Evaluation of the Constitutional Court Decision No. 2021/93: Unauthorised Access and Dismissal

The Constitutional Court’s Decision dated 16/12/2021, numbered 2020/77 Esas and 2021/93 includes important evaluations.

To summarise briefly, Mardin 2nd Administrative Court, in the lawsuit filed for the cancellation of the dismissal penalty imposed ‘on the grounds of making inquiries about personal data in electronic environment without authorisation’, concluded that the rule subject to the objection was unconstitutional and applied to the Constitutional Court for cancellation.

The article subject to the objection and requested to be cancelled is Article 8/6-aa of the Law No. 7068 on the Adoption of the Decree Law on General Law Enforcement Disciplinary Provisions:

‘Unauthorised but unlawfully making inquiries about personal data in electronic media or computer logs, sharing the information obtained in this way or announcing it through publication, changing or deleting log records’ will be punished with dismissal from the profession.

In the grounds of objection, it is stated that making inquiries requires disciplinary punishment; however, ‘only viewing’ personal data cannot be seen with the same weight as acts such as disseminating and announcing these data, in this sense, the penalty of dismissal from the profession is incompatible with the principle of proportionality, which is a requirement of the rule of law, and the disciplinary punishment and the weight of the act do not stand in a fair balance.

In its examination, the Court referred to the definition of personal data and emphasised that ‘as stated in the established decisions of the Constitutional Court’, not only the information revealing the identity of the individual, but also all data such as motor vehicle registration plate, IP address, hobbies, preferences, etc. that would make many individuals directly or indirectly identifiable fall within this scope.

According to the article, in order for the query to constitute a disciplinary offence, the personnel must make this query even though they are not authorised to make a query on the system. Therefore, the phrase ‘unlawfully without authorisation’ covers the unlawful access of the personnel to personal data to which they do not have access within the framework of their authorisation.

In accordance with Article 70 of the Constitution, it has been evaluated that no discrimination shall be made in recruitment to public service, in addition to this, the issues of observing the qualifications required by the duty and preventing the abuse of the right are regulated in the justification of the article, leaving a discretionary power to the legislator in this sense. Therefore, in order to determine whether the regulation in question has a legitimate purpose, it is necessary to determine whether the act resulting in dismissal from the profession is within the qualifications required by the duty.

The following explanations in the judgement are important ‘It is mandatory and inevitable for the law enforcement organisation, which is responsible for ensuring public order and security in society, to have the authority to question the personal data needed during the fulfilment of this duty in order to fulfil the service properly. However, the acceptance that all law enforcement personnel can make inquiries on the personal data of individuals regardless of the scope and nature of their duties and without any limitation will mean a violation of the constitutionally guaranteed right to protection of personal data by the state itself, and the formation of such a perception of law enforcement personnel in the society may lead to damage to the trust in law enforcement officers.’

‘The principle of proportionality guaranteed in the aforementioned article of the Constitution consists of three sub-principles: convenience, necessity and proportionality. Convenience refers to the fact that the foreseen restriction is suitable for achieving the desired purpose, necessity refers to the necessity of the restriction in terms of the desired purpose, in other words, it is not possible to achieve the same purpose with a lesser restriction, and proportionality refers to the necessity to observe a reasonable balance between the restriction imposed on the right and the purpose to be achieved.’

This decision of the Constitutional Court is closely related to the Law No. 6698 on the Protection of Personal Data (‘Law’) and the Board decisions.

As it is known, in its decision dated 1/03/2021 and numbered 2021/230, the Board, in the case where the former spouse, who is a public employee and ‘authorised to access’, accessed the salary information from the system and submitted it to the court in the divorce case, instructed the relevant data controller by stating that ‘the processing of personal data by using it for a purpose other than the fulfilment of defined services and legal obligations by a personnel working within the data controller’ cannot be considered within the processing conditions.

Similarly, in another decision, a fine of 450.000 TL was imposed on the data controller who did not take the necessary administrative and technical measures to ensure data security as a result of excessive queries such as querying the credit scores of the data subject many times by the bank without the knowledge of the person, taking notes and taking photographs of the credit scores.

There is also a principle decision of the Board numbered 2018/63 ‘Regarding the evaluation of the processing of personal data by the personnel who are authorised to access the personal data of the data controller for purposes other than their authorisation and purpose’. This principle decision imposes an obligation on data controllers to take all kinds of technical and administrative measures to prevent unauthorised actions of those who have access to personal data due to their position. In the light of all these explanations, the relevant provision was found to be proportionate and appropriate by the Constitutional Court and the objection was rejected.

The decision of the Constitutional Court, which we have witnessed the importance of access authorisation/authorisation matrix in the context of public institutions and organisations and public activities, and which we can see as a mechanism experiencing the consequences of the above-mentioned precedent violations, reveals once again that unauthorised access alone may be a reason for dismissal from public service, and in this sense, even if public activities are carried out, data controllers must take all necessary administrative and technical measures regarding data protection and data security, and that they have an active duty of care in this sense.

Kind regards,