Personal data of data subjects can only be processed compliantly by data controllers and other processors if there is a legal reason for the processing.
Personal data cannot be processed without the explicit consent of the data subject where other legal bases are not applicable (Article 5(1) of the Data Protection Law). Explicit consent should be freely given, specific, and informed (Article 3 of the Data Protection Law).
In case of the withdrawal of explicit consent by data subject, continuing processing by data controller which is not based on the other legal bases is deemed as processing against the rules of the Law and honesty.
Contract with the data subject
Personal data of each party to a contract may be processed by the other party provided that it is strictly necessary to execute or perform the contract, for example, processing personal information of an employee by an employer in order to execute an employment agreement (Article 5(2)(c) of the Data Protection Law).
Personal data may be processed without the explicit consent of the data subject if it is required by law or is required for compliance with a legal obligation to which the data controller is subject to. Employers, for example, prepare and maintain personnel files, banks and financial organizations collect and disclose specific information, and employers report personal information of new employees to law enforcement agencies.
Interests of the data subject
Personal data can be processed to safeguard a person’s life or physical integrity, or to protect the life or physical integrity of anybody else who is bodily incapable of giving consent or whose consent would otherwise be ruled invalid. For example, location data from a missing person’s mobile device or CCTV records can be used to track down a missing person.
The Data Protection Law does not consider public interest as a legal base to process personal data of a data subject. However, when analyzing the boundaries of independent press and the balance between the right to privacy and the right to freedom of expression, the Board considers public interest as a criterion.
Legitimate interests of the data controller
Personal data may be processed without a data subject’s explicit consent if such processing is necessary to the data controller’s legitimate interests; provided, however, that processing does not harm the data subject’s fundamental rights and freedoms (Article 5(2)(f) of the Data Protection Law). For example, the preamble of the Data Protection Law states that the owner of a company may process employee personal data to arrange job promotions, social rights, or in determining their role in the company’s restructuring, each of which constitutes legitimate interests of the company and do not harm the data subject’s fundamental rights and freedoms.
Legal bases in other instances
As per Article 5 of the Data Protection Law under the following conditions personal data can be processed without providing the explicit consent of the data subject:
- if the personal data is publicised by the data subjects themselves; and
- if it is mandatory for the establishment, exercise, or protection of certain rights.
How to compliantly transfer data abroad from Turkey
Penalties and enforcement decisions for breaches of Data Protection Law in Turkey
The rights of data subjects
The legal bases for compliant data processing
Key points on explicit consent for data protection compliance
KKTC YARGI ÖRGÜTÜNÜN GENEL YAPISI VE MAHKEME DÜZENİ
Data Controller Representation Service
Applications for international data transfers
Registration with Verbis
Data breach crisis management
Creation of information and explicit consent texts
Creation of data security, retention, erasure and privacy policies
Contracts with third party data processors & employees