Conditions for Processing of Special Categories of Personal Data

1)Introduction

Processing of personal data defined as “any operation which is performed upon personal data such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorisation or blocking its use by wholly or partly automatic means or otherwise than by automatic means which form part of a filing system” in the law. Processing personal data may occur through interactions such as providing a service in daily life or performing a task. In the Law No. 6698 on Protection of Personal Data, rules and procedures for processing personal data are determined.

The Law on Protection of Personal Data numbered 6698 complies with General Data Protection Regulation (on April 27, 2016 and numbered 2016/679) and Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data(on January 28,1981 and numbered 108).

2)General Principles About Processing of Personal Data

There are some principles to be followed in the processing of personal data. The data processing procedure should be carried out by data controllers, taking into account these principles.
• Personal data must be processed in accordance with law and good faith
• Processed data must be accurate and if necessary, up to date.
• The processing of personal data should be carried out for specific, clear and legitimate
purposes.
• The processing of personal data should be kept relevant, limited and proportionate for the
purpose for which they were processed.
• Personal data should be maintained for the period required by the relevant legislation or
for the purpose for which they are processed.

3)Conditions for Processing of Personal Data

Processing of personal data conditions regulated in Article 5 on Law No. 6698 Protection of
Personal Data :
ARTICLE 5 – (1) Personal data shall not be processed without obtaining the explicit consent of the
data subject.
(2) Personal data may be processed without obtaining the explicit consent of the data subject if one
of the below conditions exists:
a) It is expressly permitted by any law;
b) It is necessary in order to protect the life or physical integrity of the data subject or another person
where the data subject is physically or legally incapable of giving consent;
c) It is necessary to process the personal data of parties of a contract, provided that the processing
is directly related to the execution or performance of the contract;
ç) It is necessary for compliance with a legal obligation which the controller is subject to;
d) The relevant information is revealed to the public by the data subject herself/himself;
e) It is necessary for the institution, usage, or protection of a right; f) It is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.
As a rule, personal data can be processed as a result of the explicit consent to be given by the relevant persons. However, in Article no. 5 at the Law, cases which data processing can be done without applying the explicit consent of the person whose personal data will be processed are shown.These exceptions are limited and cannot be extended. It is necessary to act in accordance with the conditions of processing personal data by data controllers.
Otherwise, this process not only violate the Law on Protection of Personal Data, but also it will mean a violation of the principle of “Confidentiality of Private Life” regulated in Article 20 of the Constitution and Article 8 of the European Convention on Human Rights.

4)Conditions for Processing of Special Categories of Personal Data

Special categories of personal data defined in law; data which require information about race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics. In order to prevent these possible dangers, specially protected personal data should be provided more strictly than other personal data. In Article 6 on Law No. 6698 Protection of Personal Data, this topic regulated:

ARTICLE 6 – (1) Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade- union, health, sexual life, criminal conviction and security measures, and biometrics and genetics are special categories of personal data.
(2) It is prohibited to process special categories of personal data without obtaining the explicit
consent of the data subject.
(3) Personal data indicated in paragraph 1, other than personal data relating to health and sexual
life, may be processed without obtaining the explicit consent of the data subject if processing is
permitted by any law. Personal data relating to health and sexual life may only be processed without
obtaining the explicit consent of the data subject for purposes of protection of public health, operation
of preventive medicine, medical diagnosis, treatment, and care services, planning and management
of health services and financing by persons under the obligation of secrecy or authorized institutions
and organizations.
(4) It is additionally required to take the adequate measures designated by the Board when special
categories of personal data are processed.

In accordance with the law, explicit consent is required for the processing of special categories personal data. Explicit consent is the consent of a particular subject, informed
and free will. Special personal data can only be processed without the need for explicit
consent in the cases mentioned in paragraph 3 of article 6. The law has made a dual
distinction in terms of special personal data, health and sexual life data and other special
data.
Personal data, other than health and sexual life, can be processed without the need for
explicit consent in cases specified in the law. Here, the intentions required by law are those
that do not require explicit consent regulated in Article 5. The private data in question; It may
consist of the information gathered on the subjects such as ethnic origin, political thought,
disguise, criminal record.

The processing of private personal data on health and sexual life, as a rule, depends on the
condition of explicit consent. Personal health data is defined as any information related to the physical and mental health of a real or identifiable natural person, as well as information about the health service provided to the person. Data processing can only be done without explicit consent for the purpose of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing. The important point here is that this data processing procedure can only be carried out by persons under the obligation to keep secrets or by authorized institutions and organizations.

5)Precautions to be Taken by Data Officers in Processing Special Qualified Personal Data

Data controllers are responsible for taking the necessary precautions regarding the personal data that they process. In the law, it is stated that all necessary technical and administrative measures must be taken by data controllers to ensure the appropriate level of security in order to maintain personal data. In the letter of the Personal Data Protection Board dated 31/01/2018 and numbered 2018/10 regarding “Precautions to be Taken by Data Officers in Processing Special Qualified Personal Data” information about the duties of data controllers is given. Accordingly, by data controllers:

• A systematic, manageable and sustainable policy and procedure for the security of special personal data should be determined.
• Practices such as providing training for employees in the data processing process, concluding a confidentiality agreement, defining the scope and duration of users who have access to data, and performing regular authorisation checks should be carried out.
• Necessary security precautions should be taken depending on whether the system in which special personal data is processed is a physical or electronic system.

Av.Erdem ARDA AKAY & Av. Yalçın TORUN

UYARI
Web sitemizde yayımlanan yukarıdaki yazılı metnin, eser sahipliği hakları Av.Yalçın TORUN’a ve Av.Erdem Arda AKAY’a aittir. Bu yazılı metin hak sahipliğinin tespiti amacıyla zaman içerikli elektronik imza ile muhafaza edilmektedir. Sitemizdeki yazılı metinler avukat meslektaşlarımız tarafından dilekçelerinde serbestçe kullanılabilir, fakat metinlerin
tamamının, bir kısmının veya özetinin atıf yapılmaksızın başka web sitelerinde yayınlanmasına iznimiz yoktur