With the enactment of the Law No. 6698 on the Protection of Personal Data (“KVKK” or “Law“), it has emerged that companies operating in our country must comply with the provisions of the Law and relevant legislation. Before evaluating the use of social media by companies in accordance with the Law, we believe that it will be useful to briefly touch upon the basic principles that form the basis of these evaluations.
Basic Principles Regarding Processing Personal Data
The Principle of Compliance with Law and Good Faith Rules
Compliance with the law and the good faith means the obligation to act in accordance with the principles established by laws and other legal regulations in the processing of personal data.
The Principle of Being Accurate and Updated When Necessary
The right of the person concerned to request the correction of the data stipulated in the law is a reflection of this principle, which emphasizes the importance of the accuracy and actuality of personal data.
The Principle of Processing the Data for Specific, Explicit and Legitimate Purposes
This principle requires the data controller to clearly and precisely determine the purpose of data processing and that this purpose be legitimate.
The Principle of Being Related, Limited and Proportionate to The Purpose of Process
The fact that the processed data is suitable for the realization of the specified purposes requires avoiding the processing of personal data that is not related or is not needed to the realization of the purpose. (Data Minimization)
The Principle of Retaining for the Period Stipulated in the Relevant Legislation or for the Purpose for which they are Processed.
Personal data should be kept in accordance with the time required for the purpose for which they were processed. The data controller is obliged to take administrative and technical measures regarding the personal data that need to be deleted, destroyed or anonymized after the expiry of the relevant period.
Relevant Articles to be Interpreted on Social Media Usage
Since the articles of the Law on the Protection of Personal Data No.6698 (“Law”) contain provisions that should be evaluated in order not to encounter any violations in the use of social media by companies, we will consider them separately below:
Article 5: Conditions of processing personal data
Article 6: Conditions for the processing sensitive personal data
Article 7: Deletion, destruction or anonymization of personal data
Article 8: Transfer of personal data
Article 9: Transfer of personal data abroad
Article 10: The data controller’s obligation to inform
Article 11: Rights of the person concerned
Article 12: Obligations regarding data security
Evaluation of Use of Social Media in the Context of Articles 5[1] (Conditions of processing personal data) and Article 6[2] (Conditions for the processing sensitive personal data)
As a rule, personal data publicized by sharing on social media cannot be collected and processed. As stated in the announcement of the Personal Data Protection Board (“Board”) dated December 16, 2020[3], the concept of “publicizing” can be defined briefly as sharing the personal data by the person concerned with the public. On the other hand, the Law deals with the concept of publicization in a much narrower sense. In order to be able to speak of a publicization within the scope of the law, it is necessary to determine whether the person concerned has the will to publicize and what the purpose of publicization is. Use of personal data will be limited to the will and purpose of the person concerned.
In the Board Decision dated 07/11/2019 and numbered 2019/331[4], an insurance company processed the name-surname-phone information on an internet site and held an advertisement / proposal meeting by calling the relevant person.
Thereupon, the Board, which dealt with the issue, decided to impose an administrative fine on the data controller, since the insurance company which is data controller did not take the necessary administrative and technical measures, when the personal data of the person concerned was processed and used except for the purpose of publicizing.
Evaluation of Social Media Usage in the Context of Article 7[5] (Deletion, destruction or anonymization of personal data)
Sharing personal data in social media networks and / or communication applications prevents the fulfillment of the obligations under Article 7 of the Law titled deletion, destruction or anonymization of personal data. The obligation of the data controller to delete, destroy or anonymize is included as well in detail in Article 12 of the Regulation on Deletion, Destruction or Anonymization of Personal Data.
On the other hand, although the obligation in question is included in detail in the Law and the relevant legislation, the data controller no longer has control over personal data shared on social media. This situation makes it very difficult for the data controller to fulfill his obligation to delete, destroy or anonymize the relevant personal data.
In its decision of the data controller bank, dated 05/12/2018 and numbered 2018/142[6], although the Board decided not against the data controller bank since the personal data within the scope of the application of the relevant person was within the period required to be stored in accordance with the relevant legislation, Board explained in detail that the relevant person should be able to delete and / or destroy personal data on his own request and / or on request.
In this context, we can say that it will be almost impossible to fulfill its obligations in Article 7 of the Law, as it will no longer possess control over personal data to be shared on social media by the data controller companies.
Evaluation of Social Media Use in the Context of Articles 8[7] (Transfer of personal data) and Article 9[8] (Transfer of personal data abroad)
Since the servers of social media applications are not under the control of the data controller, violations may occur at the point of domestic and / or international data transfer.
The transfer within the country can be carried out in the presence of the conditions specified in Article 5/2 or Article 6/3 or with the explicit consent of the person concerned. Transfer abroad, on the other hand, can be carried out with the explicit consent of the person concerned or in cases where there is sufficient protection specified in Article 9 or where sufficient protection is committed.
In the decision of the Board dated 22/07/2020 and numbered 2020/559 on the storage of data in foreign servers[9], detailed evaluations were made by the Board regarding the use of cloud computing by the data controllers upon the complaint made by an automotive company about the SMS sent for advertising / information purposes. In the aforementioned case, the data controller kept the personal data of the relevant persons on the servers of the cloud computing service provider located in one of the EU countries. Although the data controller automotive company stated that personal data may be shared with third parties when necessary in the clarification made to the relevant persons and the explicit consent it received, it did not obtain an explicit consent to the transfer of data abroad. In the defense given, it was stated that the relevant EU country should be accepted as the country with sufficient protection since it is a party to the Contract No. 108, and the data transfer abroad made in accordance with paragraph 5/2 (f) of the Law should not constitute a violation. The Board, on the other hand, ruled the violation by giving the following evaluations against the defense of the data controller automotive company:
- Data storage on abroad servers of cloud computing companies is data transfer abroad.
- The explicit consent to be obtained for data transfer abroad must meet the conditions of statement with free will, being based on information and being related to a specific subject, otherwise, explicit consent will not be accepted because it will not be in accordance with the law.
- Being a party to the Contract No. 108 does not allow the relevant country to be defined directly as a “country with sufficient protection”. These countries must be designated by the Board.
- Mutual commitment and approval of the Board must be obtained in order to transfer to data controllers or data processors in countries where there is sufficient protection.
This decision of the Board signifies that companies’ sharing of personal data by using social media and / or communication applications whose servers are located abroad can be considered as the transfer of relevant personal data abroad. This may result in companies facing administrative fines as a result of serious violations.
Evaluation of Social Media Usage in the Context of Article 10[10] (The data controller’s obligation to inform)
In cases where data is collected and processed through social media, problems arise in fulfilling the obligation to clarification, which is stipulated in Article 10 of the Law and emphasized in many decisions of the Board. In cases such as receiving job applications through social media applications, providing customer support services through social media applications only or as an alternative, the clarification, explicit consent and follow-up processes become quite difficult and even impossible in some cases.
The detailed criteria included in the Board’s Public Announcement on Fulfilling the Clarification Obligation[11] dated 26.06.2020 causes us to state that it will be very difficult to fulfil the clarification obligation duly.
In parallel, in the Board’s decision of Amazon Turkey[12] dated 27/02/2020 and numbered 2020/173, the defense of the data controller that the users visiting the website may learn under which conditions the data was processes and/or transferred by examining the texts titled “Terms of Use” and “Privacy Statement” was not accepted because the clarification in question did not meet the necessary conditions. In addition to the administrative fine imposed on Amazon Turkey for failure to comply with the necessary administrative and technical measures, a separate administrative fine has been imposed for failure to fulfill the clarification obligation.
Evaluation of Social Media Usage in the Context of Article 11[13] (Rights of the person concerned)
Regarding the personal data shared by the data controller on social media, if the person concerned wants to use his / her rights later, it will be considerably difficult to meet the requests of the person concerned. The data controller has no control over the data shared through social media applications. In case the person concerned requests especially the deletion / correction / updating of his / her personal data, it will not be possible to take action on all of the countless copies that may have arisen due to sharing with social media applications.
Evaluation of Social Media Usage in the Context of Article 12[14] (Obligations regarding data security)
Data controller in accordance with Article 12 of the Law must; prevent unlawful processing of personal data, prevent unlawful access to personal data, and take all necessary technical and administrative measures to ensure the appropriate level of security in order to protect personal data. It is observed that this statement stipulated in the Law in broad sense, is also applied in the same broad scope by Board. Data controllers should be able to prove that they have taken all necessary administrative and technical measures in case of any data breach. In case of violation of data shared in social media or communication applications, it will not be possible for the data controller to prove that it has taken the necessary measures.
The following statements are included in the Decision Summary dated 03.08.2018[15] regarding the violation by sharing sensitive personal data on the internet and social media channels:
“Considering the health report, which is the sensitive personal data of the relevant person, is shared on the internet and social media channels by the physicians involved in the treatment process of the patients at a hospital by taking a screen image taken from a mobile application of the data controller by another device and in this respect, that sensitive personal data was disclosed to a wide audience via social media, as a result of ex officio examination by the Board, an administrative fine was imposed on the data controller who could not provide the appropriate level of security in order to ensure the protection of personal data.”
Similarly, in the decision of Medula Eczane Yazılımı dated 07/05/2020 and numbered 2020/355, the board interpreted the 12th Article quite broadly. Medula software, which can be accessed by pharmacies within the framework of the contract made with Social Security Institution, it is possible to access both personal data and sensitive personal data of individuals by logging in with their ID numbers. In this context, administrative fines were imposed on the pharmacy that did not take the necessary security measures to prevent third parties from accessing the Medula system due to the use of personal data obtained by the spouse of the data controller pharmacist.
The examples given above demonstrate that data controllers should take all administrative and technical measures to the fullest extent in order not to disclose the personal data processed by them. On the other hand, if personal data is shared using social media and / or foreign communication applications and this situation causes a violation, it will not be accepted by the Board that the relevant data controller company has taken the necessary and sufficient precautions.
CONCLUSION
We are of the opinion that collecting and processing personal data by companies from social media and / or communication applications constitutes violation of their obligations under the Law and the relevant legislation. We believe that the use of social media and / or communication applications by companies in internal / external communication will increase the risk of data breach by sharing the personal data they have as a data controller in these channels. In such cases, it is clearly observed in the jurisprudence of the Board that the data controller may face serious administrative fines.
Kind regards,
Av. Dr. Oğuzkan Güzel
Av. Bekir Bozdağ
[1] Processing conditions of personal data – ARTICLE 5- (1) Personal data shall not be processed without the explicit consent of the data subject. (2) Personal data may be processed without obtaining the explicit consent of the data subject if one of the below conditions exists: a) It is expressly permitted by any law; b) It is necessary in order to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent; c) It is necessary to process the personal data of parties of a contract, provided that the processing is directly related to the execution or performance of the contract; ç) It is necessary for compliance with a legal obligation which the controller is subject to; d) The relevant information is revealed to the public by the data subject herself/himself; e) It is necessary for the institution, usage, or protection of a right; f) It is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed..
[2] Conditions for Processing of Special Categories of Personal Data – ARTICLE 6- (1) Data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, appearance and dressing, membership of association, foundation or trade-union, health, sexual life, criminal conviction and security measures, and biometrics and genetics are special categories of personal data. (2) It is prohibited to process special categories of personal data without obtaining the explicit consent of the data subject. (3) Personal data indicated in paragraph 1, other than personal data relating to health and sexual life, may be processed without obtaining the explicit consent of the data subject if processing is permitted by any law. Personal data relating to health and sexual life may only be processed without obtaining the explicit consent of the data subject for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing by persons under the obligation of secrecy or authorized institutions and organizations. (4) It is additionally required to take the adequate measures designated by the Board when special categories of personal data are processed.
[3] https://www.kvkk.gov.tr/Icerik/6843/-ALENILESTIRME-HAKKINDA-KAMUOYU-DUYURUSU
[4] https://kvkk.gov.tr/Icerik/6623/2019-331
[5] Deletion, destruction or anonymization of personal data – ARTICLE 7- (1) Personal data that is processed in accordance with this Law or relevant other laws shall be deleted, destroyed or anonymised either ex officio or upon request by the data subject in case the reasons necessitating their processing cease to exist. (2) Provisions of other laws relating to deletion, destruction, and anonymization of personal data are reserved. (3) Procedures and principles relating to deletion, destruction and anonymization of personal data shall be set forth by a regulation.
[6] https://www.kvkk.gov.tr/Icerik/5424/2018-142
[7] Transfer of personal data – ARTICLE 8- (1) Personal data shall not be transferred without obtaining the explicit consent of the data subject. (2) Personal data may be transferred without obtaining the explicit consent of the data subject if one of the conditions set forth under the following exists a) The second paragraph of article 5, b) On the condition that adequate measures are taken, the third paragraph of article 6 . (3) Provisions of other laws relating to the transfer of personal data are reserved.
[8] Transfer of personal data abroad – ARTICLE 9- (1) Personal data shall not be transferred abroad without obtaining the explicit consent of the data subject. (2) Personal data may be transferred abroad without obtaining the explicit consent of the data subject if one of the conditions set forth in the second paragraph of article 5 or third paragraph of article 6 is present and ; a) If the foreign country to whom personal data will be transferred has an adequate level of protection b) In case there is not an adequate level of protection, if the data controllers in Turkey and abroad commit, in writing, to provide an adequate level of protection and the permission of the Board exists. (3) The countries where an adequate level of protection exist shall be declared by the Board. (4) The Board shall decide whether there is adequate level of protection in a foreign country and whether approval will be granted in terms of indent (b) of the second paragraph by evaluating; a) the international agreements to which Turkey is a party, b) Reciprocity regarding transfer of personal data between the country requesting personal data and Turkey, c) With regard to each present transfer of personal data, nature of personal data and purpose of processing and retention ç) Relevant legislation and practice of the country to whom personal data will be transferred. d) Measures committed by the data controller in the country to whom personal data will be transferred and if it requires, by obtaining the opinion of relevant public institutions and organizations (5) Save for the provisions of international agreements, in cases where interests of Turkey or the data subject will be seriously harmed, personal data shall only be transferred abroad upon the approval of the Board by obtaining the opinion of relevant public institutions and organizations. (6) The provisions of other laws regarding the transfer of personal data abroad are reserved.
[9] https://www.kvkk.gov.tr/Icerik/6790/2020-559
[10] Disclosure obligation of the data controller – ARTICLE 10– (1) Data controller or the person it authorized is obligated to inform the data subjects while collecting the personal data with regard to; a) Identity of the data controller and, if any, its representative, b) The purpose for which personal data will be processed, c) The persons to whom processed personal data might be transferred and the purposes for the same, ç) The method and legal cause of collection personal data, d) The rights listed in Article 11.
[11] https://www.kvkk.gov.tr/Icerik/6765/AYDINLATMA-YUKUMLULUGUNUN-YERINE-GETIRILMESI-HAKKINDA-KAMUOYU-DUYURUSU
[12] https://www.kvkk.gov.tr/Icerik/6739/2020-173
[13] Rights of the data subject – ARTICLE 11- (1) Everyone, in connection with herself/himself, has the right to ;a) Learn whether or not her/his personal data have been processed; b) Request information as to processing if her/his data have been processed; c) Learn the purpose of processing of the personal data and whether data are used in accordance with their purpose; ç) Know the third parties in the country or abroad to whom personal data have been transferred; d) Request rectification in case personal data are processed incompletely or inaccurately; e) Request deletion or destruction of personal data within the framework of the conditions set forth under article 7; f) Request notification of the operations made as per indents (d) and (e) to third parties to whom personal data have been transferred; g) Object to occurrence of any result that is to her/his detriment by means of analysis of personal data exclusively through automated systems; ğ) Request compensation for the damages in case the person incurs damages due to unlawful processing of personal data by applying to the data controller.
[14] Obligations regarding data security – ARTICLE 12 – (1) Data controller shall take all necessary technical and organizational measures for providing an appropriate level of security in order to a) Prevent unlawful processing of personal data, b) Prevent unlawful access to personal data, c) Safeguard personal data. (2) In case personal data are processed on behalf of the data controller by another natural or legal person, the data controller shall be jointly liable with such persons with regard to taking the measures set forth in the first paragraph. (3) The data controller is obligated to carry out or have carried out necessary inspections within his institution and organization in order to ensure implementation of the provisions of this Law. (4) Data controller and persons who process data shall not disclose and misuse personal data they learned contrary to the provisions of this Law. This obligation shall continue after leaving office. (5) In case processed personal data are acquired by others through unlawful means, the data controller shall notify the data subject and the Board of such situation as soon as possible. The Board, if necessary, may declare such situation on its website or by other means which it deems appropriate.
[15] https://www.kvkk.gov.tr/Icerik/5408/Ozel-Nitelikli-Kisisel-Verilerin-Kanuna-Aykiri-Sekilde-Internet-ve-Sosyal-Medya-Mecralarinda-Paylasilmasi