About Personal Data Protection

Personal data can be defined as any information that can identify individuals. This includes personal information such as identity, contact, health, and financial details, as well as private life information, religious beliefs, and political opinions. For example; name, surname, date of birth, mobile phone number, email, gender, address, profession, education, shopping location and time, amount paid, used campaigns, discounts received, product details in accounts, browsing application information, click patterns, location data when opening the app, etc.

Today, this data is frequently used by both private and public sectors through automated information systems. While the use of this information provides some conveniences or advantages to individuals and service providers, it also poses risks of misuse. Unauthorized access, use, or disclosure of this data violates both the contracts we are party to and the fundamental rights guaranteed by our Constitution. A reasonable balance must be established between these two interests. The lack of a specific law and effective supervision mechanism on personal data protection creates a negative perception in our society. It is necessary to establish principles regarding the processing, storage, and control of personal data under certain conditions to eliminate this perception.

As awareness of human rights protection develops in our age, the importance of personal data protection is increasing day by day. Therefore, detailed legal regulations on personal data protection are seen in developed countries.

On the other hand, there is no comprehensive law regulating personal data protection in our country, and provisions on this subject are found in different laws. Also, there is no institution to control and supervise personal data processing in our country. As a result, personal data can still be used by many individuals or institutions without sufficient regulation and supervision, leading to some rights violations.

There are various reasons requiring the enactment of a law ensuring personal data protection in our country. Firstly, unlawful obtaining, recording, or disclosure of personal data is criminalized and penalized under Articles 135 and following of the Turkish Penal Code No. 5237. However, there are uncertainties about when these acts are unlawful or lawful.

Moreover, with the constitutional amendment enacted by Law No. 5982 after the referendum on September 12, 2010, a new paragraph was added to Article 20 of the Constitution. It stipulates that personal data protection is a fundamental human right and its details should be regulated by law.

Additionally, four negotiation chapters in Turkey’s ongoing European Union full membership process are directly related to personal data. To advance these chapters, a fundamental law on personal data protection must be enacted in our country.

Personal data protection began to be included in international documents since the 1980s. First, the Organization for Economic Cooperation and Development (OECD), of which our country is a member, adopted the "Guidelines on the Protection of Privacy and Transborder Flows of Personal Data" on September 23, 1980. The Council of Europe prepared the Convention No. 108 "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data," opened for signature on January 28, 1981, which was signed by our country as well.

The Council of Europe also adopted recommendations on principles for personal data protection applicable in various sectors such as medical databases, scientific research and statistics, direct marketing, social security, insurance, police records, employment, electronic payments, telecommunications, and the internet. While preparing the draft law, these recommendations were considered, but the draft was kept as a "framework draft" to avoid excessively expanding the scope. It is envisaged that these principles may be included in future sector-specific regulations.

Due to the inadequacy of previous agreements and directives regarding personal data and the inconsistencies across countries, the EU agreed on a comprehensive reform on December 15, 2011. Accordingly, the GDPR prepared in 2012 was adopted by the EU Parliament on April 14, 2016. GDPR repealed Article 94 of Directive 95/46/EC and expanded the scope of Directive 2002/58/EC on electronic data protection.

With Law No. 5982 enacted in 2010, an additional paragraph was added to Article 20 of the Constitution: "Everyone has the right to request the protection of their personal data. This right includes the right to know the personal data concerning themselves, to access these data, to request their correction or deletion, and to learn whether they are used in accordance with their purpose. Personal data can only be processed in cases stipulated by law or with the explicit consent of the person. Procedures and principles regarding the protection of personal data shall be regulated by law."

Detailed regulations regarding the protection of personal data are to be made by law as specified in the Constitution. Accordingly, the "Draft Law on the Protection of Personal Data" was submitted to the Turkish Grand National Assembly on December 26, 2014. The Draft Law was enacted on March 24, 2016, and the Law on the Protection of Personal Data No. 6698 was published in the Official Gazette No. 29677 dated April 7, 2016, entering into force.

The Draft prepared by considering international documents, comparative law practices, and our country's needs aims to ensure that personal data are processed and protected according to contemporary standards.