Head of legal and compliance | Danone Turkey
Sevda Aydın Alemdar
Head of legal and compliance | Danone Turkey
Head of legal and compliance | Danone Turkey
Senior Legal Counsel | PepsiCo
Having started her in-house legal career at PepsiCo Snacks in 2008, Sevda Aydın Alemdar has since become a key figure in the in-house legal department at the global food and...
FMCG is a very fast and a dynamic sector where changes and transformations occur constantly, and I have been involved in a lot of organisational changes and restructuring projects in the last two years. These include switching to an automation system, shutting down an entire unit, merging the units.
I have taken role in the designing all the processes from start to finish working very closely with the HR team. In this process, I contributed not only to the creation of the termination process, but to the creation of the whole process from beginning to end. We decided why this change was needed, why people were chosen and even how to talk, what to wear on the day of communication with people we call “tell day” working with teams. In this period, I supported the re-establishment of disciplinary processes by giving labour law trainings across locations in order to standardise and simplify processes. By designing the processes together with human resources and team managers we have ensured that all stakeholders participate and embrace the process. By adding standard texts to this internalized process, we have both reduced the workload for all parties and re-created the process, designated the risks and eliminated implementation errors.
For the last three months, I’ve been pursing my career in a different company. I work here in the country solution centre, which supports 3 different business units. It is necessary to know what each business does by providing the same quality of service at equal distance to these three different business units. Before my position, the legal team was working as separate supporting departments for each unit, so I focused primarily on ensuring that the team was a single legal unit and support each other in every condition. Especially, I directed my team to make it a culture to follow our work through a common area by creating common texts to make processes as systematic and standardized as possible. My most important work area and priority right now is to get used to cultural diversity and manage change.
The in-house lawyer firstly needs to know the company well they work for. They should follow annual targets, market share and sales of company. In addition, they should be able to follow, analyse and inform business units about what is happening in the sector where they work and what is on the agenda. It is not enough just to have good legal knowledge to have a good relationship with business. It is necessary to understand business, to analyse expectations well and look in the same direction.
Especially in FMCG, lawyers should be fast and always accessible, giving messages to business very clearly but it not a unit that only says yes or no. When evaluating risks, lawyers should determine what the red lines are and what risks the business can take. The business should know when to come to law department, for this, legal procedures should be available to everyone, and should be simple plain as communication and closeness are very important. In-house lawyers must also [make efforts to] go to the field if necessary, so if there is production, they must go to the factory, make field visits etc.
In-house lawyers are usually approached with an urgent message and asked to find solutions without telling the cause of the issue, so my most important advice is that the lawyer should always analyse the demand that comes to them whether urgent or not well and ask the right question.
I believe that in-house lawyers should be informed about the subject outsourced. I believe that the outsourcing lawyers should feel that we have outsourced the work for a more in-depth assessment and for a second look at the matter.
Outsourced lawyers need to have a good understanding of the company, the culture, the business conduct model and the priorities of it. Thus, they should be included in the processes as much as possible even from outside. The outsourced lawyers need to embrace the company they are advising and understand its expectations.
As it is known, the legal infrastructure of the concept of personal data has not been established for very long in Turkey, and while some legislation such as the Turkish Penal Code refers to the concept, the legal definition of personal data has not been codified for a long time. Subsequently, the Law on the Protection of Personal Data (“Law”) no. 6698 published in the Official Gazette in March 2016 attempted to correct this deficiency.
Since its practice has still not been established and there are many vague concepts in its contents, the law is constantly being tried to be applied using interpretation principles for judicial authorities, including lawyers.
For practitioners, a regulation in the Article 5 of the Law has particularly attracted attentions and its scope caused controversies. According to the article in question, the main principle is that personal data is not processed without the express consent of the person concerned. However, the second paragraph of the article makes exceptions to this main principle; accordingly, the consent of the person concerned shall not be sought in the event of certain conditions, including:
It is debatable what the scope of this exception is. What should be the legitimate interests of the data controller? Do all rights arising from the contract fall under the scope of legitimate interest? What should be the limit of it?
Personal Data Protection Board (“Board”) makes a highly controversial comment, in our opinion, on this matter with its decision no. 2019/4, dated 03.01.2019.
The application subject to the decision comes from the General Directorate for Highways. In summary, the application asks for opinions on (i) the appropriateness of sharing auto pass/fast pass system account information of vehicle owners with the operators of motorways and (ii) sending SMS to the mobile phones of the vehicle owners for informational purposes related to the transit of vehicles.
At this point, to sum up with quotes from the letter of application, motor vehicle users can make their payments through the electronic payment systems defined for their vehicles when they use the toll roads. The accounts connected to the payment systems mentioned are provided by the banks and a contract is signed between the users of auto and fast pass systems and banks. At the time of the crossing, readers of the highway operator identify the vehicle label and make a provision query from the relevant bank. As a result of this provision query, the bank’s negative response to the query was made without payment of the toll, which is considered a violation of the pass.
The board’s decision on the subject, again in summary,
(i) In the bank’s relations with its customers, since all the information obtained before and after the contract (the status of the customer’s cash and assets, creditworthiness, investment activities, profit and loss accounts, legal proceedings and litigation about the customer, the address and telephone information of the customer etc.) is considered a customer secret in the context of the Banking Law, sharing the account information would not be appropriate in the sense of the Law
(ii) if SMS is sent to the telephone numbers associated with the TR ID number of the vehicle owners who are violating the pass, one of the conditions stated in Article 5 of the Law no. 6698 must exist, since the processing of the TR ID number and telephone information of the person concerned will be in question. Accordingly, if the mobile phone numbers are registered in the subscriber directories, the personal data in question will be made public by the contact person and it is thought that the personal data in question can be processed without seeking the explicit consent of the contact person. In addition, it judged that the vehicle owners not registered in the subscriber directories will be notified with an SMS to the telephone numbers related to the TR ID number and considering that persons concerned will make their payments within 15 daily legal duration in order to prevent administrative fines, if it prevents public loss or provides different legitimate interests to the administration/operator companies, it will be determined what GSM operator the mobile telephone numbers of the persons concerned are registered in and only that operator will be sent the information of the persons related and the operation of the data in question will be legal according to the (f) clause of the paragraph (2) of the article 5 of the Law on the operation of the data in question.
At this point, it is clear that the information of the person’s OHS/HGS account remains within the scope of the customer’s secret and we believe that in this regard the decision of the Board is appropriate.
On the other hand, in our opinion, it has been an appropriate determination that if the person records the phone number in the directory, the personal data will be deemed to be publicized. Because the person makes their phone number with personal data accessible at their own will. At this point, it is obvious, that it is not reasonable that the publicized personal data of the person benefits from a protection in this scope.
The most remarkable aspect of decision of the Board is the permission given to send SMS to the phone numbers mentioned above, which have not been publicized and which are not recorded in the directory. At this point, the Board relies on the clause f of Paragraph 2 of Article 5 of the law and has assessed that conditions may exist “not to harm fundamental rights and freedoms” and that “it should be mandatory for the legitimate interests of the data responder”. In accordance with this decision, the Board has also allowed the creditor to process the personal data of the debtor for the performance of this act in the event that a contractual counteract is not fulfilled. In accordance with this decision, data collectors will now be entitled to send debtors’ identification numbers to telecommunications operators to inform them of a claim, whether or not it is registered in the directory or not, and to send a notice to the debtors.
“To prevent public harm” in the resolution is a new concept that is not included in law. As is known, the Board does not have the capacity to legislate, nor does it have the powers or duties to make changes to any law. At this point, the Board has adopted the criterion for the prevention of public harm with a comment that can be interpreted differently for many data collectors and, unfortunately, can be misused. With this acceptance, the result may be that the use of clause 5/II-f of the Law may be possible for savings preventing public harm.
In this respect, it may be said that the Institution has exceeded the limits of authority with the decision taken. It is thought that the decision of the Board which should not be against the law in terms of hierarchy of norms, can also be questioned by court decision.
Likewise, even though such a decision was made by the Board, for the cell phone line owners who do not allow their phone numbers registered in the directory (or whose phone numbers have not been publicized in any way), it seems possible to go to data collector boards and institutions and criminal and legal responsibilities due to SMS that were sent to them.
As we stated at the start of our review, we hope that the very new legislation on the protection of personal data will be strengthened with practice and such ambiguities will be corrected especially with the judicial decisions that will become permanent.
