Personal Data Protection Code Enacted Following a Massive Leak

Personal Data Protection Code Enacted Following a Massive Leak

In the year 2010, personal data of about 50 million Turkish Citizens, who were at the age of voting and candidacy have been leaked and made available to the whole world. Hard to believe but unfortunately true. Accesing this list is as easy as entering the site and filling out the name, surname data and then a whole bunch of detailed information including ID numbers, parental names, place and date of birth, provincial registers and place of residence appear before your eyes.

It took six years and two days for the state to take any measure addressing the leak: The Presidency of Telecommunication and Communication blocked access to the said site. Thus now we cannot access our own data in Turkey but everyone else in the world can! Elsewhere I had touched upon the rather ludicrous nature of Turkish personal data protection regulations as reminiscent of a famous Nasreddin Hodja joke. A truly tragic situation.

Against such background came into force the Code number 6698 on the Protection of Personal Data. It’s drafting has a history of 35 years with numerous  instances of obsoletions and ammendments along the way- calling this process simply “delayed” would be at best an euphemism. Even in the Code’s preamble, legislators conceded as such: “without regulation and supervision, personal data are susceptible to use by many individuals and institutions- a fact which causes rights violations...” Again, it was admitted in the same Preamble that lack of legislation on the issue had precluded any possibility of cooperation with EUROPOL and EUROJUST in the context of transboundary criminal matters.

Whereas the recent Code defines “any information relating to an identified or identifiable natural person ” as personal data,  “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, storage, alteration, rearrangement,  disclosure, transmission, making available, classification, blocking” qualifies as data processing.

In such regard, it envisages the establishment of the Personal Data Protection Authority (KVKK) and its decision making organ; the Data Protection Board. Formulated as a public institution affiliated with the Office of the Prime Minister, it is bestowed with seperate legal personality as well as administrative and fiscal autonomy. Authority and the Board are thus formulated as the major responsible and determinant organs on the protection of personal data.

Board members’ election procedure, which will take place within six months of the Code’s adoption, has a rather majoritarian tone, especially in terms of Board composition. Out of a total number of nine members, five are to be appointed by the Grand National Assembly, two by the President of Republic and two by the Executive. The Board will then hold internal elections for the seats of presidency and second-presidency.

One of the novel concepts introduced by the Code strikes the eye as the “Data Controller”, referring to a natural or legal person who determines the purpose and manner of data processing as well as being responsible with the establishment and supervision of data recording systems. It is thus apparent that corporations, associations, foundations and the like can be “data controllers” alongside individuals. Whereas every request related with the implementation of the Code shall be first directed towards the Data Controller, the Code recognizes a right to lodge complaints with the Data Protection Board in cases of rejection or insufficient answer to such request by the Controller.
In its present form, the Code entails general exceptions, allows processing of even sensitive data and under certain conditions transfer of data abroad. Given such ambiguities we can expect that many details about the Code will be clarified through practice and jurisprudence.

Time limits for the adoption of complementary regulations and activation of the Board together with the Authority are one year and six months respectively, starting from the Code ‘s publication date (07.04.2016). Similarly, enactment of certain important provisions of the Code are postponed to the completion of the same six months duration. Against this background, it would be adequate to predict that the implementation of the Code will materialize in the coming one year period.

Given the large extent of changes it introduces, both in terms of individual and institutional practice, discussions around the recent Personal Data Protection Code are likely to gain pace. In our day, when internet based services have become so intrinsic to our daily lives, the dilemma of protecting human rights on one hand and economic considerations on the other will be even more pervasive… (Translated by Gizem Koç)