EXPRESS CONSENT AND OBLIGATION TO INFORM IN PROTECTION OF PERSONAL DATA
In today's age of communication, we have to share our personal data in order to be able to use technological devices, smartphones , computers and applications in all areas of our lives and to benefit from the convenience of these tools. Although the sharing and processing of this data provides many advantages, the fact that the data can easily be used for the other purpose required legal regulations regarding the sharing of personal data.
With the amendment whcih was made in 2010, within the scope of article 20 of the Constitution titled as the Privacy of Private Life, the people were given the right to request protection of their personal data, to be informed about this matter, to request deletion and to find out whether they are used for their intended purposes or not. It is also stated that personal data can only be processed in cases stipulated by law or with the express consent of the person.
With the Law No. 6698 on Personal Protection, which entered into force on 07.04.2016, the procedures and principles regarding the protection of personal data were regulated. In the article 5 of the Law, the processing conditions of the personal data are included and in order to process the personal data, the consent of the relevant person is firstly sought. However, personal data may be processed without obtaining the express consent of the data subject if one of the below conditions exists:
1) It is expressly permitted by any law;
2) It is necessary in order to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent;
3) It is necessary to process the personal data of parties of a contract, provided that the processing is directly related to the execution or performance of the contract;
4) It is necessary for compliance with a legal obligation which the controller is subject to;
5) The relevant information is revealed to the public by the data subject herself/himself;
6) It is necessary for the institution, usage, or protection of a right;
7) It is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed.
What is the Express Consent of the Relevant Person?
Express consent, as regulated by law, means consent disclosed with free will on a particular subject, based on information. In order for the relevant person's express consent to the processing of his/her personal data to be valid: It is necessary that:
-It should not indeterminate,
-the relevant person should informed,
-It should not involve force, cheat and threat.
The main responsibility in this matter belongs to the data controller who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
Data Controller’s Obligation to Inform
Obligation to inform is regulated in Article 10 of The Law on Protection of Personal Data No 6698. According to the Article:
Data controller or the person it authorized is obligated to inform the data subjects while collecting the personal data with regard to
1) The identity of the data controller and if any, its representative,
2) The purposes for which personal data will be processed,
3) The persons to whom processed personal data might be transferred and the purposes for the same,
4) The method and legal cause of collection of personal data,
5) The rights set forth under Article 11.
In addition, it is stated in Article 18 of the law that those who do not fulfill the obligation of obligation to inform will be fined from 5.000 TL to 100.000 TL.
To illustrate, a person using a platform that provides transportation services requested information from the platform when he figured out that he was scored by the drivers on his journeys, and as a result of this request was left unanswered, the matter was transferred to the Personal Data Protection Authority. In the decision of the Personal Data Protection Board dated 27/01/2020 and numbered 2020/65, an administrative fine of 10.000 TL was given because the data processing activity, which is based on the scoring of the travels made by the customers / passengers by the drivers and the average of these scores, does not meet the data processing conditions and the data controller did not take the necessary security measures.
In the Board's decision dated 08/07/2019 and numbered 2019/206, it was assested that the website does not fulfill its obligation to inform since it is not clearly stated whether the personal data of the users are processed within the framework of the legal obligation arising from the legislation or the express consent of the users.