Media and entertainment

News & Developments
TMT (Technology, Media & Telecoms)

Constitutional Court’s Decision on Access Ban to News Content on Social Media

The Turkish Constitutional Court issued a decision on April 17, 2019 regarding an applicant's claim that his freedom of expression and press was violated by an access ban on a news article (taken from a newspaper) that he had posted on his social media account with the comment "Interesting confession from the judge of the July 22nd investigation". The decision was published in the Official Gazette on May 15, 2019. The Constitutional Court accepted the applicant's claim, stating that the access ban on the news article violated the applicant's right to freedom of expression and press.

Background of the Case

The applicant ("Applicant") is a journalist and also a member of parliament. The Applicant owns an account on a social media website, where he shares news content. According to the decision, the Applicant shared a news article (taken from a Turkish newspaper) on his social media account under the title "Parallel Judge: I have my signature in the wiretapping" along with the comment "Interesting confession from the judge of the July 22nd investigation". The news article related to the statements of a judge of a criminal judgeship of peace, who was assigned to a case regarding the arrest of policemen based on the claim that the policemen, who allegedly had connections with an illegal organization that had infiltrated the government, conspired against high-level public officials. The news article further stated that the judge did not accept the case due to his workload, and that he was the one who decided to wiretap in one of the investigations carried out regarding a terrorist organization.

After the news article was published on the Applicant's social media account, the judge of the criminal judgeship of peace who is the subject of the news article filed a complaint before the Istanbul 6th Criminal Judgeship of Peace and obtained an access ban decision regarding the news article published on the social media account, on the basis that the content violates his personal rights. The Applicant filed an objection against the Istanbul 6th Criminal Judgeship of Peace's decision, and his objection was rejected by the Istanbul 1st Criminal Judgeship of Peace, as the higher court. Accordingly, the Applicant filed an individual application before the Constitutional Court (2015/4821) on March 16, 2015, claiming that his freedom of expression and press had been violated.

The Constitutional Court's Evaluation

The Constitutional Court evaluated the access ban procedure under Turkish law and noted that an access ban decision based on the Law No. 5651 should only be granted in urgent cases where there is a "prima facie violation", that is, where the violation is apparent without the need for a detailed examination, such as cases of nude pictures or videos of an individual, and cited its earlier Ali Kidik decision. According to the Constitutional Court, the individual has the option to file a lawsuit before civil or criminal courts, since, in the present case, detailed information is needed to determine whether the content of the news article mirrors reality and whether the publication harms the honor and dignity of the relevant judge, who is the complainant of the access ban. The Constitutional Court stated that the Istanbul 6th Criminal Judgeship of Peace failed to provide a convincing decision regarding the urgent need to ban access to the news article by demonstrating the prima facie violation, considering that the access ban decision was granted four years after the publication of the news article.

The Constitutional Court also noted that there was not enough reason to apply the access ban measure in the case at hand, considering the content of the news article. The Constitutional Court emphasized that an access ban decision granted by way of non-contentious jurisdiction can only be acceptable if there is an imminent violation that is visible at first glance. The Constitutional Court evaluated that, in the case at hand, the lower court failed to explain the need to immediately and swiftly eliminate the alleged attack against honor and dignity through the relevant content without resorting to a contentious trial, as the content of the articles subject to the complaint is not serious enough to warrant an access ban decision under Article 9 of the Law No. 5651. The Constitutional Court finally stated that, in unlawful interventions against people's honor and dignity due to expressions of ideas and thoughts on the internet, the main goal is to relieve the damages of the injured party, and that there are more effective, useful and beneficial civil and criminal remedies, especially for disputes such as the case at hand.

Consequently, the Constitutional Court concluded that the reasons for banning access to the content without a detailed examination were not relevant and adequate, and thus that the Applicant's freedom of expression and press, which is protected under Articles 26 and 28 of the Constitution, was violated.

Authors: Gönenç Gürkaynak Esq., Ceren Yıldız, Burak Yeşilaltay and Yasemin Doğan, ELIG Gürkaynak Attorneys-at-Law (First published by Mondaq on August 19, 2019)
ELIG Gürkaynak Attorneys-at-Law - October 28 2019
TMT (Technology, Media & Telecoms)

Presidential Circular on Information and Communication Security Measures

The Presidential Circular on Information and Communication Security Measures ("Circular") was published in the Official Gazette of July 6, 2019. The aim of the Circular is to reduce security risks and to govern the measures to be taken to ensure the safety of information which is critical to national security and public order. The Circular imposes several security obligations on public institutions regarding (i) storage and transfer of critical information (i.e. health, contact and biometric information), confidential information and corporate information, (ii) cyber threat notifications and (iii) industrial check systems.

According to the Circular, "Information and Communication Security Guidelines" ("Guidelines") will be prepared by the Presidency's Digital Transformation Office ("Office") in light of the national and international standards on information security, and published on the Office's website at www.cbddo.gov.tr. All public institutions and operators providing critical infrastructure services will be obliged to (i) comply with the procedures and rules in the Guidelines when setting up new information systems and (ii) review and revise the existing systems to ensure compliance with the Guidelines. The Circular also obliges public institutions to set up internal review mechanisms and examine compliance with the Guidelines at least once a year. Public institutions will report the examination results, and the corrective and preventative actions taken by the relevant institution, to the Office.

While the Circular generally imposes information security obligations on public institutions, the following measures listed in the Circular, which are new to this regulatory landscape, can be relevant for the providers of cloud services and electronic communication services:

- Information pertaining to public institutions shall not be stored in cloud services. The exception to this is storage on the relevant institution's private systems or on systems provided by local service providers which are under the control of the relevant public institution.
- Authorized electronic communication service providers (operators) are obliged to set up internet exchange points in Turkey. According to the Circular, measures will be taken in order to prevent the cross-border transmission of domestic communication traffic which needs to be exchanged domestically.

Authors: Gönenç Gürkaynak Esq., Ceren Yıldız, Burak Yeşilaltay and Ekin Ince, ELIG Gürkaynak Attorneys-at-Law (First published by Mondaq on July 9, 2019)
ELIG Gürkaynak Attorneys-at-Law - October 28 2019
TMT (Technology, Media & Telecoms)

Turkish DPA Warns with Principle Decision on Promotional Communications

On November 1, 2018, the Personal Data Protection Board ("Board"), acting under the Personal Data Protection Authority, published its principle decision numbered 2018/119 in the Official Gazette, which was then corrected on November 7, 2018 ("Decision"). The Board's Decision concerns the prevention of promotional notifications, e-mail messages, text messages and calls that data subjects might receive from data controllers and data processors.

A. Rationale

At the beginning of the Decision, the Board indicates that it received numerous complaints based on the Law No. 6698 on Protection of Personal Data ("Law No. 6698") from individuals who claim to have received promotional and advertorial calls, text messages and e-mail messages from parties to whom they did not give consent for such communications. The Board also indicates that, upon receiving such complaints, it conducted an investigation on the matter, the results of which were used in determining the principles set forth in the Decision.

B. Obligations of Data Controllers & Processors

I. Cease of Activity

The Decision orders data controllers that direct promotional communications to data subjects without obtaining data subjects' consent, or without meeting the conditions under Article 5/2 of the Law No. 6698, to cease such processing activities immediately. The Decision also orders data processors that send such communications on behalf of data controllers to cease their data processing activities immediately as well. The Decision lists sending text messages to or calling data subjects' phone numbers, and sending e-mails to data subjects, as methods of communication. Although the wording of the Decision appears to be limited to these methods of communication, considering the purpose of the Board's decision, one might argue that the Board will highly likely apply this principle to every other form of electronic communication, provided that it is promotional and/or advertorial and the conditions of the Law No. 6698 are not met.

According to Article 5/2 of the Law No. 6698, it is possible to process personal data without the explicit consent of the data subject where one of the conditions below applies:

- it is explicitly foreseen by laws
- data has been made public by the data subject
- processing personal data of the parties of a contract is necessary, on condition that processing is directly related to the execution or performance of such contract
- processing is necessary:
  - for compliance with a legal obligation which the data controller is subject to
  - for the establishment, exercise or defense of a legal claim
  - for the purposes of the legitimate interests of the data controller, provided that such interests do not violate the fundamental rights and freedoms of the data subject
  - to protect the vital interests or the bodily integrity of the data subject or of another person where the data subject is physically or legally incapable of giving his consent

In this order, the Board refers to its authority under Article 15/7 of the Law No. 6698, which entitles the Board to decide on the cessation of data processing or of the transfer of data abroad if there is an obvious violation of laws and there are irrevocable damages or damages that are hard to recover. In that sense, one might argue that the Board evaluates such activities as violations of the Law No. 6698 and is inclined to interpret such activities as damaging to data subjects, which might be used against data controllers within the scope of claims by data subjects pertaining to non-pecuniary damages.

II. Precautions

By referring to Article 12 of the Law No. 6698, the Decision explicitly states that data controllers are obliged to take all technical and administrative measures in order to ensure an adequate level of security for the purposes of (i) preventing unlawful processing of personal data, (ii) preventing unlawful access to personal data; and (iii) protecting personal data. Furthermore, it is also noted in the Decision that if personal data is processed by another real person or legal entity on behalf of the data controller, the data controller shall be jointly liable with the data processor for taking the foregoing measures.

III. Sanctions

The Board states that it will impose the measures provided under Article 18 of the Law No. 6698 on those who conduct such processing activities. Article 18 sets forth administrative fines for those who fail to comply with certain obligations under the Law No. 6698:

- Article 18/1(b): Those who fail to fulfill the obligations relating to data security referred to in Article 12 of this Law shall be subject to an administrative fine ranging from 15,000 Turkish Liras up to 1,000,000 Turkish Liras.
- Article 18/1(c): Those who fail to abide by the decisions rendered by the Board per Article 15 of this Law shall be subject to an administrative fine ranging from 25,000 Turkish Liras up to 1,000,000 Turkish Liras.

The Board also warns that, taking into account the possibility that personal data processed for such activities might have been collected unlawfully, it will notify the relevant public prosecutor's office so that criminal proceedings can be initiated for the crime of illegal dissemination and seizure of data in accordance with Article 136 of the Turkish Criminal Code, under which illegal seizure, transfer or dissemination of personal data constitutes a crime and is subject to imprisonment of up to four years.

Although the Decision does not explicitly indicate any time period for data controllers and processors to cease their activities found to be in violation of the Law No. 6698, it is implied in the Decision that the Board is not eager to punish on-going activities of data controllers and processors, but merely confines itself to warning them and urging them to cease such activities and act in accordance with their obligations within the scope of the Law No. 6698.

IV. Checklist for Compliance

Please find below a short checklist of items that might be considered by data controllers before sending out promotional communications, for the purposes of compliance with the Law No. 6698 and the Board's principle decision.

1. Taken necessary precautions and measures to protect the contact information which will be collected from data subjects (such as creating a dedicated storage space for the relevant data, limiting the number of personnel accessing such data to senior marketing managers etc.),
2. Informed data subjects about using their contact information for promotional communications before or, at the latest, during collection of their personal data and recorded such notice for evidential purposes (be it on paper with data subject's signature, a voice record or via electronic logging),
3. If using contact information collected previously for other purposes where data subject might not be reasonably expected to know that it might be used for such communications, informed data subject about using their contact information for this new purpose, before starting processing activities for that purpose; and recorded such notice for evidential purposes,
4. Have a legal basis for using their contact information for such communications (please see the list of valid legal grounds above),
5. If not, obtained data subject's explicit consent; and recorded such consent for evidential purposes.

Please note that data processors should also consider whether the data controllers, on whose behalf they process personal data and send promotional communications, are in compliance with the Law No. 6698; and vice versa, since they are both jointly liable for violations of the Law No. 6698, as explained above.

In any case, it is clear that individuals are starting to take control of their personal data more and more, as legislation provides them with new ways to exercise their rights. The Board's decision shows that complaints from individuals impelled the Board to act on its authority and warn data controllers and processors about the current state of affairs with respect to their promotional activities.

Authors: Gönenç Gürkaynak Esq., İlay Yılmaz and Türker Doygun, ELIG Gürkaynak Attorneys-at-Law (First published by Mondaq on February 6, 2019)
ELIG Gürkaynak Attorneys-at-Law - October 28 2019
TMT (Technology, Media & Telecoms)

Data Controllers’ Handbook to Inform Data Subjects About Their Rights

Under the Turkish data protection law ("DPL"), data subjects have the right to learn who processes their personal data, the purposes and legal bases of these processing activities, and to whom and for what purposes such personal data are transferred. These rights arise from the data controllers' obligation to inform data subjects about their processing activities. During the collection of personal data, the data controller or any other person authorized by the data controller is obliged to provide data subjects with certain information, such as the identity of the data controller and of his representative (if any), the purposes of the processing, to whom and with what purpose the processed personal data can be transferred, and the method and legal reason/basis of collection.

The same article of the DPL further requires data controllers to provide information to data subjects about certain other rights, as discussed below. Data subjects have the right to know the third parties within or outside the country to whom personal data are transferred, and to ask for the rectification of any incomplete or inaccurate personal data processing as well. They may also request the erasure or destruction of their personal data (within the framework of the conditions set forth under Article 7) and request the notification of these operations to third parties to whom personal data have been transferred. According to this law, data subjects have the right to object to any consequence or situation that is to their detriment and that results from an analysis of the processed data exclusively by means of automated systems, and to request compensation for the damages incurred due to the unlawful processing of personal data.

Interpretation of These Provisions

The Turkish Data Protection Authority has published the Communiqué on the Procedures and Principles for Compliance with the Obligation to Provide Information ("Communiqué")[1] in order to provide guidance for the interpretation of these articles. The Communiqué sheds light on the methods to be used for providing information and specifies that data controllers may provide information to data subjects either physically or by using electronic means (e.g., verbally, in written format, by voice recordings, or through call centers), and also clarifies when data subjects must be informed.

According to the Communiqué, data controllers are obliged to inform data subjects of their rights in all cases or circumstances in which their personal data is processed. Furthermore, they must also inform data subjects whenever the purpose of processing changes, prior to starting the data processing activity. For instance, if a data controller processes a data subject's address information for the purpose of delivering the goods/services that the subject has ordered and will further process the same address information for marketing purposes in the future, then it needs to inform the data subject, since the purpose of the data processing activity will change.

If different divisions/units of a data controller process personal data for different purposes, then the data controller must inform data subjects separately for each purpose. For instance, if the name, last name and phone number of a data subject are processed by the marketing department of a company for marketing purposes, and the same personal data is also processed by the human resources department to evaluate the job application of that data subject, then the data subject must be informed of both processing purposes. The information that the data controllers provide to the Data Controllers' Registry must be in line with the information they provide to the data subjects.

It is also extremely critical for data controllers to realize and keep in mind that compliance with the obligation to provide information does not require the data subject's prior request, and that the burden of proof is on the data controller to show that it has complied with all its obligations under the law.

The Communiqué also states that the explicit consent of data subjects must be obtained separately from the information provided to data subjects. In other words, data controllers are not allowed to obtain explicit consent from data subjects by using the same text or document with which they inform them.

Personal data must be processed for specific, explicit and legitimate purposes. Similarly, data controllers must also be clear and specific when providing information to data subjects, and they should avoid deficient, misleading or inaccurate statements. Moreover, they must steer clear of ambiguous or broad terms in the information provided to data subjects. For example, data controllers should not state that the personal data of data subjects might be processed for marketing purposes in the future. Rather, data subjects should be informed of the purpose for which their personal data is processed, not the possible purposes that might arise in the future. It should be noted that ambiguousness/vagueness is a crucial red line when it comes to providing information to data subjects, and data controllers must avoid such ambiguity whenever possible.

In addition, the information that will be communicated to data subjects must include: (i) the legal purpose of the personal data processing (in other words, the basis of the data processing activity), (ii) the recipients of the personal data, and (iii) the purpose of the data transfer.

While data controllers are required to provide data subjects with information about the processing of their personal data prior to data collection, this may not always be possible in practical terms. If personal data is obtained from an indirect source, such as the news media or public records, then data controllers must fulfill their obligation to provide information to data subjects (i) within a reasonable period of time after the personal data is obtained, (ii) in the first communication, if the personal data is obtained for the purpose of communicating with the data subject, and (iii) if the personal data is to be transferred, then at the first moment that the personal data is being transferred, at the latest.

Comparison of the DPL and the General Data Protection Regulation ("GDPR")

The GDPR, which entered into force on May 25, 2018, also brings similar requirements for data controllers. Some of the information which data controllers are required to provide to data subjects under the GDPR is not included in the DPL, such as (i) the right of data subjects to withdraw their consent at any time, (ii) the right of data subjects to lodge a complaint with a supervisory authority, and (iii) storage periods and the criteria used to determine the duration of such data storage, even though data subjects do, in fact, have those rights under the Turkish data protection legislation.

Another difference between the GDPR and the Turkish data protection legislation concerns indirect data collection practices. According to the GDPR, when personal data is collected indirectly, data controllers are not obliged to inform data subjects of such activity if (i) it is impossible, or (ii) it requires disproportionate effort, or (iii) it would render impossible or seriously impair the purpose of the data processing. Neither the DPL nor the secondary legislation in Turkey sets out similar exceptions or follows the GDPR on this issue. However, in practice, if a data controller is unable to inform data subjects about indirect personal data collection despite its best efforts and can demonstrate its efforts (i.e., show that it has genuinely attempted to inform data subjects), such activities should not raise any legal concerns under the DPL either. Nevertheless, keeping in mind that there is no clear definition of "sufficient effort" or provisions regulating this matter in the DPL, one cannot exclude the possibility of a data controller facing sanctions in this context.

Despite these differences, the GDPR requires data controllers to use clear and plain language in communicating with data subjects, similar to the DPL, and to provide data subjects with the information regulated under the DPL.

Conclusion

Interpreting the obligation to inform data subjects correctly is of paramount importance to data controllers, since failing to fulfill the obligation to provide information may result in an administrative fine ranging from 5,000 Turkish Liras up to 100,000 Turkish Liras. Therefore, data controllers should implement the Communiqué with the utmost care and be able and ready to demonstrate that they provide data subjects with the necessary information in order to fulfill their legal obligations and avoid such administrative penalties.

Authors: Gönenç Gürkaynak Esq., İlay Yılmaz and Noyan Utkan of ELIG Gürkaynak Attorneys-at-Law (First published by Mondaq on May 29, 2018)

[1] See http://www.resmigazete.gov.tr/eskiler/2018/03/20180310-5.htm, last accessed on May 25, 2018.
ELIG Gürkaynak Attorneys-at-Law - October 28 2019
TMT (Technology, Media & Telecoms)

Turkey Regulates Broadcasting Services Provided Through the Internet

I. Introduction Turkey recently enacted an amendment to the Turkish radio and television legislation that will regulate radio, television and on-demand broadcasts provided through internet and have these services and their providers (media service providers and platform operators - please see their definitions under II) under the supervision and authority of the Radio and Television Supreme Council ("RTUK"). The amendment entered into force on March 28, 2018. Providers of radio, television and on-demand services through internet and platform operators transmitting these broadcasts will need to obtain a license from the RTUK as of this date. The amendment does not only relate to local broadcasters in Turkey, but also concerns and covers foreign media service providers and platform operators targeting audience in Turkey, regardless of whether they provide their service and broadcasts in Turkish language. This amendment was included in "the Draft Law Amending the Tax Law, Certain Laws and Certain Decrees", which was enacted on March 21, 2018 with the law number 7103 ("Law No. 7103") and published in the Official Gazette of March 28, 2018 and entered into force on the publication date. The amendment proposes addition of a new article (Article 29/A) to the Law No. 6112 on the Establishment and Broadcasting Services of Radio and Television Enterprises ("RT Law") with the title "Broadcasting services through internet". This amendment had wide media coverage and created a serious public discussion throughout its legislative process. The initial text of this amendment was quite controversial and raised concerns as to whether RTUK will be vested with an authority to regulate, monitor and supervise all contents in the internet medium and to impose restrictions on social media websites, video sharing platforms and other websites. 
By virtue of these discussions, the text of this amendment was subject to certain modifications before its enactment, in a way to make its scope clearer. II. Legislation Prior to the Amendment RT Law was previously not applicable to and RTUK did not have authority over broadcasts through internet. The scope of the RT Law covered the services that are provided by conventional broadcast entities operating under a license obtained from the RTUK who broadcast directly to customers, such as radio programs or television channels operating under an authorization obtained from RTUK. RT Law defines media service providers under Article 3 as legal entities that have the editorial responsibility to choose content for radio, television and on-demand-broadcast services and who choose the way to regulate and broadcast these services. As per RT Law, media service providers are obliged to obtain broadcast license from RTUK to broadcast through means of terrestrial, satellite and cable transmissions. RT Law also defines platform operators as enterprises which transform multiple media services or multiple signals into one and provide their transmission, through satellite, cable and similar networks either in an encoded and/or decoded form that is accessible directly by viewers. As both definitions did not refer to broadcasts through internet and only refer to means of terrestrial, satellite or cable transmission, RTUK did not have authority over broadcasts through internet under the legislation. However, now that the new amendment (Article 29/A) entered into force, RT Law is applicable to certain broadcasts through the internet. III. 
Changes Introduced by the Amendment According to first paragraph of Article 29/A of RT Law, which has been introduced by the recent amendment, even if the services are provided through internet, media service providers willing to broadcast their radio, television and on-demand broadcast services through internet are obliged to obtain a broadcasting license from RTUK and platform operators willing to transmit these broadcasts are obliged to obtain broadcast transmission authorization from RTUK. The article also states that media service providers which have temporary broadcast right and/or broadcast license from RTUK (e.g. radio and television channels operating under a license and/or right issued by RTUK) may broadcast through Internet and in accordance with the RT Law and the Law No. 5651 on Regulation of Broadcasts via Internet and Prevention of Crimes Committed through Such Broadcasts ("Law No. 5651"). In other words, RTUK is now authorized to monitor such broadcasts and their contents, and decide on measures such as banning broadcasts or imposing monetary fines that are determined within the scope of RT Law. The reasoning of the foregoing as explained in negotiation process of the amendment indicates that "Due to technological developments in information technologies sector and the widespread use of broadband internet services, radio and television broadcasts started to gravitate to the internet. Special contents to be broadcasted through internet are also being produced frequently. Media service providers making licensed broadcasting through terrestrial, satellite and cable means started to broadcasting through internet at the same time. Additionally, many institutions that do not have a license obtained from RTUK began to broadcasting their radio and television contents through internet without permission.". 
Taking into account the reasoning and the letter of the law together, the main purpose behind this article appears to be to regulate institutions that are broadcasting through both conventional means and internet such Fox TV, CNN Turk or the institutions broadcasting radio and television contents through internet such as BluTV. The second paragraph of Article 29/A states that, in the event that RTUK determines that broadcasting services of real persons or legal entities who do not have temporary broadcast right and/or broadcast license or whose broadcasting license has been cancelled are transmitted through internet, criminal judgeships of peace may render a decision for removal and/or access ban of contents upon RTUK's request. While the initially proposed version of second paragraph stated that criminal judgeships of peace decisions shall be sent to Access Providers Union for execution, the final and published version of Article 29/A refers to Information and Communication Technologies Authority ("ICTA") instead of Access Providers Union. Criminal judgeship of peace judge shall render its decision within twenty four hours at the latest, without hearing. However, it is still possible to appeal such decisions within the scope of provisions of the Turkish Code of Criminal Procedure. The article also refers to third and fifth paragraphs of Article 8/A of the Law No. 5651 which requires access ban decisions to be rendered regarding specific URL addresses and sets forth monetary fines for those who do not comply with access ban decisions, respectively. 
The newly introduced Article 29/A further states that, even if the content or hosting provider is in a foreign country, the foregoing principles and restrictions also apply to the transmission of broadcasting services of platform operators or of media service providers that are under the jurisdiction of another country, if RTUK determines these broadcasts to be in violation of the RT Law, international treaties which the Republic of Turkey is a party to and RTUK's assigned position; and to broadcasting institutions which broadcast through the internet in Turkish targeting Turkey, or in another language but targeting Turkey and including commercial broadcasts. The provision explicitly dictates that such entities are obliged to obtain a broadcast license if they fall under the definition of media service operators, or a transmission authorization certificate if they fall under the definition of platform operators.

The initial text of Article 29/A (prior to modifications) consisted of four paragraphs. However, the latest published version includes an additional paragraph, which is the main change made to the amendment before it became effective. This additional paragraph (paragraph four) addresses the concerns on the scope of this regulation and states that, notwithstanding the duties and authorizations of ICTA, individual communication cannot be considered within the scope of Article 29/A, and that platforms that are not dedicated to transmitting radio, television and on-demand broadcast services through the internet medium, and real persons and legal entities who only provide hosting services to radio, television and on-demand broadcast services, shall not be considered as platform operators within the scope of this article.
The fifth and last paragraph of Article 29/A provides that RTUK and ICTA shall jointly issue a regulation that determines the procedures and principles regarding presentation of radio, television and on-demand broadcasting services through the internet, transmission of such services, broadcast licenses for media service providers broadcasting through the internet, broadcasting transmission authorization for platform operators, monitoring of broadcasts and implementation of Article 29/A.

IV. Conclusion

The latest changes to the amendment certainly brought some degree of clarity to the scope of this provision and RTUK's authority over the internet medium. Still, as the implementation and interpretation of this new article are as yet unknown, all broadcasters and platforms whose services could fall under the scope of Article 29/A will need to assess whether this provision will be applicable to them, whether they would need to obtain a license from RTUK, and whether they would need to adjust the contents of their broadcasts in line with the RT Law to avoid potential restrictions on or penalties related to their services in Turkey.

Authors: Gönenç Gürkaynak, Esq., İlay Yılmaz and Burak Yeşilaltay, ELIG, Attorneys-at-Law (First published in Mondaq on March 28, 2018)
ELIG Gürkaynak Attorneys-at-Law - October 28 2019
TMT ( Technology, Media & Telecoms)

Guide Yourself to Explicit Consent: Article 29 Working Party’s Updated Opinion

I. Introduction

The Working Party on the Protection of Individuals with regard to the Processing of Personal Data ("Working Party"), which is established as per the Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 ("EU Directive"), updated its opinion on consent under the General Data Protection Regulation ("GDPR"), which will be effective on May 28, 2018. The GDPR evolved the concept of consent under the EU Directive and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector ("E-privacy Directive") by providing further clarification and specification of the requirements for obtaining and demonstrating valid consent. The Working Party's opinion of November 28, 2017 mainly focuses on this evolution and sheds more light on the EU Directive - GDPR - Turkish Data Protection Law ("Law No. 6698") triangle. Law No. 6698 is based on the EU Directive, whereas its consent-related provision for processing personal data is adopted from the GDPR. Hence the updated opinion answers most of the questions raised by Turkish companies during their compliance processes.

II. Elements of Valid Consent

Article 4(11) of the GDPR defines consent as: "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". According to this provision, the consent of the data subject means any (i) freely given, (ii) specific, (iii) informed and (iv) unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
(i) The Consent Must be Freely Given

The Working Party stated in its opinion that consent will not be considered "free" if the data subject is unable to refuse his or her consent, and that it can only be valid if the data subject is able to exercise a real choice. Consent will not be free in cases where there is any element of compulsion, pressure or inability to exercise free will. The Working Party also mentioned that the imbalance between the data subject and the controller (which mostly occurs where the data controller is a public authority or where the data subject is an employee) is also taken into consideration by the GDPR.

Article 7(4) of the GDPR plays an important role in determining whether consent is freely given or not. According to this article, when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. By regulating this provision, the GDPR aims to narrow the term "the performance of a contract". The Working Party states that there needs to be a direct and objective link between the processing of the data and the purpose of the execution of the contract (e.g. processing the address of the data subject in order to deliver the goods which were purchased online).

The Working Party also mentions the term "granularity" in determining the existence of freely given consent. In cases where a service involves multiple processing operations for more than one purpose, the data subjects should be free to choose which purpose they accept. Therefore, several consents may be warranted for each purpose. In other words, consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of these purposes.
For example, a company asks its customers to consent to receiving its campaigns and promotions by e-mail and, at the same time, to the sharing of their personal data with other companies within its group. According to the GDPR, this consent cannot be considered granular, since there are no separate consents for these two separate purposes. Therefore, the consent will not be valid. According to the GDPR, the data controller also needs to demonstrate that the data subject is free to refuse or withdraw consent without detriment, and it should be able to prove that the data subject has a free or genuine choice on giving consent.

(ii) The Consent Must be Specific

According to the Working Party, to comply with the element "specific" which is stated in the definition of "consent" under the GDPR, the data controller must apply the following:

a. If a data controller processes data based on consent and intends to process the data for a new purpose, the data controller needs to obtain a new consent from the data subject for the new processing purpose. The original consent will not legitimize new purposes for processing.
b. If the data controller seeks consent for various different purposes, it should provide a separate opt-in for each purpose, to allow users to give specific consent for specific purposes.
c. The data controllers should provide specific information regarding each separate consent request about the data in order to make data subjects aware of the impact of the different choices that they have.

(iii) The Data Subject Must be Informed

According to the Working Party, it is essential to provide information to data subjects before obtaining their consent, since it will enable them to make informed decisions, understand what they are giving consent to, and exercise their rights regarding their consent. The Working Party listed the minimum information required for obtaining valid consent in terms of the GDPR. These are:

a. the identity of the data controller,
b. the purpose of each of the processing operations for which consent is sought,
c. the type of data which will be collected and used by the data controller,
d. the existence of the right to withdraw consent,
e. information about the use of the data for decisions based solely on automated processing,
f. if the consent relates to data transfers, information about the possible risks of data transfers to third countries in the absence of an adequacy decision and appropriate safeguards.

Even though most of the information listed above was also included in the EU Directive, the GDPR expands the information that should be provided to the data subject by stating that the data controller should also inform the data subject that he/she can withdraw his/her consent. This requirement was not included in the EU Directive. Similar to the EU Directive, the GDPR also does not require a certain form or shape for such information. Hence, valid information may be provided in various ways (e.g. in writing, orally, via audio or video messages). However, the GDPR also brings higher standards for the clarity and accessibility of the information. Accordingly, the Working Party stated that the data controller should use clear and plain language which can be easily understood by an average person. The Working Party does not allow long illegible privacy policies or statements full of legal jargon.

(iv) Unambiguous Indication of the Data Subject's Wishes

The Working Party exemplifies Article 7(2) of the GDPR, which addresses pre-formulated written declarations of consent. According to the Working Party, when consent is requested as part of a contract, the request for consent should be clearly distinguishable from the other matters. Also, if consent is requested by electronic means, the consent request has to be separate and distinct; it cannot simply be a paragraph within terms and conditions.
This is especially of importance for e-commerce websites, along with many other online platforms and other real and legal persons processing personal data. That means no more incorporating data protection clauses into Terms & Conditions or into employment contracts. The principle of being "clearly distinguishable" is also linked with being "freely given". For instance, if consent is indistinguishable and incorporated into an agreement along with many other provisions, the data subject cannot consent freely and separately, but can only sign the agreement as a whole.

The EU Directive described consent as an "indication of wishes by which the data subject signifies his agreement to personal data relating to him being processed". The GDPR expands this definition by clarifying that valid consent requires an unambiguous indication by means of a statement or by a clear affirmative action, which means that the data subject must have taken a deliberate action to consent to the particular processing.

The GDPR also brings new requirements for data controllers regarding the explicit consent they obtain. According to Article 7 of the GDPR, the data controller is obliged to demonstrate the data subject's consent. The same provision also states that the data controller must ensure that consent can be withdrawn by the data subject as easily as it was given and at any given time.

III. Reflections of Article 29 Working Party's Updated Opinion to Turkish Personal Data Legislation

Law No. 6698 is based on the EU Directive which is currently in force. The obligations of data controllers and the rights of the data subjects set forth under the Law No. 6698 are basically in line with the provisions under the EU Directive. Having said that, the Law No. 6698 requires "explicit consent" of the data subjects for any kind of personal data processing, not only for sensitive personal data, which is in line with the GDPR.
Accordingly, the Working Party's updated opinion for the GDPR may also guide Turkish businesses in terms of structuring their processes. For instance, according to the GDPR, the data controller must be able to demonstrate that valid consent was obtained. Also, mechanisms for data subjects to withdraw their consent must be available and easy to apply, and the data controller must provide information on how to withdraw consent. The Law No. 6698 also brings similar obligations to the data controllers.

The Law No. 6698 is a separate and independent local regulation. However, it is likely that the Turkish Data Protection Board, which is the main authority on data protection related matters, would take the opinion of the Working Party as a basis while evaluating the appropriateness of the consent, as the Law No. 6698 is mainly based on the EU legislation and the implementation in the EU is currently the primary source. The Turkish Data Protection Board has already published its guideline document on consents and stated that umbrella consents will be invalid, which is in parallel with the "specific consent" principle in the EU. We expect that the opinion of the Turkish Data Protection Board will take shape in time by also taking into account the implementation in the EU. Data controllers may benefit from the Working Party's updated opinion for clarity on explicit consent and assess whether their current flow for consent needs updates.

Authors: Gönenç Gürkaynak, Esq., İlay Yılmaz and Noyan Utkan, ELIG, Attorneys-at-Law (First published by Mondaq on January 16, 2018)
ELIG Gürkaynak Attorneys-at-Law - October 28 2019
TMT ( Technology, Media & Telecoms)

Regulation on Erasure, Destruction or Anonymization of Personal Data

Regulation on Erasure, Destruction or Anonymization of Personal Data: First Prong of the Secondary Legislation

I. Introduction

The Regulation on Erasure, Destruction or Anonymization of Personal Data ("Regulation") was published in the Official Gazette of October 28, 2017 and will enter into force as of January 1, 2018. The Regulation has been issued based on Article 7 of the Law No. 6698 on Protection of Personal Data ("DPL"). That article states that personal data shall be erased, destroyed or anonymized by the data controller ex officio or upon the demand of the data subject, in the event that the reasons for which it was processed are no longer valid, but leaves the principles and procedures regarding erasure, destruction and anonymization of personal data to be determined by a regulation. The Regulation was issued later than contemplated by the DPL, as the DPL provided that all regulations will be put into force by the Personal Data Protection Authority ("Authority") within a year as of publication of the law (i.e. until April 7, 2017).

The Regulation applies to data controllers which, by way of repeating the DPL, are defined as real persons or legal entities which set the objectives and means of processing personal data and are in charge of establishing and managing the data filing system (Article 4/1-I of the Regulation). The Regulation is essentially a brief legal text mainly consisting of two provisions on personal data storage and demolition policy (Section II, Articles 5 and 6 of the Regulation) and six provisions on the erasure, destruction and anonymization of personal data (Section III, Articles 7-12 of the Regulation).

II. Personal Data Storage and Demolition Policy

Data controllers that are required to register with the data controller's registry per the DPL are obliged to prepare a personal data storage and demolition policy in accordance with their personal data inventory (Article 5/1 of the Regulation).
It should be noted that the DPL requires all data controllers to register with the relevant registry as a principle. That said, the Authority is entitled to provide an exemption from this obligation based on objective criteria to be determined by the Personal Data Protection Board ("Board"), such as the nature and the number of the processed data, whether or not data processing is required by law or whether or not data will be transferred to third parties (Article 16/2 of DPL). Therefore, an exemption from the obligation to register means an exemption from the obligation to prepare a storage and demolition policy. The Regulation also makes clear that neither preparing a personal data storage and demolition policy nor being exempt from preparing such a policy affects data controllers' obligation to comply with the principles, requirements and obligations set forth in the Regulation (Article 5/2 & 5/3 of the Regulation).

According to Article 6 of the Regulation, a personal data storage and demolition policy shall at least include the following:

a) Purpose of preparing the personal data storage and demolition policy,
b) Filing mediums regulated under the personal data storage and demolition policy,
c) Definitions of legal and technical terms mentioned in the personal data storage and demolition policy,
d) Explanations regarding legal, technical or other reasons that require storage or demolition of personal data,
e) Technical and administrative measures taken in order to store personal data safely, and prevent personal data from being illegally processed and accessed,
f) Technical and administrative measures taken in order to demolish personal data in compliance with the law,
g) Titles, departments and job descriptions of those taking part in the personal data storage and demolition processes,
h) Table displaying the personal data storage and demolition periods,
i) Time periods of periodic demolitions,
j) Changes made in the existing personal data storage and demolition policy.

III. Erasure, Destruction and Anonymization of Personal Data

In terms of data controllers' erasure, destruction and anonymization responsibilities, the Regulation refers to the conditions, principles and procedures set forth in the DPL, other related legislation and the relevant data controller's own policy on the matter, and states that data controllers are obliged to comply with the foregoing.

(i) General

Data controllers are obliged to register and keep records of all transactions relating to erasure, destruction and anonymization of personal data for at least three (3) years (Article 7/3 of the Regulation). Moreover, data controllers are also required to disclose the methods they apply in relation to these processes in their policies and procedures (Article 7/4 of the Regulation). In cases of ex officio erasure, destruction or anonymization of personal data, the method can be chosen freely by the data controller, unless the Board has decided otherwise on the matter. If erasure, destruction or anonymization is conducted upon request of the data subject, the data controller should also explain the reason behind choosing the relevant method (Article 7/5 of the Regulation).

(ii) Erasure

Erasure of personal data means the operation of rendering the relevant personal data inaccessible and non-reusable in any way for the relevant users (Article 8/1 of the Regulation). Relevant users are those who process personal data in accordance with the authority and the instructions given by the data controller or within the data controller's organization, except persons or units responsible for technical storage, protection and backing up of data (Article 4/1-b of the Regulation).

(iii) Destruction

Destruction of personal data means the operation of rendering the relevant personal data inaccessible, irrecoverable and non-reusable in any way for everyone (Article 9/1 of the Regulation).
Therefore, while erasure only affects the relevant data controller and relevant users thereof, in cases of destruction everyone is affected by the process and the relevant data becomes unavailable for use by everyone.

(iv) Anonymization

Anonymization of personal data is rendering personal data anonymous in such a way that it cannot be related to an identified or identifiable real person in any way, even through matching it to other data (Article 10/1). According to the Regulation, personal data is anonymous if it cannot be related to an identified or identifiable real person by the data controller, recipient or recipient groups through techniques appropriate in terms of the filing medium and the relevant area of activity, such as recovery and matching the data with other data (Article 10/2 of the Regulation).

(v) Time Periods

For data controllers which have personal data storage and demolition policies, personal data shall be erased, destroyed or anonymized during the first periodic demolition operation following the date on which such obligation arises (Article 11/1 of the Regulation). The data controllers are free to determine demolition periods. However, this time period may not exceed six (6) months. If the data controller does not have such a policy, the obligation should be fulfilled within three (3) months of the date on which the obligation arises. These time limits were determined in the draft of the Regulation as ninety (90) days and thirty (30) days, respectively. The Board is authorized to shorten these time periods if there may be irrevocable damages or damages that are hard or impossible to recover and there is an obvious violation of laws.

(vi) Data Subject's Request

In terms of data subjects' demands for erasure and destruction, the Regulation requires data controllers to decide within thirty (30) days and inform the data subjects regardless of the outcome of their requests (Article 12 of the Regulation).
Additionally, if personal data is transferred to third parties, data controllers are also obliged to inform third parties of the requests and ensure third parties' compliance with data subjects' requests. If all of the conditions for personal data processing are not eliminated, the data controller is entitled to reject a request by explaining its reasons, and the data subject should be notified of the rejection within 30 days at the latest in writing or in the electronic environment.

IV. Conclusion

The Regulation certainly brings more specific and clear instructions and obligations regarding erasure, destruction and anonymization of personal data, considering the general frame provided by the DPL. However, one might still argue that the Regulation took it too far in terms of providing specific restrictions and obligations, to the point where data controllers are left with a narrow range of flexibility to determine their own procedures and measures particular to their needs. Considering the speed of technological developments and the change in everyday business activities in connection with these developments, adopting an approach based on principles, rather than the determination of specific limitations applicable to all data controllers regardless of the nature of their activities and sector, might be of importance for the effective enforcement of the Regulation.

Authors: Gönenç Gürkaynak Esq., İlay Yılmaz and Burak Yeşilaltay of ELIG, Attorneys-at-Law

(First published in Mondaq on November 8, 2017)
ELIG Gürkaynak Attorneys-at-Law - October 28 2019
TMT ( Technology, Media & Telecoms)

Data Controller or Data Processor?

Data Controller or Data Processor? How to Interpret Two Core Definitions of Data Protection Legislation

Companies and individuals may face difficulties in determining which one of the definitions they fall under and whether they or the ones they are working with have data protection responsibility. Interaction between these two concepts is of paramount importance, as it imposes obligations in terms of liability. This piece aims to help companies involved in the processing of personal data determine whether they, or the third parties they work with, are acting as a data controller and/or as a data processor under Turkish data protection legislation.

Along with information systems, business models become more complex. A number of organizations may be working together in an initiative that involves processing personal data. Even if the "data controller" and the "data processor" are defined under the data protection legislation, companies and individuals may face difficulties in determining which definition they fall under and whether they or the company they are working with have data protection responsibility within the scope of the Law No. 6698 on Protection of Personal Data.

Processing of personal data means any operation performed on personal data, wholly or partly, whether through automatic means or, if the data is part of a data filing system, through non-automatic means, such as collection, recording, storage, preservation, alteration, retrieval, disclosure, transfer, acquisition, making available, categorizing or blocking. Considering this wide definition, entities and individuals who are involved in the aforementioned activities may fall under the scope of data controller or data processor, and might be held liable for their actions.
According to Article 3/1(i) of the DP Law, the data controller is "the real person or legal entity which sets the objectives and means of processing personal data and who is in charge of establishment and management of data filing system". The data processor, on the other hand, is defined under Article 3 (1-g) of the DP Law as "the real person or legal entity, which processes personal data based on the authority given by and on behalf of the data controller". One of the main reasons there is a distinction between the two terms is to prevent loss of a right when the data is being processed. There is a significant line between the data controller and the processor, because the data controller will be the one to determine the reason for processing, and the processor will be the one to act within the scope of the framework determined by the controller. As indicated under Article 12(3) of the DP Law, the data controller is obligated to carry out or have carried out necessary inspections within his institution and organization in order to ensure implementation of the provisions of the DP Law.

Within the scope of EU Data Protection Directive 95/46/EC ("Directive"), data controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. A data controller must be a "person" recognized in law, that is to say: individuals; organizations; and other corporate and unincorporated bodies of persons.

For example, a government department sets up a database of information about every child in the country. It does this in partnership with local councils. Each council provides personal data about children in its area, and is responsible for the accuracy of the data it provides. It may also access personal data provided by other councils (and should comply with the data protection principles when using that data).
The government department and the councils should be deemed data controllers in relation to the personal data on the database.

As a general principle under DP Law and EU legislation, data controller determines the purposes for which and the manner in which personal data will be processed. Therefore, the data controller is the actor who decides "how" and "why" personal data is processed.

Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller. For example, a utilities company engages another company which operates call centers to provide its customer services functions on its behalf. The call center staff has access to the utilities company's customer records for the purpose of providing those services but may only use the information they contain for specific purposes and in accordance with strict contractual arrangements. The utilities company remains the data controller. The company that operates the call center would be considered as a data processor.[1]

In some cases, there are difficulties in determining data controller and processor responsibilities. For example, in the franchise business model, the parent company decides which personal data will be collected and how personal data will be processed, and the company with the branch must comply with these rules. However, the branch that collects personal data is directly related to the data subjects and is the first point of contact where personal data is collected. If the branch makes the decision on setting the objectives and means of processing personal data and who is in charge of establishment and management of data filing system, the parent company should not be considered "data controller" but the branch should.
With regard to determining whether an organization is a data controller or a data processor, the following list can be useful:[2]

- to collect the personal data in the first place and the legal basis for doing so;
- which items of personal data to collect, i.e. the content of the data;
- the purpose or purposes the data are to be used for;
- which individuals to collect data about;
- whether to disclose the data, and if so, who to;
- whether subject access and other individuals' rights apply, i.e. the application of exemptions; and
- how long to retain the data or whether to make non-routine amendments to the data.

According to the Article 29 Data Protection Working Party, an independent EU advisory body, there are three ways a controller can be appointed:[3]

(a) Control stemming from explicit legal competence: establishes a task or imposes a duty on someone to collect and process certain data. For example, this would be the case of an entity which is entrusted with certain public tasks (e.g., social security) which cannot be fulfilled without collecting at least some personal data, and sets up a register with a view to fulfil them.

(b) Control stemming from implicit competence: stems from common legal provisions or established legal practice pertaining to different areas, for example the employer in relation to data on his employees, the publisher in relation to data on subscribers, the association in relation to data on its members or contributors.

(c) Control stemming from factual influence. This is the contractual relations between the different parties involved.
According to the Information Commissioner's Office, a data processor may decide:

- what IT systems or other methods to use to collect personal data;
- how to store the personal data;
- the detail of the security surrounding the personal data;
- the means used to transfer the personal data from one organization to another;
- the means used to retrieve personal data about certain individuals;
- the method for ensuring a retention schedule is adhered to; and
- the means used to delete or dispose of the data.[4]

In order for data subjects to securely disclose their personal data, the data controllers and data processors are obligated to process the personal data within the scope of the purpose of processing. The data controller has the right to decide on which items to collect, to determine the purpose of processing and whether to disclose the data or not, which gives the controller a freedom to carry out its activities in a manner and technical style, and, as per Article 17 of the Directive, must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction. The processor, by contrast, is mainly given the option to rely on decisions taken by the controller and will be obliged to follow the rules and take the necessary steps determined by the controller. As per Article 16 of the Directive, the data processor acting under the authority of the controller, who is allowed to process the data and has access to it, is required to act based on the controller's instructions or based on law.

Authors: Gönenç Gürkaynak, Esq., Ilay Yilmaz and Nazli Pinar Taskiran, ELIG, Attorneys-at-Law

First published in Mondaq on April 25, 2017.
[1] https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/
[2] http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_en.pdf
[3] http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_en.pdf
[4] http://www.thesolicitorsgroup.com/News/Article.aspx?ArticleID=3569921a-a91a-4eaf-a712-f71147164715
ELIG Gürkaynak Attorneys-at-Law - October 28 2019
TMT ( Technology, Media & Telecoms)

Processing Personal Data Based on Legitimate Interest: A Comparison of Turkish Data Protection Law

Processing Personal Data Based on Legitimate Interest: A Comparison of Turkish Data Protection Law, the Directive 95/46/EC and the GDPR

Turkey's first and only law specifically dedicated to data protection and privacy, the Law No. 6698 on Protection of Personal Data ("Law No. 6698"), came into force on April 7, 2016 with certain transition periods. The Data Protection Board has been formed, but is not yet functioning. The secondary legislation is still pending, although certain sector-specific regulations have been put in place, and is expected to be completed by April 7, 2017.

The Law No. 6698 is essentially based on the EU Directive 95/46/EC ("Directive") with particular differences. As Turkey does not have a history of data protection laws and practice, the interpretations of the Directive in the EU will shed light on the interpretation of the Law No. 6698. That said, the EU is in a period of transition to a new data protection regime and has recently introduced a game changer, the General Data Protection Regulation ("GDPR"), which will enter into force on May 25, 2018. The Directive will no longer be applicable once the transition is over. Therefore, the Directive alone should not be taken into account when construing the provisions and implementation of the Law No. 6698.

Among the provisions of the Law No. 6698, one of the most debated provisions, and the one which is highly likely to lead to further discussions and disputes in the future, is Article 5/2(e) of the Law No. 6698. The article provides a legal ground for processing of personal data without the data subjects' explicit consent (which is the primary requirement for processing personal data), if the processing is necessary for the legitimate interests of the data controller. The provision corresponds to Article 7(f) of the Directive and Article 6/1(f) of the GDPR.

The next part of this article will demonstrate how this provision (Article 5/2(e) of the Law No. 6698) is articulated in these three different regulations separately and will be followed by a comparison, highlighting their similarities and differences. The final part will consist of conclusions on the possible impacts of these differences in the Turkish jurisdiction and a discussion on whether the reasons that led to changes in the Directive could be used as tools of interpretation of the Turkish data protection law as well.

II. Conditions for processing personal data based on legitimate interest under the Directive

Article 7(f) of the Directive states that personal data may be processed if it is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject.

The Directive provides that personal data may be processed for the purposes of the legitimate interests pursued by (i) the data controller or by (ii) the third party or (iii) parties to whom the data are disclosed. It then requires an evaluation of the interests of the data controller/third parties versus the interests "or" (this has been mistyped in the English version of the Directive as "for" (Art. 29 WP's Opinion 06/2014)) fundamental rights and freedoms of the data subject. This evaluation is commonly referred to as a "balancing test". In this balancing test, one should weigh the nature and source of the legitimate interests and the necessity of processing for pursuing those interests, against the impact of the processing on the data subjects.

As for the data subjects' right to object to such processing, the Directive requires the data subject to justify its objection (Article 14 of the Directive). If there is a justified objection, then the processing instigated by the data controller no longer involves those data.

III. Conditions for processing of personal data based on legitimate interest under the GDPR

Article 6/1(f) of the GDPR states that personal data may be processed if the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests "or" fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The GDPR articulates this complementary legal ground quite similarly to the Directive and requires the same balancing test. That said, the GDPR brings a significant difference regarding the personal data that belongs to children and the data processing performed by public authorities.

The GDPR expressly requires particular consideration of children's interests or fundamental rights and freedoms, and of the information provided to them, when their personal data is processed based on this provision. In practice this might lead to obtaining parental consent before processing personal data of children or providing age restrictions as legal safeguards. Considering the purposes of this addition, the application might even be extended to the vulnerable segment of the population, such as handicapped people or people who do not have, or have significantly lost, their power of discernment for other reasons. Paragraph 75 of the GDPR's recital also uses the term "vulnerable natural persons", which is obviously broader and more comprehensive than "children".

The other addition to the relevant provision in the GDPR is the second paragraph, which has not been mentioned above. According to this paragraph (Article 6/2 of the GDPR), Article 6/1(f) does not apply to processing carried out by public authorities in the performance of their tasks. This newly introduced exception prohibits public authorities from relying on their legitimate interests in processing of personal data, for the processing carried out in the performance of their tasks.
The recital of the GDPR clarifies the reason for this amendment by stating that the legislators have the duty to provide a legal basis, through issuing laws, for public authorities to process personal data in the performance of their tasks, and prevents the public authorities from processing personal data based on their legitimate interest in the processing.

The GDPR shifts the burden of proof, as to data subjects' objection to processing, from the data subjects onto the data controllers. According to the GDPR, if the data subject objects to processing of its personal data, which is processed based on legitimate interests of the data controller, the data controller may no longer process the personal data unless the data controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

IV. Conditions for processing of personal data based on legitimate interest under the Law No. 6698

Article 5/2(f) of Law No. 6698 also provides a quite similar provision, which states that personal data may be processed without the data subject's explicit consent if processing is necessary for the purposes of the data controller's legitimate interests, provided that the processing does not harm the data subject's fundamental rights and freedoms.

The reasoning of this provision issued by the legislator provided an example for implementation of this provision, stating that the owner of a company may process its employees' personal data for arranging their promotions, salary increases or social rights or determining their role in the restructuring of the company, which constitute legitimate interests of that company.
The legislator also indicates that although the explicit consent of the data subject is not required in these cases, the fundamental principles as to protection of personal data should still be complied with and the balance of "interests" of the data controller and the data subject should be taken into account. The wording used in the provision's reasoning is interesting, considering that the provision does not mention the "interest" of the data subject but rather requires the processing not to harm the data subject's fundamental rights and freedoms. The reasoning provides a wider protection in favor of the data subjects, which would also be consistent with the Directive and the GDPR.

V. Comparison of the conditions provided under the Law No. 6698 with the Directive and the GDPR

The Law No. 6698 provides that personal data may be processed without obtaining consent, for the data controller's legitimate interests, whereas the Directive and the GDPR provide that personal data may be processed for the purposes of the legitimate interests pursued by (i) the controller or by (ii) the third party or (iii) parties to whom the data are disclosed.

The balancing test provided under the Directive and the GDPR requires an evaluation of the interests of the data controller/third parties versus the interests or fundamental rights and freedoms of the data subject. However, the Law No. 6698 only requires an evaluation of the interests of the data controllers versus the fundamental rights and freedoms of the data subject, without including the "interests" of data subjects in this assessment. As mentioned above, the reasoning of the law emphasizes the balance between "interests". However, this was not expressly articulated in the provision.

Besides, the GDPR expressly emphasizes that data controllers should be more careful in processing a data subject's personal data based on their legitimate interest where the data subject is a child. The Law No. 6698 does not put a special emphasis on protection of personal data in cases where the data subject is a child or any other person who might be considered vulnerable.

The GDPR excludes public authorities from relying on their legitimate interests in processing of personal data, for the processing carried out in the performance of their tasks. The Law No. 6698 does not provide such an exception and allows public authorities to process personal data in the performance of their duties, based on their legitimate interest as well.

Since the last two were also not included in the Directive, they might consequently not have been incorporated into the Law No. 6698.

As for the data subjects' right to object, the Law No. 6698 does not include a provision particular to processing conducted based on legitimate interests, and is silent on the burden of proof.

VI. Conclusion

The legal ground provided under the Law No. 6698 for processing personal data based on legitimate interest is overall in line with the Directive and the GDPR. However, there are particular differences in the wording of the provisions, which could lead to a significant deviation from the EU practice.

Turkish legislators excluded the legitimate interests of third parties and the parties to whom data are disclosed from the scope of this exception. This brings the question of whether the public's overriding interest in having access to certain information, for instance the public's interest in receiving information regarding the whistleblowing of irregularities in the public authorities or regarding felonies that concern the public or other information disclosed for transparency and accountability, will not be sufficient for disclosure and dissemination of such information to the public or other groups (e.g. employees of a company) that are concerned. Would it be necessary to obtain the data subject's explicit consent even when there is an overriding public interest in the processing in Turkey?
This question might find its answer in the forthcoming days through Data Protection Board decisions and court precedents on the matter or in the secondary legislation to be issued. Nevertheless, there are currently a couple of other provisions in the Law No. 6698 which might serve the same purpose through interpretation. For instance, the Law No. 6698 provides a number of exemptions from the application of the law. One of these exemptions covers processing of personal data within the scope of freedom of speech, but only if the processing does not breach national defense, national security, public safety, public order, economic safety, privacy of private life or personal rights. This provision might be construed for the interests of the public and third parties, and might serve as a legal ground for processing of data when there is an overriding public interest, without requiring explicit consent of the data subject.

The Directive and the GDPR require both the "interests" and the "fundamental rights and freedoms" of the data subjects to be considered when exercising a balancing test, whereas the Law No. 6698 does not mention the "interests" of the data subjects. Therefore, the scope of application of the relevant exception provided under the Law No. 6698, in this respect, is broader when compared to the Directive. This would allow a wider area of processing personal data when there is a legitimate interest of the data controller, since the data controller would be obliged to consider whether the data subject's fundamental rights and freedoms override, rather than also considering whether their interests override, the data controller's legitimate interest in processing the data without the data subject's consent.

There has been a quite important change in the GDPR, which shifted the burden of proof as to objections regarding processing based on legitimate interests from the data subjects onto data controllers. On the other hand, the Law No. 6698 does not include any provision as to cases where the data controller has a legitimate interest in processing personal data but the data subject objects to such processing, and remains silent as to the burden of proof in such cases.

Adoption of a supra-national regulation (Directive) rather than a directly applicable law inevitably leads to certain gaps in the legislation for a civil law country. Nevertheless, the legislators could have at least addressed all the issues addressed in the Directive. This could have prevented further gaps and ambiguities in the legislation in addition to the ones inevitably borne. Furthermore, the supra-national regulation that the Law No. 6698 is based on is more than twenty years old. As the EU legislation evolves, the Turkish legislators and the Data Protection Board should make use of the past experiences of the EU and construe and implement the Law No. 6698 and issue the secondary legislation in light of the GDPR, which was a result of the remarkable data protection history of the EU.

(First published in Mondaq on February 24, 2017)
ELIG Gürkaynak Attorneys-at-Law - October 28 2019