HHK Legal

Turkey And EU Perspective On The Exemptions For The Obligation To Provide Information

January 1, 2021

Data Controllers are burdened with obligation to inform data subjects pursuant to the General Data Protection Regulation (“GDPR”) and Personal Data Protection Law (“the Law No. 6698”). Data controllers must follow the information obligation in principle. However, GDPR and Law No. 6698 include several exemptions with regard to the information obligation.

 

 

 

Information Obligation Exemptions Within the Scope of Law No. 6698

 

The exemptions are regulated in the Article 28 of the Law No. 6698. As per the first paragraph of the said article, the Law No. 6698 shall not be applied to the following circumstances:

 

  1. Processing of personal data by natural persons in the course of a purely personal or household activities related to the family members who live in the same residence,
  2. Processing of personal data for the purposes of official statistics and, through anonymization, research, planning, statistics and similar to such.
  3. Processing of personal data for the purposes of art, history, and literature or science, or within the scope of freedom of expression,
  4. Processing of personal data within the scope of investigation, prosecution, prodceedings and execution-related activities by judicial and execution authorities.

 

In the event of the activities listed in the second paragraph of the same article, Article 10 (information obligation), Article 11 (the rights of the data subjects) and Article 16 (the obligation to register with the Data Controllers’ Registry) shall not be applicable.

 

  1. Processing of personal data within the scope of preventive, protective and intelligence-related activities
  2. Processing of personal data revealed to the public by the data subject herself/himself.
  3. Processing of personal data is necessary, deriving from the performance of supervision or regulatory duties, or disciplinary investigation or prosecution by assigned and authorized public institutions and organizations and professional organizations with public institution status.
  4. Processing of personal data is necessary for the protection of economic and financial interests of the state related to budget, tax, and financial matters.

 

Information Obligation Exemptions Within the Scope of GDPR

 

To begin with, as per the Article 2, any provisions of GDPR including the ones which are related to information obligation do not apply to the processing of personal data:

 

  • in the course of an activity which falls outside the scope of Union law;
  • by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU (“General Security and Defence Policy”);
  • by a natural person in the course of a purely personal or household activity;
  • by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

 

 

In addition, Article 13 (“Information to be provided where personal data are collected from the data subject”) and Article 14 (“Information to be provided where personal data have not been obtained from the data subject”) bear a common exemption: the data controllers shall not be responsible for obligation to provide information where and to the extent to, the data subject already has the information. According to the Guidelines on transparency under Regulation 2016/679 of Working Party 29 (“the Guideline”), data controllers demonstrate (and document) what information the data subject already has, how and when they received it and that no changes have since occurred to that information that would render it out of date.

 

Also, Article 14 sets out further exemptions in consideration with the obligation to provide information:

 

  1. the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or in so far as the obligation is likely to render impossible or seriously impair the achievement of the objectives of that processing.
  2. obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or
  3. where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

 

RESULT

 

Taken into consideration the exemtions regulated in the Law and GDPR, similar exemptions have been accepted and mostly such exemptions are related to the public order.

 

Within the scope of the Law and GDPR, parallel exemptions have been included in terms of maintaining the social order, conducting investigation and prosecution procedure truely, operations of public organisations and institutions especially in economical and financial manners.

 

However, there are limited number of provisions in relation to the real persons with regard to the exemptions from the obligation to inform. Processing personal data by real persons regarding the activities inside home are subject to exemption from obligation to inform in case that the activity is linked to the family members as set out in the Law. In contrast, GDPR ensures that household activities are exempted from the obligation to inform without limited to the family members.

 

Also, the Law regulates that data controller will be exempted from the obligation to inform the data subject in the circumstances where the data subject reveals the personal data himself. Since the exemption is for only a few articles, the personal data revealed by the data subject must still be processed in accordance with the purposes of revelation.

 

As mentioned and explained in detail above, GDPR exempts the data controllers from their obligation to inform the data subject in compliance with the GDPR. Such circumstances where the information is already in possesion of the data subject or criteria of “impossibility of information obligation”, “disproportionate effort”, “impossibility of processing activity” or “impairment of the objectives of processing” are applicable to the situation are interpreted really narrowly, thus, in practice, it is rare to experience and run into such cases.