Data Controllers’ Handbook to Inform Data Subjects About Their Rights

Under the Turkish data
protection law ("DPL"), data
subjects have the right to learn who processes their personal data, the
purposes and legal bases of these processing activities, and to whom and for
what purposes such personal data are transferred. These rights arise from the data
controllers' obligation to inform data subjects about their processing
activities. During the collection of personal data, the data controller or any
other person authorized by the data controller is obliged to provide data
subjects with certain information, such as the identity of the data controller
and of his representative (if any), the purposes of the processing, to whom and
with what purpose the processed personal data can be transferred, and the
method and legal basis of collection. The same provision of the DPL further
requires data controllers to inform data subjects of certain other rights,
as discussed below.

Data subjects have the right to know the third parties within or outside the
country to whom their personal data are transferred, and to request the
rectification of personal data that have been processed incompletely or
inaccurately. They may also request the erasure or destruction of their
personal data (within the framework of the conditions set forth under Article 7)
and request that these operations be notified to the third parties to whom the
personal data have been transferred. Under the DPL, data subjects also have the
right to object to any outcome to their detriment that results from an analysis
of the processed data exclusively by means of automated systems, and to request
compensation for damages incurred due to the unlawful processing of their
personal data.

Interpretation of These Provisions

The Turkish Data Protection
Authority has published the Communiqué on the Procedures and Principles for
Compliance with the Obligation to Provide Information ("Communiqué")[1]
in order to provide guidance for the interpretation of these articles.

The Communiqué sheds light
on the methods to be used for providing information and specifies that data
controllers may provide information to data subjects either physically or by
using electronic means (e.g.,
verbally, in written format, by voice recordings, or through call centers), and
also clarifies when data subjects must be informed. According to the Communiqué,
data controllers are obliged to inform data subjects of their rights in all cases
or circumstances in which their personal data is processed. Furthermore, they must
also inform data subjects whenever the purpose of processing changes, prior to starting
the data processing activity. For instance, if a data controller processes a
data subject's address information for the purpose of delivering the goods/services
that the subject has ordered and will further process the same address information
for marketing purposes in the future, then it needs to inform the data subject
since the purpose of the data processing activity will change.

If different divisions/units
of a data controller process personal data for different purposes, then the data
controller must inform data subjects separately for each purpose. For instance,
if the name, last name and phone number of a data subject are processed by the marketing
department of a company for marketing purposes, and the same personal data are
also processed by the human resources department to evaluate the job
application of that data subject, then the data subject must be informed of both
processing purposes.

The information that data controllers provide to the Data Controllers' Registry
must be consistent with the information they provide to data subjects. Data
controllers must also keep in mind that compliance with the obligation to
provide information does not depend on a prior request from the data subject,
and that the burden of proof is on the data controller to show that it has
complied with all of its obligations under the law.

The Communiqué also states
that the explicit consent of data subjects must be obtained separately from the
information provided to data subjects. In other words, data controllers are not
allowed to obtain explicit consent from data subjects by using the same text or
document with which they inform them.

Personal data must be
processed for specific, explicit and legitimate purposes. Similarly, data
controllers must also be clear and specific when providing information to data
subjects, and they should avoid deficient, misleading or inaccurate statements.
Moreover, they must steer clear of ambiguous or broad terms in the information
provided to data subjects. For example, data controllers should not state that the
personal data of data subjects might be processed for marketing purposes in the
future. Rather, data subjects should be informed of the purpose for which their
personal data is processed, not the possible purposes that might arise in the
future. Vagueness is a red line when it comes to providing information to data
subjects, and data controllers must avoid such ambiguity whenever possible.

In addition, the information communicated to data subjects must include: (i) the
legal basis of the personal data processing (in other words, the legal ground on
which the processing activity rests), (ii) the recipients of the personal data,
and (iii) the purpose of the data transfer.

While data controllers are
required to provide data subjects with information about the processing of
their personal data prior to data collection, this may not always be possible
in practical terms. If personal data is obtained from an indirect source, such
as the news media or public records, then data controllers must fulfill their
obligation to provide information to data subjects (i) within a reasonable
period of time after the personal data is obtained, (ii) in the first
communication, if the personal data is obtained for the purpose of
communicating with the data subject, and (iii) if the personal data is to be
transferred, then at the first moment that the personal data is being
transferred, at the latest.

Comparison of the DPL and the General Data Protection Regulation ("GDPR")

The GDPR, which entered into force on May 25, 2018, imposes similar
requirements on data controllers. Some of the information that the GDPR
requires data controllers to provide to data subjects is not included in the
DPL, such as (i) the right of data subjects to withdraw their consent at any
time, (ii) the right of data subjects to lodge a complaint with a supervisory
authority, and (iii) storage periods and the criteria used to determine the
duration of such data storage, even though data subjects do, in fact, have
those rights under the Turkish data protection legislation.

Another difference between the GDPR and the Turkish
data protection legislation concerns indirect data collection practices.
According to the GDPR, when personal data is collected indirectly, data
controllers are not obliged to inform data subjects of such activity if (i) it
is impossible, or (ii) it requires disproportionate effort, or (iii) it would
render impossible or seriously impair the purpose of the data processing.
Neither the DPL nor the secondary legislation in Turkey sets out similar
exceptions or follows the GDPR on this issue. However, in practice, if a data
controller is unable to inform data subjects about indirect personal data
collection despite its best efforts and can demonstrate its efforts (i.e., show that it has genuinely
attempted to inform data subjects), such activities should not raise any legal
concerns under the DPL either. Nevertheless, keeping in mind that there is no
clear definition of "sufficient effort" or provisions regulating this matter in
the DPL, one cannot exclude the possibility of a data controller facing
sanctions in this context.

Despite these differences, the GDPR requires data
controllers to use clear and plain language in communicating with data
subjects, similar to the DPL, and to provide data subjects with the information
regulated under the DPL.

Conclusion

Interpreting
the obligation to inform data subjects correctly is of paramount importance to
data controllers, since failing to fulfill the obligation to provide
information may result in an administrative fine ranging from 5,000 Turkish
Liras up to 100,000 Turkish Liras. Therefore, data controllers should implement
the Communiqué with the utmost care and
be able and ready to demonstrate that they provide data subjects with the
necessary information in order to fulfill their legal obligations and avoid
such administrative penalties.

Authors: Gönenç Gürkaynak Esq., İlay Yılmaz and Noyan
Utkan of ELIG Gürkaynak
Attorneys-at-Law

(First published by Mondaq on May 29, 2018)

[1] See http://www.resmigazete.gov.tr/eskiler/2018/03/20180310-5.htm, last accessed on May 25, 2018.