‘Personal Data' Concept within the Scope of Personal Data Protection Law No. 6698
I. THE CONCEPT OF PERSONAL DATA
Along with the Personal Data Protection Law (" PDPL") entered into force on April 7, 2016, the topic of personal data protection was regulated by law and systematized under Turkish domestic law. After the PDPL entered into force, towards the by-laws issued and decisions, guides published by Personal Data Protection Board; the applicability of the PDPL has been embodied to a great extent. In order to determine the rights and responsibilities, to be able to make a claim on the basis of Personal Data Protection Law legislation, and to fulfill the legislative harmonization works; the first thing to do is to determine whether the data is "personal data", or not.
The concept of personal data is defined under the Article 3(1)(ç) of the PDPL, as "all kinds of information relating to an identified or identifiable natural person". According to this definition, the elements of 'personal data' concept can be explained as follows:
i. Information belonging to a natural person: As a rule, data related legal entities, decedent, and unborn children are out of scope towards the emerging and developing nature of the right to data protection on the basis of the right to privacy. However, some of them may exceptionally be considered under the scope of the PDPL, based upon the criteria of 'scope', 'purpose' and/or 'outcome' by evaluating in each specific case. 1, 2
ii. Being identified or identifiable: The data must be able to directly (such as name, surname, ID number etc.) or indirectly (such as job, age, weight etc.) associate with an identified or identifiable natural person. 3 The identifiability of the person may vary according to the particular circumstances of the case.4
iii. All kinds of information: At the point of qualifying a data as personal data; it does not have an importance of the objectivity/specificity and/or correctness/wrongness and/or confidentiality of the term containing the data, as well as the form and the quality of the data.
II. EUROPEAN COURT OF JUSTICE'S RECENT DECISIONS CONSIDERING THE CONCEPT OF PERSONAL DATA
1) Protection of a dynamic IP address as Personal Data: On the decision of the European Court of Decision ("ECJ"), Patrick Breyer v. Germany5 came to the conclusion that dynamic IP addresses should be considered as personal data, even in
situations of that the data controller does not have the tools that can associate the IP address with the person who owns it.
2) Protection of an examination script as Personal Data: On the decision of ECJ, Peter Nowak v. Data Protection Commissioner6 interpreted answers given by a candidate during a professional examination as personal data. The court especially examined two facts; the name and surname of the candidate, the answers and interpretations in result of the assessment stated in the examination script.
In this regard, all kinds of information that can associate with a natural person; -not being on the point of numerus clausus-, so that tax number, image, physical characteristics, genetic information, computer IP address, answers on the examination script, shares on social media websites can be treated as 'personal data' according to the particular circumstances of the case. And, the necessity to comply with the foreseen principles and obligations within the PDPL and relevant legislation, and having the chance to benefit from the underlying rights of this legislation come to exist.
Should you need any further clarification, please contact the below stated person.
Author : Hatice Zumbul Email : email@example.com
(Previously published in Mondaq)
1 Article 29 Working Party, Opinion 4/2007 on the concept of personal data, Adopted on 20th June, 01248/07/EN WP 136, s. 23-24, http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp136_en.pdf
2 Please find detailed information in Article 29 Working Party, Opinion 4/2007 on the concept of personal data, s. 22.
3 Please find detailed information in Handbook on European Data Protection Law, European Union Agency for Fundamental Rights, 2014, s.39 vd.
4 Article 29 Working Party, Opinion 4/2007 on the concept of personal data, Adopted on 20th June, 01248/07/EN WP 136, s.13,http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp136_en.pdf
5 For the decision text: http://www.alstonprivacy.com/wp-content/uploads/2016/10/ECJ_Breyer_Judgment.pdf