In Turkish Penal Code (TPC) Actions That Constitute a Crime within the Scope of Personal Data Protection

Nowadays, personal data is processed in digital and analog media by state- owned public institutions and organizations and by natural and legal entities in the private sector. Close relations between tha personal data and the private life of the person, privacy and personel rights, made it mandatory  for the states to design the data processing methods and  determine the violation of personal data protection rights as crime in law. Some countries such as Switzerland, Austria, Germany and the Netherlands have regulated their penal provisions in special codes,  the other countries, such as France, have adopted these provisions into their panel codes. Turkey has included criminal acts within the Turkish Penal Code (TPC) and have regulated actions that constitute a misdemeanor in, first of all, the Law on the Protection of Personal Data, The Law on the Regulation of Publications Made on the Internet and the Fighting Against Crimes Committed Through These Publications and  The Electronic Communication Law and other related laws. With the regulation made in Article 17/2 of the Law on the Protection of Personal Data, reference was made to the TPC, stating that those who do not delete or anonymize personal data will be punished as stated in the seventh article of the law according to article 138th of the TPC.

When the criminal norms regarding the protection of personal data in the Turkish Penal Code are examined, it can be seen that some types of crimes directly protect personal data, and some types of crimes indirectly protect personal data. While the crimes of “recording personal data”, the crime of “unlawfully giving or obtaining the personal data”, the crime of “not destroying the personal data” provides the protection of personal data directly, the crime of “violating the confidentiality of communication”, the crime of “listening and recording the conversations between people”, ” “Violating the privacy of private life”, “disclosure of information or documents in the nature of trade secrets, banking secrets or customer secrets”, “disclosure of job-related secrets” crime of “entering the information system”, “blocking, disrupting, destroying or changing the data” indirectly provide the protection of personal data. The crimes that regulate the punishmets which directly protect personal data are regulated in the second part of the TPC under the title of “crimes against individuals” and in the ninth section titled “offenses against private life and the confidential area of life”. Under this section, also includes the crime of “violating the confidentiality of communication”, which indirectly ensures the protection of personal data, the crime of “listening and recording the conversations between people”, and the crimes of “violating the privacy of private life”.

Turkish Penal Code

Registration of Personal Data

Article 135- (1) Anyone who illegally records personal data is sentenced to imprisonment from one to three years. (2) If the personal data relates to the political, philosophical or religious views of people, their racial origin; their moral inclinations, their sexual life, their health status or their trade union connections in violation of the law, the penalty to be given in accordance with the first paragraph is increased by half.

When we consider the regulation of the article, the question of what is the value protected by crime comes to mind. The answer to this question will also form the basis of the right to personal data protection. The answer we will give to this question is human dignity, which includes the possibility of self-realization and development by creating an autonomous and free space of one’s own. The use of this opportunity makes people valuable, and allows us to see people as an value rather than a tool. A person has the opportunity to develop and realize himself in a free and autonomous space provided to him, in other words, in his private life.

When we consider the text of the article, it is seen that the subject of the crime is personal data, but the definition of personal data is not made in the text of the article. Before the Law on the Protection of Personal Data which came into force on 07.04.2016, it has been stated the fact that the definition of personal data in the Turkish Penal Code had not been made would be a problem, it should be defined in crime and punishment  complying with the principle of legality, and that personal data should be openly and clearly defined. Otherwise, it was stated that the content of the concept of personal data should be determined in doctrine and practice. The Penal General Assembly of the Court of Cassation has accepted these two articles as incomplete norms,  since the law on what personal data was not be legislated, and there is no comprehensive source or norm that can be consulted regarding in which situations the illegality occurs in articles 135 and 136 of the TPC. In its decision of the same date, the Court of Cassation stated that this ‘framework arrangement’ would be completed when the “Personal Data Protection Law” was passed by the Parliament, and that it should not be taken that all personal data should be protected with penal norms.   According to the Court of Cassation, when we take the general privacy of life into consideration, it is necessary to understand the basis of the classification of personal data as information that aims and provides the protection of the confidential area of private life. In this context, the Court of Cassation, in brief, has classified personal data as personal data related to lifestyle, economic and financial personal data, personal data related to informatics, personal data related to health, and political personal data.

Before the entry into force of the Law on the Protection of Personal Data,(PPD Law) the Constitutional Court also defines personal data as “the concept of personal data refers to all information about a person, provided that it is specific or identifiable”. After the entry into force of the PPD Law, the concept of personal data is defined in article 3 of the law. it is defined as ”any information related to a specific or identifiable person”.

As for the protection of personal data, the regulations on the protection of personal rights existing in the Turkish Civil Code and the regulations on the protection of private life existing in the eighth article of the ECHR (european convention on human rights) have been insufficient.  Taking care of  the rapid cross-border information flow between countries, especially with the developing telecommunication tools,  Turkey has signed the “Convention No. 108 on the Protection of Individuals for the Automatic Processing of Personal Data” prepared by the Council of Europe together with the Council members and approved it on 30.01.2016. In the second article of the Convention No. 108, it is defined as “personal data refers to all information about an identifiable or identifiable natural person”. It should also be taken into account that convention No. 108 is an international convention on fundamental rights and freedoms that has been entered into force and is a part of our domestic law. In the justification of the article 135th of the TPC, it is clearly stated that the aforementioned regulations are implemented to fulfill the obligations of convention No. 108.

According to the second paragraph of the article, if the personal data recorded is based on the political, philosophical or religious views, racial origins of the persons; the penalty will be increased if it unlawfully relates to their moral disposition, sex life, health status or union affiliation. In the sixth article of the Law on the Protection of Personal Data, of persons, race, ethnic origin, political opinion, philosophical belief, religion and sect, or other beliefs, costume and clothing, association or trade union membership, health, sexual life, criminal convictions and security measures, biometric and genetic data with data on qualified custom, it was stated that it is within the scope of personal data. It is observed that the personal data specified in the Personal Data Protection Law, which is supposed to increase the penalties when it is recorded, are special qualified personal data. In the sixth article of the convention No. 108 entitled special category of personal data, Unless appropriate safeguards are provided in domestic law, it is regulated that personal data revealing racial origin, political opinions, religion or other beliefs, personal data related to health or sexual life and personal data related to criminal convictions cannot be automatically processed and it is stated that these data are also in the special  category of personal data .

In terms of penal law, as mentioned above, the broad definition of personal data has been criticized because such a wide scope of crime in penal law can lead to unforeseen negative consequences. Failure to define personal data will lead to a too broad interpretation of the concept of personal data, which is the subject of the crime, and the emergence of practices that will violate the principle of legality in crime and punishment. For this reason, it has been suggested that the personal data that may constitute the subject of the crime should be personal information that only concerns the person’s private life, which the person does not want others to know.

In our opinion, considering that the definition of personal data is made in the same way in the contract No. 108 and the Law on Personal Data Protection, limiting personal data as information aimed at protecting and providing the confidential sphere of private life, ignoring the definition made in the law and the contract, will fade the concept of personal data and It will leave a wide discretion to the judge, undermine the importance of the consent of the victim.

Due to the typicality element of the crime, personal data belonging to a natural person must be illegally recorded. Saving the data on paper etc. it can be done by overwriting, drawing and marking things, as well as in the form of saving them to digital media. In this context, it will not be a crime to save personal data when memorizing personal data. Recording process, camera computer voice recorder pen, etc. can also be done with vehicles. The act of recording is an executive act and this crime cannot be committed with a negligent act. In the recording of special categories of personal data in the second paragraph, the crime will be included in the scope of the second Paragraph only when special qualified personal data specified in a limited number of articles are recorded. For the crime to occur, the record is sufficient and there is no need to process the data outside the record. In addition, there is no need to provide a benefit or harm by recording because this crime is a danger crime. The fact that the action is limited to recording only shows that this crime is regulated incompletely. Because not only the record is included in the processing action. Collecting such actions should also be included in this regulation but not.

The perpetrator of this crime may be any person and the victim must be a natural person. Because in the definition of personal data, the law has defined the relevant person or, in other words, the owner of personal data as a natural person. Since the carriers of human rights are natural persons, the carriers of personal data or related persons are each individual of the human species, that is, natural persons.

The crime is a crime that can be committed intentionally in terms of the moral element. Since the crime cannot be committed unintentionally, the perpetrator will not be responsible for the recording that took place unintentionally. The defendant, who worked in the Neurology Intensive Care Service as a computer operator affiliated with the Unit Information Processing Computer Company at Aydın State Hospital, logged into the hospital data system. The defendant recorded the information that the intervener applied to the Psychiatric Outpatient Clinic of Aydın State Hospital between 27 .04.2004 and 06.09.2004. In order to prove his claim, the defendant submitted 8 samples of hospital application documents showing the credentials of the interventionist he obtained, which polyclinic he applied to, the name and serial number of the physician to be examined. In this case, the  Court of Cassation found it appropriate to rule on the acquittal of the accused in accordance with the law

Another element of the crime is illegality. The act of crime must have taken place unlawfully. No crime will occur if another rule of law allows the act of registering. Since the reasons for compliance with the law in the TPC will be realized in the case of fulfilling the provision of the law and the order of the supervisor, self-defense, state of necessity, exercise of the right and consent of the person is concerned, the punishment will not be given. The existence of consent does not depend on the form in the sense of criminal law. In order for the consent to be valid, the person must be competent to consent, have a right that the person can freely save on, a statement of consent must be made. No crime will occur when personal data is recorded by some ministry personnel under the authority granted by the law without the consent of the relevant person in accordance with their duties. For example, the records kept by the civil regıstry of the Ministry of Interior and the Judicial Registry Directorates of the Ministry of Justice are as follows. In order for the registration process not to constitute a crime, there must be a regulation in the law. Another important point is that registration should also be carried out in a proper manner, based on the authority granted by law. For example, Penal Judgment Code (PJC) 132,133 and 134. in the transactions to be carried out within the scope of the articles, it is necessary to comply with the procedures provided for in the scope of the relevant article. In cases where it is necessary for the performance of a contract other than the TPC, the recording of personal data will not constitute a crime. The sharing of address information for the delivery of goods, the sharing of account information for payment is necessary for the performance of the contract, and often there is also the consent of the parties to the contract in this regard. Since contracts contain a general declaration of consent, it is useful to evaluate consent separately in terms of processing personal data. It will not be a crime to save personal data when protection of the life or body integrity of the person or someone else is concerned while the consent of the person will not be available. Recording the location information of an abducted person via telephone signal is an example for thi s. In order to keep the personal data of the employee within the scope of labor law and social security law, it becomes mandatory to register the personal data of the employee. In this case, the reason for compliance with the law from the employer’s point of view is realized.