HR's Responsibility on The Protection of Personal Data
In the beginning of April 2016, the question of how sensitive personal data shall be protected arose when the personal information of over 50 million Turkish citizens was released on internet. Coincidently, around the same date the Turkish state released new legislation on how to protect personal information. The legislation entitled the Protection Of Personal Data was published on April 7, 2016 in the Legal Turkish Newspaper and is based on the European Union Commission and EU Parliament’s 95/46/EC numbered, October 24, 1995 dated Directive on the protection of the free movement of personal information and its process.
One might deliberate over whether our personal data was ever protected by law in the past or if there was ever legislation that considered the sharing/storing of our personal data?
As there is no uniform legislation for the protection of personal data in Türkiye, the regulation with regards to the use and protection of the same tried to be regulated under various codes.
Several examples from Turkish Criminal Code dated 26th September 2001 are as follows:
- Article 135. -
- Anyone who illegally stores personal data will face six months to three years of imprisonment.
- Anyone who stores personal data according to one’s political, philosophical, religious view, racial background, unlawful morals, sexual choices, health conditions, or union connections will face imprisonment from six months to three years.
- Article 136. -
- Anyone who possesses or releases personal data unlawfully will face one to four years of imprisonment.
- Article 139. -
- Aside from the storing of personal data, gaining the personal data unlawfully or not destructing the data; investigation of the crimes are dependent on the complaint.
Thus, according to Article 20 of the Turkish Constitution (Appendix: 7.5.2010 5982/2) every citizen has the right to demand for the protection of personal data. This right also consists of being informed about his/her personal data usage, rectification, demand to have it deleted etc. Personal data can only be processed by the explicit consent of the data subject. The protection of the data is set and supported by the Law.
As seen, with some verification of articles of the Turkish legislation, the usage of personal data is tried to be legalized to technological innovations and internet usage by the modification of specific articles of several laws.
With the personal data protection law, the incorporated body and its employees have to reconsider the exchange of data between themselves and regulate it, if needed. In order to achieve this, HR and IT departments of organizations have to step in. Another point which should not be overlooked is that any sort of misdemeanor act towards the law can result in fines up to 1.000.000 TRY.
Legal entities need personal data of their employees as a source in personal contact, outsource and similar usage. As stated in the Article 4 of the new Law, the following principles shall be complied within the processing of personal data:
- Lawfulness and conformity with rules of bona fides,
- Accuracy and being up to date, where necessary,
- Being processed for specific, explicit and legitimate purposes,
- Being relevant with, limited to and proportionate to the purposes for which they are processed,
- Being retained for the period of time stipulated by relevant legislation or the purpose for which they are processed
Thus, the law brought up the concepts of data controller, data processor and data registry system.
Data Controller: The natural or legal person who determines the purpose and means of processing personal data and is responsible for establishing and managing the data registry system.
Data Processor: The natural or legal person who processes personal data on behalf of the controller upon his authorization.
Data Registry System: The registry system which the personal data is registered into through being structured according to certain criteria.
As stated in Article 4, the personal data has to be accurate and up to date since it is crucial for the employer, the employee and the third party firm involved in the process (such as; payroll outsource provider, HR consultant, accountant etc.) Thus, Human Resources Management Systems (HRMS) have to be reconfigured according to the criteria stated in the new legislation. Since the legislation is new and includes clauses taken direct from the EU Directive, definitions, concepts and responsible will be interoperable, therefore have to be arbitrated in the future.
The new legislation will be completely effective in six months. It is beneficial for HR departments to take preventative measures considering the new law and reconsider the employment contracts. Employees’ consent might be needed, if the sensitive personal data is being shared with any third party organizations for payroll outsourcing or for any other reason. To achieve this, it is necessary for the organization’s consultants, IT, and HR departments to cooperate. According to a temporary article of the new law, personal data that has been put through the system before the publish date of the law will need to be adjusted according to the regulations of the new law in two years. Data that is determined to be against the Law will have to be deleted or become anonymous. Only the data that is accepted to be compliant with the Law are the personal data which are gained lawfully, before the effective date of the Law.
- Turkish Criminal Code dated 26th September 2004 and numbered 5237
- The Law on the Protection of Personal Data dated 24th March 2016 and numbered 6698
- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regards to the processing of personal data and on the free movement of such data