Processing of personal data is defined in Article 3 of the Personal Data Protection Law (“PDPL”) as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data in whole or in part by automatic or non-automatic means, provided that it is part of a data recording system. Any kind of operation performed on the data, such as blocking the data, is accepted as processing.
The conditions for processing these data are set out in Article 5 of the PDPL, which draws the framework for them. Personal data may be processed if at least one of the situations listed in the legislation exists.
Accordingly, the conditions are:
- Existence of the explicit consent of the person concerned,
- Being clearly stipulated in the laws,
- Compulsory situation for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally valid,
- Necessity of processing the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,
- Being mandatory for the data controller to fulfill its legal obligation,
- Making the personal data public by the relevant person,
- Being obligatory for the establishment, use or protection of a right,
- Necessity of processing data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
In such cases, the data of the persons concerned may be processed.
These grounds for lawful processing are listed exhaustively in the law and cannot be expanded.
On this issue, one point about the “explicit consent condition” should be emphasized. If a data processing activity can be carried out based on conditions other than explicit consent, then requesting explicit consent will be unethical and even deceptive toward the data owner, and will constitute an abuse of right on the part of the data controller. This is because, if the data owner withdraws explicit consent in order to exercise his/her right not to have his/her data processed, the data controller will still be able to continue processing the data based on the other conditions.
However, the will of the data owner is not in this direction. The data will continue to be processed in violation of the law and the rule of good faith. Therefore, the “explicit consent clause” has a special place among these conditions. The data controller should determine in advance on what basis it will process the data, and in the absence of one of these conditions, the relevant person should resort to obtaining explicit consent.
Explicit Consent Condition
In the absence of the other conditions for processing data, the explicit consent of the person must be obtained.
Clearly Provided in Laws
The processing of personal data is made possible if there is a clear regulation in any law regarding the processing of personal data or if a clear provision has been referred to the secondary legislation.
For example, in accordance with the Labor Law, the employer will be able to process the employee’s identity information while editing the employee’s personal file.
The personal data of the person concerned may be processed if it is necessary for the protection of life or bodily integrity of the person or someone else, who is unable to express his or her consent due to actual impossibility or whose consent is not given legal validity.
For example, data processing to access the location information of a missing person is considered within this scope.
Necessity for the Establishment or Performance of the Contract
The processing of the relevant data to serve the establishment or performance of a contract will benefit from this condition. For example, for a loan agreement, the bank will have the right to process its customer’s data in accordance with this condition.
Obligation of Data Controller to Fulfill the Legal Obligation
An employer, who is also a data controller, sharing the relevant data of its employees during a tax audit is considered within this scope.
Making the Personal Data Public by the Relevant Person
When a person shares their data with the public, the data becomes public and can be processed. However, it should not be forgotten that the fact that data has been made public does not mean that it can be processed outside of its purpose.
Being Obligatory for the Establishment, Use or Protection of a Right
In a lawsuit filed by an employee, the use and processing of the relevant data of the defendant company for evidential purposes will be evaluated within the scope of necessity here.
The Necessity of Processing Data for the Legitimate Interests of the Data Controller, Provided That It Does Not Harm the Fundamental Rights and Freedoms of the Data Subject
Under this condition, a balance needs to be struck between the legitimate interests of the data controller and the protection of the fundamental rights and freedoms of the person whose data will be processed. The legitimate interest requirement cannot be used as a cover to bring all personal data processing activities within the framework of compliance with the law. The benefit to be obtained must be available and ready at a level that can compete with the fundamental rights and freedoms of the person.
In the absence of the conditions listed above, the processing of personal data will constitute a violation of the law.