Personal data can be defined as any information that can identify individuals. In this context, a person's identity, contact, health and financial information, as well as information regarding his private life, religious belief and political opinion are considered personal data. For example; name, surname, date of birth, mobile phone number, e-mail, gender, address, profession, education, shopping point and time, how much he paid, which campaign he benefited from, the discount amount he received, product information about his purchase, navigation and click on the application. information, location information where the application is opened, etc.
Nowadays, these data are frequently used by both the private and public sectors automatically through information systems. Although the use of this information provides some conveniences or advantages for individuals and those who provide goods and services, this also brings with it the risk of misuse of the information in question. Obtaining, using and disclosing this data by unauthorized persons is a violation of both the agreements to which we are a party and the fundamental rights protected in our Constitution. A reasonable balance needs to be struck between these two interests. The absence of a special law and an effective control mechanism regarding the processing of personal data causes a negative perception in our society. In order to eliminate this perception, it is necessary to determine the principles regarding the processing, preservation and control of personal data under certain conditions.
In parallel with the development of awareness of the protection of human rights in our age, the importance of protecting personal data is increasing day by day. For this reason, it is seen that detailed legal regulations are implemented in the field of personal data protection in developed countries today.
On the other hand, in our country, there is no law that regulates the field of protection of personal data in a holistic manner, and the provisions regarding this issue are included in different laws. In addition, there is no institution in our country that will control and supervise the processing of personal data. As a result of this, personal data can still be used by many individuals or institutions without sufficient regulation and control, and this may cause some rights violations.
There are various reasons that require a law to protect personal data to come into force in our country. First of all, in Article 135 and following articles of the Turkish Penal Code No. 5237, acts of illegally obtaining, recording or disclosing personal data are regulated as crimes and sanctions are imposed. However, since there is no specific law for the processing of personal data, there are hesitations in determining when these actions are unlawful and when they are legal.
On the other hand, with the regulation made in Article 20 of the Constitution with Law No. 5982, which was accepted as a result of the referendum held on September 12, 2010, the protection of personal data was guaranteed as a fundamental human right and the details were envisaged to be regulated by law.
Again, in the ongoing European Union full membership process for our country, four of the negotiation chapters are directly related to personal data. In order for the process regarding these chapters to progress, a basic law on the protection of personal data must come into force in our country.
The issue of protection of personal data has started to be included in international documents since the 1980s. Firstly, the "Guidelines for the Protection of Personal Space and Transnational Personal Information Traffic" were adopted by the Organization for Economic Co-operation and Development (OECD), of which our country is a member, on 23/9/1980. "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data", No. 108, prepared by the Council of Europe with the aim of protecting personal data at the same standards in all member countries and determining the principles of cross-border data flow, was opened for signature on January 28, 1981 and was signed by our country.
The European Council has also adopted recommendations setting out the principles for the protection of personal data to be applied in various sectors such as medical data banks, scientific research and statistics, direct marketing, social security, insurance, police records, employment, electronic payment, telecommunications and the internet. Although these recommendations were taken into consideration during the preparation of the Draft, the "framework draft" nature of the Draft was preserved. Considering that the volume of the Bill would expand too much if regulations related to all sectors were included, these recommendations were not included in the Draft. It has been evaluated that the principles included in these recommendations can be included in the regulations to be made regarding different sectors in the future.
On the other hand, the European Union enacted the "Directive on the Protection of Natural Persons During the Processing of Personal Data and Free Data Traffic" (95/46/EC) on 24/10/1995, in order to harmonize the legislation of the member countries on the protection of personal data. With this Directive, it is aimed to create a clear and permanent regulation that will ensure the high level of protection of personal data of individuals in member countries and the free movement of personal data within the European Union. Considering international documents for the protection of personal data; In the law to be prepared on this subject, it is seen that the conditions for processing personal data, informing individuals, establishing an authority to supervise and regulate this area, and taking the necessary measures regarding data security are accepted as basic principles.
In view of the fact that the said TPA and previous agreements and directives were inadequate in the face of current events and that the agreements and directives signed from country to country differed, an agreement was reached on 15 December 2011 on a reform that would cover the entire EU. In this context, GDPR, prepared in 2012, was accepted by the EU Parliament on 14 April 2016. Article 94 of the GDPR repealed the 95/46 DPA and expanded the scope of application of the 2002/58/EC Electronic Data Protection Directive.
With the Constitutional amendment made by Law No. 5982 in 2010, an additional paragraph was added to Article 20 of the Constitution. In the said paragraph; “Everyone has the right to request the protection of personal data concerning him/her. This right; It also includes being informed about personal data about oneself, accessing this data, requesting its correction or deletion, and learning whether it is used for its purposes. Personal data can only be processed in cases stipulated by law or with the express consent of the person. "The principles and procedures regarding the protection of personal data are regulated by law." provision is included.
The Constitution also states that detailed regulations regarding the protection of personal data will be made by law. In this context, the "Draft Personal Data Protection Law" was submitted to the Presidency of the Turkish Grand National Assembly on 26 December 2014. The bill became law on 24 March 2016 and the Personal Data Protection Law No. 6698 came into force by being published in the Official Gazette No. 29677 dated 7 April 2016.
The Draft, prepared by taking into account international documents, comparative law practices and the needs of our country, aims to process and protect personal data at contemporary standards.