Evaluation of Personal Data Breaches within the Scope of Turkish Penal Code

CottGroup
11 min readApr 24, 2024

--

Technology, which develops day by day, has carried people’s daily life to a different dimension. Conveniences that did not exist before have emerged. People have started to carry out many of their business online. Private sector and even public institutions carry out many transactions in this way. For this reason, almost everyone has information registered in multiple websites and databases. Many information such as T.R. identity numbers, home addresses, height of the person are included and stored in the systems. In other words, data is obtained, stored, or more accurately, processed. In the face of this convenience, mankind, which continues many of its business through the internet, has of course met some dangers that it has not faced before. One of these is personal data breaches.

Data breach can be explained as the unlawful acquisition of processed personal data by others. However, firstly, the concept of “personal data” should be mentioned. Personal data is defined in the Personal Data Protection Law. This definition is “any information relating to an identified or identifiable real person”. The Law is a very young law that entered into force in 2016. The regulation of this law is very important due to the widespread use of personal data.

At this stage, it would be appropriate to mention the history of personal data in our country. In fact, this issue has a history that is not new for us. Türkiye is one of the first countries to sign the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, which was opened for signature by the Council of Europe in 1981. This Convention is also known as Convention №108. Although the date of signature is old, it has been incorporated into domestic law by being published in the Official Gazette dated 17 March 2016 and numbered 29656. Its main purpose is to guarantee, in each Member State, the fundamental rights and freedoms of natural persons, regardless of nationality or residence, and in particular their right to privacy against automated processing of personal data concerning them. Additional Protocol To The Convention For The Protection Of Individuals With Regard To Automatic Processing Of Personal Data Regarding Supervisory Authorities And Transborder Data Flows was adopted by Turkey in 2001 and incorporated into domestic law by being published in the Official Gazette in 2016. In this protocol, the state parties undertook to establish a supervisory authority that will fulfil its duties with full independence in the field of personal data protection to be implemented in their countries.

It is also necessary to mention the national regulations in this regard. In 2004, the Turkish Penal Code №5237 and the articles of law that will be mentioned in the rest of this article entered into force. In 2010, the provision on the protection of personal data was included in the Constitution. Paragraph 3 of Article 20 of the Constitution, which regulates the privacy of private life, is related to personal data. This article states that “Everyone has the right to request the protection of personal data concerning him/her. This right includes the right to be informed about personal data concerning him/her, to access such data, to request their correction or deletion, and to learn whether they are used for their intended purposes. Personal data may only be processed in cases stipulated by law or with the explicit consent of the person. The principles and procedures regarding the protection of personal data shall be regulated by law.” In 2016, the aforementioned international regulations were incorporated into domestic law and most importantly, the Personal Data Protection Law №6698 was published in the Official Gazette and entered into force. However, in this article, personal data violations will be addressed within the scope of the Turkish Penal Code.

Turkish Penal Code №5237 includes offences related to personal data in Chapter 9 titled “Offences against Private Life and Confidentiality of Life”. Article 135 provides for the acts of recording personal data, Article 136 provides for the acts of unlawfully giving or obtaining data, and Article 138 provides for the acts of not destroying data. Article 140 mentions the application of security measures about legal entities.

Recording Personal Data

The first paragraph of Article 135 of the Turkish Penal Code stipulates that “Anyone who unlawfully records personal data shall be sentenced to imprisonment from one to three years.” The second paragraph reads as follows: “Anyone who unlawfully records personal data on political, philosophical or religious opinions, racial origins, moral tendencies, sexual life, health status or trade union affiliations of persons shall be punished in accordance with the provision of the above paragraph.”

KVKK should be taken as a basis for recording personal data in accordance with the law. Recording personal data also means processing. Because in the definition made by the KVKK for the processing of personal data, it is also mentioned to be recorded. The conditions for processing personal data are listed in Article 5 of the KVKK. Accordingly, firstly, the explicit consent of the data subject is required for the processing of personal data. The article also lists the cases where personal data can be processed without explicit consent. If the data is recorded without explicit consent and these conditions are present in the relevant case, the recording will not have an unlawful result. These situations are as follows;

  • “It is expressly provided for by the laws.
  • It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.
  • Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
  • It is necessary for compliance with a legal obligation to which the data controller is subject.
  • Personal data have been made public by the data subject himself/herself.
  • Data processing is necessary for the establishment, exercise or protection of any right.
  • Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.”

The absence of explicit consent and these conditions will result in a violation of the law. As a result, it is regulated by the Turkish Penal Code that the person will be sentenced to imprisonment from one year to three years.

In the decision of the Penal Department no. 12 of the Supreme Court File No: 2019/14037, decision no: 2022/2232 “The concept of “personal data”, which constitutes the material subject of the offence of recording personal data and unlawfully giving or obtaining data, refers to the identity information (such as T.R. identification number, name, surname, place and date of birth, mother and father’s name), criminal record, place of residence, education status, profession, bank account information (such as T.R. identity number, name, surname, place and date of birth, mother’s and father’s name), criminal record, place of residence, educational status, occupation, bank account information, telephone number, e-mail address, blood type, marital status, fingerprints, DNA, biological samples such as hair, saliva, nails, sexual and moral tendency, “Personal data” shall be understood as any information belonging to a natural person that identifies or makes identifiable the identity of the person, such as health information, ethnic origin, political, philosophical and religious views, trade union affiliations, which distinguishes the person from other individuals in the society and is suitable for revealing his/her qualities.”, indicating what is to be understood from the concept of “personal data”.

Unlawful Delivery or Acquisition of Data

Article 136 of the Turkish Penal Code stipulates that “Any person who unlawfully delivers data to another person, or publishes or acquires the same through illegal means is punished with imprisonment from one year to four years.”

Here, it can be said that the transfer is in question in the transfer and dissemination of personal data to another person. Transferring personal data is also within the definition of processing personal data of the KVKK. Likewise, obtaining personal data is also included in this definition. As we mentioned before, the conditions for processing personal data are stipulated in Article 5 of the KVKK. Here, giving, disseminating or obtaining personal data to another person who does not comply with the conditions will be considered an offence according to Article 136.

Article 137 of the Turkish Penal Code lists the qualified forms of these offences. This article states that “The offences defined in the above articles;

  • By a public official and by abusing the authority of his/her office,
  • By taking advantage of the convenience provided by a certain profession and art,

If it is committed, the penalty to be imposed shall be increased by half.”

In the decision of the Penal Departmant no. 12 of the Supreme Court File No: 2015/4349 and Decision No: 2016/5349 The concept of personal data, which is the subject of the offences of “Recording Personal Data” and “Illegally Giving or Obtaining Data” regulated in Articles 135 and 136 of the Turkish Penal Code, refers to the concept of personal data that the person does not submit to the information of unauthorised third parties, discloses it to other persons when desired and shares it only with a limited environment, is not known by everyone and / or cannot be easily accessed and known, Any information belonging to a real person that identifies or makes identifiable the identity of the person, distinguishes the person from other individuals in the society and is suitable for revealing his/her qualities should be understood, unlawful recording of any information belonging to a specific or identifiable person is defined under Article 135 of the Turkish Penal Code. The unlawful recording of any information belonging to a specific or identifiable person is defined under the title of “Recording of personal data” in Article 135 of the Turkish Penal Code, and the giving, dissemination or seizure of any information belonging to a specific or identifiable person is defined as two separate and independent crimes under the title of “Unlawful giving or seizure of data” in Article 136/1 of the same Law.”, drawing attention to the difference between the two separate crimes we examined.

In addition, it has been pointed out that personal data that are easy to access with the decisions of the Supreme Court, which are not confidential, are also protected by these provisions. In the decision of the Penal Departmant no. 12 of the Supreme Court File No: 2019/14037 and Decision No: 2022/2232 “As emphasised in the decision of the Supreme Court Assembly of Penal Chambers dated 17.06.2014 and numbered 2012/1510–2014/331; In the regulations regarding the protection of personal data in Articles 135 and 136 of the Turkish Penal Code, there is no provision that only confidential personal data will be protected, and on the contrary, in the justification of Article 135. On the contrary, in the preamble of Article 135, it is stated that all kinds of information related to the real person should be accepted as personal data, the acts of recording, giving, disseminating and obtaining all kinds of personal data illegally constitute the offences of recording personal data under Article 135 of the Turkish Penal Code and illegally giving or obtaining data under Article 136 of the same Law. For this reason, personal information that is known by everyone and/or can be easily accessed and known is also considered as “personal data” in the legal sense. However, in order to prevent negative consequences such as uncertainty in practice and almost every action constituting a crime by expanding the scope of application of the offences of recording personal data and unlawfully giving or obtaining data more than intended, it is necessary to make a meticulous evaluation by taking into account the characteristics of the concrete case, and to consider any branch of law in the case.

“Furthermore, although there is no doubt that a private life image or voice is “personal data”, fixing the image or voice of a person’s private life to a certain electronic, digital, magnetic place with a device capable of taking or recording pictures without his/her knowledge is defined in Article 134/1. and paragraph 2. In the second sentence of Article 134/1 of the Turkish Penal Code; disclosure without consent, i.e.; dissemination, disclosure, exposure, publicising, publicising, publicising, making public, in summary; making it available to the information of persons or persons who are not authorised to learn its content 134/2 of the TCK. Since it is regulated within the scope of the offence of violating the privacy of private life in Article 134/2 of the Turkish Penal Code, the image or voice of the person’s private life cannot be considered as personal data within the scope of Article 135/1 of the Turkish Penal Code and Article 136/1 of the same Law.”, the issue of the image and voice of the person has also been clarified.

Failure to Destroy Data

Article 138 of the Turkish Penal Code stipulates that “In case of failure to destroy the data within a defined system despite expiry of legally prescribed period, the persons responsible from this failure is sentenced to imprisonment from six months to one year.”

The second paragraph of the article states that “If the subject of the offence is data that must be eliminated or destroyed according to the provisions of the Code of Criminal Procedure, the penalty to be imposed is increased by one time”

Complaint

Another issue that should be mentioned is the issue of complaint, which is stipulated in Article 139 regarding the offences regulated under Chapter 9 of the Turkish Penal Code. This article states that “The investigation and prosecution of the offences under this section, except for the recording of personal data, unlawful transfer or seizure of data and failure to destroy data, are subject to complaint.” This article contains the following provision.

Offences whose prosecution is subject to complaint are the offences that are investigated or prosecuted upon the filing of a complaint by the victim of the offence or the persons harmed by the offence. With Article 139, it is understood that the offences we have examined are not subject to complaint. Accordingly, the investigation of the offences will begin when the acts constituting the offence are learnt. The withdrawal of complaints does not mean that the stages of investigation or prosecution will stop. It will be continued by the prosecutor’s office.

Imposing Security Measures on Legal Entities

Article 140 of the Turkish Penal Code stipulates that “Security precautions specific to legal entities are imposed in case of commission of offenses defined in the above articles by legal entities.” These security measures are defined in Article 60 of the TPC as follows;

  1. “In case of conviction of a crime through participation of the organs or representatives of a legal entity subject to special law and operating under the license granted by a public institution or misuse of authorization conferred upon by this license, the court may decide cancellation of this license.
  2. The provisions relating to confiscation are applied also for the legal entities involved in commission of offense.”

The activity permit of a private law legal entity that commits one of the crimes we have examined may be cancelled. For this, there must be a permit granted to this private law legal entity.

Confiscation, on the other hand, means the transfer of the ownership of certain goods or earnings related to an offence committed to the state. Goods and material gains related to the offence may be confiscated.

CONCLUSION

As can be seen, personal data has become increasingly important and its protection has also become of great importance. Accordingly, the Turkish Penal Code has also made provisions. Different judicial decisions have emerged based on these provisions. It is certain that new decisions will emerge as time progresses. For this reason, it will be an inevitable result that the protection of personal data within the scope of the Turkish Penal Code will develop and strengthen.

--

--

CottGroup

CottGroup® is a holistic service organization which offers a full range of consulting, outsourcing, technology, and training services in Turkey.