Personal Data Processing & LPDP
The legal landscape surrounding digital data has been steadily changing and evolving over the years. The overall pace of this change increased with Europe’s implementation of the GDPR, which pushed other countries to adapt to this new set of rules and regulations. To keep up with the international legislative changes, Turkey also enacted the Law on Personal Data Protection No. 6698 (‘the LPDP’) and imposed new rules and obligations (similar to Directive 95/46/EC) for personal data processing in Turkey. (Please refer to our previous article “Personal Data Protection in Turkey” for an overview of LPDP provisions).
The implementation of the LPDP also meant additional compliance requirements and liabilities for businesses that control and/or otherwise process personal data. However, attaining full compliance with the LPDP and the Data Protection Authority’s (DPA) decisions is no easy task, as businesses are required to implement various measures, from drafting new documents relating to personal data processing to the additional administrative and technical measures outlined by the DPA. To have a better understanding of the LPDP and its potential liabilities, please refer to our previous article “Data Protection in Turkey”.
Although it may seem complex, one of the most important steps in attaining full compliance with the LPDP is to fully understand when and where businesses, data controllers, and data processors can lawfully conduct personal data processing activities. Accordingly, Article 5 of the LPDP outlines 8 principles (also known as general conditions) for lawful data processing:
General Conditions for Lawful Personal Data Processing
As illustrated in the above graphic, the LPDP allows for the processing of personal data if: (i) the data owner gives explicit consent, (ii) the processing is clearly provided for within the legislation, (iii) it is necessary to protect the legitimate interests of the data controller, (iv) it is mandatory for the establishment, exercise or protection of a right, (v) the data has been disclosed to the public by the relevant data owner, (vi) it is relevant for the signing, performance, and conclusion of a contract, (vii) it is necessary for the protection of the life and/or physical integrity of the data owner, in situations where it is not possible to obtain explicit consent, or (viii) it is mandatory for the data controller to perform its legal obligations.
The main reason for the LPDP providing numerous legal bases for data processing is to prevent these personal data protection rules from hindering day-to-day B2C commercial activities. In particular, the bases concerning legitimate interest, the exercise of a right, and the performance of a contract are specifically designed to enable data controllers/processors to process the customer data required for the performance of the specific contract signed between them.
However, this does not mean that data controllers/processors can process any data they like without performing the necessary checks and reviews, as certain conditions noted above are mutually exclusive: one legal basis cannot be relied upon if another legal basis is applicable to that specific personal data processing.
Accordingly, one of the main issues to note here is that if the legality of the data processing is not based on explicit consent but is rather based on one of the remaining 7 conditions noted above, data controllers should refrain from obtaining additional consent.
Issues With Obtaining Guarantee Consents
One of the most common mistakes data controllers and processors make is that they try to obtain consent from the relevant data owners, even when one or more of the other data processing conditions are met. Obtaining separate consent from a customer for personal data that is required to execute a contract is a good example here.
These are called “Guarantee Consents”, as they are generally obtained because data controllers want to guarantee that they are protected against LPDP sanctions. However, these guarantee consents do more harm than good, as the DPA does not accept such guarantee consent clauses and explicitly states that if one of the other 7 general conditions (other than consent) is applicable for the processing of personal data, then the data controllers should not obtain separate consent for that processing.
The DPA argues that a (guarantee) consent clause will lead the data owner to believe that they can withdraw the consent at any time and therefore demand the data controller to stop processing. However, in cases where one of the other 7 conditions applies, this false impression caused by the consent clause misleads the data owners, as the data controller can (and in some cases is required to) continue to process the data even if the data owner withdraws the consent, based on one or more of the 7 other general conditions, as applicable to the relevant data.
These “guarantee” consents can even lead to administrative measures and fines issued by the DPA, as the DPA considers these types of consents to be violations of the LPDP principles (for a detailed review of LPDP administrative fines, please refer to our previous article “How to Appeal Against Administrative Fines Imposed by the Turkish Data Protection Authority”).
It is, therefore, imperative that businesses and data controllers conduct a full assessment of the personal data they are going to process, to accurately determine whether one or more of the above-mentioned 7 conditions (other than consent) are applicable to that specific data set. If so, they should refrain from obtaining additional consent from data owners. If, on the other hand, none of the 7 conditions apply to the specific data set, then explicit consent will be required to lawfully process that data.