Turkey: New Guideline From Turkish Data Protection Authority On The Processing Of Turkish Republic Identity Numbers

On January 16, 2024, the Turkish Data Protection Authority ("DPA") published the Guideline on the Processing of Turkish Republic Identity Numbers¹ ("T.R. ID number") ("Guideline") on its official website².

The DPA indicates in the Guideline that they have prepared this Guideline to explain lawful processing of T.R. ID numbers upon the receipt of various complaints on processing of T.R. ID numbers, which is a critical personal data by its nature enabling access to data subject's other personal data, while the same data processing purpose would be achieved by processing other types of personal data.

I. General Principles and Considerations on Lawful Processing of T.R. ID Numbers

The term of personal data is defined as "any information relating to an identified or identifiable natural person" in Article 3/1-d of Law No. 6698 on the Protection of Personal Data ("Law"). T.R. ID number that identifies the person also falls under this definition and is personal data. As stated in the Guideline, although the T.R. ID number is not among the special categories of personal data that are listed in the Law, if it is obtained, it may have significant negative impacts on the data subjects since other personal data associated with it can also be accessed via T.R. ID number. Therefore, the T.R. ID number has a significance among general categories of personal data. Data controllers tend to prefer the processing of the T.R. ID number because it is official, unique, and unchangeable and provides convenience in accessing other personal data of the data subjects.

In any case, the Guideline provides that such personal data processing activities must be carried out in accordance with the procedures and principles under the Law. Accordingly, Article 4 of the Law³ indicates that personal data shall only be processed in accordance with the procedures and principles stipulated in the Law and other laws and sets forth the general principles that must be followed in the processing of personal data.

The Guideline indicates that the allegations in the complaints submitted to the DPA are mainly related to the failure to comply with the "principle of being relevant, limited and proportionate to the purposes for which they are processed", which is one of the general principles under Article 4 of the Law, and the necessary conditions for a personal data processing activity to comply with the principle of proportionality are listed.

The term "proportionality" refers to the establishment of a reasonable balance between the personal data processing activity and the purpose to be achieved. In order for a personal data processing activity to comply with the principle of proportionality the personal data processing activity must be;

• suitable for achieving the purpose to be achieved (convenience),
• necessary for the purpose to be achieved (necessity), and
• proportionate to the purpose to be achieved by personal data processing (proportionality).

The Guideline provides an example of a mobile application to explain these pre-requisites in detail. Accordingly, in a mobile application, verification with a T.R. ID number would be an intervention that further limits the right to protection of personal data while verification can be made with a phone number, and it cannot be accepted that the processing in question is necessary and proportionate. In this framework, it is important to consider whether there are other methods that interfere less with the right to protection of personal data of the data subjects are possible while considering the processing of the T.R. ID number and, if any, to prefer these methods, and thus, to take the necessary technical and administrative measures by the data controllers to carry out personal data processing activities in accordance with the Law.

II. Turkish Regulation which Foresees Processing of the T.R. ID Number

The DPA mentions in the Guideline that they aim to provide guidance to practitioners by setting forth the provisions of the Turkish legislation stipulating the processing of T.R. ID numbers, deriving from the cases subject to the DPA's review. The first circumstance is related to the invoices, defined as a commercial document given to the customer by the merchant selling the goods or providing the services to show the amount owed by the customer in return. Accordingly, if the customer is a real person taxpayer, the invoice shall include the T.R. ID number, which is paired with the tax identification number as of 01.07.2006 and invoices issued to end-consumers who are not taxpayers are in no way required to include the customer's T.R. ID number as per Article 232/1 of Law No. 213.

As for the order/cargo deliveries, which is growing day by day and has been the subject of the DPA's decisions in various ways, the carrier company official must record the recipient's T.R. ID number, among other personal data listed in the respective legislation during the delivery of the order to the recipient. Similarly, for mail deliveries, service providers should record the T.R. ID number of the recipient and the sender's T.R. ID number as per Article 4 of the Procedures and Principles for Security Measures Regarding Mail Deliveries.

In addition, the Trade Registry Regulation regulates the circumstances in which T.R. ID numbers would be processed by the trade registries. As stated in the Guideline, the registry certificate issued upon the registration of a commercial enterprise and its title to the trade registry will include the T.R. ID number of the real persons, however, the T.R. ID number of the real persons which are registered are not announced. The T.R. ID numbers of the members of the board of directors and managers of the companies, other persons authorized to represent the company, and the real person who will act on behalf of the legal entity in case the legal entity is elected as a board member must be also registered with the trade registry.

According to the Regulation on the Measures Regarding Prevention of Laundering Proceeds of Crime and Financing of Terrorism, obligors, as defined under the respective legislation, are obliged to determine the identity of customers or those acting on their behalf and account by obtaining information on identity and confirming the accuracy of this information;

- regardless of the amount, in cases of the establishment of a continuous business relationship, when there is doubt about the adequacy and accuracy of customer identification information previously obtained and in cases requiring suspicious transaction notification,

- when the transaction amount or the total amount of multiple interconnected transactions is TRY185,000 or more, or in case of electronic transfers, when the total amount of the transaction or the total amount of multiple interconnected transactions is TRY15,000 or more.

The Guideline also lists the conditions for the processing of the T.R. ID number under other Turkish legislation, including but not limited to, in the petitions for filing a lawsuit and appeal, registration with the land registry, and transactions of insured persons within the scope of social insurance and general health insurance.

III. Sharing Documents that Contain T.R. ID Number or Identification Information with the Authorities for Identification or Similar Purposes

The Guideline also lists the regulations under which sharing documents containing the T.R. ID Number or identification information for the identification or similar purposes are foreseen. Some significant examples given in the Guideline are listed below;

• Under Article 5/1-c of the Distance Contracts Regulation, the identity of the person acting on behalf or account of the seller or provider must be notified to the consumer by the seller or provider before the conclusion of the distance contract or acceptance of any offer corresponding thereto.
• Pursuant to Article 415 of the TCC, real person shareholders who will attend the general assembly meeting are required to show their T.R. ID cards.
• Article 61 of the Notarial Law No. 1512 stipulates that the notaries shall ascertain the identity and statements of the relevant persons; and Article 72/3 stipulates that the notaries are obliged to learn the identities of the persons to whom they will have transactions done.
• Article 12/3 of the Law No. 6493 on the Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions stipulates that an information system or electronic communication device, which has been evaluated by the Ministry of Treasury and Finance as a substitute for the written form, should enable verification of customer identity.
• Regulation on the Process of Verifying the Identity of the Applicant in the Electronic Communications Sector regulates the processes regarding the verification of the identity of the applicant in case the documents related to the subscription agreement, number porting application, operator change application, registered electronic mail application and SIM change application are issued electronically. Accordingly, the identity verification of the applicant can be performed by means of creating a PAdES (electronic signature) with a T.R. ID card or taking a video image of the applicant in face-to-face channels together with the applicant's identity document.

The Guidelines list many more examples where documents containing a T.R. ID number or identity information can be checked under Turkish legislation. Since the T.R. ID number can provide access to other personal data of data subjects, it would be prudent to analyze under which circumstances the T.R. ID number or identity information can be lawfully checked for identification or similar purposes.

IV. Conclusion

To conclude, the T.R. ID number is crucial personal data although not listed among the sensitive personal data categories under the Law since, if it is obtained, other personal data associated with it can also be accessed. Therefore, it should be considered by the data controllers whether the same personal data processing purpose would be achieved by processing personal data rather than the T.R. ID number that would less interfere with the right to protection of personal data of data subjects. If less intrusive processing methods are available, these methods should be preferred, and necessary technical and administrative measures should be taken by data controllers to ensure that personal data processing activities are carried out in accordance with the Law.

Footnotes

1. The T.R. identification number is a personalized number issued to Turkish citizens by the Directorate General of Civil Registration and Citizenship Affairs of the Republic of Turkiye Ministry of Interior, generated exclusively by computer, consisting of an eleven-digit sequence of numbers, the last digit of which is an even number.

2. https://www.kvkk.gov.tr/Icerik/7798/Turkiye-Cumhuriyeti-Kimlik-Numaralarinin-Islenmesi-Hakkinda-Rehber (Last accessed on February 28, 2024)

3. Article 4 of the Law: "(1) Personal data may only be processed in accordance with the procedures and principles stipulated in this Law and other laws.

(2) The following principles must be complied with in the processing of personal data;

a) Being in accordance with the law and good faith.

b) Being accurate and, where necessary, up to date.

c) Being processed for specific, explicit, and legitimate purposes.

d) Being relevant, limited, and proportionate to the purpose for which they are processed.

e) Being retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.