Legal Support and Consultancy Provided by Our Law Office to Natural and Legal Persons in The Field of Personal Data Protection

Lawyer Erdem Arda Akay

Introduction

»In connection with economic and technologic improvement, data on individuals are collected by natural and legal persons. This data collection can be done by way of performing a task or providing a service. This situation also affected the legal field. With the Law on Protection of Personal Data published in the Official Newspaper on April 7, 2016 and numbered 29677, a legal framework for the protection of recorded personal data belonging to individuals with whom natural and legal persons interact. The Law on Protection of Personal Data numbered 6698 complies with General Data Protection Regulation (on April 27, 2016 and numbered 2016/679) and Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data(on January 28,1981 and numbered 108).

Who are the data controllers and data processors?

»With the enactment of the Personal Data Protection Law No.6698, the concepts of data controller and data processor have also entered our lives in the context of the protection of personal data. The law clearly states who is the data controller and who is the data processor and has taken care not to leave a gray area. In Law No. 6698, the data controller is defined as “the natural or legal person who determines the purposes and means of processing personal data, and is responsible for the establishment and management of the data recording system”, while the data processor is “the natural or legal person who processes personal data on behalf of the data controller” shown as. In some cases, these two concepts can be combined in the same natural and legal person, or they can also be encountered as two separate natural or legal persons. The main distinction here is while the data controller is the person who has the authority to make decisions regarding all kinds of processing and action on the personal data in the period from the acquisition of the personal data until the end of the storage period, the data processor is the natural or legal person who fulfills his instructions under the actual control of the data controller.

For example; A company X, operating in the field of sales and marketing, works with a research company to determine the impact of the product launched on the targeted customer base and the reflection of this effect on sales rates. “Who will be the targeted customer mass in the field research to be conducted?”, “What personal data will be collected from these people?”, “How long will the collected data be processed and stored ?” topics are at the disposal of X company and company X will be qualified as the data controller. The research company, on the other hand, can only carry out the research in line with the instructions of the X company and is in the position of data processor in the context of processing personal data.

Lawyers Role in Protection of Personal Data Law

»After the law, the most important consequence of this area is obligation to register with the Data Controller Registry for data controller legal entities. However, taking into account the objective criteria to be determined by the Board, such as the nature and number of the personal data processed, whether the data processing originates from the law or the status of transfer to third parties, the Board may make exceptions to the obligation to register in the Data Controllers Registry.

»In terms of legal entities, the process of compliance with the law, which entered into force in 2016, includes a number of procedures to be fulfilled. At this stage, the first thing to decide is to decide on the scope of the adaptation project to be implemented, taking into account the size of the company, and to determine with whom the harmonization project will be carried out. The processing of personal data is not a one-off job for data controllers; It is a process that they have to perform continuously within the scope of their activities. It would be appropriate to seek help from legal experts and data security experts in order to ensure this continuity and to ensure that the steps taken are legal.

»The task of our lawyers and our law firm working in the field of Protection of Personal Data is primarily to provide consultancy to the client before the competent authorities regarding the representation and protection of personal data. This representation sometimes short time, sometimes take long time for conducting projects for compliance with personal data legislation for companies. Our lawyers and law firm working in Protection of Personal Data, will act in favor of the client in the interests and will help to realize the plans and strategies that are desired to be implemented within the legal limits.

Consultancy and services offered by our law firm working in the field of personal data protection can be counted as follows:

Developing an overall strategy for complying with data protection requirements

»Natural and legal persons will be able to process the personal data of their employees and customers within the limits set by the Personal Data Protection Law. There are some principles to consider about processing personal data. The processing of personal data should be done in accordance with the law and the honesty rule; the processed data must be accurate and up-to-date; data should be processed for specific, clear and legitimate purposes; be limited and restrained for the purpose for which they are processed; processed data should be maintained for the period required by the relevant legislation or for the purpose for which they are processed.

»In case of failure to comply with these rules, the data controller will be under administrative and criminal liability. Working with lawyers or law firms which have experience in data protection would be helpful to avoid this situation. It should be emphasized that the strategy to be determined for the processing of personal data is not a move to save the day against sanctions; It will be to take the first step in the tradition of the legal entity regarding data processing.

Drafting necessary documents, in particular employee privacy policies, access procedures

»Clear consent of natural persons whose personal data will be processed must be taken. Data can only be processed without explicit consent in cases specified in the law. Before take the clear consent, the person whose personal data will be processed should be informed about the process. However, within the framework of the privacy policy with the data subjects, the contract will be signed stating that the personal data obtained will not be shared with third parties. This issue is very important for the fundamental rights and freedoms of the person and should be taken into consideration by the data responsible clients in order not to cause violations of rights.

»Regardless of the way express consent will be obtained, in cases where the law stipulates explicit consent, this situation will bring along the obligation to inform. Obligation to inform can be defined as transparent information regarding the rights of the data owner. One of the three conditions for the occurrence of explicit consent, being based on information, can only be mentioned as a result of duly fulfilling the obligation to inform.

»As a minimum in the obligation to inform to be fulfilled by the data controllers or the persons they authorize; Identity of the data controller and its representative, if any, the purpose for which the personal data will be processed, to whom and for what purpose it can be transferred, the method and legal reason to be adopted in the collection of personal data, and other rights of the person whose personal data will be collected, enumerated in Article 11 of Law No. 6698. While fulfilling the obligation, the text to be used must be suitable for the purpose, clear, specific and legitimate, and it is important to adopt a plain and understandable language by avoiding ambiguous expressions. Thus, the relevant person will be able to have information about what purpose and how the data to be processed can be processed, and the explicit consent to be given can be the product of his free will.

»In addition to the express consent obtained as a result of the obligation to inform, a contract will be signed with the relevant persons whose data is processed, stating that the personal data obtained will not be shared with third parties within the framework of the privacy policy. This issue is extremely important in terms of fundamental rights and freedoms of the person and should be taken into consideration by the data controller clients in order not to cause violations of rights.

Prepare regulatory filings, including notification of data processing to the DPAs

»Natural and legal persons, who are named as data responsible in the law, refer to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. They must register with the Data Controllers Registry before data can be reported. The data officers registered in this registry within the body of the Personal Data Protection Institution will notify this registry about the personal data available to their customers and employees. In addition, applications will be made to the institution for the statements, complaints and other transactions of the data responsible for personal data. It is important that data reporting and other applications are made duly. For this reason, the process to be carried out by lawyers working in this field will prevent possible loss of rights.

Advising Companies and Institutions on the Protection of Personal Data and Organizing Educational Programs

»Protection of personal data topic is still developing in our country. The personal data subject, which has been developing in our country in recent years, draws a new framework with both the regulations issued and the decisions made by the Authority. Lawyers operating in this field should be open to self-improvement and share information on the subject with their clients they provide representation and consultancy services. In this context, written clarification and informative texts can be prepared for the persons whose personal data are processed, training seminars can be held to inform the client and employees on the protection of personal data, regularly meet with the personnel working within the company and take an active role in the processing of personal data. Board decisions and legislative changes that may concern the policy can be shared. It should not be forgotten that the process of processing personal data is not a short-term project, but a continuous project that needs to be up-to-date. If all stakeholders involved in the process are aware of the data processing process and work consciously, it will help the data strategy to be implemented more successfully.

Assisting the client in developing procedures to deal with data security breaches

»The data responsible will also be responsible for the security of personal data. In accordance with Article 12 of the Law, data responsible to prevent personal data from being processed illegally, to prevent personal data from being accessed illegally and to take all necessary technical and administrative measures to ensure the appropriate level of security to ensure the retention of personal data.

»In this context, the development of security procedures with technical and legal assistance will prevent data risks from being prevented. It will be beneficial for the client to determine a procedure that is low cost, has high security in terms of data protection and complies with both national and international legislation.

Evaluating the various mechanisms for the transfer of personal data outside the country and advising the client on the one that is appropriate for its particular circumstances

»The issue of transferring personal data abroad is regulated in Article 9 of the Personal Data Protection Law. According to this provision, the explicit consent of the person concerned is required in order to transfer the data abroad. However, while the law of the 5th and 6th conditions in the material provided, there is adequate protection in the country where transmission of personal data is not sufficient protection in question is an adequate protection of responsible data in Turkey and in the foreign countries to commit themselves in writing and the person concerned, subject to the approval of the Council open Personal data can be transferred abroad without seeking consent. In which countries there is sufficient protection, it is determined by the Personal Data Protection Board.

»Considering the provisions of the legislation, it will be possible to transfer the data to abroad in accordance with the procedure and to collect them in a center. Here, the legal, technical and financial conditions should be evaluated together in order to determine the most appropriate method. It will be beneficial for the client to determine a procedure that is low cost, has high security in terms of data protection and complies with both national and international legislation.

Development of Personal Data Protection Law and Advocacy

»While the issue of protecting personal data, which we are intertwined with in all areas of life, has shown itself as a separate area of expertise in Europe for more than thirty years, it has transformed from a narrow niche to a wide field of work after the transformation to electronic commerce, which has reached enormous dimensions in the last five years. Along with the studies carried out in our country in recent years on the Law on the Protection of Personal Data, the EU Parliament and Council’s European Union General Data Protection Regulation dated 27 April 2016 and numbered 2016/679 and “Personal Data No. Law No. 6698 on the Protection of Personal Data and its related regulations, which is compatible with the “Convention on the Protection of Individuals Against Automatic Processing”, has come into force.

»At the same time, as a result of the decisions taken within the Personal Data Protection Authority, a decision case law on personal data law is gradually being formed. The issue of processing personal data, which was considered regional and national until recently, has become international with the widespread use of the internet and electronic commerce as mentioned above; This situation has also taken the consultancy and service activities carried out by lawyers and law offices outside the borders of the country in the context of Personal Data Protection Law. While this provides lawyers with a new field of expertise, it has brought the necessity of being familiar with the laws of many different jurisdictions. At this point, the main duty of lawyers working in the relevant field is to convey the legal and technical support they need to their clients in the fastest and most practical way, regardless of the stage of personal data processing.

»As mentioned above, data processing procedures for natural and legal persons are not a short period of time, but a long process. At this point, taking the right steps will not only lead to win today, but also help invest in tomorrow and put data processing operations on a solid ground.