Turkish Personal Data Protection Board ("Board") published a landmark decision (2020/13) at the Data Protection Authority's ("DPA") website on March 13, 2020 regarding data subjects' "right to access personal data". Before this precedent, Turkish data protection laws did not expressly provide a "right to access personal data", unlike the European General Data Protection Regulation ("GDPR") and thus there was an uncertainty on how a data subject request for access to personal data would be processed in the Turkish jurisdiction. The Board has now, with this recent precedent, recognized data subjects' right to access personal data within the scope of their right to obtain information on the processing conducted on their personal data and provided data controllers with guidance on how to process and comply with such requests, without harming or violating rights of third parties.
A data subject filed a complaint to the Board against two banks (data controller) providing services under the capital markets legislation. Data subject claimed that he/she requested records of his/her phone conversations with the data controllers but the data controllers rejected to do so. That said, it was not disputed between the data subject and the data controllers that the banks allowed the data subject to listen to the phone conversations in their physical facilities (i.e. bank's branch). Data subject stated that some parts of the phone conversations were incomprehensible due to technical reasons and claimed that the rejection of his/her request to access the personal data is against the provisions of the Law No. 6698 on the Protection of Personal Data ("Law No. 6698").
II. Board's Evaluations
In its decision of January 14, 2020 with number 2020/13, the Board stated that Article 11/1(b) of the Law No. 6698 which states that everyone has the right to apply to the data controller to request relevant information if personal data related to him/her have been processed includes the right to access the relevant data as well.
The Board explained that the right to access the personal data does not indicate (i) access to the data filing system or filing medium directly, (ii) handing over of the relevant filing system to the data subject or (iii) the data subject obtaining the actual personal data. Instead, right to access the personal data entails the possibility for the data subject to reasonably access the content of the data as much as possible based on the technical and physical circumstances and taking into consideration the data controllers' responsibilities concerning data safety.
The Board struck a balance between the data subject's right to access his/her personal data and the data controllers' reasonable argument that the actual data filing medium would only be handed over in response to a formal request by the legal authorities to make sure that (i) the relevant personal data is not compromised by technological interferences and (ii) third parties' sensitive personal data are not disclosed.
On that note, the Board ordered the data controller to provide the data subject with the right to access the transcripts of the phone conversations (enabling the data subject to fully comprehend the contents of his/her personal data) instead of the filing mediums pertaining to the voice recordings within thirty (30) days of the formal service of the decision and inform the Board of the actions taken.
The Board's decision sets a significant precedent in Turkish data protection laws. Although the data subject's right to access is expressly regulated under Article 15 of the GDPR, such right was not expressly regulated under the Turkish data protection laws.
By evaluating "the right to access data" within the scope of the data subjects' rights (right to obtain information) under Law No. 6698, the Board shed light on the implementation of the right to access in Turkey.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.