HR’S RESPONSIBILITY FOR THE PROTECTION OF PERSONAL DATA
At the beginning of April 2016, the question of how sensitive personal data should be protected arose when the personal information of over 50 million Turkish citizens was released on the internet. Coincidentally, around the same date the Turkish state released new legislation on how to protect personal information. The legislation, entitled the PROTECTION OF PERSONAL DATA, was published on April 7, 2016 in the Legal Turkish Newspaper, and is based on the European Union Commission and EU Parliament’s Directive 95/46/EC of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
One might ask whether our personal data was ever protected by law in the past, or whether there was ever legislation that addressed the sharing and saving of our personal data.
As there is no uniform legislation for the protection of personal data in Turkey, attempts were made to regulate its use and protection under various codes.
Several examples from the Turkish Criminal Code dated 09/26/2001 are as follows:
- ARTICLE 135. -
- Anyone who illegally saves personal data will face six months to three years of imprisonment.
- Anyone who saves personal data according to a person’s political, philosophical or religious views, racial background, unlawful morals, sexual choices, health conditions, or union connections will face imprisonment from six months to three years.
- ARTICLE 136. -
- Anyone who possesses or releases personal data unlawfully will face one to four years of imprisonment.
- ARTICLE 139. -
- Except for the saving of personal data, the unlawful acquisition of personal data, and the failure to destroy data, the investigation of these crimes depends on a complaint.
Thus, according to Article 20 of the Turkish Constitution (Appendix: 7.5.2010 5982/2), every citizen has the right to ask for the protection of personal data. This right also includes being informed about how his/her personal data is used, having it corrected, demanding its deletion, etc. Personal data can only be processed with the consent of the person to whom the information belongs. The protection of the data is set and supported by the Law.
As seen, through the modification of specific articles of several laws, attempts were made to adapt the legal treatment of personal data usage to technological innovations and internet usage.
With the personal data protection law, incorporated bodies and their employees have to re-check the data exchanges among them and re-regulate them, if needed. In order to achieve this, corporate HR and IT departments have to step in. Another point which should not be overlooked is that any sort of misdemeanor against the law can result in fines of up to 1.000.000 TRY.
An incorporated body needs the personal data of its employees as a source for personal contact, outsourcing and similar uses. As stated in the new Law (Article 4), the personal data to be processed must meet the following conditions:
- Needs to be consistent with honesty and the law
- Needs to be accurate and, where necessary, up to date
- Needs to be specific, explicit and serve legitimate purposes
- Needs to be limited and purposeful
- Shall not be saved and kept in excess of what is needed
Thus, the law introduced the concepts of data responsible, data processor and database system.
Data Responsible: The body that is responsible for establishing and managing the personal data system, and for defining the specific purposes for which the personal data is needed.
Data Processor: The body that processes the personal data on behalf of the Data Responsible, based on the authority given to it.
Database System: The record system of personal data that is established according to certain given criteria.
As stated in ARTICLE 4, personal data has to be accurate and up to date, since this is crucial for the employer, the employee and any third-party firm involved in the process (such as a payroll outsourcing provider, HR consultant, accountant, etc.). Thus, Human Resources Management Systems (HRMs) have to be reconfigured according to the criteria stated in the new legislation. Since the legislation is new and includes clauses taken directly from the EU order, its definitions, concepts and responsibilities will be interoperable and will therefore have to be arbitrated in the future.
The new legislation will be completely effective in six months. It is beneficial for HR departments to take preventative measures considering the new law and to re-evaluate employees’ business contracts. Employees’ consent might be needed if sensitive personal data is being shared with any third-party firms for payroll outsourcing or for any other reason. To achieve this, it is necessary for the firms’ consultants, IT, and HR departments to co-operate. According to a temporary article of the new law, personal data that was put through the system before the publication date of the law will need to be adjusted according to the regulations of the new law within two years. Data that is determined to be against the Law will have to be deleted or anonymized. Only personal data that was obtained lawfully before the release date of the Law is accepted as compliant with the Law.
- Turkish Criminal Code No. 5237, dated 26/9/2004
- Constitution of the Republic of Turkey
- Law No. 6698 on the Protection of Personal Data, dated 24/3/2016
- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data