PERSONAL DATA PROTECTION LAW

The Law on the Protection of Personal Data (“LPPD”) and its secondary legislation is a living law that is frequently updated since its effective date. Many procedures and principles related to data protection are determined not only by the Law, Regulation and Communiqué, but also by the Board Decisions, Principle Decisions and Board Decision Summaries. Therefore, our monthly bulletins aim to inform those concerned about the practices of the Personal Data Protection Board (“Board”) and to keep them up-to-date.

Due to the earthquake disaster in our country, it was decided to declare a State of Emergency for three months, and public institutions took additional measures related to their areas of responsibility and announced them to the public. Within the scope of KVKK, postponements have been made regarding the periods to be taken into consideration by data controllers and data subjects regarding complaints, notifications, data breach notifications and other obligations. In this respect, the Agency did not publish any content, except for earthquake-related issues.

INFORMATION & PERSONAL DATA SHARING IN CASE OF DISASTER

Article 217/A titled “publicly disseminating misleading information” has been added to the Turkish Penal Code with Article 29 of the Law No. 7418 on the Amendment of the PRESS LAW and SOME LAWS, which was published in the Official Gazette dated 18 October 2022. The relevant article stipulates that “Anyone who publicly disseminates untrue information about the internal and external security, public order and public health of the country, with the sole purpose of creating anxiety, fear or panic among the public, in a way that is conducive to disrupting public peace, shall be sentenced to imprisonment from one year to three years.” Disinformation has been criminalised. Therefore, not only news organisations but also individuals may be the perpetrators of the relevant offence.

Obtaining accurate information and providing correct guidance in the face of disasters and emergencies constitutes an extremely important issue in terms of preventing disinformation. The presence of personal data in the information content and indiscriminate sharing of personal data may cause irreparable damages in moral and material terms and may cause loss of time in terms of disaster-related activities.

It is the most important element of confirmed information sharing that the accuracy of the information content is confirmed and the source of the communication can be verified.

Posts that may cause discrimination and victimisation should be avoided, and posts that support practices that may constitute a violation of the law should be avoided.

The relevant public institutions and organisations should be informed in case of detection of phishing content, which is known to be harmful and aims to capture personal data, especially banking information, and care should be taken to ensure that the sites where personal data is made public are secure and that no password or password information is shared in case of suspicion.

It should be taken into consideration that people exposed to disasters may experience secondary trauma especially due to posts containing personal data and the effects of posts should be taken into consideration.

Although many basic needs are interrupted during a disaster, it should be a basic principle to fulfil basic needs only in scenarios where the best interest is considered.

For example, while a person’s name, surname and residence information should be protected in the ordinary course of life and in case of disclosure, it can be claimed that the privacy of private life is violated, sharing the same information on social media has become a very important supporter of search and rescue operations in order to reach people trapped in the rubble of collapsed buildings in the earthquake zone. For this reason, it can be interpreted that the measures related to the protection of the right to privacy may be flexed in the sharing of the relevant information.

Continuing with the same scenario, it can be interpreted that if the moments when people are pulled out of the wreckage are broadcasted in a way that their faces can be seen in the live broadcasts of television channels, the “superior benefit” criterion mentioned in the balance mechanism explained above will not be met.

In particular, minors deserve special protection regarding their personal data, as they may be less aware of the risks and consequences to their detriment and are vulnerable in securing their rights.

On 06.02.2023, due to the earthquake disaster, it has been witnessed that many children’s personal data have been shared in the conventional press and social media regarding children who were pulled out of the rubble, lost their lives in the rubble, could not reach their families or were left without families.

The publication on the internet of photographs and videos of the most desperate moments of earthquake survivor children may cause severe traumas to follow them in the coming years.

What is the Right to be Forgotten?

The right to be forgotten is the right of the person not to want the data such as news, photos, videos, information, etc. that appear about him/her in the internet search results to be in the internet search results.

With the exercise of the right to be forgotten, it will result in the fact that the content that is legally legitimate on the internet is no longer accessible in search engines. The right to be forgotten can be briefly described as the right to request that the lawful content not be listed in search engines.

The right to be forgotten, which is not directly regulated in the Constitution of the Republic of Turkey, imposes a positive obligation on the State under the heading “to endeavour to prepare the necessary conditions for the development of the material and spiritual existence of man”. The existence of the right to be forgotten will also be accepted when we evaluate the provisions on the inviolability of the person, material and spiritual existence, personal freedom and security and privacy of private life in the second part of the Constitution titled Rights and Duties of the Person within the scope of the purposive interpretation method.

The right to be forgotten is not the right to demand the removal of the content from the internet. As stated in the article titled Right to be Forgotten prepared by Dr. Mehmet Bedii Kaya, the right to be forgotten is the right to request that the content on the internet not be listed in search engines (delisting).

Therefore, although the right to be forgotten may minimise the possibility of people being affected by trauma, it will not completely eliminate it. For this reason, the main solution is to mask these publications in such a way that the individuals are not recognisable and such victimisation is not created in the first place.