Legal officer | Tanı Pazarlama ve İletişim Hizmetleri
Aslı Şahinkaya
During the last two years, I’ve been working intensively on compliance issues related to the Law on the Protection of Personal Data. As Tanı is a company that operates heavily on IT and marketing projects as well as customer loyalty programmes, it has been both a legal necessity and a challenge to lead the compliance project. The compliance project that I managed included forming the data inventory of the company, composing/revising the clarification texts and consents for each product, drafting the necessary agreements, policies and other related documents, determining the necessary administrative measures, advising on the IT necessities regarding data protection, completing the VERBIS registration and finally, internal audit. Taking the data size of the company into consideration, it has been a real, solid learning.
The major external trend that has impacted my work over the past two years has been the Law on the Protection of Personal Data and related legislations.
The main focus for the company in the next 12 months is likely to be improving the business models of the company’s loyalty programmes. My assistance on these projects will largely consist of advising the company on a “privacy by design” approach, and trying to ease the project with legally solid solutions to meet the business and also technical needs in the best possible way.
The in-house legal role is growing stronger, I believe. Companies are slowly but surely getting to know that compliance is crucial, which is an important reason [for this growth]. You can always work with external advisors, but the outcome will definitely be more reliable if there’s an in-house lawyer involved. Some companies still tend to evaluate the position as an expense; however, in the long run there can be no doubt that a good in-house lawyer is one of the most valuable assets that a company can possess.
The common challenges of compliance on data protection.
The Law on the Protection of Personal Data has had a big effect on most businesses during the last three years. Both data controllers and processors have been trying to comply with the needs of the law ever since. As the final date for VERBIS registration approaches, I want to focus on some of the challenges faced related to data protection compliance.
Consent management: Having decided whether the data controller should apply a clarification text or take consent for the data processing operation, the real problem begins – consent management. Most of us think that forming the appropriate consent solves the problem – but it does not. The problem also involves what data to store and where, how and for how long to store the consent. Let us imagine you placed the consent on your website, and some time later you decided you need to alter the text of the consent. You have to ask yourself; is your database capable of keeping track of this alteration? Now that you have two (or more) versions of consent, do you know which data subject has consented to which version? And do you process data in accordance with the specific version of consent that data subject has given? This is a big challenge that needs to be handled, but the next one is no smaller.
Burden of proof: In cases where processing of data is based on consent, data controllers should be able to demonstrate that the data subject has given consent for the data processing operation. How can we prove their consent? How can we prove – not just claim – which text was consented, at what time and by whom? Except for signed documents, this is not easy to demonstrate. Furthermore it’s the data controller’s duty to decide which methods to use for proof; signed documents, voice records, time stamp, database log records et cetera, and also implement the selected solution to its systems in an easily trackable and accessible way.
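One way to meet both the version-tracking need (which data subject consented to which wording) and the burden-of-proof need (who, which text, when, through which channel) described above, as an added example that is not part of the original article: a small Python consent ledger (hypothetical; the class, method and field names are assumptions) that keeps each consent wording as an immutable version, records each decision against the version id and the hash of its exact text, and hash-chains the records so that any later edit or deletion in the log is detectable.

```python
import hashlib
import json

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

class ConsentLedger:
    # Versioned consent texts plus an append-only, hash-chained consent log.
    def __init__(self):
        self.versions = {}   # version id -> exact wording shown to the data subject
        self.records = []    # append-only log; each entry links to the previous hash
        self._prev = "0" * 64
    def publish(self, version, text):
        # A changed wording is a new version; published versions are never edited.
        if version in self.versions:
            raise ValueError("consent versions are immutable")
        self.versions[version] = text
    def record(self, subject, version, decision, timestamp, channel):
        # Who, which version (id plus hash of its text), when, how, chained to previous.
        entry = {"subject": subject, "version": version,
                 "text_sha256": sha256_hex(self.versions[version]),
                 "decision": decision, "time": timestamp, "channel": channel,
                 "prev": self._prev}
        entry["hash"] = sha256_hex(json.dumps(entry, sort_keys=True))
        self._prev = entry["hash"]
        self.records.append(entry)
        return entry["hash"]
    def latest(self, subject):
        # Most recent decision wins: a later withdrawal overrides an earlier grant.
        entries = [e for e in self.records if e["subject"] == subject]
        return entries[-1] if entries else None
    def may_process(self, subject, version):
        # Processing is allowed only under the exact version the subject last granted.
        e = self.latest(subject)
        return e is not None and e["decision"] == "granted" and e["version"] == version
    def verify_chain(self):
        # Any edited or deleted entry breaks the chain, so intactness is demonstrable.
        prev = "0" * 64
        for e in self.records:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or sha256_hex(json.dumps(body, sort_keys=True)) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def demo():
    # Constructed sample data, not taken from any real system.
    ledger = ConsentLedger()
    ledger.publish("v1", "I consent to receiving loyalty offers by e-mail.")
    ledger.publish("v2", "I consent to receiving loyalty offers by e-mail and SMS.")
    ledger.record("subject-1", "v1", "granted", "2019-01-10T09:00:00Z", "web form")
    ledger.record("subject-2", "v2", "granted", "2019-03-02T14:30:00Z", "web form")
    ledger.record("subject-1", "v1", "withdrawn", "2019-04-01T08:15:00Z", "call centre")
    return ledger
```

In a real deployment the chain head would be anchored externally (for example with a trusted timestamp), since a log kept entirely inside one database can be rewritten together with its hashes.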
Deletion, destruction and anonymisation of personal data: One of the obligations with which data controllers have to comply is the deletion, destruction and anonymisation of personal data. While the issue seems clear at first sight, it usually is not. The first issue is getting to know in detail what deletion, destruction and anonymisation are, and what the differences are. Only then will you be able to evaluate whether the method you choose for deletion, destruction or anonymisation is in accordance with the legislation.
Transferring data abroad: The law states that personal data cannot be transferred abroad without the consent of the data subject. It also states that in some circumstances, and if the receiving country is “secure”, personal data can be transferred abroad without consent; the secure countries are to be determined and declared by the Board of Protection of Personal Data. These “secure” countries are still not declared. While one opinion argues that until the secure countries are declared, all countries should be deemed “insecure”, another opinion argues that according to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Treaty No. 108), which was ratified by Turkey in 2016, it is prohibited to ban the transfer of data among the signatory countries. I should note that “not transferring data abroad” means not only avoiding transferring your customer database to a company abroad for analytic purposes, but also avoiding working with a service provider for e-mail hosting whose servers are in a cloud system abroad. In an age of digitalisation, the issue is deeper than it seems, and both data controllers and processors need the issue to be cleared up.
In conclusion, taking all the abovementioned issues into consideration, it is accurate to say that the compliance process has been and will continue to be a strong area of learning for the compliance teams.