THE CONCEPT OF PROCESSING PERSONAL DATA

The concept of processing personal data is defined in the European Union directive (EU 95/46/EC) in ‘2/b’ as “any operation or set of operations performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; classification, storage, use, retrieval, distribution, erasure, destruction, collection, etc.”

In the General Data Protection Regulation (GDPR), it is defined in Article 4/2 as “any operation or set of operations performed upon personal data or a set of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; classification, storage, use, retrieval, distribution, restriction, erasure, destruction, collection, etc.” It appears that there is no fundamental difference between the definitions in the directive and the regulation, with only a few word changes that do not affect the essence of the regulation.

The concept of processing personal data is also explained in the Personal Data Protection Law (KVKK) in Article 3/E. The law states, “Processing of personal data: It refers to any operation performed on personal data, fully or partially by automatic means or as part of a data recording system, including collection, recording, storage, preservation, modification, restructuring, disclosure, transmission, acquisition, making available, classification, or preventing its use.”

In the legal definitions related to the processing of personal data, it is noted that the actions to be performed on personal data are determined by enumeration, but it is also regulated that similar activities to those listed will be considered within the scope of data processing. Similarly, the methods used for data processing are not limited. Data can be processed by computer and similar automated systems, as well as by individuals without automated systems, and actions like those listed will still result in the processing of personal data. For example, merely negotiating on personal data without recording it will also imply that the data has been processed.

The collection of personal data is one of the actions considered as data processing. How personal data is collected and for what purpose is not significant. Activities such as taking photographs of individuals through surveillance, recording a person’s GPS coordinates, or listening to phone calls to capture personal data fall within the scope of personal data processing. The action of recording collected personal data onto CDs, MP3s, DVDs, USB drives, etc., constitutes a separate processing method outside of mere collection. The preservation of recorded personal data is another distinct processing method. Actions like copying personal data, organizing image files, audio files, etc., are also separate processing methods. Modifying personal data is another separate processing method. The deletion and destruction of personal data that has been collected, stored, preserved, and subsequently grouped or altered is also a separate processing method. The transfer of personal data between individuals will also be considered data processing. Both the transferor and the transferee will be deemed to have processed the data. Especially in the context of data mining and big data, acquiring numerous data from different sources, classifying these data, analyzing and combining them to arrive at new conclusions will also be considered actions within the scope of data processing. The actions listed above do not exhaustively describe all actions related to data processing. In a broader sense, any operation or action performed on personal data will imply data processing. The law does not provide a consumer-style definition for the actions and operations referred to by the word “like.”

The concept of processing personal data has also been a subject of decisions by the European Court of Justice. In particular, uploading personal data to websites has been defined as processing personal data. Regardless of whether the data are personal data, systematic scanning of data on the internet by search engines and presenting them in lists has been characterized as the collection, recording, classification, disclosure, and making personal data available, thus constituting personal data processing. The fact that data has been made public in other channels beforehand does not bear any significance concerning the existence of data processing activities.[1]

[1] Mesut Serdar SEÇKİN, Avrupa Birliği Hukukuyla Mukayeseli Olarak 6698 sayılı Kişisel Verilerin Korunması Kanunu, Onikilevha,2018, p.40.

Av.Yalçın TORUN

WARNING

The written text published on our website above is owned by Attorney Yalçın TORUN. This written text is preserved with a time-stamped electronic signature for the purpose of verifying ownership rights. Written texts on our site may be freely used by our lawyer colleagues in their petitions; however, we do not permit the publication of the entire text, any part of it, or a summary on other websites without proper attribution.