News and developments

Data Controllers’ Handbook to Inform Data Subjects About Their Rights

Under the Turkish data protection law ("DPL"), data subjects have the right to learn who processes their personal data, the purposes and legal bases of these processing activities, and to whom and for what purposes such personal data are transferred. These rights arise from the data controllers' obligation to inform data subjects about their processing activities. During the collection of personal data, the data controller, or any other person authorized by the data controller, is obliged to provide data subjects with certain information, such as the identity of the data controller and of its representative (if any), the purposes of the processing, to whom and for what purpose the processed personal data may be transferred, and the method and legal basis of collection. The same article of the DPL further requires data controllers to provide information to data subjects about certain other rights, as discussed below.

Data subjects also have the right to know the third parties within or outside the country to whom their personal data are transferred, and to ask for the rectification of any incomplete or inaccurately processed personal data. They may further request the erasure or destruction of their personal data (within the framework of the conditions set forth under Article 7) and request that these operations be notified to the third parties to whom the personal data have been transferred. Under the DPL, data subjects have the right to object to any consequence or situation to their detriment that results from an analysis of the processed data exclusively by means of automated systems, and to request compensation for the damages incurred due to the unlawful processing of their personal data.

Interpretation of These Provisions

The Turkish Data Protection Authority has published the Communiqué on the Procedures and Principles for Compliance with the Obligation to Provide Information ("Communiqué")[1] in order to provide guidance for the interpretation of these articles.

The Communiqué sheds light on the methods to be used for providing information and specifies that data controllers may inform data subjects either physically or by electronic means (e.g., verbally, in written format, by voice recordings, or through call centers); it also clarifies when data subjects must be informed. According to the Communiqué, data controllers are obliged to inform data subjects of their rights in every case or circumstance in which their personal data is processed. Furthermore, whenever the purpose of processing changes, they must inform data subjects again before starting the new processing activity. For instance, if a data controller processes a data subject's address for the purpose of delivering the goods or services that the subject has ordered, and intends to process the same address for marketing purposes in the future, it must inform the data subject, since the purpose of the data processing activity will change.

If different divisions or units of a data controller process personal data for different purposes, the data controller must inform data subjects separately for each purpose. For instance, if the name, last name and phone number of a data subject are processed by the marketing department of a company for marketing purposes, and the same personal data are also processed by the human resources department to evaluate that data subject's job application, then the data subject must be informed of both processing purposes.

The information that data controllers provide to the Data Controllers' Registry must be consistent with the information they provide to data subjects. Data controllers must also keep in mind that compliance with the obligation to provide information does not depend on a prior request from the data subject, and that the burden of proof is on the data controller to show that it has complied with all of its obligations under the law.

The Communiqué also states that the explicit consent of data subjects must be obtained separately from the information provided to them. In other words, data controllers are not allowed to obtain explicit consent from data subjects by using the same text or document with which they inform them.

Personal data must be processed for specific, explicit and legitimate purposes. Similarly, data controllers must be clear and specific when providing information to data subjects, and they should avoid deficient, misleading or inaccurate statements. Moreover, they must steer clear of ambiguous or broad terms in the information provided to data subjects. For example, data controllers should not state that the personal data of data subjects might be processed for marketing purposes in the future. Rather, data subjects should be informed of the purpose for which their personal data is actually processed, not of possible purposes that might arise in the future. Ambiguity and vagueness are a crucial red line when it comes to informing data subjects, and data controllers must avoid them wherever possible.

In addition, the information communicated to data subjects must include: (i) the legal basis of the personal data processing (in other words, the ground on which the processing activity rests), (ii) the recipients of the personal data, and (iii) the purpose of the data transfer.

While data controllers are required to provide data subjects with information about the processing of their personal data prior to data collection, this may not always be possible in practical terms. If personal data is obtained from an indirect source, such as the news media or public records, then data controllers must fulfill their obligation to provide information to data subjects (i) within a reasonable period of time after the personal data is obtained, (ii) in the first communication, if the personal data is obtained for the purpose of communicating with the data subject, and (iii) if the personal data is to be transferred, at the latest at the moment the personal data is first transferred.

Comparison of the DPL and the General Data Protection Regulation ("GDPR")

The GDPR, which entered into force on May 25, 2018, also imposes similar requirements on data controllers. Some of the information that data controllers are required to provide to data subjects under the GDPR is not included in the DPL, such as (i) the right of data subjects to withdraw their consent at any time, (ii) the right of data subjects to lodge a complaint with a supervisory authority, and (iii) storage periods and the criteria used to determine the duration of such data storage, even though data subjects do, in fact, have those rights under the Turkish data protection legislation.

Another difference between the GDPR and the Turkish data protection legislation concerns indirect data collection practices. According to the GDPR, when personal data is collected indirectly, data controllers are not obliged to inform data subjects of such activity if (i) it is impossible, (ii) it requires disproportionate effort, or (iii) it would render impossible or seriously impair the purpose of the data processing. Neither the DPL nor the secondary legislation in Turkey sets out similar exceptions or follows the GDPR on this issue. However, in practice, if a data controller is unable to inform data subjects about indirect personal data collection despite its best efforts and can demonstrate those efforts (i.e., show that it has genuinely attempted to inform data subjects), such activities should not raise legal concerns under the DPL either. Nevertheless, keeping in mind that there is no clear definition of "sufficient effort" or any provision regulating this matter in the DPL, one cannot exclude the possibility of a data controller facing sanctions in this context.

Despite these differences, the GDPR, like the DPL, requires data controllers to use clear and plain language in communicating with data subjects and to provide data subjects with the same categories of information that the DPL regulates.

Conclusion

Interpreting the obligation to inform data subjects correctly is of paramount importance to data controllers, since failing to fulfill the obligation to provide information may result in an administrative fine ranging from 5,000 Turkish Liras up to 100,000 Turkish Liras. Therefore, data controllers should implement the Communiqué with the utmost care and be ready to demonstrate that they provide data subjects with the necessary information, in order to fulfill their legal obligations and avoid such administrative penalties.

Authors: Gönenç Gürkaynak Esq., İlay Yılmaz and Noyan Utkan of ELIG Gürkaynak Attorneys-at-Law

(First published by Mondaq on May 29, 2018)

[1] See http://www.resmigazete.gov.tr/eskiler/2018/03/20180310-5.htm, last accessed on May 25, 2018.