About Protection of Personal Data

Personal data can be defined as any information that is suitable for identifying individuals. In this context, the identity, communication, health and financial information of the person, as well as the information related to his private life, religious belief and political opinion are considered as personal data. For example; name, surname, date of birth, mobile phone number, e-mail, gender, address, profession, education, shopping point and time, how much he paid, which campaign he used, the amount of discount he received, product information in his shopping, browsing and clicking on the application information, location information where he opened the application, etc.

Today, these data are frequently used by both the private and public sectors by automated means over information systems. Although the use of this information provides some conveniences or advantages for individuals and those who provide goods and services, this situation brings the risk of abuse of the information in question. Obtaining, using and disclosing this data by unauthorized persons is a violation of both the contracts we are a party to and the fundamental rights protected by our Constitution. A reasonable balance must be struck between these two interests. The absence of a special law and an effective control mechanism regarding the processing of personal data causes a negative perception in our society. In order to eliminate this perception, it is necessary to determine the principles regarding the processing, storage and control of personal data under certain conditions.

Parallel to the development of the awareness of the protection of human rights in our age, the importance of the protection of personal data is increasing day by day. For this reason, it is seen that detailed legal regulations are being implemented in the field of personal data protection in developed countries.

On the other hand, in our country, there is no law that regulates the field of personal data protection as a whole, and the provisions regarding this issue are included in different laws. In addition, there is no institution in our country to control and supervise the processing of personal data. As a result of this, personal data can still be used by many individuals or institutions without adequate regulation and supervision, and this may cause some violations of rights.

In our country, there are various reasons that require the entry into force of a law that will ensure the protection of personal data. First of all, the illegal acquisition, recording or disclosure of personal data is regulated as a crime and sanctioned in Articles 135 and the following of the Turkish Penal Code No. 5237. However, due to the lack of a special law for the processing of personal data, it is seen that there are hesitations in determining when these acts are illegal and when they are legal.

On the other hand, with the amendment made in Article 20 of the Constitution with the Law No. 5982, which was accepted as a result of the referendum held on 12 September 2010, the protection of personal data was guaranteed as a basic human right and the details were envisaged to be regulated by law.

Again, in the ongoing European Union full membership process regarding our country, four of the negotiation chapters are directly related to personal data. In order for the process regarding these chapters to progress, a fundamental law on the protection of personal data should be enacted in our country.

The issue of protection of personal data has started to take place in international documents since the 1980s. First of all, "Guidelines on the Protection of Personal Space and Transboundary Personal Information Traffic" were adopted by the Organization for Economic Cooperation and Development (OECD), of which our country is a member, on 23/9/1980. 108 "Convention on the Protection of Individuals Against Automatic Processing of Personal Data", which was prepared by the Council of Europe in order to protect personal data at the same standards in all member countries and to determine the principles of cross-border data flow, was opened for signature on January 28, 1981 and signed by our country.

The Council of Europe has also adopted recommendations for the protection of personal data that set out the principles to be applied in various sectors such as medical data banks, scientific research and statistics, direct marketing, social security, insurance, police records, employment, electronic payment, telecommunications and the Internet. While the aforementioned recommendations were taken into consideration during the preparation of the Draft, the "framework draft" character of the Draft was preserved. Considering that if regulations related to all sectors are included, the volume of the Draft Bill would be greatly expanded, the aforementioned recommendations were not included in the Draft. It has been evaluated that the principles contained in these recommendations may be included in the regulations to be made regarding different sectors in the future.

On the other hand, the European Union has put into effect the "Protection of Real Persons During the Processing of Personal Data and the Free Data Traffic Directive" (95/46/EC) on 24/10/1995 in order to harmonize the legislation of the member states on the protection of personal data. With this Directive, it is aimed to protect the personal data of individuals in member countries at a high level and to make a clear and permanent regulation that will ensure the free movement of personal data within the European Union. Considering the international documents on the protection of personal data; In the law to be prepared on this subject, it is seen that the conditions for the processing of personal data, the clarification of individuals, the establishment of an authority to supervise and regulate this area, and taking the necessary measures regarding data security are accepted as basic principles.

In the face of the fact that the agreements and directives before and during the VKD were insufficient in the face of current events and the agreements and directives signed from country to country differed, an agreement was reached on a reform that would cover the entire EU on 15 December 2011. In this context, GDPR, which was prepared in 2012, was adopted by the EU Parliament on April 14, 2016. While repealing Article 94 of GDPR 95/46 VKD, it expanded the scope of application of the 2002/58/EC Electronic Data Protection Directive.

An additional paragraph was added to Article 20 of the Constitution with the constitutional amendment made in 2010 with the Law No. 5982. In the mentioned paragraph; “Everyone has the right to demand the protection of their personal data. This right; It also includes being informed about the personal data about the person, accessing these data, requesting their correction or deletion and learning whether they are used for their purposes. Personal data can only be processed in cases stipulated by law or with the explicit consent of the person. The principles and procedures regarding the protection of personal data are regulated by law. provision is included.

It is stated in the Constitution that detailed regulations regarding the protection of personal data will be made by law. In this context, the “Draft Law on the Protection of Personal Data” was submitted to the Presidency of the Turkish Grand National Assembly on December 26, 2014. The Draft Law was enacted on March 24, 2016 and the Law on Protection of Personal Data No. 6698 was published in the Official Gazette dated April 7, 2016 and numbered 29677 and entered into force.

With the Draft, which was prepared by taking into account international documents, comparative law practices and the needs of our country, it is aimed to process and protect personal data in modern standards.