DRAFT LAW ON PERSONAL DATA PROTECTION AND ASSESSMENT REGARDING THE CONVENTION FOR THE PROTECTION OF INDIVIDUALS WITH REGARD TO AUTOMATIC PROCESSING OF PERSONAL DATA

Turkey signed the Convention For The Protection of Individuals with regard to Automatic Processing of Personal Data, which has been opened for signature by European Council on 28 January 1981 and the relevant law of ratification is published in Official Gazette on 18 February 2016. In the scope of this Convention, the enactment of the Draft Law On Personal Data Protection is expected within the next month.

The legal gap regarding the data privacy was drawing attention for years. For the reason that there is no legal regulation on personal data protection in Turkey, an operational cooperation agreement and the electronic data interchange could not be accomplished between the security units of Turkey and EUROPOL. Similarly, Turkey was not able to cooperate with EUROJUST in order to fight transnational crimes.

Besides of this, numerous personal data of patients were kept in healthcare organisations and the lack of legal foundation on the preservation of this data, the lack of necessary measures for data protection and the disclosure of this data by unauthorized persons were considered as violation of privacy by the European Court of Human Rights. Similarly, it was observed that there are various problems on data sharing related to the foreigners in Turkey and Turkish citizens abroad.

The necessary data transfer regarding the foreign capital’s investment and its effective management in our country cannot be realized because of the lack of legal regulation and this situation causes a deterrent factor for the foreign investors. Nevertheless, the necessary data transfer that the business world need for their investments and partnerships abroad is problematic.

For all these reasons, the Convention For The Protection of Individuals with regard to Automatic Processing of Personal Data dated 1981 has been brought into force and the draft law prepared in the respect of European Union Directives will be legislated within the next month in order to fill the legal gap in this matter.

  1. CONVENTION FOR THE PROTECTION OF INDIVIDUALS WITH REGARD TO AUTOMATIC PROCESSING OF PERSONAL DATA

According to the Convention, the personal data being subject to automatic processing shall be rightfully and legally obtained, registered for specific and lawful purposes and not used against these purposes, appropriate and suitable with registration purposes, not extreme, reflect the truth, updated when needed, stored in a way that it enables the determination of identifying information of the relevant persons without exceeding the required period for realizing the registration purposes. In brief, the truthful personal data obtained through legal means for lawful purposes shall be updated and stored for a reasonable time.

As long as the national law does not provide assurance, the personal data setting forth the racial origin, political opinion, religion or other beliefs or those regarding criminal conviction and those concerning health and sexual life cannot be subject to automatic processing.

Contracting states can bring some exceptions for the purpose of protection on state security, public security, state’s financial interest, the prevention of crimes, protection of rights and freedoms in the event that it is foreseen in their laws and constitutes a necessary measure in a democratic society.

In consideration of these provisions, “personal data protection” is conceptualized and it is understood that the protection concerns the preservation and management of the personal databases regarding the public and private sector.

  1. DRAFT LAW ON PERSONAL DATA PROTECTION

The draft law prepared in the light of the European Union Directive 95/46/EC on the personal data protection, will render possible the personal data processing and transferring to the third parties in the following circumstances without the express consent of the relevant person:

  • The law clearly foresees;
  • In case of a direct relation with a contract, the process of the personal data of the contracting parties is needed;
  • The data supervisor is obligated in order to fulfil his legal obligations;
  • The data owner made this data public;
  • The data processing is obligatory in order to establish or use or protect a right;
  • The data processing is obligatory for the legitimate interest of data supervisor provided that it does not violate the fundamental rights and freedoms of the relevant

Pursuant to the draft law; the data of the persons regarding the race, ethnic origin, political opinion, philosophical belief, religion, communion or other beliefs, dress, association, foundation or syndicate membership, health, sexual life, criminal conviction and security measures and biometric data are special quality data. It is possible to process and transfer to the third parties special quality data without express consent of the relevant persons in the circumstances when it is clearly foreseen by law; the relevant person makes it public; the data processing is obligatory in order to establish or use or protect a right; it is processed by the authorized institutions or persons having confidentially obligation for the purpose of protection of public health, planning, managing and financing the preventive medicine, medical diagnosis, nursing and treatment services.

The draft law regulates that the consent of the relevant person is not required for the data and special quality data processing and its transfer to the third parties, besides of this it also regulates exceptional cases in which this law will never be enforced. These exceptional cases are such as follows: anonymously processing for research, planning and statistic; the personal data processing in scope of preventive, protective and informative activities in order to provide national defence, national security, public security, public order and economic security; personal data processing by the authorities concerning with investigation, prosecution, jurisdiction and execution and disciplinary proceeding.

  1. CONCLUSION

Firstly, for the reason that European Union Directive being resource for the draft law is out-dated, the proposal for the directive concerning the protection of individuals with regard to the personal data processing numbered 12/10 is drafted. When the draft of the directive comes into force in future, the resolution of the future compliance problems will be possible before the enactment of the draft.

Pursuant to the Convention, the issues that cannot be subject to the automatic processing without an assurance in national law, are considered special quality personal data and rendered

possible to be processed. Moreover, article 26 of the same Convention clearly states that the contracting states cannot put reservation, however Turkey declared that the Convention would not be enforced for the personal data processed by the governmental institutions for the purposes of national security, defence, prosecution and crime prevention in accordance with the European Union Directive numbered 95/46/EC. Besides, the “criteria of proportionality” in the directive should have taken place in the restriction conditions of the draft and the standards used in the ordinary term restrictions for the fundamental human rights should be considered.

The draft brings some restrictions for the private sector in order to protect the individuals, however without considering the same balance for the relation between individual and the government, it foresees some exemptions for the governmental institutions despite of the fact that the article 20/3 of the Constitution regulates the personal data protection as a fundamental human right and the jurisprudences of the Constitutional Court are in the same direction. Additionally, the international technology companies express their responsibility to protect the personal data against the requests based on the exceptions such as public order or natural security. By being recently on the agenda, the dispute on data sharing between Apple and American Government will definitely bring new perspectives to the definition of personal data and the legal regulations on their protection.

The rights and utilizable protections of the personal data owners have importance in the mentioned Convention, as for that the draft law on the personal data protection carefully regulates the rights of the data processors however the rights of the data owners fall behind the liberal policy of today.

OBEN