Data Protection Impact Assessment Under Turkish Personal Data Protection Legislation
As known, one of the personal data protection legislations' essential tool for compliance is the principal of accountability and therefore promoting compliance. Within this framework, a dynamic instrument to ensure appropriate protection of personal data is data protection impact assessment (“DPIA”). DPIA constitutes a systematic and comprehensive analysis of the data controllers, allowing them to mitigate the possible compliance issues before initiating a data processing activity which might pose high risks to the rights and freedoms of individuals by virtue of its nature, scope, context and purposes1. A DPIA may be in particular required for large-scale processing operations, processing special categories of personal data (biometric data, data on criminal convictions etc.), systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, or where a new technology is used. A risk-based approach is useful for determining the necessity of a DPIA and for taking appropriate security measures accordingly.
Also, DPIA is a method for data controllers to comply with the requirement of “data protection by design” (as defined by the European General Data Protection Regulation; “GDPR”) and it is also foreseen under Council of Europe's legal framework, more specifically under the Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data. There are sector specific DPIA approaches as well (such as IAB Europe's DPIA for digital advertising guidance). However, as said above, DPIA may be considered as a general tool for ensuring protection of personal data since its main purpose is to ensure that appropriate security measures are taken pursuant to the outcome of the assessment2. Accordingly, DPIA may also be an applicable method of compliance within the scope of the Turkish personal data protection legislation.
While the Turkish Law on the Protection of Personal Data (“Law”) does not directly foresee an obligation to conduct a DPIA, it regulates the obligation to take all necessary technical and administrative measures to provide a sufficient level of security in order to prevent unlawful processing of personal data. Law also foresees certain principles that must be complied with during all data processing activities. Accordingly, personal data must be processed lawfully; for specific, explicit and legitimate purposes; and relevant with, limited to and proportionate to the purposes for which they are processed. Lastly, Turkish Constitution also protects persons right to privacy and their rights with respect to their personal data. Data controllers are consequently under the obligation to avoid from processing personal data in a way that may pose high risks to the rights and freedoms of individuals and that may result in violation of the Law. Therefore, DPIA may be a useful tool for ensuring compliance with such obligations.
In parallel with this framework, Turkish Personal Data Protection Authority (“DPA”) has established in its Personal Data Security Guideline (Technical and Administrative Measures) that, in order to ensure the security of personal data, data controllers must initially and correctly determine which personal data are being processed, the possibility of risks being occurred with regard to the protection of such data and the relevant possible damages and then, they must take appropriate measures. This process described by the DPA indirectly reflects the DPIA instrument foreseen under European Union's and Council of Europe's legislative framework. Further to this, DPA states that data controllers must take into account the following during such risk assessment; (i) whether personal data is a special category of personal data, (ii) what level of confidentiality/privacy does it require with regards to its nature and (iii) the quality and quantity of the damage that may be suffered by the relevant natural personal due to a security breach. It may be said that these criteria are mainly in line with the GDPR's DPIA.
While DPA's such guidance is not binding or directly enforceable for data controllers, it constitutes good practice, presents the expected level of risk/impact assessment from data controllers, and presents DPA's approach (DPA has been already referring to its guidelines under certain decisions).
Pursuant to the Article 35 of the European General Data Protection Regulation (“GDPR”), “where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons”, data controllers are under the obligation to carry out a DPIA prior to the processing. According to the GDPR, below are the main features of DPIA;
Article 29 Data Protection Working Party provides certain examples of data processing activities that are likely to result in a high risk; evaluation or scoring, including profiling and predicting; automated-decision making with legal or similar significant effect; systematic monitoring; processing special category of personal data; data processed on a large scale; datasets that have been matched or combined; data concerning vulnerable data subjects; innovative use or applying technological or organizational solutions; data transfer across borders outside the European Union and/or when the processing in itself “prevents data subjects from exercising a right or using a service or a contract”.
UK's personal data protection authority Information Commissioner's Office (“ICO”) has also established DPIA steps to be taken by the data controllers; (1) identify the need for a DPIA, (2) describe the processing, (3) consider consultation, (4) access necessity and proportionality, (5) identify and assess risks, (6) identify measures to mitigate risk, (7) sign off and record outcomes, (8) integrate outcomes into plan and (9) keep under review. These steps of ICO mainly presents the purpose and effectiveness of a DPIA and allows data controllers to ensure compliance with the legislation.
European Data Protection Supervisor (“EDPS”) has underlined a parallel approach and stated that, by providing a structured way of thinking about the risks to data subjects and how to mitigate them, DPIA helps organizations to comply with the requirement of “data protection by design” with respect to risky processing operations. Please note that EDPS does not impose a standard methodology for DPIA but instead, expects any methodology used to comply with the GDPR.
Lastly, in 2020, EDPS has published the EDPS Survey on Data Protection Impact Assessment under Article 39 of the Regulation which presents how the EU institutions, bodies and agencies have implemented the DPIA tool and best practice recommendations. Within this publication, EDPS considers DPIA as an accountability tool and “amongst the most valuable sources to understand how the data processing landscape on the ground is changing”. The survey shows how DPIA tool is used by such EU data controllers in practice; reasons to conduct a DPIA, whether DPIA shall be presented to third parties or kept internal/confidential, methodologies used and lessons learned during data controllers' DPIA experiences. Such surveys and publications may be useful for data controllers aiming to conduct an appropriate DPIA for their full compliance with the data protection legislation.
1 European Union Agency for Fundamental Rights and Council of Europe, Handbook on European Data Protection Law, 2018 edition
2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Recital 84