Principles Governing the Processing of Personal Data


Compliance with Law and Principles of Fairness

According to Article 6/1(a) of the European Union Data Protection Directive (Directive 95/46/EC), personal data must be processed lawfully and fairly. Similarly, Article 5/1(a) of the European Union General Data Protection Regulation (GDPR) stipulates that processing must be lawful, fair, and transparent. In Turkey, Article 4/2(a) of the Personal Data Protection Law (KVKK) requires that processing comply with the law and with the principles of fairness.

What is meant by the lawful and fair processing of personal data? To understand this, we must first look at the regulations in Articles 13 and 20 of the Turkish Constitution. Article 20, titled “Privacy of Private Life,” states, “Everyone has the right to request respect for their private and family life. The privacy of private life and family life cannot be violated… Everyone has the right to request the protection of their personal data. This right includes being informed about personal data related to oneself, accessing this data, requesting its correction or deletion, and learning whether it is being used for its intended purposes. Personal data can only be processed in cases stipulated by law or with the explicit consent of the individual.” The text clearly states that personal data can only be processed in cases provided for by law or with the individual’s explicit consent. Article 13 further states that “Fundamental rights and freedoms can only be restricted by law and solely based on the reasons specified in the relevant articles of the Constitution, without affecting their essence. These restrictions cannot be contrary to the wording and spirit of the Constitution, the requirements of a democratic social order, and the principle of proportionality.” From this regulation, it can be inferred that the right to request respect for private life can only be limited by law, and such limitations cannot contradict the democratic social order.

As stated above, for personal data to be processed, either the explicit consent of the data subject must exist or the law must permit the processing in question. Article 5 of the KVKK explicitly states that personal data may be processed where this is provided for by law or where one of the other conditions listed in that article is met. Article 4/1 states, “Personal data can only be processed in accordance with the procedures and principles set forth in this Law and other laws.”

Considering all the aforementioned regulations together, for personal data to be processed lawfully, either the explicit consent of the data subject must be obtained, or the law must explicitly allow for the processing of such data in cases where consent is not present. Additionally, the processing of personal data must adhere to the procedures and principles specified in the KVKK or other relevant laws.

What does it mean for personal data to be processed in accordance with the principle of fairness? The principle of fairness is never applied in isolation: the regulations require that personal data be processed in accordance with both the law and the principles of fairness, and the GDPR adds that processing must also be “transparent.” The principle of fairness in processing personal data is therefore not an independent principle but one that must be applied alongside the principle of legality. It indicates that the authority granted by law must not be abused when personal data is processed. The principle of fairness is expressed in Article 2 of the Turkish Civil Code: “The law does not protect the manifest abuse of a right.” It follows that even where the law explicitly regulates the use of the personal data, or the data subject has given explicit consent, we must first ask, “Is there a need to process this personal data?” If the answer is “yes,” we must then ask whether the methods and principles applied are the most appropriate ones and the least restrictive of the data subject’s right to respect for private life, as the law requires. In other words, where the law explicitly allows the processing or the data subject has given explicit consent, the data controller must carry out the processing in a way that balances the “legitimate expectations” and “legitimate interests” of the data subject against the competing interests of the controller. This is a requirement of the principles of legality and fairness in the processing of personal data.[1]

The principles of lawful and fair processing should be evaluated together with the principle of transparency. The person best placed to monitor whether personal data is being processed lawfully and fairly is the data subject. Processing that complies with the law and the principles of fairness does not harm the legitimate interests and rights of the data subject; to be able to check whether those interests and rights are being harmed, the data subject must have access to information about which of their personal data is being processed, whether that data is accurate, and by what methods and principles it is being processed. Article 11 of the KVKK enumerates the rights of the data subject: to learn whether their personal data is being processed; to request information if it is; to learn the purpose of the processing and whether the data is used in accordance with that purpose; to know the third parties, in Turkey or abroad, to whom the data is transferred; to request the correction of incomplete or inaccurate data; to request the deletion or destruction of the data; to request that such corrections, deletions, or destructions be notified to the third parties to whom the data has been transferred; to object to a result unfavorable to them that arises from the analysis of the processed data exclusively by automated systems; and to demand compensation for damage suffered because of unlawful processing. These rights enable the data subject to detect processing that is contrary to law and fairness, to request that it cease, and to seek redress for damage, and thereby give effect to the principle of lawful and fair processing.
The principle of transparency, which applies alongside the principles of law and fairness in data processing, requires the data controller to be transparent towards the data subject.

Obtaining Explicit Consent of the Data Subject

To process personal data, the explicit consent of the data subject is required. This is regulated for personal data in general in Article 5/1 and for special categories of personal data in Article 6/2 of the KVKK. Article 8/1 of the law states that personal data cannot be transferred to third parties without the explicit consent of the data subject, and Article 9/1 states that personal data cannot be transferred abroad without explicit consent, except in the cases specified in that article. Since transferring personal data to another party or abroad is itself “processing” under the definition in Article 3/1(e) of the KVKK, it is fair to ask why the legislator enacted separate provisions for transfer. In the absence of consent, personal data can be processed only where the law so provides. Article 5/2 of the KVKK lists the conditions under which personal data may be processed without explicit consent: where processing is explicitly provided for by law; where it is necessary to protect the life or physical integrity of the data subject, or of another person, when the data subject is unable to give consent; where it is necessary for the conclusion or performance of a contract, provided it is directly related to the parties; where it is necessary for the data controller to comply with a legal obligation; where the data has been made public by the data subject; where it is necessary for the establishment, exercise, or protection of a right; and where it is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed. The conditions under which personal data may be processed without consent under EU law are set out in Article 6 of the GDPR. Although the two regimes are broadly similar, the GDPR contains no ground corresponding to data made public by the data subject, while it does include a ground for processing by public authorities in the public interest or in the exercise of official authority.

In Article 3/1(a) of the KVKK, the legislator defines explicit consent as “consent relating to a specific subject, based on information, and declared with free will.” The justification for the article states that “explicit consent is defined with Directive 95/46/EC in mind. Accordingly, explicit consent should be understood as a declaration of consent given by the data subject freely, with adequate knowledge of the matter, in an unequivocal manner, and limited to that processing.” Three elements follow from this definition: the specific subject for which personal data will be obtained must be determined before consent is sought, the data subject must be informed about it, and the consent must then be given on the basis of free will, without the data subject being misled or their will being impaired.

Article 4/11 of the GDPR defines the consent of the data subject as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” In the context of personal data protection, it is essential to examine the extent to which individuals can limit their right to respect for private life, which is one of the fundamental rights and freedoms that cannot be waived. Viewed from the perspective of human dignity, it is evident that individuals cannot completely waive these rights, since possessing them is a condition of being human. This raises the questions: “Are there personal data that cannot be processed even with the consent of the data subject?” and “Are there personal data whose processing would be unlawful even if the data subject consents?” Some personal data may be of such a nature that consent cannot legitimize their processing, because processing them would violate the right to respect for private life; ethical and legal standards protect such data even against the data subject’s explicit consent. Conversely, where other fundamental rights and freedoms of the person are at risk, it may become necessary to process personal data without consent. What criteria, then, should determine which types of personal data can be processed with consent and which cannot? Since fundamental rights and freedoms cannot be waived, and since the value of being human lies in having these rights, there must be an area in which these rights are protected regardless of consent, so that consent is not valid in that area, while personal data that do not fall within the core of fundamental rights and freedoms can be processed with consent.

Various opinions have been expressed in comparative law regarding the legal nature of consent: it has been characterized as a legal transaction, as a material act, or as an act akin to a legal transaction. If consent is a legal transaction, the rules on legal transactions apply, so that the consent can be invalidated retroactively in cases of deceit or fraud. A legal transaction, in general, aims to produce legal consequences on the basis of a declaration of intent. If explicit consent is instead a material act, the rules on legal transactions do not apply; the purpose of the consent is not to produce legal consequences, and a person who consents to an interference with their personality rights is, in that view, exercising control over a fundamental right. In acts akin to legal transactions, the will “is directed towards a factual result, yet the legal system links this expression of will to a legal consequence.”

It is accepted that the person giving consent must have the capacity to discern; for those under 18, consent is valid only if they possess that capacity. Article 8 of the GDPR provides that, where information society services are offered directly to a child, processing based on consent is lawful where the child is at least 16 years old (Member States may lower this limit to no less than 13). Consent must be obtained before processing begins; consent given after the fact does not legitimize processing that has already taken place. The first step of processing is the collection of the data. Article 10 of the KVKK stipulates that, under the obligation to inform, the data controller must provide information on the identity of the data controller and, if applicable, its representative; the purposes for which the personal data will be processed; to whom and for what purposes the processed data may be transferred; the method and legal basis of collection; and the data subject’s other rights listed in Article 11. It follows that consent should be obtained at the stage of collection, after the obligation to inform has been fulfilled.

The law contains no explicit provision on the form of consent. Since explicit consent legitimizes an interference with fundamental rights and freedoms, the burden of proving that consent exists should rest with the data controller, not the data subject. The data controller must record and be able to evidence when and how consent was obtained, what information was provided beforehand, and who obtained it. Recital 32 of the GDPR states that consent may be given by a written statement, including by electronic means, or by an oral statement. Online, the practice of obtaining consent through tick boxes when a user enters a website is common; silence, an unticked box, pre-ticked boxes, or inactivity do not constitute consent. A request for consent to use personal data in an electronic environment must be clear and plain.

The will must be free: the person must genuinely have a choice. Any undue pressure or influence that could affect that choice invalidates the consent; consent given under duress or threat is not free. The economic imbalance or relationship of dependency between the data controller and the data subject must therefore be examined. Article 7/4 of the GDPR states that, when assessing whether consent is freely given, utmost account must be taken of whether the performance of a contract, including the provision of a service, is made conditional on consent to the processing of personal data that is not necessary for the performance of that contract. It is also argued that where the data subject can obtain the service elsewhere and no monopoly exists, it cannot be claimed that consent to the processing was given under duress.

Another aspect of consent is granularity. The data controller may request separate consents for separate processing operations, but it cannot compel the data subject to give a single blanket consent covering the entire process; doing so would violate the prohibition on bundling consent. The data controller must monitor the processing continuously and renew consent whenever the situation requires it. Before obtaining consent, the data subject must be given detailed information about what processing will be performed on their personal data, how long it will last, and where the data will be used. If a text is used to inform the data subject, that text must be understandable; a legal text that cannot be understood by everyone does not serve the purpose of informing data subjects and renders the consent invalid. Article 7/2 of the GDPR stipulates that where consent is given in the context of a written declaration that also concerns other matters, the request for consent must be presented in a manner clearly distinguishable from those other matters, in an intelligible and easily accessible form, using clear and plain language; otherwise the consent is not valid. On September 21, 2012, the Hamburg Data Protection Commissioner issued an administrative order against Facebook concerning its friend-finding feature based on facial recognition. The terms and conditions that new users had to approve explicitly at registration included consent to the recognition of their face for the purpose of finding friends. The Commissioner held that a mere reference to standard terms and conditions does not amount to informed consent and decided that, if the order was not complied with within the specified period, Facebook’s biometric profile database should be deleted. Facebook reported that it had complied with the decision on February 7, 2013.[2]

Purpose Limitation

Article 4/2 of the Personal Data Protection Law (KVKK) states that personal data may only be processed for specific, explicit, and legitimate purposes, that processing must be relevant to, limited to, and proportionate to those purposes, and that personal data may be retained only for the period stipulated in the relevant legislation or required for the purpose for which it is processed. Personal data may therefore be processed only for a clearly defined and legitimate purpose, and once that purpose ceases to exist, further processing is not permitted. Both the duration of processing and retention and the scope of processing are determined by the specific, explicit, and legitimate purpose. Seen from this angle, the principle of purpose limitation determines which data will be collected, what operations may be performed on it, how long it will be retained, and under what conditions it may be stored: it confines every processing activity to what relates to the specified purpose. For example, a store cannot transfer personal data collected for the purpose of notifying customers about new products to other stores or companies, and must delete this data when it ceases operations. Article 10 of the KVKK, titled “Obligation of the Data Controller to Inform,” requires the data controller to state the purposes for which personal data will be processed, as well as to whom and for what purposes the processed data may be transferred. Read together, Articles 4 and 10 make clear that the data controller must provide information about the purpose before collection, which is the threshold of data processing. The stated purpose must be clear and legitimate; when it is sufficiently clear and specific, it also makes clear which data the data subject is consenting to have processed.

The purpose may consist of one or more objectives. The data controller must inform the data subject of the specific purpose or purposes before processing the data. Personal data may only be processed to achieve the purpose for which it was collected. If the data controller later changes the purpose, they must fulfill their obligation to inform by notifying the data subject of the new clear and specific purpose and must obtain the data subject’s consent. Otherwise, the limiting function of the purpose will not be fulfilled. If a new purpose arises later, the obligation to inform must be fulfilled, and as stated in the justification of the law, “to meet potential future needs, the processing must comply with one of the conditions for processing personal data outlined in Article 5.” Additionally, the processed data must be limited to what is necessary to achieve that purpose.

The purpose must be clear and specific. General statements like “for future use,” “for research purposes,” “for marketing,” etc., do not clarify the purpose adequately. In this context, the purpose must be concretely defined, avoiding vague and open-ended expressions. Another important aspect of the purpose is that it must be legitimate. The legitimacy of the purpose means that, according to the law’s justification, “the data processed by the controller must be related to the business or service provided and necessary for those purposes.” For instance, processing customer identity and contact information in a retail store is a legitimate purpose, while processing blood types would not be considered legitimate. To justify the collection of data, there must be a legal basis for the data processing activity. Situations that allow for data processing include the explicit consent of the data subject or circumstances specified in the law. In cases defined by the law where processing can occur without consent, the law has established the purpose, and personal data can be processed as long as it does not contradict that purpose. For data that can be processed with explicit consent, the purpose must also be legitimate. Consent cannot legitimize processing for illegitimate purposes, nor does simply obtaining consent make the purpose legitimate.

Article 16 of KVKK states that “natural and legal persons processing personal data must register with the Data Controllers Registry before starting data processing.” When applying for registration, they must notify the registry of the purposes for which personal data will be processed and the maximum duration for which the data will be retained. This regulation indicates that data controllers cannot process personal data beyond the stated purposes and can only retain it for the period they have disclosed. The justification of Article 16 specifies that “personal data must be retained only for the duration necessary for the purposes foreseen in the relevant legislation.” Therefore, data controllers must comply with any retention periods stipulated in the law; otherwise, they may only retain the data as long as necessary for the purposes for which it was processed. If there is no valid reason for retaining the data longer, it must be deleted or anonymized. Storing data based on the possibility of future use would be contrary to this principle. Processing personal data beyond its intended purpose could harm an individual’s material and moral integrity, their right to develop their personality, and the fundamental values of individual autonomy in contemporary democratic societies.[3]

Proportionality

The principle of proportionality requires that only the minimum amount of personal data necessary for the specified purpose be collected, that the least intrusive methods of processing be chosen, and that the methods and precautions that best protect the privacy, private life, and autonomy of the data subject be applied. The principles of purpose limitation and proportionality complement each other. When collecting and processing data for a specific purpose, rather than collecting all data that could serve that purpose, only the minimum necessary data should be collected. For example, to send a notification, a single contact detail, such as a phone number or an email address, should be recorded rather than several. Similarly, during a criminal investigation conducted by telephone interception, only the data of individuals connected to the offence should be collected, and data of unrelated persons should not be.

In each specific case, it should be assessed whether the chosen method of processing is suitable for achieving the goal and whether it requires the least amount of data. For instance, a camera installed outside a store may serve the purpose of preventing theft by monitoring the entrance and its immediate surroundings; a camera capturing a wider area could also meet this purpose, but it may not be considered proportionate. A system that records and recognizes fingerprints for entry and exit control and a system that reads identity cards both serve the same purpose, but an employee who refuses to provide their fingerprint may have a justified objection within the framework of the principle of proportionality, since the identity card system achieves the purpose with less intrusive data.

Accuracy and Currency of Data

Article 4/2(b) of the KVKK states that personal data must be accurate and, where necessary, up to date. This is paralleled by Article 4/1(ç) of the Personal Data Protection Authority’s regulation, which likewise requires that data be accurate and updated as necessary. Every personal data processing activity has a specific, explicit, and legitimate purpose, and that purpose can only be achieved with accurate and up-to-date data. Inaccurate or outdated data may prevent the data controller from achieving its objectives and can harm the material and moral personality, the fundamental rights and freedoms, and sometimes even the economic interests of the data subject. In Rotaru v. Romania, the European Court of Human Rights held that holding incorrect information about an individual for over fifty years harmed his reputation and violated Article 8 of the Convention.[4] The principle of accuracy is closely linked to the right of access to personal data: where personal data cannot be accessed, it cannot be known whether the data is accurate or up to date. The right to learn whether one’s personal data is being processed, in Article 11/1(a) of the KVKK, is therefore significant, and the data subject has the right to request the correction of incomplete or inaccurate data under Article 11/1(d).

Maintaining the accuracy and currency of personal data is a responsibility of the data controller and cannot be transferred. However, it would be unreasonable to interpret this principle as requiring data controllers to investigate continuously and on their own initiative every change in an individual’s circumstances; it must also be accepted that the individual should inform the data controller when their personal information changes. Article 6/1(d) of the European Union Data Protection Directive (95/46/EC) states that personal data must be “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified.” The Directive attached no sanction to a breach of this provision, and Germany did not transpose it into its Data Protection Law, whereas Austria and Switzerland did incorporate it into their respective laws. The Court of Justice of the European Union emphasized the importance of data accuracy in the Google Spain case (C-131/12), indicating that it would accept no justification for inaccurate data and referring to Article 6 of the Directive: even if a piece of data was originally published lawfully (in that case, as a newspaper article), its continued dissemination can become unlawful over time as the data ceases to be relevant, and search engine operators are then obliged to remove links to web pages containing such data from their search results. The first regulation on data accuracy dates back to the Privacy Act enacted in the United States in 1974; the Data Quality Act, which came into effect in the U.S. in 2001, incorporated the same principle, treating accuracy, currency, and completeness in data processing as necessary for justice. In the transition from the Directive to the GDPR, sanctions were introduced for non-compliance with this rule. Article 5/1(d) of the GDPR reproduces Article 6/1(d) of the Directive almost verbatim, but Article 83/5 of the GDPR now provides for administrative fines for violations of the obligations in Article 5/1(d).[5]


[1] Çekin, p. 45.

[2] Ayazgör, p. 126.

[3] Küzeci, p. 215.

[4] Akgül, p. 139.

[5] Hoeren, Thomas (2018). Big Data and Data Quality. In: Hoeren, T., Kolany-Raiser, B. (eds) Big Data in Context. SpringerBriefs in Law. Springer, Cham.

Av. Yalçın Torun


WARNING

The written text published on our website is owned by Attorney Yalçın TORUN. This written text is preserved with a time-stamped electronic signature for the purpose of verifying ownership rights. The written texts on our site can be freely used by our lawyer colleagues in their petitions; however, we do not permit the publication of the entire text, a portion of it, or a summary on other websites without citation.
