Legitimate Interest of the Data Controller in Data Processing
The Personal Data Protection Law (“KVKK”) is a young law adopted in 2016 and published in the Official Gazette. Personal data is clearly defined in Article 3 of the Law as “any information relating to an identified or identifiable natural person”. In today’s world where technology is developing every day, personal data and protection of personal data are becoming more and more important day by day. As social media platforms, systems used in corporate life and digital communication develop, people are in a difficult position to protect their personal data. The Personal Data Protection Law reveals its main purpose at this point.
The Personal Data Protection Law aims to protect the fundamental rights and freedoms of individuals, especially the right to privacy, and to regulate the obligations of natural and legal persons who process personal data and the procedures and principles to be followed. In order to protect the fundamental rights and freedoms of individuals, the law has introduced different provisions and provided explanations to various concepts.
The Personal Data Protection Law clearly defines the concept of “processing of personal data”. Pursuant to subparagraph e of Article 3 of the Law, the term “processing of personal data” refers to “any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof”.
The processing of personal data is subject to certain conditions. These conditions are discussed in Article 5 of the Law. First of all, it should be emphasized that personal data cannot be processed without the explicit consent of the data subject. However, in some cases, personal data may be processed without the explicit consent of the data subject. Paragraph 2 of Article 5 of the KVKK lists the conditions that make it possible to process personal data without the explicit consent of the data subject, if any. These conditions are limited. This situation is explained by the principle of “numerus clausus”. Numerus clausus is a concept meaning “limited number”. In other words, with this article, the conditions indicating the cases where personal data can be processed without obtaining explicit consent are determined and limited one by one. These conditions are as follows:
- It is expressly provided for by the laws.
- It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.
- Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
- It is necessary for compliance with a legal obligation to which the data controller is subject.
- Personal data have been made public by the data subject himself/herself.
- Data processing is necessary for the establishment, exercise or protection of any right.
- Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.”
The “legitimate interests of the data controller” referred to in subparagraph f of this Article is an important issue that needs to be explained. The data controller must have a legitimate interest and the fundamental rights and freedoms of the data subject must not be harmed. Particular attention should be paid to the concept of “legitimate interest”, as this concept may become inclusive in a way that may cause problems. It is important what is meant by the concept of legitimate interest.
Benefit, as it is known, means “interest, benefit”. What these interests may be can be explained with examples. For example, the processing of personal data of the employees of a company owner, provided that it does not harm the fundamental rights and freedoms of its employees, in order to be taken as a basis in the organisation of their promotions, salary increases or social rights or in the distribution of duties and roles in the process of restructuring the enterprise, is included within the scope of the legitimate interest of the company owner. Again, data processing in order to apply rewards and premiums to increase employee loyalty is within this scope. These are the correct examples given in the publications prepared by the Personal Data Protection Authority.
Again, in the publication titled “Personal Data Processing Conditions” published by the Personal Data Protection Authority, it is stated that “legitimate interest” should be “related to an effective, specific and already existing interest that can compete with the fundamental rights and freedoms of the data subject”.
While the interest exists, it must also be “legitimate”. As it is known, this concept means “right, justified, legal, what the law considers right”. For example, continuing to process the information of people who have been dismissed from a company is usually not based on a legitimate basis.
If personal data is processed for the legitimate interests of data controllers, certain conditions must be met. In the decision of the Personal Data Protection Board dated 25 March 2019 and numbered 2019/78, which is a very important decision, these conditions are listed as follows:
- The benefit to be obtained as a result of the processing of personal data and the fundamental rights and freedoms of the person concerned are at a competitive level,
- Processing of personal data is mandatory in order to achieve the interest in question,
- The legitimate interest is already present, specific and clear,
- A benefit will be provided if the legitimate interest, which is competing with the fundamental rights and freedoms of the data subject, is obtained and it is not possible to obtain this benefit in any other way and method without processing personal data,
- When determining the legitimate interest, criteria that are transparent and accountable should be taken as basis, such as that the benefit in question affects a large number of people, that it is not only for the purpose of making profit or providing economic benefit, that it facilitates business processes or a functioning (for example, in a way that affects the organization as a whole, not a unit or a small number of personnel),
- In this respect, the data subject should be kept away from any foreseeable, clear and imminent danger in order to prevent damage to his fundamental rights and freedoms, especially the protection of his personal data,
- Taking all kinds of technical and administrative measures to ensure the lawful functioning of personal data in a data recording system limited to the purpose and to prevent damage and violations,
- Ensuring compliance with general principles in the processing of personal data,
- In this context, the fundamental rights and freedoms of the person and the legitimate interest of the data controller are compared
The evaluation in this regard is made in two stages. Firstly, it is determined whether the data controller has a legitimate interest. Then, it should be determined whether it harms the fundamental rights and freedoms of the data subject, i.e. the person whose personal data will be processed.
The legitimate interest of the data controller is related to the benefit to be obtained as a result of data processing. The benefit to be obtained by the data controller must be legitimate, effective enough to compete with the fundamental rights and freedoms of the data subject, specific and related to an already existing interest. An interest that is uncertain in time, whether it will arise or not, will not have a legal basis for this article. This interest must be a real interest and at the same time the legitimate interest must be serious and important.
It must be a transaction that is relevant to the current operations of the data controller and that will benefit the data controller in the near future. As given as an example by the Authority in its own publications, in the event of a situation such as the sale, takeover or change in the shareholding structure of the company, it may also be considered within the scope of legitimate interest in cases where the person who will buy the company examines certain information, including personal data, by taking measured and necessary security measures in order to have a command of the current situation of the company.
After determining whether the data controller has a legitimate interest, the fundamental rights and freedoms of the data subject whose personal data will be processed should be determined. It is useful to mention the “balance test”, which is a different concept here. This test will be between the legitimate interest and the fundamental rights and freedoms of the data subject, and the legitimate interest and fundamental rights and freedoms will be compared. In cases where the legitimate interest of the data controller is not very strong and effective, the rights and freedoms of the data subject will prevail over the legitimate interest of the data controller. If the legitimate interest of the data controller is stronger, the data may be processed without obtaining explicit consent within the scope of subparagraph f of Article 5 of the KVKK. This is also seen in the decision numbered 2019/78, which we mention as an example.
In the light of all these, it is seen that the relevant provision does not grant unlimited authorization for data processing. A balance must be struck between the legitimate interest of the data controller and the rights and freedoms of the data subject.
The decision of the Personal Data Protection Board dated 25 March 2019 and numbered 2019/78, which we have quoted before, is related to the “application made to the Board with the request to use the personal data processed by the data controller to fulfil its legal obligation within the framework of legitimate interest”. The applicant is a company operating in the petroleum market within the scope of the “Distributor License” in accordance with the Petroleum Market Law №5015. Within the framework of the obligation imposed by the Decision of The Energy Market Regulatory Authority, it has been communicated by the company that it has established an automation system that allows the dealer to query the pump sales movements including various information and is open to instant access of the relevant Authority and that they will use this data, which is kept open to the instant access of the the Energy Market Regulatory Authority for the “Vehicle Recognition Project” developed by their company to prevent “faulty fuel refueling”. They stated that the realization of the Vehicle Recognition Project would end the problems arising from faulty fuel supply and thus the legitimate interests of the Company and the dealers would be protected, and in this context, they made an application with the request whether the use of some data processed by the company for the automation system for the Vehicle Recognition Project without the explicit consent of the data subjects can be evaluated within the scope of subparagraphs (ç) and (f) of paragraph (2) of Article 5 of The Personal Data Protection Law №6698. The Board, on the other hand, evaluated the situation according to Article 5. The Board evaluated the situation according to subparagraph (f) of Article 5 and counted the conditions we have previously mentioned and took into account that the applicant is jointly and severally liable for the damages incurred by consumers due to vehicle malfunctions caused by the supply of a product different from the product requested by the consumer to the vehicles arriving at the fuel stations and that the applicant is also jointly liable as a distributor company together with the operator in accordance with the Consumer Protection Law №6502, and that, taking into account the judicial decisions in this direction, it is understood that the situation may lead to financial loss of both the consumer and the distributor company, as well as losses in the brand value and service quality of the company. As a result, it was concluded that the data controller’s use of the consumers’ license plate and product type information is in compliance with Article 5, subparagraph f of the KVKK, and that the Company is responsible for fulfilling its obligation to inform in an accessible and visible manner and not to use it for any other purpose.
In the decision of the Constitutional Court numbered 2016/125 E and 2017/143 K, “In the third paragraph of Article 20 of the Constitution, “Everyone has the right to request the protection of his/her personal data. This right includes being informed of, having access to and requesting the correction and deletion of his/her personal data, and to be informed whether these are used in consistency with envisaged objectives. Personal data can be processed only in cases envisaged by law or by the person’s explicit consent. The principles and procedures regarding the protection of personal data shall be laid down in law.” The right to protection of personal data, as a special form of the right to privacy, aims to protect the rights and freedoms of the individual during the processing of personal data. In order for the constitutional guarantee provided for the right to request the protection of personal data to be implemented, the legal regulations concerning this right must be clear, understandable and suitable for individuals to exercise their rights. Only with such a regulation can it be possible to protect data and information concerning the private lives of individuals against arbitrary interventions by official authorities.” explanations are included. This statement shows the importance of the rights and freedoms of individuals and is a very important statement. As a matter of fact, Article 20 of the Constitution. In the article, personal data has been given a constitutional character. At the same time, Article 13 of the Constitution. Article “Fundamental rights and freedoms may be restricted only by law and in conformity with the reasons mentioned in the relevant articles of the Constitution without infringing upon their essence. These restrictions shall not be contrary to the letter and spirit of the Constitution and the requirements of the democratic order of the society and the secular republic and the principle of proportionality.” This decision and the provisions of the law show the importance that should be given to the protection of personal data and how fundamental rights and freedoms should be positioned.
It is seen in the decisions of the KVKK, the Constitution, the Constitutional Court and the Personal Data Protection Board that the issue we focus on is a very important issue that concerns people closely. For this reason, it is necessary to make a decision by carefully examining it.
Review from the Perspective of GDPR
The European Union General Data Protection Regulation (GDPR) is a regulation in European Union Law regarding data protection and privacy for individuals within the entire European Union and the European Economic Area. Data controllers residing in countries that are not in the European Union and the European Economic Area must also comply with the GDPR if they process the personal data of natural persons residing in the European Union.
If we examine our subject in terms of GDPR, we cannot come across a regulation in the same way as the Personal Data Protection Law. Article 6 titled “Lawfulness of processing”. In the article, some conditions are listed by stating that “Processing shall be lawful only if and to the extent that at least one of the following applies:”. One of these conditions is “f.processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
First of all, we should point out that the concept of “data controller” in KVKK is referred to as “controller” in GDPR. 6 of the GDPR. In paragraph f of the article, the interests or fundamental rights and freedoms of the data subject are compared with the legitimate interests of the data controller and it is explained that if they outweigh, the interests or fundamental rights and freedoms of the data subject will be taken into consideration.
Although this article will be seen as a similar regulation in the KVKK in terms of GDPR, which we have explained at length, it is clear that they do not mean exactly the same thing. While there is no mention of a third party in the KVKK, the GDPR has also evaluated third parties. In addition, the GDPR underlined a different point by saying “in particular where the data subject is a child”
However, the concept of legitimate interest can also be considered within the scope of the basic norms and evaluations we have explained above within the scope of GDPR, and the existence of the legitimate interest of the data controller can be evaluated in terms of each concrete data processing activity.
RESULT
In the Personal Data Protection Law №6698, a balance has been tried to be established between protecting the fundamental rights and freedoms of personal data owners and protecting the freedom of data processing of individuals and institutions. For this purpose, Article 5 of the Law stipulates that the explicit consent of the data subject must be obtained in the processing of personal data; Subsequently, if the data controller has a legitimate interest, the cases where it is possible to process the personal data of the data subject are listed.
Pursuant to paragraph 2 f of Article 5 of the KVKK №6698, data controllers may process their personal data without the need for the explicit consent of the data subject, provided that it does not harm the fundamental rights and freedoms of the person concerned, when it is necessary for their own legitimate interests. In accordance with the said regulation, in order to process personal data without seeking consent; Data controllers must have a legitimate, specific, already existing and effective interest that can compete with the fundamental rights and freedoms of the person concerned. When processing personal data without seeking consent based on legitimate interest, the criteria in the decisions of the Personal Data Protection Board must be present and evaluated.
Should you have any queries or need further details, please contact us.