General

Personal data, which is "any information regarding an identified or identifiable natural person" as defined in the Personal Data Protection Law, has become one of the most thought-about and discussed topics in our digital age. Nowadays, personal data can be processed very easily by using the internet and computer technologies, on the one hand, and on the other hand, it becomes difficult to protect the privacy of people's private lives. The necessity of protecting people's privacy and rights over their personal data has led to some regulations in criminal laws and the emergence of new types of crimes. Some rights to protect personal data are tried to be secured through the types of crimes regulated.

In the ninth chapter of the Turkish Penal Code titled "Crimes Against Private Life and the Confidential Area of Life", crimes aimed at protecting personal data are regulated between Articles 135 and 140. These are the crimes of "recording personal data", "illegal giving or obtaining of data" and "failure to destroy data". While regulating crime types, the concept of personal data was used in the Turkish Penal Code No. 5237, which came into force in 2005, but it was not defined. What constitutes personal data was previously determined by case law in criminal proceedings, and was later defined in the Personal Data Protection Law.

Types of Crimes Regulated by Law

A) Crime of Recording Personal Data

Article 135-

(1) Anyone who records personal data unlawfully shall be sentenced to imprisonment from one to three years.

(2) Personal data may be based on individuals' political, philosophical or religious views or racial origins; If it is unlawfully related to their moral tendencies, sexual life, health status or union connections, the penalty to be imposed in accordance with the first paragraph is increased by half.

Save action; It is an executive act by nature and it is not possible to commit it by a negligent act. Registration is sufficient for a crime to occur, and there is no need to process data outside of registration. A crime is a crime that can be committed with intent. Since the crime will not be committed through negligence, the perpetrator will not be responsible for the recording that occurred through negligence. The crime is a danger crime, which means that no damage caused by the crime is required.

We understand that, in accordance with the relevant definition in the Personal Data Protection Law, the victim of this crime must be a real person, but the perpetrator of the crime can be any natural or legal person.

Another element of the crime is unlawfulness. The act of recording must have occurred unlawfully. If another rule of law permits the act of recording, a crime will not occur. In case of fulfilling the order of the superior, self-defense, state of necessity, exercise of the right and the consent of the person concerned, no punishment will be imposed as the reasons for compliance with the law in the Turkish Penal Code will be met.

B) Crime of Illegal Giving or Obtaining Data

Article 136-

(1) Any person who unlawfully gives, disseminates or obtains personal data to another person is punished with imprisonment from two to four years.

(2) (Added: 17/10/2019-7188/17 art.) If the subject of the crime is the statements and images recorded in accordance with the fifth and sixth paragraphs of Article 236 of the Code of Criminal Procedure, the penalty to be imposed is increased by one.

When the article of the law is examined; It seems that committing a limited number of actions unlawfully is regulated as a crime. Among the actions listed in the article, the act of giving is among the actions that can occur between two people, and the act of spreading is among the actions that can occur between more than one person. These actions can be carried out through mass media or directly, without using any tools. Additionally, in these cases, there is no need for personal data to have been obtained unlawfully. This crime will occur if those who hold personal data in accordance with the law give or disseminate personal data unlawfully.

The act of obtaining personal data; Obtaining someone else's personal data means keeping it at one's own disposal. Capture; It can take place in the physical environment or in the form of capture from the digital environment.

Giving, disseminating and seizing are acts of executive nature. The crime will be completed as a result of these actions being carried out unlawfully. There is no need to cause any harm.

The crime in question is a crime that can be committed with general intent and cannot be committed through negligence. A crime will occur if personal data is knowingly and willingly obtained, given and disseminated unlawfully. The motive of the perpetrator is not important.

The provisions of the Code of Criminal Procedure referred to in the second paragraph of the article are as follows:

(5) (Added: 17/10/2019-7188/22 art.) Statements during the investigation phase of children who are victims of crimes regulated in the second paragraph of Article 103 of the Turkish Penal Code are taken through experts under the supervision of the public prosecutor in the centers providing services for these. The victim child's statements and images are recorded. During the prosecution phase, only if it is necessary to take the victim child's statement or take another action in order to reveal the material truth, this process is carried out by the court or the regent judge appointed by it through experts in these centers. The procedures specified in this paragraph are carried out by taking the victim child to the nearest center, regardless of jurisdiction and territorial borders. (6) (Added: 17/10/2019-7188/22 art.) The provision of the fifth paragraph shall also apply to the statements of those who are victims of the crimes regulated in the second paragraph of Article 102 of the Turkish Penal Code during the investigation phase. However, the victim's consent is required for recording statements and images.

C) Qualified Forms of Related Crimes

Article 137-

(1) Crimes defined in the above articles;

a) By a public officer and by abusing the authority given by his/her position,

b) By benefiting from the convenience provided by a certain profession and art,

If committed, the penalty will be increased by half.

In recording personal data that is regulated in TCK Article 135; Due to the typical element of the crime, personal data belonging to a real person must be recorded unlawfully. Save data on paper etc. This can be done by writing, drawing and marking on things, or by recording them in digital media. In this context, memorizing and storing personal data will not constitute a crime of recording personal data. The recording process can be done by camera, computer, voice recorder, pen, etc. It can also be done with tools.

Considering the provision in paragraph a) of the first paragraph of the article, it is envisaged that the penalty will be increased if the crimes regulated in the previous articles are committed by a public official, but also as a result of his abuse of office. In other words, the fact that the perpetrator is only a public official is not a reason for increasing the penalty; the person must also abuse the authority given by his/her position. In subparagraph b) it is regulated that if certain crimes are committed while benefiting from the facilities provided by some professions, the penalty will be increased by half. To give an example of this situation, the scope of this provision will be increased in cases where a freelance doctor gives personal data of his patient or a computer repairman obtains personal data and shares it with others.

D) Crime of Not Destroying Data

Article 138-

(1) Those who are obliged to destroy data within the system even though the periods determined by law have passed, are sentenced to imprisonment from one to two years if they fail to fulfill their duties.

(2) (Added: 21/2/2014-6526/5 art.) If the subject of the crime is data that must be eliminated or destroyed in accordance with the provisions of the Code of Criminal Procedure, the penalty to be imposed is increased by one.

Even if personal data is collected lawfully, this does not mean that they can be stored or maintained indefinitely. In KVKK article 7; Even though it has been processed in accordance with the provisions, if the reasons requiring processing are eliminated, personal data will be deleted, destroyed or anonymized by the data controller ex officio or upon the request of the relevant person, and the procedures and principles regarding the deletion, destruction or anonymization of personal data are specified in the regulation. It has been stated that it will be arranged.

When the legal reason requiring the processing of personal data that was initially processed or is being processed in accordance with the law for the occurrence of the crime disappears or upon the request of the relevant person; The natural person who is responsible for destroying, deleting and anonymizing personal data should not fulfill his duty.

The Turkish Penal Code does not contain any regulations regarding how long personal data will be processed and what method will be used to destroy them. It has been regulated that the periods for how long personal data will be retained will be determined in the relevant laws. The issue of whether a crime will occur or not becomes important when a period is not determined by law, when the period is determined by regulation or administrative action, or when there is no such regulation.

It is a crime that can be committed through criminal negligence. As is generally accepted, attempt is not possible in crimes committed by negligence. The victim is the real person whose privacy is violated by not deleting his personal data. The subject of the crime is the personal data detailed above. Keeping personal data in an information system or a physical filing system does not matter in terms of crime. The crime is one that can be committed intentionally and is not subject to complaint. Any kind of participation in crime is possible.

Complaint Clause

Complaint

Article 139-

(1) Except for recording personal data, illegally providing or seizing data, and not destroying data, investigation and prosecution of the crimes listed in this section are subject to complaints.

In case of committing the crimes of recording personal data, illegally giving or obtaining data, and not destroying data, which are regulated in Articles 135, 136 and 137 of the Turkish Penal Code, a complaint is not required and action is taken ex officio.

Committing Relevant Crimes by Legal Entities

Implementation of security measures for legal entities

Article 140-

(1) Due to the commission of the crimes defined in the above articles, security measures specific to legal entities are imposed on them.

KVKK art. As we understand from the definition, personal persons are certain or identifiable persons and are real persons. In other words, articles 135-137 find regulation in the Turkish Penal Code. Although the victim of the crimes listed in the articles can only be a real person, the perpetrator can also be a legal entity. If these actions are committed by legal entities, security measures specific to legal entities are imposed. Relevant security measures are regulated in TCK Article 60.

Article 60-

(1) In case of conviction for intentional crimes committed for the benefit of the legal entity with the participation of the organs or representatives of a private law legal entity operating based on the permission given by a public institution and by abusing the authority granted by this permission, the cancellation of the permission is decided.

(2) Confiscation provisions are also applied to private law legal entities in crimes committed on their behalf.

Court in Charge

In Article 12 of the Law No. 5235 on the Establishment, Duties and Powers of First Instance Courts of Judicial Justice and Regional Courts of Justice, the areas falling under the jurisdiction of the High Criminal Court are specified, and crimes related to personal data are not among the crimes listed in the article. Therefore, the competent court for relevant crimes is the Criminal Courts of First Instance.

Conciliation

CMK Article 253 includes crimes subject to reconciliation through alternative dispute resolution methods. The relevant crimes are not subject to reconciliation because they do not meet the conditions specified in the article and are not among the crimes specifically listed.

Precedent Decisions

A) Recording of Personal Data

Supreme Court Decision - 12th CD., E. 2015/15816 K. 2017/3462 T. 26.4.2017 and the concept of personal data, which is the subject of the crime of "Recording of Personal Data" regulated in the 135th article of the Turkish Penal Code, which the person does not make available to unauthorized third parties. Anything belonging to a real person that can be disclosed to other people at will and shared only with a limited circle, that is not known to everyone and/or cannot be easily reached and known, that determines the identity of the person or makes it identifiable, that distinguishes the person from other individuals in society and is suitable for revealing his/her qualities. In the face of understanding that all kinds of information should be understood and that all kinds of information belonging to a specific or identifiable person should be recorded illegally, according to the defendant's defense, which cannot be proven otherwise, the photographs published on Facebook by the participants and on the computer in common use in the institution where the defendant and the participants work, were transferred to a USB memory stick for souvenir purposes. There was no error in the local court's decision to acquit the defendant.

... It was unanimously decided on 26.04.2017 to CORRECT AND APPROVE the provision, whose other aspects were found to be in accordance with the procedure and law, by adding the phrase "to the acquittal of the defendant in accordance with Article 223/2-a of the Criminal Procedure Code".

B) Illegal Giving or Obtaining Data

Supreme Court Decision - 12th CD., E. 2022/2527 K. 2022/9314 T. 30.11.2022

In the decision of the General Criminal Assembly of the Supreme Court of Appeals dated 09.05.2019, numbered 2015/708, decision numbered 2019/414; “…The legal interest protected by the crime regulated in Article 136 of the Turkish Penal Code is the private life and confidential area of life in general, and personal data in particular. Since all personal data is protected with these regulations, personal data does not necessarily have to be confidential. Personal data that is not confidential and known to everyone must also be protected against unlawful acts. Because the legal value protected in crimes related to the protection of personal data is not a 'secret', but the personal rights of the person to whom the data is concerned..." and in the notice issued based on the request for annulment for the sake of law, contrary to the stable practices of our Department; "...According to the scope of the file, in order to commit the crime of illegally seizing or disseminating personal data, non-public personal data must be unlawfully seized, given to someone else and disseminated, and personal information that is known to everyone and/or can be easily accessed and known is legally defined" Since it is stated that "sharing the screenshot of the bar association plate photograph, which cannot be considered as "personal data" and thus visible to everyone, will not constitute the alleged crime in terms of the elements of the alleged crime...", it has caused uncertainty as to whether the request for reversal for the sake of law also includes the crime of unlawfully giving or seizing the data, and In the review of the legal remedy of overturning for the sake of law, the relevant Supreme Court chamber is bound by the request and since it is mandatory to eliminate all illegalities at once, the file is to be explained beyond any doubt whether the remedy of overturning for the sake of law has been resorted to regarding the crime of illegally giving or obtaining the data... It was decided unanimously on 30.11.2022 to be delivered to the Chief Public Prosecutor's Office of the Supreme Court of Appeals to be sent to the General Directorate of Criminal Affairs of the Ministry.

C) Qualified Situations

Supreme Court Decision - 12th CD., E. 2014/18783 K. 2015/2124 T. 9.2.2015

The verdicts regarding the convictions of the defendants for the crime of recording personal data were appealed by the defendants' defense counsel, the file was examined and the necessary consideration was taken:

According to the content of the file, the defendants' confessions, the search and seizure report and expert reports; It was understood that the defendants were the sub-dealers of a GSM company and that they had unlawfully recorded and archived the identity document samples, which were personal data, belonging to their customers who carried out transactions with them, on their personal computers and the computers belonging to their dealers, and that the alleged crime had been proven in this way, and there was no error in accepting the conviction of the defendants. Since the defendants committed the crime by taking advantage of the convenience provided by a certain profession, the fact that the penalties should be increased in accordance with Article 137/1-b of the Turkish Penal Code was not considered as a reason for reversal, as there was no appeal against it.

According to the trial conducted, the evidence collected and shown at the scene of the decision, the court's opinion and appreciation in accordance with the results of the prosecution, the scope of the examined file, the defendants' defense counsel, the incomplete examination, the absence of criminal intent, the rejection of the appeal objections regarding the evidence, the other aspects of which, apart from the criticized issue, are in accordance with the procedure and law. It was unanimously decided on 09.02.2015 to APPROVE the provisions in accordance with the request.

D) Destruction of Personal Data

Personal Data Protection Authority Decision - KVKK, K. 2022/1072 T. 7.10.2022

The advertising e-mails subject to the concrete incident were sent to the e-mail address of the relevant person via the corporate e-mail address by the personnel working within the data controller on the date of the concrete incident; It is understood that the data controller's e-mail address, which is the personal data of the relevant person, is used for advertising and marketing purposes within the scope of the data controller's field of work and that the explicit consent of the relevant person is not obtained, and in this context, personal data is processed by sending unauthorized advertising messages to the relevant person's e-mail address, pursuant to Article 5 of the Law. Based on the evaluations that there are no processing conditions in the article; In the processing of the e-mail address, which is the personal data of the relevant person, by sending unauthorized commercial electronic messages for advertising and marketing purposes by the data controller, there are no personal data processing conditions stipulated in Article 5 of the Law titled "Conditions of processing of personal data" and in this context, the data controller Due to the conclusion that the necessary technical and administrative measures have not been taken to ensure the appropriate level of security in order to prevent the unlawful processing of personal data within the scope of subparagraph (a) of paragraph (1) of Article 12 of the Law, Pursuant to paragraph (b), an administrative fine of 50,000 TL will be imposed on the data controller,

Considering that the e-mail address, which is the personal data of the relevant person in the concrete case, was processed unlawfully; It has been decided to instruct the data controller to destroy the personal data of the relevant person in accordance with Article 7 of the Law and the Regulation on Deletion, Destruction or Anonymization of Personal Data and to submit documents proving such destruction to the Board.