- What is the purpose of Law on the Protection of Personal Data?
Law No. 6698 that was prepared by the Personal Data Protection Authority that came into effect after it was published in the Official Gazette on April 7th, 2016 is an adjustment law that aims to protect fundamental rights and liberties of persons, primarily the right to privacy and determine the obligations of real and legal persons that process personal data and the processes and principles that they will comply with and that aims to protect personal data of employees and customers of firms.
Protection of privacy and ensuring of data security are also evaluated in this scope. With the aforementioned law, prevention of collecting of personal data in an unlimited and arbitrary manner and violation of personal liberties as a result of enabling access of unauthorized persons to such data or their disclosure or misuse or abuse is intended.
- As employees and citizens, what will change in our lives with the Law on the Protection of Personal Data?
After the Law on the Protection of Personal Data came into effect in Turkey nearly two years ago, in line with the obligations imposed by the law, companies have started to implement some procedures within the company and with regard to their customers.
Considering that the Law on the Protection of Personal Data is a law that is dynamic and continuously updated by regulations, in order to ensure data security of employees and customers, each department should control and update their business processes and would need to make operational changes such as establishing new departments and employment.
In order to avoid becoming subject to administrative and penal sanctions of the law, as employees, while carrying out our existing duties and responsibilities, we have to perform our business processes in a much more careful manner at each point we are in contact with personal data and being fully aware of the importance of personal data and obviously, this means implementation of new procedures in our existing business processes.
Most important change as citizens is that now we shall be able to make an official application to all organizations that maintain our personal information and obtain answers to our inquiries regarding for which legal reason and by which method our personal information is being collected, for what reason they are being processed and to whom and for what reason our processed personal information is conveyed to.
Moreover, we shall not only be content with receiving answers but we shall be able to demand deleting of our information. If the institution that we have made an application does not reply within 30 workdays, you will be entitled to place a complaint with The Organization for the Protection of Personal Date.
- What is personal information and what is specific personal information?
Personal information means all types of information about a real person whose identity is determined or that can be determined easily. In this context, not only the name, surname, date and place of birth that enable definite identification of a person but also information regarding that persons physical, family, economic and social characteristics are also considered personal information.
Name, telephone number, license plate number of a person’s motor vehicle, social security number, passport number, CV, picture, audio and visual recordings are also personal information since, although indirectly, they have features that enable identification of a person.
Specific personal information is information that could cause a person’s unjust suffering or discrimination if learnt by others. In above mentioned law, each specific personal data are indicated separately and other data not indicated in law may not be considered as specific personal data.
Data on persons race, ethnic origins, political views, religion, sect or other beliefs, attire or appearance, health, sexual life, penal sentences and security measures, genetic and biometrical data and information on foundation or labor union memberships are defined as “personal data of specific nature” and it is stipulated that that saving for the data regarding health and sexual life, other “personal data of specific nature” could not be processed without explicit consent of the related person except for exceptional circumstances explicitly indicated in law.
- Under which circumstances can institutions may demand and use our personal information?
Pursuant to Labor Law, institutions are obliged to obtain some personal information of their employees; apart from that it is also stipulated that personal data can be processed provided that related persons fundamental rights and liberties are not harmed and if procession of data is necessary for legitimate interests of the institution.
- What are the sanctions stipulated for those that do not comply with the rules?
Other than the exceptions stipulated in law, personal data could not be processed without obtaining explicit consent of the related person and could not be conveyed to third persons or abroad. In case of failure to comply with these rules that are indicated in several different articles of the law, institutions could be penalized with administrative penalty fines. 1 to 3 years of prison sentence is stipulated by law for people who violate personal data. Moreover, 2 years to 4 years of prison sentence may also be given to those persons who have acquired such personal data through violation of law. Administrative penalty fines vary between 5,000 TL and up to 1,000,000 TL, depending on the article or articles of law that were failed to comply with.
- Could you please brief us about the Adjustment Works carried out at TAV Group and companies?
Within the scope of “Law on the Protection of Personal Data”, a program has been started in order to evaluate the obligations of TAV Airports Holding and Group Companies with regard to aforementioned law, to determine the needs and to ensure TAV Airports Holding and Group Companies to comply with the law.
In line with the Law on the Protection of Personal Data Adjustment Program that we have started under the leadership of TAV Airports Holding, we are carrying out a joint and simultaneous study as TAV Airports Holding and 11 TAV Group Companies. For this adjustment law, in which I have undertaken the responsibility of program management, we have established three committees with the Program Sponsor Hakan Öker, as well as Melis Erkun Kartal under Legal Committee Presidency, Emre Onan under IT Committee Presidency, Zeynep Derya Levent and Saliha Güneş under Personnel/Human Resources Committee Presidency and 12 project managers from each subsidiary (Ömer Sezgi, Canan İnce, Ezgi Doğu Öcal, Begüm Yılmaz, Başak Helen Taşkan, Emre Onan, Ufuk Kavlak, Emre Demircioğlu, Ozan Olgaç, Yasemin Elverici, Çağkan Koru) and with one person in charge of each department selected from the companies participating in the projects. The team consists of a total of 240 people, who carry out TAV’s Law on the Protection of Personal Data Adjustment Program.
The most important reasons why we have preferred to manage this critical process based on TAV Airports Holding and the Group Companies are as follows:
1) Any penalty fine that to be received within the scope of the Law on the Protection of Personal Data Adjustment would affect TAV’s brand perception;
2) Pursuant to Law, obligation to comply with the law is on the level of members of the Board of Directors,
3) Sharing of experiences and evaluating synergy opportunities
- Could you please brief us what kind of regulations are in effect in other countries TAV is operating?
The Law on the Protection of Personal Data is a new law in Turkey but relatively old in other countries. In 1995, with coming into effect of European Union Data Protection Directive No. 95/46/AT served as the foundation of GDPR (General Data Protection Regulation), which was re-arranged and came into effect on April 14th, 2016 for all European Countries. Although the Law on the Protection of Personal Data has similar features with its outline and purpose with GDPR, there are differences with regard to implementations and obligations. Accordingly, TAV Airports Holding and TAV Group Companies are operating in countries that are members of European Union, GDPR adjustment programs are being carried out under their operation responsibilities. Not only in countries that are members of the European Union but also in other operations, there are different laws in effect that are directed to the Protection of Personal Data and programs are being carried out under the responsibility of the operations.