The processing of personal data is considered to be any operation performed on personal data, whether wholly or partially automated or not, which includes collection, recording, storage, retention, alteration, restructuring, disclosure, transfer, retrieval, making available, classification, or use of data. Any activity carried out from the collection of personal data to its deletion, destruction, or anonymization is considered as the processing of personal data within the scope of the Law.
There are basic principles regarding the processing of personal data, which are recognized in international documents and reflected in the practices of many countries. Article 4 of the Law regulates the procedures and principles regarding the processing of personal data in parallel with the European Convention 108 on the Protection of Individuals with regard to Automatic Processing of Personal Data and the European Union Data Protection Directive 95/46/EC. Accordingly, the general principles listed in the Law for the processing of personal data are as follows:
- Compliance with the law and good faith,
- Being accurate and up to date when necessary,
- Processing for specific, explicit and legitimate purposes,
- Being relevant, limited and proportionate to the purpose for which they are processed,
- Retention for the period stipulated in the relevant legislation or required for the purpose for which they are processed.
The principles regarding the processing of personal data should be at the core of all personal data processing activities and all personal data processing activities should be carried out in accordance with these principles.
Personal data is any information relating to an identified or identifiable natural person.
Processing of personal data is possible in the presence of at least one of the conditions listed in Article 5 of the Law. According to this;
- Explicit consent of the person concerned,
- Explicitly stipulated in the law,
- It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid,
- It is necessary to process personal data belonging to the parties of a contract, provided that it is directly related to the establishment or performance of a contract,
- That it is mandatory for the data controller to fulfill its legal obligation,
- It has been made public by the person concerned,
- Data processing is mandatory for the establishment, exercise or protection of a right,
- The processing of personal data of the data subject is permissible if it is necessary for the legitimate interests pursued by the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
The conditions for the processing of personal data, i.e. the cases of lawfulness, are listed in a limited number in the Law and these conditions cannot be expanded.
If personal data processing is based on one of the conditions other than explicit consent in the Law, then there is no need to obtain explicit consent from the data subject. While it is possible to carry out the data processing activity on a basis other than explicit consent, basing it on explicit consent will be deceptive and an abuse of right. As a matter of fact, if the explicit consent given by the data subject is withdrawn, the data controller’s continuation of the data processing activity based on one of the other personal data processing conditions will mean a transaction contrary to the law and good faith.
In this context, it should be evaluated by the data controller whether the purpose of the personal data processing activity is primarily based on one of the processing conditions other than explicit consent, and if this purpose does not meet at least one of the conditions other than explicit consent specified in the Law, then the explicit consent of the person should be obtained for the continuation of the data processing activity.
Special categories of personal data are those that, if disclosed, could lead to discrimination or potential harm to the individual. Therefore, they require even stricter protection compared to other personal data. Special categories of personal data may only be processed with the explicit consent of the data subject or in limited circumstances specified by law.
Special categories of personal data are defined in the Law through limited enumeration. These are; race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal conviction and security measures, and biometric and genetic data. It is not possible to extend special categories of personal data by analogy.
The Law also makes a distinction between special categories of personal data. Accordingly, the processing of personal data relating to health and sexual life and the cases where personal data of special categories other than these can be processed without explicit consent are regulated differently
According to the law, the processing of special categories of personal data is possible without the explicit consent of the data subject in the following cases:
Personal data of special nature other than health and sexual life may be processed only in cases stipulated by law, Personal data relating to health and sexual life may be processed only for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorized institutions and organizations under the obligation of confidentiality.