The Law on Personal Data Protection
With the implementation of the Law on Personal Data Protection No. 6698 (‘the LPDP’), new rules and obligations were imposed on data controllers and data processors. The LPDP further stipulates serious monetary fines and prison sentences for those who violate these obligations. Unfortunately, most data controllers/processors in Turkey have failed to grasp the potential liabilities arising from the LPDP provisions. One of the more common mistakes among data controllers/processors is the belief that the LPDP and its personal data protection provisions apply only to those required to register with the Data Controllers Registry (VERBIS).
This assumption is, of course, false: the VERBIS registration requirement is a separate obligation and is not tied to the applicability of the LPDP provisions. Therefore, it is extremely important for all companies (or individuals) that process personal data to comply with the rules and procedures set forth in the LPDP, independently of the VERBIS registration obligation.
Fact Check – Does the LPDP Apply to Your Business?
One of the main issues with the applicability of the LPDP is that companies, shareholders, and/or individuals misinterpret the terms used in the legislation. The most common mistakes concern the terms “data processing” and “data controller”. Many company representatives mistakenly think that storing and processing data are two different concepts, and that because they only store personal data they cannot be deemed data controllers; this in turn leads to the company taking no action with regard to LPDP compliance and personal data protection.
Therefore, it is crucial that shareholders and company representatives fully understand the concepts of personal data, data processing, data controller, and data processor in order to accurately determine which LPDP/personal data protection provisions apply to them.
a. Personal Data is defined in a very broad manner within the LPDP. As per this definition, personal data means “all information belonging to a natural person whose identity is or can be determined”. Under this broad definition, any and all information that may allow the data holder to identify a specific person shall be deemed personal data. This may include ID details, name, surname, date of birth, phone numbers, CV, photos, income, expense preferences, address, number of children, e-mail and IP addresses, hobbies, location information, etc. Accordingly, the general rule is: if any snippet of information can allow the identification of a specific person, that information is deemed personal data.
b. Personal Data Processing is further defined in the LPDP as “any operation performed upon personal data such as collection, recording, storage, retention, alteration, re-organization, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially through automatic means or provided that the process is a part of any data registry system, through non-automatic means”. Therefore, even the mere act of storing any one of the above-mentioned items of personal data shall be deemed an act of processing, even if the relevant data controller does not use the data in any meaningful or impactful way.
c. Data Controller is defined as “the natural or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system”. To illustrate, if your company processes any personal data such as a customer’s e-mail address, phone number, home address, name, surname, or birthdate, either in a physical medium, digitally in a server, or via third-party service providers, then your company shall be deemed as a data controller as per the LPDP and you will need to comply with personal data protection rules.
d. Data Processor is defined as “the natural or legal person who processes personal data on behalf of the controller upon his authorization”. In this context, if, for example, the finances of your company and its tax returns are handled by a third-party accountant, either a natural person or a third-party company, that accountant processing these accounting documents (such as invoices, which may contain personal data) shall be deemed a data processor.
e. Data Registry System is defined as, “the registry system which the personal data is registered into through being structured according to certain criteria”. Therefore, all systems designed to store and otherwise process data shall be deemed as a data registry system.
LPDP Requirements and Potential Liabilities
As noted above, any person and/or legal entity that can be classified as a personal data controller and/or a personal data processor will be required to adhere to the rules set forth by the LPDP when processing personal data. These rules are collectively known as the general conditions for data processing, which are analyzed in detail in a separate article. Accordingly, most data processing performed in adherence to these general conditions will be deemed to be in compliance, provided the personal data controller/processor fully complies with the LPDP and its secondary regulations.
Conversely, failure to abide by the rules and conditions set forth by the LPDP may result in the application of a number of restrictions and fines against the personal data controller/processor. These can range from restrictive measures to administrative fines of up to TRY 1.000.000.- (even higher fines may be applicable depending on the violation).
The determination of administrative fines is left to the discretion of the Personal Data Protection Authority (DPA), as Article 18 of the LPDP only provides a lower and upper limit for the administrative fines that can be issued. Accordingly, the DPA is authorized to impose administrative sanctions on those who violate the obligations set forth in the LPDP, as per Article 22 of the LPDP.
This broad discretionary power of the DPA has caused some issues in certain administrative measures applied to different data controllers/processors in the past, as some have argued that the DPA abused its authority by issuing fines at the upper limit without providing just cause (some have even filed lawsuits against the imposed fines). To better understand the issues surrounding administrative fines issued under the LPDP, please refer to our previous article titled “Appeals Against Administrative Fines Imposed by the Turkish Data Protection Authority”.
To be fair, the rules and regulations governing data processing can seem complex, especially to foreign entities trying to operate within the Turkish market. The main source of confusion is, of course, the LPDP text itself, together with the fact that data controllers and data processors also need to take DPA decisions into account when implementing new internal data processing rules. This can be particularly challenging for foreign entities, as DPA decisions are generally not available in any language other than Turkish.
Furthermore, this personal data protection legislation is still quite new and is therefore continuously evolving, mainly through new DPA decisions and fines. This evolving nature of the compliance mechanisms also presents significant challenges if data controllers/processors opt to use standardized legal texts to ensure compliance with these rules, as such standardized texts are usually heavily outdated and contain wrong or, in some cases, outright insufficient wording and mechanisms. It is therefore imperative for data controllers and/or data processors to consult an expert to ensure that their personal data protection compliance mechanisms are implemented properly, so as to avoid unnecessary and avoidable fines in the future.