Principles Governing the Processing of Personal Data
Article 20 of the Constitution, titled ‘Privacy of Private Life’, reads as follows: ‘Everyone has the right to demand respect for his private and family life. The privacy of private and family life shall be inviolable.’
Processing in Accordance with the Law and the Rule of Good Faith
Article 6/1(a) of the European Union Data Protection Directive stipulates that the processing must be in accordance with the law and good faith, and Article 5/1(a) of the European Union Data Protection Regulation (EU GDPR) stipulates that the processing must be in accordance with the law and good faith and must be transparent. In our country, Article 4/2(a) of the Law on the Protection of Personal Data (KVKK) states that the processing must comply with the law and good faith.
What should be understood by processing personal data in accordance with the law and good faith? For personal data to be processed in accordance with the law, we must first look at Articles 13 and 20 of the Constitution of the Republic of Turkey. Article 20 of the Constitution, titled ‘Privacy of Private Life’, states: ‘Everyone has the right to demand respect for his private and family life. The privacy of private and family life shall be inviolable. Everyone has the right to demand the protection of personal data concerning him/her. This right includes the right to be informed about personal data concerning oneself, to access such data, to request their correction or deletion, and to learn whether they are used for their intended purposes. Personal data may only be processed in cases stipulated by law or with the explicit consent of the person. The principles and procedures regarding the protection of personal data shall be regulated by law.’ The text of the article clearly stipulates that personal data can only be processed in cases stipulated by law or with the explicit consent of the person. Article 13 of the Constitution states: ‘Fundamental rights and freedoms may be restricted, without prejudice to their essence, only for the reasons specified in the relevant articles of the Constitution and only by law. These limitations cannot be contrary to the letter and spirit of the Constitution, the requirements of the democratic social order and the secular Republic, and the principle of proportionality.’ It follows from this provision that the right to demand respect for private life can only be restricted by law, and that such a restriction cannot be contrary to the democratic social order.
As can be understood from the above provisions, the processing of personal data requires that either the owner of the personal data has given explicit consent or the law has authorised the processing in question. Article 5 of the LPPD clearly regulates that personal data may be processed if expressly stipulated by law or for the other reasons specified in that article. Article 4 of the Law stipulates that ‘Personal data may only be processed in accordance with the procedures and principles stipulated in this Law and other laws.’
Taking all of these provisions together, for personal data to be processed in accordance with the law, either the owner of the personal data must have given explicit consent or, in the absence of explicit consent, the law must expressly permit the processing or clearly regulate that the personal data in question may be processed. Beyond explicit consent or an explicit provision in the law, lawful processing also requires that the personal data be processed in accordance with the procedures and principles specified in the KVKK or other laws.
When we seek an answer to the question ‘What does it mean to process personal data in accordance with the rule of good faith?’, we see that the rule of good faith is not used on its own in the processing of personal data; the provisions require that personal data be processed in accordance with the law and the rules of good faith, and there is also a provision that personal data be processed in a ‘transparent’ manner in accordance with the law and good faith. The principle of processing personal data in accordance with the rule of good faith is therefore not an independent principle but one that must be applied together with the principle of compliance with the law. It requires that, while personal data is processed in accordance with the law, the authorisation granted by the law is not abused. The principle of good faith is expressed in Article 2 of the Turkish Civil Code as ‘The legal order does not protect the flagrant abuse of a right.’ What is meant here is that, when the law contains a clear provision on the use of personal data or the data carrier has given explicit consent, two questions must be asked: ‘Is there a need to process the personal data?’ and, if the answer is ‘yes’, ‘Is the procedure used the most appropriate one among the procedures and principles determined in the law, and the one that least restricts the right of the data carrier to respect for private life?’ Where the answer to both questions is ‘yes’, we can accept that the personal data is processed in accordance with the law and good faith.
Even in cases where it is clearly regulated in the law that personal data can be processed or where there is explicit consent of the data carrier, it is a requirement of the principle of lawfulness and honesty in personal data processing to perform a data processing action that will balance the ‘justified expectations’ and ‘justified interests’ of the data carrier and the conflicting values of the data processor and the data carrier when processing personal data.[1]
The principle of processing personal data in accordance with the law and good faith must be evaluated together with the principle of transparency. It is the individual, as the carrier of the personal data, who can best check whether personal data is processed in accordance with the law and good faith. Where personal data is processed in accordance with the law and good faith, the justified interests of the data carrier will not be harmed. In order to check whether those interests are harmed, the data carrier must be able to see and verify which of his/her personal data are processed, whether the data about him/her are correct, and by which procedures and principles they are processed. Article 11 of the LPPD sets out the rights of the data carrier by enumeration: to learn whether personal data is processed; to request information if personal data has been processed; to learn the purpose of processing and whether the data is used in accordance with that purpose; to know the third parties to whom personal data is transferred domestically or abroad; to request correction of personal data in case of incomplete or incorrect processing; to request deletion or destruction of personal data; where personal data are corrected, deleted or destroyed, to request that these operations be notified to the third parties to whom the data were transferred; to object to a result arising to the detriment of the person himself/herself from the analysis of the processed data exclusively through automated systems; and to demand compensation for damage suffered due to unlawful processing of personal data.
These rights enable the data carrier to identify processing contrary to the law and good faith, to prevent such processing from continuing, and, by requesting compensation for the damage, to enforce the principle of processing in accordance with the law and good faith. The principle of transparency, applied together with the principle of compliance with the law and good faith in data processing, requires only that the data processor be transparent towards the data carrier.
Obtaining the Explicit Consent of the Data Subject
In order to process personal data, the explicit consent of the data carrier is required. This is clearly regulated in Article 5/1 of the LPPD for all personal data and in Article 6/2 for special categories of personal data. Article 8/1 of the Law stipulates that personal data cannot be transferred without the explicit consent of the data subject, and Article 9/1 stipulates that personal data cannot be transferred abroad without the explicit consent of the data subject, except for the exceptions specified in the text of the article. However, since the transfer of personal data to another person or abroad already falls within the definition of processing in Article 3/1(e) of the KVKK, the question arises as to why the legislator made such a separate arrangement. In the absence of explicit consent, personal data can only be processed when expressly stipulated in the law. Article 5/2 of the LPPD stipulates that personal data may be processed without explicit consent where it is necessary for the protection of the life or bodily integrity of the data subject or another person; where it is necessary for the establishment of a contract; where the personal data has been made public by the carrier; where it is mandatory for the data controller to fulfil its legal obligation; where data processing is mandatory for the establishment, exercise or protection of a right; and where it is necessary for the legitimate interests of the data controller, provided that this does not harm the fundamental rights and freedoms of the data subject. The conditions under which personal data may be processed without consent are regulated under Article 6 of the TFEU.
Although the regulation is similar in general terms, it is seen that the regulation on the use of personal data in case the personal data is made public by the carrier of the personal data does not exist in the TFEU, while the regulation that personal data can be processed by public authorities for public interest is available in the TFEU.
In Article 3/1(a) of the LPPD, the legislator defines explicit consent as ‘Explicit consent: Consent regarding a specific subject, based on information and expressed with free will’. The justification of the article is as follows: ‘Explicit consent is defined by taking into account Directive 95/46 EC. Accordingly, explicit consent should be understood as the declaration of consent given freely, with sufficient information on the subject, in a clear manner that leaves no room for doubt and limited to that transaction.’ As is clear from the definition, information must be provided on a specific subject before consent is obtained, and consent based on free will must be obtained after that information has been given. In other words, before consent is obtained, the subject matter of the personal data must be determined, the data carrier must be informed, and his/her consent must then be obtained without misleading him/her and without impairing his/her free will.
In Article 4/11 of the GDPR, the consent of the data subject is defined as ‘a declaration or an affirmative act of the data subject's free will, which includes an agreement to process personal data relating to the data subject, which states with certainty that he/she has been informed on a specific subject’. Regarding consent within the scope of the protection of personal data, it is necessary to examine whether there is an area in which individuals can limit or give up their right to respect for private life, which is among the fundamental rights and freedoms that human beings cannot renounce. When we look at human rights with the approach of the value of human possibilities, in other words the dignity of human beings, which we have tried to justify above, it is obvious that individuals cannot completely give up these possibilities, because we must have them as a necessary requirement of being human. Several questions then arise: ‘Are there personal data that cannot be processed even with the consent of individuals, because they do not have the right to dispose of them?’; ‘Are there personal data whose processing would not be lawful even with the consent of the personal data carrier?’; put differently, which types of personal data may result in a violation of the right to respect for private life if processed with consent; and, on the other hand, ‘Can there be situations in which the right to respect for private life is violated in cases specified by law where personal data can be processed without consent?’ Personal data falling within the core of the right to respect for private life, which belongs to our fundamental rights and freedoms, will be personal data that cannot be processed even with consent. Neither the moral order nor the legal order will protect the processing of such personal data, even against explicit consent.
Sometimes, even without consent, the obligation to process personal data arises when other fundamental rights and freedoms of the person are endangered. In this context, the question is what criteria should determine which types of personal data can be processed with explicit consent and which cannot be processed even with consent. On the other hand, considering that we cannot give up fundamental rights and freedoms, and that the value of being human lies in having these rights, it is necessary to determine an area in which these rights are protected regardless of consent and in which consent is not valid, while consent may still be given to the processing of some personal data that do not fall within the field of fundamental rights and freedoms.
Different views on the legal nature of explicit consent have been put forward in comparative law: that it is a legal transaction, that it is a material act, and that it is similar to a legal transaction. If it is accepted as a legal transaction, the rules governing legal transactions will apply, and therefore in cases such as misleading and deception the legal transaction in question can be annulled retroactively. In general terms, legal transactions are declarations of will that aim to produce legal results, and on the basis of these declarations of will the legal order brings about the legal result in accordance with the declaration. When explicit consent is accepted as a material act, the rules for legal transactions will not be applicable; here the purpose of consent is not to produce results in the legal realm, and the person who consents to the interference with the right of personality disposes of a fundamental right. In acts similar to legal transactions, although the will is ‘directly directed towards an actual result, the legal order binds a legal result to this expression of will.’
It is accepted that the person who gives consent must have the power of discernment, and that the consent of persons under the age of 18 will be valid if they have the power of discernment. Article 8 of the GDPR stipulates that the consent of children over the age of 16 shall legitimise the data processing activity. Consent must be given before data processing; consent given after data processing does not legitimise the processing. The first step in data processing is obtaining the data. Article 10 of the LPPD stipulates that data controllers are obliged to inform data carriers about the identity of the data controller and its representative, if any; the purpose for which personal data will be processed; to whom and for what purpose the processed personal data may be transferred; the method and legal reason for collecting personal data; and the other rights of the data carrier. It follows that consent must be obtained after the obligation to inform has been fulfilled and before the data acquisition phase.
There is no clear regulation in the law on the form of consent. Considering that explicit consent legitimises an interference with fundamental rights and freedoms, there is no doubt that the burden of proving the existence of consent should rest on the data controller, not the data carrier. The data controller should record, and be able to prove, when the consent was obtained, how it was obtained, what information was provided before it was obtained, and from whom and by whom it was obtained. The preamble of the GDPR mentions that consent may be given in written, verbal or electronic form. Particularly on the internet, it is common for boxes ticked when entering a website to be accepted as consent given electronically. Silence, failure to tick a box, or pre-ticked boxes will not be accepted as consent. A request for consent to the use of personal data in an electronic environment should be clear and simple.
The will must be free; the person must actually have a real choice. Any improper pressure or influence that may affect the outcome of this choice invalidates the consent. There can be no free will where a declaration of consent is given under coercion or threat. The issue to be examined in this context is the economic imbalance or relationship of dependency between the data controller and the data carrier. Under Article 7/4 of the GDPR, when the processing of personal data is made a condition for the provision of the service under the contract, and the sharing of the personal data is not necessary for the performance of that service, the consent is not regarded as freely given. It is also argued that, within the scope of the connection prohibition, if the data carrier can obtain the service from someone else and no monopoly is created, consent to the processing of personal data has not been obtained by force.
Another situation regarding consent is when a single consent is requested for multiple processing operations. Although the data controller could request separate consent for each operation, it instead forces the data subject to give wholesale consent for an entire process. This may constitute a violation of the connection prohibition. The data controller should continuously monitor the process while processing the data and renew the consent whenever necessary. For the consent to be valid, before it is obtained the data carrier should be informed in detail about the content of the operation to be carried out on the personal data, how long it will take, and where the personal data will be used. If a text is used to inform the data subject, that text must be understandable. Since a legal text that cannot be understood by everyone will not serve the purpose of informing the persons concerned, consent given on the basis of such a text will not be valid. Article 7/2 of the GDPR stipulates that, where a general written consent covering all matters is given, the consent requested for the processing of personal data must be presented in a manner that is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language; otherwise, the consent will not be valid. On 21 September 2012, the Hamburg Data Protection Commission issued an administrative decision against Facebook regarding its friend-finding system based on facial recognition. Facebook had included consent to facial recognition for finding friends in its terms and conditions of use, which new users had to expressly approve when subscribing. The Hamburg Data Protection Commission took the view that a reference to standard terms and conditions does not constitute explicit, informed consent.
The Commission ordered the deletion of Facebook's biometric profile database if the administrative order was not complied with within the given time limit. Facebook notified its compliance with the decision on 7 February 2013.[2]
Commitment to Purpose
Article 4/2 of the LPPD states that personal data may be processed for specific, explicit and legitimate purposes, in a manner that is limited to and proportionate with those purposes, and that they shall be retained for the period required by the purpose for which they are processed. The article thus regulates that personal data can be processed only for a purpose; that this purpose must be explicit, specific and legitimate; that personal data can only be processed to the extent proportionate to and limited by that purpose; that they cannot be processed once the purpose no longer exists; and that they can be kept only for the period needed to achieve the purpose. Both the processing and the retention period of personal data are determined by the explicit, specific and legitimate purpose, and the limits within which personal data may be processed are determined by that same purpose. Put differently, the principle of purpose limitation determines which data will be collected, which operations can be performed on that data, and how long the data can be retained and stored; it limits data processing activities by reference to the purpose. This is illustrated by the example of a store that collects personal data in order to notify customers when new products arrive: it cannot transfer that data to other stores and companies, and it must destroy the data when it ceases its activities. Under Article 10 of the LPPD, titled ‘Data Controller's Obligation to Inform’, the data controller is obliged to inform the data subject of the purpose for which personal data will be processed, and to whom and for what purpose the processed personal data may be transferred. When Articles 4 and 10 of the Law are read together, it is understood that the data controller must inform the data carrier of the purpose before the collection stage, which is the threshold of the data processing step, that the purpose must be specific and explicit, and that the purpose in question must be legitimate.
When the purpose is sufficiently specific and explicit, it will be clear and evident to which processing of which of his/her data the data subject is consenting.
There may be one purpose or more than one. The purpose or purposes for which the data controller will process the data must be notified to the data carrier in advance. Personal data may be processed to fulfil the purpose for which they were collected. If the purpose later changes, the data controller is obliged to fulfil the obligation to inform the data carrier of the new specific and explicit purpose and then to obtain the consent of the data carrier; otherwise, the limiting function of the purpose is not fulfilled. Regarding the obligation to inform again when a new purpose emerges later, the justification of the law states: ‘In order to process data to meet needs that may arise later, one of the conditions for the processing of personal data regulated in Article 5 will have to be fulfilled, as if the processing were being started for the first time. In addition, the processed data will be limited only to what is necessary for the realisation of the purpose.’
The purpose must be explicit and specific. Generic expressions such as ‘to be used when needed’, ‘to be used when necessary’, ‘for research purposes’ or ‘for advertising and marketing purposes’ are far from making the purpose explicit and specific. The purpose should therefore be stated concretely, and vague, open-ended expressions and purposes should be avoided. Another issue regarding the purpose is its legitimacy. The legitimate purpose is defined in the preamble of the law as ‘the data processed by the data controller is related to and necessary for the business or service provided by the data controller’. For example, while it is within the scope of a legitimate purpose for a clothing store to process the identity and contact information of its customers, processing their blood groups will not be considered within the scope of a legitimate purpose. For the collection of data to be based on a legitimate purpose, there must be a legal basis that can justify the data processing. The situations that allow data processing are the explicit consent of the data carrier or the situations specified in the law. Where the law stipulates that personal data can be processed without the need to obtain consent, the law itself has determined the purpose, and in those cases personal data can be processed without contradicting the purpose determined by the law. For data that can be processed with explicit consent, the purpose of processing must likewise be legitimate. Explicit consent cannot be obtained for non-legitimate purposes, and the mere fact that explicit consent has been obtained will not legitimise the purpose.
Article 16 of the LPPD stipulates that ‘real and legal persons who process personal data are obliged to register with the Data Controllers Registry before starting data processing’, and it regulates that in the application for registration with the Data Controllers Registry they must notify the purpose for which personal data will be processed and the maximum period of time required for that purpose. It follows from this provision that data controllers cannot process personal data for purposes other than the purpose they have notified, and that they can keep personal data only for the period they have notified. The justification of Article 16 of the Law states: ‘Personal data must be retained only for the period stipulated in the relevant legislation or for the period required for the purpose for which they are processed. Accordingly, data controllers shall comply with this period if the relevant legislation stipulates a period for the storage of the data; otherwise, they shall be able to keep the data only for the period required for the purpose for which they are processed. If there is no valid reason for the further retention of a data item, that data will be deleted or anonymised. Data shall not be retained on the basis of the possibility of future use.’ Storing personal data without anonymising it, in the belief that it will be necessary one day, will be contrary to the purpose. Processing of personal data beyond the purpose may harm fundamental values of contemporary democratic society such as the material and moral integrity of the person, the right to develop his/her personality, and individual autonomy.[3]
Proportionality
The principle of proportionality requires collecting the least amount of personal data needed for the purpose that necessitates the collection, choosing the processing method that handles the least amount of data, choosing methods and tools that protect the privacy, private life and autonomy of the data carrier to the greatest extent during processing, and taking the necessary measures. The principles of purpose limitation and proportionality are complementary. Examples include: when collecting and processing data for a specific purpose, collecting the minimum data that will fulfil that purpose rather than all available data, for instance collecting and recording a single address at which notification can be made instead of a fixed telephone number, mobile telephone number, e-mail address and other address information; and, when tracking crimes and criminals through wiretapping, not collecting the information of other persons who have no connection with the crime or the criminal.
In each concrete case, whether the chosen processing method is useful in achieving the purpose, and whether it is the method that requires the least data, should be evaluated separately. For example, a camera placed outside a shop to prevent theft serves this purpose when it sees only the front of the shop; it would also serve the same purpose if it covered a much larger area beyond the shop front, but in that case, although the wide-angle camera is suitable for the purpose, it may not be proportionate. Similarly, in order to keep the entrances and exits of a workplace under control, a system that records and recognises fingerprints at entry and exit serves the same purpose as a system that reads and recognises an identity card. The request of an employee who does not want to provide his/her fingerprints may therefore be justified within the scope of the principle of proportionality.
Accuracy and Currency of Data
KVKK Article 4/(b) states that it is obligatory to comply with the principle that personal data be accurate and, where necessary, up to date when processing personal data. The regulation in KVKK Article 4/(b) parallels the principle in Article 4/1(ç) of EHSKVİY that data should be accurate and updated where necessary in the processing of personal data. There is an explicit and legitimate purpose behind the processing of every item of personal data, and achieving that purpose is possible only with accurate and up-to-date data. If the data is not accurate and up to date, it will prevent the data controller from achieving its purpose and may cause damage to the material and moral personality, the fundamental rights and freedoms, and sometimes the economic interests of the data carrier. In the Rotaru v. Romania judgement, the ECtHR ruled that inaccurate data kept for more than fifty years about the applicant, a lawyer who had been convicted as a student for two letters he wrote, violated Article 8 of the Convention because of the damage to the applicant's reputation.[4] The principle of data accuracy is closely related to the right of access to personal data: when personal data cannot be accessed, it cannot be determined whether the data is accurate and up to date. For this reason, the right in Article 11/1(a) of the KVKK to learn whether personal data is processed gains importance. The data carrier, who will check whether the personal data is correct and up to date, has the right to request correction of the data by exercising the right in Article 11/1(ç) of the Law, which regulates the right of the data carrier to apply to the data controller and ‘request correction of personal data in case of incomplete or incorrect processing’.
Keeping personal data accurate and up to date is an obligation of the data controller and cannot be transferred. However, it is not reasonable to read this principle as requiring data controllers to continuously investigate the new circumstances of data subjects in order to determine whether their personal data is current. In that light, it must also be recognised that the data subject should inform the data controller when his/her personal data changes. Article 6/d of the European Union Data Protection Directive stipulates that ‘personal data shall be kept accurate and, where necessary, up to date; every reasonable step shall be taken to ensure that inaccurate or incomplete data, irrespective of the purposes for which they were collected or the purposes for which they are processed, are deleted or rectified’. However, the Directive provides no sanction for a breach of this rule. Germany has not included this provision in its Data Protection Act; by contrast, Austria and Switzerland have included it in their Data Protection Laws. In the Google decision on the accuracy of data, the European Court of Justice emphasised the nature of the data and, citing Article 6 of the Data Protection Directive, stated that it would not accept any justification in this regard. In this decision, which forms the basis of the right to be forgotten, the Court of Justice of the European Union ruled that even where accurate data is published lawfully (in the concrete case, as newspaper news), the dissemination of that data may become unlawful and outdated with the passage of time. Accordingly, search engine operators are obliged to remove links to websites containing such data from search results. The first regulation regarding the accuracy of data comes from the United States Privacy Act, which entered into force in 1974.
After 1974, the same principle was included in the Data Quality Act, which entered into force in the United States of America in 2001. That law states that accuracy, timeliness and completeness in data processing are necessary for justice. In the transition from the VKD to the GDPR, non-compliance with this rule became subject to sanction and a fine was stipulated. The provision in Article 5/1/d of the Regulation is almost identical to the provision in Article 6/d of the Directive; however, Article 83/5 of the Regulation provides for a fine for breach of the obligation in Article 5/1/d.[5]
Footnotes
[1] ÇEKİN, p. 45.
[2] Ayazgör, p. 126.
[3] Küzeci, p. 215.
[4] Akgül, p. 139.
[5] Hoeren, Thomas. (2018) Big Data and Data Quality. In: Hoeren T., Kolany-Raiser B. (eds) Big Data in Context. SpringerBriefs in Law. Springer, Cham, pp.