Generally, there are fundamental principles regarding the processing of personal data that are accepted in international documents and reflected in the practices of many countries. Article 4 of the Law regulates the procedures and principles regarding the processing of personal data in accordance with Convention No. 108 and European Union Directive 95/46/EC. Accordingly, the general (fundamental) principles listed in the Law regarding the processing of personal data are as follows:
• Compliance with the law and the rules of honesty,
• Being accurate and, where necessary, up to date,
• Being processed for specific, clear and legitimate purposes,
• Being relevant, limited and proportionate to the purpose for which they are processed,
• Being retained for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.
The principles regarding the processing of personal data must be at the core of all personal data processing activities, and all personal data processing activities must be carried out in accordance with these principles.
Compliance with the law and the rule of fairness refers to the obligation to act in accordance with the principles established by laws and other legal regulations in the processing of personal data. According to the principle of fairness, the data controller must take into account the interests and reasonable expectations of the data subjects while striving to achieve its data processing objectives. In other words, it must act in a way that prevents the occurrence of results that the data subject does not expect and should not expect. According to this principle, the data processing activity in question must also be transparent to the data subject, and the data controller must act in accordance with its obligations to inform and warn.
The principle of compliance with the law and the rule of fairness is comprehensive in nature and encompasses the other principles as well. Compliance with the law means, in general, compliance with legal norms and universal legal principles. Its scope is broad and also includes compliance with secondary legislation; a practice that breaches such legislation is therefore also unlawful.
Compliance with the rules of honesty means, in our legal system, that the principle of honesty regulated in Article 2 of the Civil Code must not be violated when processing personal data. This principle requires compliance with the prohibition against the abuse of rights when processing personal data. The principle of honesty means that individuals, when exercising their rights, should act in accordance with the rules of trust and in the manner expected of a reasonable person. The limits of the principle are determined by the behavior that would be expected of an objective person in each concrete case; the subjective situation of the individual is not taken into consideration. Where the principle of good faith is violated, the individual is exercising a right and acting within the limits of that right, but contrary to its purpose.
In terms of personal data protection, the principle of good faith requires individuals, when acting based on legal rules that permit or instruct them to process data, to process the minimum amount of data possible according to the purpose of that legal rule, and not to act in a way that the data subjects could not foresee.
Data controllers must consider the interests and reasonable expectations of the data subjects as a requirement of the principle of good faith. Processing data in a way that violates the privacy and dignity of the data subject without a justifiable reason will undoubtedly constitute a violation of this principle. For example, requesting unreasonable data from a data subject within the framework of privacy, or processing it by the data controller in a manner contrary to the principles of good faith, is a violation of this principle.
The principle of good faith is concretized through other principles of data protection. Processing data without adhering to these principles will be contrary to the principle of good faith and therefore to lawful data processing.
For example, while access to personal data may be possible by those responsible for the technical storage, protection, and backup of data within a legal entity, if the number of individuals responsible for the storage, protection, and backup of data within that legal entity is excessive, access to the deleted personal data by these individuals will constitute a violation of the principle of good faith.
Whether this principle is satisfied must first be evaluated within the framework of the fundamental rights and freedoms regime of the Constitution. Processing personal data means interfering with a person's fundamental rights, and for this interference to be considered in good faith and lawful, it must comply with the provisions of the Constitution on the restriction of fundamental rights and freedoms. One of the most important points to emphasize regarding lawfulness is that the concept refers to the legal system as a whole. The fact that a data processing activity is permitted, or even mandated, by a law is only presumptive evidence of its lawfulness.
This principle, which emphasizes the importance of the accuracy and timeliness of personal data, is consistent with the data subject's right to request the correction of data as stipulated in the Law. Maintaining personal data accurately and up to date is in the interest of the data controller and is also necessary for the protection of the fundamental rights and freedoms of the data subject. The active duty of care to ensure that personal data is accurate and up to date applies where the data controller derives a result concerning the data subject from that data (e.g., credit-granting transactions). In any case, the data controller must always keep open the channels through which the data subject's information can be kept accurate and up to date.
It is possible for individuals to suffer material and moral damage due to outdated or inaccurate personal data. For example, if a person's phone number registered in the data controller's system is incorrect or no longer used by the data subject, this may lead to erroneous results because it does not reflect the true information about that person. Again, if a person's address information is incorrectly recorded, they may not receive their notifications on time or they may be delivered to the wrong person, resulting in material and moral damage. This principle protects the rights of the data subject as well as the interests of the data controller.
To ensure that personal data is kept accurate and up to date: the sources from which personal data is obtained must be specified, the accuracy of the source from which personal data is collected must be determined, claims arising from the inaccuracy of personal data must be taken into consideration, and reasonable measures must be taken in this regard.
The principle that the purposes of processing personal data must be specific, legitimate and clear:
• ensures that personal data processing activities are clearly understandable to the data subject,
• ensures that the legal processing conditions on which the personal data processing activities are based are determined,
• ensures that the personal data processing activity and its purpose are presented in sufficient detail to make them clear.
This principle requires the data controller to clearly and precisely define the purpose of data processing and that this purpose is legitimate. Data controllers will be held liable for processing data for purposes other than those they have stated to the data subject. The legitimacy of the purpose means that the data processed by the data controller is related to and necessary for the work performed or the service provided. For example, while a clothing store processing its customers' first and last names falls within the scope of legitimate purposes, processing their mother's maiden name cannot be considered a legitimate purpose.
It is contrary to this principle for the purposes of processing personal data to be known or predictable only by the data controller. Therefore, in legal transactions and texts explaining the purposes of personal data processing (such as explicit consent, information notices, responses to the data subject's requests, and registration in the Data Controllers Registry), care should be taken to comply with the principle of certainty and clarity, and the use of difficult-to-understand technical or legal expressions should be avoided. Adhering to this principle is also extremely important for compliance with the principle of honesty.
The processing of data must be suitable for achieving the determined purposes, and the processing of personal data that is not related to or needed for achieving the purpose must be avoided. Data processing should not be undertaken to meet potential future needs, because processing data for a potential need would amount to a new data processing activity, for which one of the conditions for processing personal data regulated in Article 5 of the Law would again have to be met. In addition, the processed data must be limited to the personal data necessary for achieving the purpose. Processing data beyond what is necessary for the purpose constitutes a violation of the principle of limitation. What matters here is to obtain sufficient data to achieve the purpose and to avoid processing data that is not necessary for it. Personal data should not be collected or processed for purposes that do not currently exist and are merely expected to arise later.
The principle of proportionality means establishing a reasonable balance between the data processing and the purpose to be achieved. In other words, data processing must be proportionate to the extent necessary to achieve the purpose. For example, requesting information about a credit card applicant's preferences regarding their social life and social activities could constitute a violation of the principle of proportionality.
Personal data must be retained for the period necessary for the purpose for which they are processed, as a requirement of the "principle of purpose limitation". In this regard, the data controller is obliged to take administrative and technical measures. As stated in Article 12 of the Law, the data controller is obliged to take all necessary technical and administrative measures to ensure an appropriate level of security in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the preservation of personal data.
In this regard, the data controller is obliged to determine the necessary technical and administrative measures and to ensure the preservation of personal data in accordance with these principles.
Data controllers who are obliged to prepare a personal data retention and destruction policy (those with a registration obligation in the Registry) must also act in accordance with these principles. In addition to the retention periods determined by the data controller in accordance with the principle of purpose limitation, there are also retention periods determined within the scope of the relevant legislation to which the data controller is subject. Accordingly, data controllers will comply with the period stipulated in the legislation for the relevant personal data if such a period is stipulated; if no such period is stipulated, they may retain the data only for the period necessary for the purpose for which it was processed. If there is no valid reason for retaining data for a longer period, that data must be deleted, destroyed, or anonymized. Personal data cannot be retained on the grounds that it may be used again in the future or for any other such reason.
Furthermore, the data controller, when applying for registration with the Registry pursuant to Article 16 of the Law, must determine the maximum period necessary for the purpose of processing personal data, taking into account Article 9 of the Regulation on the Data Controllers Registry, and notify this period to the Data Controllers Registry Information System (VERBIS).
The processing purposes of the data categories notified to the Registry by the data controller, and the maximum retention periods necessary for processing based on these purposes, may differ from the periods stipulated in the legislation. In this case, if a maximum retention period is stipulated in the legislation, that period will be used; otherwise, the longest period among them will be taken as the basis for notification to the Registry for that data category.
It is important to note here that if retention carried out to comply with the periods stipulated in the legislation extends beyond the retention periods determined by the data controller, that retention should be carried out only as a retention and processing activity limited to fulfilling the obligations specified in the relevant legislation. If both the periods stipulated in the legislation to which the data controller is subject due to its legal obligations and the retention periods determined by the data controller are exceeded, the personal data must be deleted, destroyed, or anonymized by the data controller in accordance with the Regulation on the Deletion, Destruction, or Anonymization of Personal Data.
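The retention rules set out above (use the legislative period where one exists, otherwise the longest purpose-based period, for the Registry notification; retain only for legal obligations once the controller's own period has passed; delete, destroy or anonymize once both periods are exceeded) can be expressed as a small decision procedure. The following is an added illustration written for this page, not code from the Law, the Regulation or any authority; the data categories, the day counts and the record dates are constructed sample values, not periods taken from any legislation.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Dispositions a retention review can return for a record.
RETAIN = "retain"                                   # within the controller's own period: normal processing
RETAIN_LIMITED = "retain_for_legal_obligation_only" # only the legislative period remains: limited processing
DESTROY = "delete_destroy_or_anonymize"             # both periods exceeded: must be disposed of


@dataclass(frozen=True)
class DataCategory:
    """A data category as it would be notified to the Registry.

    purpose_period_days: the period(s) the controller determined as necessary for each
    processing purpose of this category (there may be several purposes).
    legislative_period_days: the period stipulated by legislation, if any.
    """
    name: str
    purpose_period_days: List[int]
    legislative_period_days: Optional[int] = None


def controller_period(cat: DataCategory) -> int:
    """Longest of the controller's purpose-based periods for the category."""
    return max(cat.purpose_period_days)


def registry_notification_period(cat: DataCategory) -> int:
    """Maximum retention period to notify for the category: the legislative period if one is
    stipulated, otherwise the longest period among the category's purposes."""
    if cat.legislative_period_days is not None:
        return cat.legislative_period_days
    return controller_period(cat)


def disposition(cat: DataCategory, collected_on: date, today: date) -> str:
    """Decide what may be done with a record of this category collected on `collected_on`."""
    age_days = (today - collected_on).days
    if age_days <= controller_period(cat):
        return RETAIN
    if cat.legislative_period_days is not None and age_days <= cat.legislative_period_days:
        return RETAIN_LIMITED
    return DESTROY


def review_inventory(records: List[Tuple[str, DataCategory, date]], today: date) -> Dict[str, str]:
    """Run the decision over an inventory of (record id, category, collection date)."""
    return {rec_id: disposition(cat, collected, today) for rec_id, cat, collected in records}


# Constructed sample categories (hypothetical periods, not taken from any legislation).
CUSTOMER_CONTACT = DataCategory("customer_contact", purpose_period_days=[365, 730])
INVOICE = DataCategory("invoice", purpose_period_days=[365], legislative_period_days=3650)

# Constructed sample inventory reviewed on a fixed date so the results are reproducible.
REVIEW_DATE = date(2024, 1, 1)
SAMPLE_RECORDS = [
    ("r1", CUSTOMER_CONTACT, date(2023, 6, 1)),  # 214 days old: within 730 -> retain
    ("r2", CUSTOMER_CONTACT, date(2021, 1, 1)),  # 1095 days old, no legislative period -> destroy
    ("r3", INVOICE, date(2022, 1, 1)),           # 730 days old: past 365, within 3650 -> limited
    ("r4", INVOICE, date(2013, 1, 1)),           # 4017 days old: both periods exceeded -> destroy
]


def review_sample_inventory() -> Dict[str, str]:
    return review_inventory(SAMPLE_RECORDS, REVIEW_DATE)


if __name__ == "__main__":
    for cat in (CUSTOMER_CONTACT, INVOICE):
        print(f"{cat.name}: notify {registry_notification_period(cat)} days to the Registry")
    for rec_id, result in review_sample_inventory().items():
        print(f"{rec_id}: {result}")
```

The notification period and the disposition are deliberately separate functions: the first answers what is declared to the Registry per category, the second is applied per record at review time, and a record in the `RETAIN_LIMITED` state should be processed only to meet the legal obligation that justifies keeping it.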