Article 12 of the Law states that the data controller, in order to</p>



<ul class="wp-block-list" type="a"><li>prevent unlawful processing of personal data,</li><li>prevent unlawful access to personal data,</li><li>ensure the protection of personal data,</li></ul>



<p>has to take all necessary technical and administrative measures to ensure the appropriate level of security.</p>



<p>Paragraph (4) of the aforementioned article states that data controllers and data processors cannot disclose the personal data they have learned to anyone in violation of the provisions of the Law and cannot use them for purposes other than the purpose of processing.</p>



<p>In this context, the pharmacy that supplied the drugs shared the special categories of personal data of a person using medicine under the control of a doctor with a third person without meeting the conditions listed in Article 8 of the Law on the Protection of Personal Data. This is against clause (4) of Article 12 of the Law, and an administrative fine has been imposed on the data controller pharmacy in accordance with Article 18 of the Law.</p>



<p>We would like to note that the precedent decisions above highlight the notable points of the Law on Protection of Personal Data that should be considered in practice and in making the necessary arrangements regarding personal data at offices.</p>






<figure class="wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper">
<div class="x-resp-embed x-is-video x-is-youtube"><iframe title="AV. SİBEL KILIÇ TEKİN ve AV. LİDYA METE ile HUKUKİ GÜNDEM l Özel Nitelikli Kişisel Veri  Önlemi" width="1080" height="608" src="https://www.youtube.com/embed/aGKm4iYii8E?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></div>
</div></figure>






<p>The informational video covers the following issues.</p>



<ul class="wp-block-list"><li>What are the sufficient precautions to be taken by data controllers in the processing of special categories of personal data?</li><li>Which issues were considered in the precedent Board decision in accordance with paragraph (4) of Article 6 of the Personal Data Protection Law No. 6698, which provides that ‘Adequate measures determined by the Board shall be also taken while processing the special categories of personal data.’?</li></ul>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>General Principles of Personal Data Protection and Data Controller</title>
		<link>https://kilictekin.com/general-principles-of-personal-data-protection-and-data-controller/</link>
		
		<dc:creator><![CDATA[KILIC TEKIN]]></dc:creator>
		<pubDate>Tue, 18 Feb 2020 13:27:43 +0000</pubDate>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[data controller]]></category>
		<category><![CDATA[legitimate interests in personal data]]></category>
		<category><![CDATA[personal data]]></category>
		<category><![CDATA[personal data protection board]]></category>
		<category><![CDATA[personal data protection law]]></category>
		<guid isPermaLink="false">https://www.kilictekin.com/?p=7141</guid>

					<description><![CDATA[<p>In the Personal Data Protection Law, ‘General Principles’ are regulated in Article 4 and ‘Conditions for Processing Personal Data’ in Article 5. The related articles are below. General Principles ARTICLE 4 –&#160;(1) Personal data shall only be processed in compliance with procedures and principles laid down in this Law or other laws. (2) The following principles shall be ... </p>
]]></description>
										<content:encoded><![CDATA[
<p>In the Personal Data Protection Law, ‘General Principles’ are regulated in Article 4 and ‘Conditions for Processing Personal Data’ in Article 5. The related articles are below.</p>



<p><strong><em>General Principles</em></strong><em></em></p>



<p><strong><em>ARTICLE 4 –&nbsp;</em></strong><em>(1) Personal data shall only be processed in compliance with procedures and principles laid down in this Law or other laws.</em><em></em></p>



<p><em>(2) The following principles shall be complied within the processing of personal data:</em><em></em></p>



<p><em>a) Lawfulness and fairness&nbsp;</em><em></em></p>



<p><em>b) Being accurate and kept up to date where necessary.</em><em></em></p>



<p><em>c) Being processed for specified, explicit and legitimate purposes.</em><em></em></p>



<p><em>ç) Being relevant, limited and proportionate to the purposes for which they are processed.</em><em></em></p>



<p><em>d) Being stored for the period&nbsp;</em><em>laid down&nbsp;</em><em>by relevant legislation or the period required for the purpose for which the personal data are processed.</em><em></em></p>



<p><strong><em>Conditions for processing personal data</em></strong><em></em></p>



<p><strong><em>ARTICLE 5 –&nbsp;</em></strong><em>(1) Personal data shall not be processed without explicit consent of the data subject.</em><em></em></p>



<p><em>(2) Personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:</em><em></em></p>



<p><em>a) It is expressly provided for by the laws.</em><em></em></p>



<p><em>b) It is&nbsp;</em><em>necessary for&nbsp;</em><em>the protection of life or physical integrity of the person himself/herself or of any other person, who&nbsp;</em><em>is unable to explain his/her consent due to the physical disability</em><em>&nbsp;or whose consent is not deemed legally valid.</em><em></em></p>



<p><em>c) Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.</em><em></em></p>



<p><em>ç) It is necessary for compliance with a legal obligation to which the data controller is subject.</em><em></em></p>



<p><em>d) Personal data have been made public by the data subject himself/herself.</em><em></em></p>



<p><em>e) Data processing is necessary for the establishment, exercise or protection of any right.</em><em></em></p>



<p><em>f) Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.</em></p>



<p>It would be useful to refer to a precedent decision of the Personal Data Protection Board for the issues that are foreseen in the regulation of these articles and that need to be considered in their implementation.&nbsp;</p>



<p>In particular, an application made to the Authority regarding a data controller’s request to use personal data within the framework of legitimate interests in order to fulfill its legal obligation, and the decision made by the Board as a result of this application, are below.</p>



<p>A company operating in the petroleum market under the ‘Distributor License’ in accordance with the Petroleum Market Law No. 5015 stated that:</p>



<ul class="wp-block-list"><li>Within the framework of the obligation imposed by the Energy Market Regulatory Board (EMRA) Decision, it established an automation system that is open to instant access by the relevant Authority and allows dealers’ pump sales movements, including information on ‘plate, fuel type, quantity, price, time (hour, minute and second)’, to be queried,</li><li>Among the data kept open to instant access by EMRA, it wants to use the data on ‘license plate and fuel type’ for the ‘Vehicle Recognition’ project it developed to prevent ‘erroneous fuel filling’, which has become a big problem in the sector for vehicle owners, fuel dealers and fuel distribution companies,</li><li>With the implementation of the Vehicle Recognition Project, the license plate data of the vehicle to be refuelled will be automatically matched with the fuel type (gasoline or diesel) it uses and recorded in the system; this will automatically prevent wrong fuel purchases,</li><li>It has become a necessity for the company and dealers to use the license plate for the correct performance of the sales contract established during the sale of fuel to the consumer and to supply the correct product; the realization of the Vehicle Identification Project will end the problems arising from wrong fuel supply, and thus the legitimate interests of the Company and the dealers will be protected.</li></ul>



<p>In this context, the company applied to ask whether the use of some of the data it processes for the automation system in the Vehicle Identification Project, without the express consent of the relevant persons, can be evaluated within the scope of subparagraphs (ç) and (f) of paragraph (2) of Article 5 of the Personal Data Protection Law (Law).</p>



<p>For the Company, which operates as a ‘Fuel Distribution Company’ within the framework of the licenses obtained from EMRA, the processing of the personal data of vehicle owners within the framework of the Petroleum Market Law No. 5015 and the obligation to establish an audit system regulated in the relevant legislation is deemed to be ‘mandatory for the data controller to fulfill his legal obligation’;</p>



<ul class="wp-block-list"><li>in this context, the explicit consent of the person concerned is not sought in case of processing personal data,</li><li>however, when data controllers determine, according to sub-clause (f) of the second paragraph of Article 5 of Law No. 6698, that ‘data processing is mandatory for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed’;<ul><li>The benefit to be obtained as a result of the processing of personal data being at a level that can compete with the fundamental rights and freedoms of the person concerned,</li><li>The processing of personal data being mandatory in order to achieve the said benefit,</li><li>The legitimate interest being currently existing, specific and clear,</li><li>Where there is a legitimate interest that can compete with the fundamental rights and freedoms of the relevant person, a benefit being obtained that cannot be achieved by another way or method without processing personal data,</li><li>When determining legitimate interest, relying on transparent and accountable criteria, such as the benefit in question affecting a large number of people, not being solely for the purpose of gaining profit or economic benefit, and facilitating business processes or operations (for example, affecting the institution in general rather than a unit or a small number of personnel),</li><li>In this respect, keeping the relevant person away from all kinds of predictable, open and immediate dangers in order to prevent damage to his fundamental rights and freedoms, especially the protection of personal data,</li><li>Taking all technical and administrative measures to prevent damage and violations by ensuring that personal data are handled lawfully in a data recording system with a limited purpose,</li><li>Ensuring compliance with general principles in the processing of personal data,</li><li>In this context, conducting the balance test by comparing the fundamental rights and freedoms of the person with the legitimate interest of the data controller</li></ul></li></ul>



<p>The Board stated that these issues should be evaluated.</p>



<p>In addition, a new data processing activity carried out for a purpose other than the one for which the personal data were first processed must, regardless of the first purpose, be based on at least one of the data processing conditions listed in Article 5 of the Law and be compatible with all the principles for the processing of personal data listed in Article 4 of the Law.</p>



<ul class="wp-block-list"><li>Within the scope of the Vehicle Recognition Project implementation of the company, the automatic integration of the vehicle license plate and product type information of the consumers, which are currently registered in accordance with the Petroleum Market legislation, into the Vehicle Recognition Project system is also considered a new personal data processing activity.&nbsp;</li></ul>



<p>Regarding these matters, considering that consumers incur damage due to vehicle breakdowns caused by supplying vehicles coming to the fuel stations with a product different from the one requested by the consumer; that the applicant, as the distributor company, is severally liable for this damage together with the operator in accordance with Law No. 6502 on the Protection of the Consumer, with judicial decisions in this direction; and that the situation may lead to losses in the brand value and service quality of the company along with the financial loss of both the consumer and the distributor company, it has been stated that, according to item (f) of the second paragraph of the Article, the data controller’s use of the license plate and product type information of the consumers is within the scope of ‘data processing being mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned’.</p>



<p>In this respect, it has been decided that there is no legal obstacle in terms of Law No. 6698 to the Company using the aforementioned system without obtaining the explicit consent of the relevant persons (natural person consumers whose personal data are processed), provided that the Company fulfills its obligation to inform in an accessible and visible way and does not use the data for any other purpose.</p>



<p>In light of all these issues, it is clear that there is no obstacle to data processing carried out in accordance with the criteria set out in Article 5 and in compliance with all the principles for the processing of personal data listed in Article 4 of the Personal Data Protection Law. In this regard, we would like to point out that the provisions of the law regarding data processing activities must be well known and that transactions must be carried out in accordance with the law.</p>






<p>The informative video at the link covers, in particular, the provisions of the Personal Data Protection Law and a review of the Board decision.</p>






<figure class="wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper">
<div class="x-resp-embed x-is-video x-is-youtube"><iframe title="AV. SİBEL KILIÇ TEKİN ve AV. LİDYA METE ile HUKUKİ GÜNDEM l KİŞİSEL VERİ SORUMLUSU" width="1080" height="608" src="https://www.youtube.com/embed/Nd-JYokokVM?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe></div>
</div></figure>






<p>The informative video answers the following questions:</p>



<p>&#8211; What are the general principles and the Article 4 of the Personal Data Protection Law?&nbsp;</p>



<p>&#8211; What are the processing conditions and the Article 5 of the Personal Data Protection Law?&nbsp;</p>



<p>&#8211; Who is the data controller?</p>



<p>&#8211; What is the duty of the data controller regarding personal data?</p>



<p>&#8211; What are the legitimate interests in personal data and the issues stipulated by law?&nbsp;</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
