BASIC PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATA
In General
There are fundamental principles regarding the processing of personal data that are recognized in international documents and reflected in the practices of many countries. Article 4 of the Law regulates the procedures and principles for the processing of personal data in accordance with Convention No. 108 and the European Union Directive 95/46/EC. Accordingly, the general (fundamental) principles listed in the Law for the processing of personal data are as follows:
• Being processed in compliance with the law and the rules of honesty,
• Being accurate and, when necessary, up to date,
• Being processed for specific, explicit, and legitimate purposes,
• Being relevant, limited, and proportionate to the purpose for which they are processed,
• Being retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed.
The principles regarding the processing of personal data must be at the core of all personal data processing activities, and all such activities must be carried out in compliance with these principles.
a. The Principle of Compliance with the Law and Rules of Honesty
Compliance with the law and the rules of honesty refers to the obligation to act in accordance with the principles established by laws and other legal regulations when processing personal data. Under the principle of compliance with the rules of honesty, the data controller must consider the interests and reasonable expectations of the data subjects while striving to achieve their objectives in data processing. In other words, the data controller must act in a way that prevents outcomes that the data subject does not expect and should not be expected to anticipate. Additionally, this principle requires that the data processing activity be transparent for the data subject, and the data controller must fulfill their obligations regarding informing and warning the data subject.
The principle of compliance with the law and the rules of honesty has an inclusive nature that encompasses other principles as well. Compliance with the law generally refers to adherence to legal norms and universal legal principles. The scope of compliance with the law is broad and includes compliance with legislation. For example, an action that violates the law also results in a violation of legal compliance.
Compliance with the rules of honesty, as regulated in Article 2 of the Civil Code in our legal system, ensures that the principle of honesty is not violated during the processing of personal data. This principle requires adherence to the prohibition against the abuse of rights when processing personal data. The rule of honesty refers to acting in accordance with trust-based rules and in a manner expected from a reasonable person while exercising one's rights. The boundaries of the rule of honesty are determined in each specific case based on the behavior expected from an objective person, without considering the subjective situation of individuals. In cases where the rule of honesty is violated, the individual may be acting within their rights and within the limits of those rights but is behaving contrary to the purpose of the right.
In terms of personal data protection, the rule of honesty requires individuals to act in accordance with the purpose of the legal rules that grant them permission or authority to process data. This includes processing the minimum amount of data necessary and avoiding actions that the data subjects cannot foresee.
It is a requirement of the rule of honesty for data controllers to consider the interests and reasonable expectations of data subjects. Processing data in a way that unjustifiably violates the privacy or dignity of the data subject would undoubtedly constitute a breach of this principle. For example, requesting unreasonable data from the data subject within the scope of privacy or processing such data by the data controller in violation of the rules of honesty would be contrary to this principle.
The rule of honesty is concretized through other principles of data protection. Processing data without adhering to these principles would violate the rule of honesty and, consequently, the lawful processing of data.
For example, in the case of the deletion of personal data within a legal entity, it may be technically possible for individuals responsible for the storage, protection, and backup of the data to access it. However, if the number of individuals assigned to handle the storage, protection, and backup of the data within the legal entity is unnecessarily high, allowing these individuals to access the deleted personal data would constitute a violation of the rule of honesty.
The applicability of this principle must first be evaluated within the framework of the constitutional regime of fundamental rights and freedoms. The processing of personal data constitutes an intervention in an individual's fundamental rights, and for this intervention to be considered honest and lawful, it must comply with the constitutional provisions regarding the restriction of fundamental rights and freedoms. One of the most important points to emphasize regarding compliance with the law is that this concept refers to the entire legal system. If data processing is permitted or even mandated by law, it is presumed to be lawful.
b. The Principle of Accuracy and Being Up-to-Date When Necessary
This principle, which emphasizes the importance of the accuracy and up-to-dateness of personal data, aligns with the right of the data subject to request the correction of their data as stipulated in the Law. Keeping personal data accurate and up-to-date is not only in the interest of the data controller but also essential for protecting the fundamental rights and freedoms of the data subject. The obligation of active diligence to ensure the accuracy and up-to-dateness of personal data applies if the data controller uses this data to make decisions about the data subject (e.g., credit approval processes). Beyond this, the data controller must always keep channels open to ensure that the data subject's information remains accurate and up-to-date.
Individuals may suffer material and moral damages due to personal data that is outdated or inaccurately maintained. For example, if a person's phone number recorded in the data controller's system is incorrect or no longer in use by the individual, it does not reflect accurate data about that person and may lead to erroneous outcomes. Similarly, if a person's address information is recorded incorrectly, they may fail to receive their notifications on time or the notifications may be delivered to the wrong person, causing material and moral harm to the individual. This principle not only protects the rights of the data subject but also serves the interests of the data controller.
To ensure that personal data is kept accurate and up-to-date, the sources from which personal data is obtained must be specified, the accuracy of the source from which the personal data is collected must be verified, requests arising from inaccuracies in personal data must be considered, and reasonable measures must be taken in this context.
c. The Principle of Being Processed for Specific, Explicit, and Legitimate Purposes
The principle that the purposes for processing personal data must be specific, explicit, and legitimate:
• ensures that personal data processing activities are clearly understandable by the data subject,
• ensures the identification of the legal basis on which personal data processing activities are carried out,
• requires the personal data processing activity and its purpose to be defined in sufficient detail to ensure clarity.
This principle requires the data controller to clearly and definitively determine the purpose of data processing and ensure that this purpose is legitimate. If data controllers process data for purposes other than those stated to the data subject, they will be held accountable for such actions. A legitimate purpose means that the data processed by the data controller must be related to and necessary for the work they perform or the service they provide. For example, it is within the scope of a legitimate purpose for a clothing store to process its customers' name and surname information, but processing their mother's maiden name would not be considered a legitimate purpose.
It is contrary to this principle for the purposes of processing personal data to be known or predictable only by the data controller. Therefore, legal documents and texts where the purposes of personal data processing are explained (such as explicit consent, clarification, responding to data subject requests, registration in the Data Controllers Registry) must adhere to the principles of specificity and clarity. Care should be taken to avoid the use of complex, technical, or legal language that is difficult to understand. Acting in accordance with this principle is also crucial for compliance with the rule of honesty.
ç. The Principle of Being Relevant, Limited, and Proportionate to the Purpose for Which They Are Processed
The processed data must be suitable for achieving the specified purposes, and personal data that is unrelated to or unnecessary for achieving the purpose must not be processed. Data should not be processed to address potential future needs, as processing data for potential needs would constitute a new data processing activity. In such cases, one of the conditions for processing personal data outlined in Article 5 of the Law must be met. Additionally, the processed data must be limited to the personal data necessary for achieving the purpose. Processing data beyond what is necessary for the purpose would violate the principle of limitation. The key point here is to obtain sufficient data to achieve the purpose while avoiding the processing of data that is not required for that purpose. Personal data should not be collected or processed for purposes that do not currently exist or are anticipated to arise in the future.
The principle of proportionality refers to establishing a reasonable balance between the purpose intended to be achieved through data processing and the data being processed. In other words, data processing should be limited to what is necessary to achieve the purpose. For instance, requesting information about a person's social life and preferences regarding social activities during a credit card application would constitute a violation of the principle of proportionality.
d. The Principle of Retention for the Period Stipulated in Relevant Legislation or Required for the Purpose for Which They Are Processed
As a requirement of the "principle of limitation with purpose," personal data must be retained in accordance with the period necessary for the purpose for which they are processed. In this regard, the data controller is obligated to take administrative and technical measures. As stated in Article 12 of the Law, the data controller must take all necessary technical and administrative measures to ensure an appropriate level of security to prevent the unlawful processing of personal data, prevent unlawful access to personal data, and ensure the retention of personal data.
In this regard, the data controller is responsible for determining the necessary technical and administrative measures and ensuring that personal data is retained in compliance with these principles. Data controllers who are required to prepare a personal data retention and destruction policy (those obligated to register with the Registry) must also act in accordance with these principles.
For the retention of personal data, in addition to the retention periods determined by the data controller in accordance with the principle of limitation with purpose, there are also retention periods specified under the relevant legislation to which the data controller is subject. Accordingly, data controllers must comply with the retention period stipulated in the legislation for the relevant personal data; if no such period is specified, they may only retain the data for as long as necessary for the purpose for which it is processed. If there is no valid reason to retain the data for a longer period, it must be deleted, destroyed, or anonymized. Personal data cannot be retained with the justification that it may be used again in the future or for any other reason.
Additionally, the data controller, when applying for registration in the Registry under Article 16 of the Law, is required to determine the maximum retention period necessary for the purpose of processing personal data by considering Article 9 of the Regulation on the Data Controllers Registry. This period must then be reported to the Data Controllers Registry Information System (VERBİS).
The purposes of processing and the maximum retention periods necessary for processing, as reported to the Registry by the data controller for the data categories, may differ from the retention periods stipulated in the legislation. In such cases, if a maximum retention period is specified in the legislation, that period will apply; if not, the longest of these periods will be taken as the basis, and the data category will be reported to the Registry accordingly.
It is important to emphasize that if the retention activities carried out to comply with the periods stipulated in the legislation exceed the retention periods determined by the data controller, these activities should be limited solely to fulfilling the obligations specified in the relevant legislation. In cases where both the periods stipulated under the legislation applicable to the data controller's legal obligations and the retention periods determined by the data controller are exceeded, the personal data must be deleted, destroyed, or anonymized by the data controller in accordance with the Regulation on the Deletion, Destruction, or Anonymization of Personal Data.