PRINCIPLES GOVERNING THE PROCESSING OF PERSONAL DATA

Processing Data in Accordance with the Law and the Principle of Fairness

Article 6(1)(a) of the EU Data Protection Directive stipulates that processing must be lawful and fair, while Article 5(1)(a) of the EU General Data Protection Regulation (GDPR) requires that processing be lawful, fair, and transparent. In Turkey, Article 4(2)(a) of the Turkish Personal Data Protection Law (TPDPL) also states that processing must be lawful and fair.

What is meant by the lawful and fair processing of personal data? To understand this, we must first examine the provisions of Articles 13 and 20 of the Turkish Constitution. Article 20 of the Constitution, titled “Privacy of Private Life,” states:
“Everyone has the right to request respect for their private and family life. The privacy of private and family life shall not be violated. Everyone has the right to request the protection of their personal data. This right includes the right to be informed about the personal data concerning them, to access these data, to request their correction or deletion, and to learn whether they are being used for their intended purposes. Personal data can only be processed in cases foreseen by law or with the explicit consent of the individual. The principles and procedures concerning the protection of personal data are regulated by law.”
This provision explicitly states that personal data can only be processed either in cases explicitly foreseen by law or with the explicit consent of the individual.

In Article 13 of the Constitution:
“Fundamental rights and freedoms may only be restricted by law and for reasons set forth in the relevant provisions of the Constitution. Such restrictions must not be contrary to the letter and spirit of the Constitution, the requirements of a democratic society, or the principles of a secular Republic, and must be proportional.”
This provision clarifies that the right to request respect for one’s private life can only be restricted by law, and such restrictions must not be contrary to the democratic order or the principles of a secular Republic.

Based on these constitutional provisions, it can be understood that personal data can only be processed with the explicit consent of the individual or where the law explicitly permits such processing. Article 5 of the TPDPL states that personal data may be processed in cases explicitly foreseen by law or for other reasons specified in that article. Furthermore, Article 4 of the TPDPL provides:
“Personal data may only be processed in accordance with the procedures and principles specified in this Law and other relevant laws.”

When considering all the above regulations, it can be concluded that for personal data to be processed lawfully, either the explicit consent of the data subject must be obtained, or the law must explicitly permit the processing of that data. In cases where there is no explicit consent, personal data can only be processed if the law expressly allows for it or specifies that such processing is allowed. It is also important to note that personal data must be processed in accordance with the procedures and principles outlined in the TPDPL and other relevant laws.

What does it mean for personal data to be processed in accordance with the principle of fairness?
The principle of fairness is not applied in isolation; it must be considered in conjunction with the lawful processing principle. Moreover, the GDPR requires that personal data be processed in a lawful, fair, and transparent manner. Therefore, the principle of fairness in data processing is not an independent principle but one that must be applied together with the principle of lawfulness. This principle implies that the rights granted by law should not be abused during the processing of personal data.

The principle of fairness is expressed in Article 2 of the Turkish Civil Code: “The law does not protect the misuse of a right.” This clearly indicates that when personal data is processed based on explicit legal provisions or the explicit consent of the data subject, the question to be asked is not “Is there a need to process the personal data?” but rather “Is the method of processing the data the most appropriate, in accordance with the law, and with the least intrusion into the privacy of the data subject?”

In cases where personal data processing is allowed by law or based on the data subject’s explicit consent, the principle of fairness requires that the data controller takes into account the “legitimate expectations” and “legitimate interests” of the individual, and balances these with any conflicting interests of the data controller. This ensures that personal data processing respects both the legal framework and fairness principles.

The principle of processing personal data in accordance with the law and the principle of fairness should be evaluated together with the “transparency” principle. The data subject is the person best placed to supervise whether their personal data is processed lawfully and fairly. Where personal data is processed in accordance with the law and the principle of fairness, the legitimate interests and rights of the data subject will not be harmed. To supervise whether those interests and rights are harmed, the data subject must be able to see and verify which personal data is being processed, whether the data is accurate, and the procedures and principles under which it is being processed.

Article 11 of the Law on the Protection of Personal Data (TPDPL) sets out the rights of the data subject in a manner that lists them individually. The data subject has the right to learn whether their personal data is being processed, to request information about the processing of their personal data if it has been processed, to learn the purpose of processing their personal data and whether it is being used in accordance with that purpose, to know the third parties to whom their personal data has been transferred, both domestically and internationally, to request the correction of their personal data if it has been processed incorrectly or incompletely, to request the deletion or destruction of their personal data, to request that the third parties to whom their personal data has been transferred be notified of any corrections, deletions, or destructions, to object to any result that is reached exclusively through automated processing of their data which negatively impacts them, and to request compensation for any damage suffered due to the unlawful processing of their personal data.

These rights granted to the data subject enable them to detect personal data processing that is contrary to the law and the principle of fairness, thereby preventing further unlawful processing and allowing them to request the rectification of any damage caused. This ensures the implementation of the principle of processing personal data in accordance with the law and the principle of fairness. The principle of transparency, which must be applied alongside the principle of lawful and fair processing, only requires the data controller to be transparent towards the data subject.

Obtaining the Data Subject’s Explicit Consent

In order for personal data to be processed, the explicit consent of the data subject is required. This is explicitly regulated in Article 5/1 for general personal data and in Article 6/2 for special categories of personal data under the Law on the Protection of Personal Data (TPDPL). According to Article 8/1, personal data cannot be transferred without the explicit consent of the data subject, and Article 9/1 establishes that, except for the exceptions stated in the article, personal data cannot be transferred abroad without the explicit consent of the data subject. However, since the action of transferring personal data to another party or abroad is considered part of the processing of personal data as defined in Article 3/1(e) of TPDPL, this raises the question of why the legislator has made such a regulation. In the absence of explicit consent, personal data can only be processed if explicitly provided for by law.

Article 5/2 of the TPDPL further specifies that, in certain circumstances, personal data can be processed without the explicit consent of the data subject. These circumstances include the protection of the life or physical integrity of the data subject or another person, the necessity of processing for the establishment of a contract, the obligation of the data controller to perform a legal obligation, the necessity for the establishment, exercise, or protection of a legal right, and when processing is necessary for the legitimate interests of the data controller, provided it does not harm the fundamental rights and freedoms of the data subject. The regulation regarding the conditions under which personal data can be processed without consent is also outlined in Article 6 of the General Data Protection Regulation (GDPR). While the regulation is broadly similar, it should be noted that the GDPR does not include a provision regarding the processing of personal data when made public by the data controller, nor does it include provisions regarding processing for the public interest by public authorities, which is present in the TPDPL.

In Article 3/1(a) of TPDPL, the legislator defines explicit consent as follows: “Explicit consent refers to the consent expressed with sufficient information on a specific issue, voluntarily and clearly, and limited to that specific process.” The rationale behind the provision states that “Explicit consent is defined taking into account Directive 95/46 EC. According to this, explicit consent must be understood as the statement of consent given freely, with sufficient knowledge of the subject, in a manner that leaves no doubt, and limited only to that particular processing activity.” From the definition, it is clear that prior information must be provided on a specific matter, and the consent must be freely given based on this information. It is understood that before obtaining explicit consent, the specific subject matter of the personal data being processed must be identified, the data subject must be informed, and the consent must be given freely, without any misleading or manipulation, and with the data subject’s genuine will.

In Article 4(11) of the GDPR (ABGVKT), the consent of the data subject is defined as a statement or confirmatory action given freely, indicating that the data subject has been informed about the processing of the personal data relating to them, and that this statement or action is made with their explicit will regarding a specific matter.

In the context of personal data protection, it is necessary to examine to what extent individuals, with their free will, can limit or waive their right to respect for private life, which is among the fundamental rights and freedoms that cannot be renounced, and whether there is a domain in which they cannot limit or waive this right.

When we approach human rights from the perspective of the value of human capabilities and human dignity, it becomes evident that individuals cannot completely renounce these capabilities, as it is a necessary consequence of our humanity that we must possess these rights. In this regard, the question arises: ‘Are there personal data that cannot be processed even with the consent of the data subject, as individuals do not have the right to dispose of them?’ Additionally, ‘Are there types of personal data whose processing, even with the consent of the data subject, would not be legally compliant?’ Another question that arises from a different perspective is: ‘Which types of personal data may lead to a violation of the right to respect for private life if processed with consent?’ Furthermore, ‘In cases where personal data can be processed without consent according to the law, can there still be situations where the right to respect for private life would be violated?’

Personal data falling within the scope of the right to respect for private life, which is a fundamental human right, may include types of personal data that cannot be processed even with consent. The legal and moral order will not protect the processing of these types of personal data, even with explicit consent. Sometimes, even in the absence of consent, when an individual’s other fundamental rights and freedoms are at risk, there may be a necessity to process personal data without consent. This raises the question: ‘What criteria should determine which types of personal data can be processed with explicit consent and which cannot?’

On the other hand, considering that we cannot renounce our fundamental rights and freedoms and that the value of being human is based on the possession of these rights, it becomes clear that a specific area should be established where protection will be ensured without the need for consent. In this domain, consent would not be valid, yet consent may be given for the processing of certain personal data that do not fall under fundamental human rights and freedoms.

Various views have been presented in comparative law regarding the legal nature of consent. These views include the opinions that consent is a ‘legal act,’ a ‘material act,’ or an ‘act similar to a legal act.’ If consent is considered a legal act, the regulations regarding legal acts will apply, and thus, in cases of deception or fraud, such a legal act can be retroactively nullified. In general, a legal act refers to a declaration of will or wills aimed at producing legal effects, where the legal order carries out the legal consequence in accordance with the declared will. If consent is accepted as a material act, the regulations related to legal acts will not apply. In this case, the purpose of consent is not to produce legal effects in the legal realm. The individual who consents to an intervention in their personality right is, in this context, exercising control over a fundamental right. In acts similar to legal acts, the will is directly directed towards a factual result, but the legal order attaches a legal consequence to the expression of this will.

It is generally accepted that the person giving consent must have the capacity to distinguish (the capacity to act with discernment), and consent given by a minor under 18 years of age will be valid if the minor possesses this capacity. Article 8 of the GDPR states that consent given by children who are 16 years old or older will legitimize data processing activities. Consent must be given before the data is processed; consent given after the processing of data does not legitimize the action. The first step in the data processing phase is obtaining the data. Under Article 10 of the TPDPL, data controllers are required to provide information to data subjects regarding the identity of the data controller and, if applicable, their representative, the purposes for which personal data will be processed, the recipients of the processed data and the purposes of data transfer, the method and legal grounds for data collection, and the other rights of the data subjects. Therefore, it is clear that consent must be obtained after the obligation to inform has been fulfilled during the data collection phase.

There is no clear regulation in the law regarding the form of consent. Given that explicit consent legitimizes an intervention in fundamental rights and freedoms, it is clear that the burden of proof for the existence of consent should fall on the data controller, not the data subject. The time and manner of consent, the type of information provided prior to consent, and who obtained the consent should be recorded and proven by the data controller. The rationale of the GDPR mentions that consent can be given in written, oral, or electronic form. In particular, the practice of ticking boxes on websites as a form of consent in the electronic environment is widespread. Silence, failure to untick boxes, or pre-ticked boxes will not be considered as consent. Requests for consent to use personal data in the electronic environment must be clear and simple.

The free nature of the will is a critical element; the individual must genuinely have the right to choose. Any improper pressure or influence that could affect the outcome of this choice invalidates the consent. If consent is given under duress or threat, it cannot be considered an expression of free will. This context requires an examination of any economic imbalance or dependency relationship between the data controller and the data subject. Article 7(4) of the GDPR stipulates that if the processing of personal data is made a condition for providing a service under a contract, and sharing the personal data is not necessary for the performance of the service, the consent is not considered to be freely given. In cases where the data subject can obtain the service from another provider and a monopoly is not created, it can be argued that consent to the processing of personal data is not freely given.

Another aspect related to consent is the situation where a single consent is requested for multiple processing activities. While the data controller may request separate consents for different processes, it should not force the data subject to provide blanket consent for the entire process. In such cases, this may constitute a violation of the prohibition on bundling. The data controller should continuously monitor the process while processing the data and, if necessary, renew consent for each specific situation.

Before obtaining consent, in order for the consent to be valid, detailed information must be provided to the data subject regarding the content of the processing activity, the duration of the processing, and where the personal data will be used. If a text is used to inform the data subject, it must be clear and understandable. A legal text that cannot be understood by everyone would not serve the purpose of informing the data subject, and therefore, the consent given based on such a text would clearly be invalid.

Article 7(2) of the GDPR stipulates that where a written declaration covering other matters is used, the consent required for processing personal data must be requested separately from the other matters, in a clear, easily accessible, and simple language. Otherwise, the consent will not be valid.

On September 21, 2012, the Hamburg Data Protection Commission issued an administrative decision against Facebook regarding its facial recognition-based friend-finding system. In the terms and conditions, which new users had to explicitly approve during subscription, Facebook included a provision for consent to the recognition of faces for the purpose of finding friends. The Hamburg Data Protection Commission held that referring to this in the standard terms and conditions would not be considered as valid informed consent. The Commission decided that if the administrative decision was not complied with within the given time, Facebook would be required to delete its biometric profile database. Facebook reported that it had complied with the decision on February 7, 2013.

Purpose Limitation

Article 4/2 of the Turkish Personal Data Protection Law (TPDPL) states that personal data may only be processed for specific, explicit, and legitimate purposes, and that processing should be limited and proportional to these purposes. It also emphasizes that personal data will be kept only for as long as necessary to achieve the intended purpose. This provision establishes that personal data can only be processed for a specific, legitimate, and clearly defined purpose, and that the processing must be limited to what is necessary to achieve that purpose. Once the purpose is fulfilled, the data must no longer be processed, although it may be stored for the duration necessary to achieve the purpose.

The period of processing and retention of personal data is determined by the clearly defined, legitimate purpose. The scope within which personal data can be processed is also determined by this clear and legitimate purpose. From a different perspective, the principle of purpose limitation determines which data will be collected, what actions will be taken on the data, how long the data will be kept, and where it will be stored. This principle imposes limitations on data processing activities, linking them directly to the purpose. An example of this principle would be a store collecting personal data to notify customers when new products arrive, but not being allowed to transfer this data to other stores or companies, and being required to delete it once the activity has ceased.

Article 10 of the TPDPL, titled “Obligation to Inform the Data Subject,” outlines the data controller’s obligation to inform the data subject regarding the purpose of processing the personal data, as well as who the data may be shared with and for what purpose. When Articles 4 and 10 are considered together, it is clear that the data controller is required to inform the data subject of the purpose of processing before the data collection stage, ensuring that the purpose is specific, clear, and legitimate. Once the purpose is sufficiently clear and explicit, the data subject will understand which data they are consenting to have processed.

A purpose may involve one or more objectives. The data controller must inform the data subject about the specific purpose(s) before processing begins. Personal data may only be processed to fulfill the purpose for which it was originally collected. If the purpose changes later, the data controller must fulfill the obligation to inform the data subject by clearly stating the new and legitimate purpose. After providing this information, the data controller must seek the data subject’s consent again. Otherwise, the limitation imposed by the principle of purpose limitation will be violated.

In cases where a new purpose arises later, the obligation to inform the data subject must be fulfilled once again. The justification of the law states that “in order to process personal data for potential future needs, one of the conditions for processing, as regulated in Article 5, must be met, as if processing is starting for the first time.” It further specifies that the data processed must be limited to what is necessary to achieve the specific purpose.

The purpose of data processing must be clear and specific. Vague terms such as “for future use,” “when necessary,” “for research purposes,” or “for marketing and advertising purposes” do not make the purpose clear and specific. Therefore, the purpose should be concretely stated, avoiding ambiguous or open-ended expressions.

Another aspect related to the purpose is that the purpose must be legitimate. The legitimacy of the purpose means that “the data processed by the data controller must be related to the work performed or the service provided and must be necessary for these purposes,” as stated in the justification of the law. For example, the processing of customers’ identity and contact information by a ready-to-wear store is within the scope of legitimate purposes, while processing their blood types would not be considered a legitimate purpose. The processing of personal data must have a legal basis that justifies the data processing action. The situations that allow data processing are either the explicit consent of the data subject or the circumstances specified in the law. In situations where personal data can be processed without the need for explicit consent, the purpose is determined by law, and in these cases, personal data may be processed as long as it does not contradict the purpose specified by the law. For data that can be processed with explicit consent, the purpose of processing personal data must also be legitimate. For purposes that are not legitimate, explicit consent cannot be obtained, and merely obtaining consent will not make the purpose legitimate.

Article 16 of the Turkish Personal Data Protection Law (TPDPL) states that “natural and legal persons who process personal data are required to register with the Data Controllers’ Registry before starting to process data. In the registration application, they must notify the data subjects about the purposes for which personal data will be processed and the maximum period necessary for processing the data for those purposes.” From this provision, it can be understood that data controllers cannot process personal data beyond the purpose they have notified and can only retain the data for the period they have stated. The justification of Article 16 of the law states: “Personal data must only be retained for as long as is required by the relevant legislation or the purpose for which they are processed. If the law specifies a retention period, data controllers must comply with it; if there is no retention period specified by the law, the data must be kept only for the time necessary for the purpose for which they are processed. If there is no valid reason to keep the data for a longer period, it will be deleted or anonymized. Data cannot be stored based on the mere possibility of future use.”

Storing personal data without anonymization, based on the thought that it may be needed one day, would constitute a violation of the purpose. Processing personal data outside of the purpose could harm an individual’s material and spiritual integrity, their right to develop their personality, individual autonomy, and other fundamental values of a modern democratic society.

Proportionality

The principle of proportionality requires that the least amount of personal data be collected for the purpose that justifies the data collection, the method that processes the least amount of data is chosen for processing, and methods and techniques that maximize the protection of the privacy, personal life, and autonomy of the data subject are selected, and necessary precautions are taken. The principles of being “purpose-oriented” and “proportional” complement each other. In data collection and processing for a specific purpose, instead of collecting all the data that could fulfill the purpose, only the minimum necessary data should be collected. For example, to make a notification, instead of collecting a home phone number, mobile phone number, email address, and other address information, only one address, where the notification can be made, may be sufficient. Similarly, when monitoring criminals through wiretapping, data on persons who are not connected to the crime or the criminal should not be collected.

In each specific case, the method chosen for processing the data should be assessed to see if it serves the purpose effectively and whether it is the least data-intensive method. For example, a camera placed outside a store to prevent theft could serve the purpose if it only shows the front of the store; if it covers a much wider area than the store’s front, it may still serve the purpose, but it may not be considered a proportional method. Similarly, if a biometric fingerprint system or an identity card reading system is used to monitor entrances and exits at a workplace, both would serve the same purpose. A request from an employee who does not want to provide a fingerprint may be justified under the principle of proportionality.

Data Accuracy and Currency

Article 4(b) of the TPDPL stipulates that “personal data must be accurate and, when necessary, kept up to date” and requires compliance with this principle. The regulation in Article 4(b) of the TPDPL is parallel to the provision in Article 4/1(c) of the EHSKVİY, which also emphasizes that personal data must be accurate and updated when necessary. Every personal data processing activity must have a specific, clear, and legitimate purpose. Achieving this purpose is only possible with accurate and up-to-date data. Failure to keep the data accurate and up-to-date may prevent the data controller from achieving the intended purpose and may also harm the data subject’s material and moral personality, fundamental rights and freedoms, and sometimes even their economic interests.

In the case of Rotaru v. Romania (European Court of Human Rights), the applicant, who was an attorney and convicted for writing two letters during his student years, challenged the inaccurate retention of personal data for over fifty years. The European Court of Human Rights ruled that the incorrect retention of this information violated Article 8 of the European Convention on Human Rights, as it damaged the applicant’s reputation.

The principle of data accuracy is closely related to the right of access to personal data. When personal data is not accessible, it will not be possible to determine whether the data is accurate and up-to-date. For this reason, the right to learn whether personal data is being processed, as stated in Article 11/1(a) of the Turkish Personal Data Protection Law (TPDPL), becomes important. The data subject, who is responsible for verifying whether their personal data is accurate and up-to-date, has the right to request correction of the data if they find that the data is inaccurate or outdated, using the right provided under Article 11/1(ç) of the Law. According to Article 11/1(ç), the data subject has the right to apply to the data controller and request the correction of personal data if it is found to be incomplete or incorrectly processed.

The principle of keeping personal data accurate and up to date is an obligation of the data controller and is non-transferable. However, it is not reasonable to interpret this principle as requiring data controllers to constantly and actively investigate the new circumstances individuals find themselves in to determine the accuracy and currency of the data. In such cases, it should also be acknowledged that the individual must inform the data controller whenever there is a change in their personal data.

Article 6(d) of the European Union Data Protection Directive states that “personal data must be kept accurate and, where necessary, up to date; every reasonable step must be taken to ensure that inaccurate or incomplete data is erased or corrected, irrespective of the purposes for which it was collected or processed.” However, there is no specific sanction in the directive for actions contrary to this provision. Notably, Germany did not include this provision in its Data Protection Law. In contrast, Austria and Switzerland incorporated this regulation into their own data protection laws.

The Court of Justice of the European Union (CJEU) addressed the issue of data accuracy in the “Google Judgment”, emphasizing the characteristics of data and stating that no justification for data inaccuracies would be accepted, citing Article 6 of the Data Protection Directive. In this case, the CJEU ruled that even if accurate data has been legally published (such as in a newspaper article), over time, its dissemination could become unlawful if it loses its relevance or accuracy. This ruling formed the basis for the “right to be forgotten” and imposed the obligation on search engine operators to remove links to websites containing outdated or irrelevant data from search results.

The first legal framework on data accuracy came from the U.S. Privacy Act of 1974. A similar principle is found in the 2001 U.S. Data Quality Act, which asserts that data accuracy, timeliness, and completeness are necessary for fairness. While transitioning from the Data Quality Directive (DQD) to the General Data Protection Regulation (GDPR), non-compliance with this rule was met with sanctions, including fines.

The regulation in Article 5(1)(d) of the GDPR is almost identical to the one in Article 6(d) of the Directive, and in Article 83(5), a monetary penalty is specifically prescribed for violations of the obligations under Article 5(1)(d).

Av. Yalçın TORUN

The copyright in the above written text published on our website belongs to Av. Yalçın TORUN. This written text is preserved with a time-stamped electronic signature for the purpose of establishing ownership of rights. The written texts on our site may be freely used by our fellow lawyers in their petitions, but we do not permit the publication of all, part, or a summary of these texts on other websites without attribution.