Data Protection in Turkey: Data exchange between Germany and Turkey

Article by Aysegül Özkan, Augsburg.

Thus far, there is no specific law in Turkey regarding data protection. However, even without a specific law, personal data are protected by constitutional and statutory provisions.

Existing law in Turkey in the area of data protection

First and foremost, personal data is protected by the Turkish constitution, in Part 2, Section 4, under the heading, “Non-Disclosure and Protection of Personal Life.” For example, Article 20 provides that everyone has the right to considerate treatment not only of his own personal life, but also of his family’s life. Paragraph 2 of this article also says that body searches may not be conducted and documents and private items may not examined or confiscated without a corresponding judicial order.

Expansion of Article 20 included in the amendment of the constitution

In addition to this direct protection of personal data by the constitution, Article 20 was expanded by the following passage as part of the most recent amendment of the constitution:

Everyone has a right to protection of his personal data. As a part of this right, everyone shall be informed of his own personal data; there shall be a possibility of accessing these data; correction or deletion of these data may be demanded, and one may obtain information about the practical use of these data. Processing of personal data is permitted, however, if this is provided under the law or if the person has given explicit consent.

Protection of personal data by the Turkish Civil Code and Turkish Criminal Code

Personal data is protected not only by constitutional provisions, but also by some paragraphs of the Turkish Civil Code, in the section, “Protection of Personal Rights.” The Turkish Criminal Code also contains sanctions for violations of data protection.

New law in the area of telecommunications

Furthermore, the Electronic Communications Act has been passed in the area of telecommunications. Prior to the enactment of this law, a “Provision on Protection of Personal Data in the Telecommunications Area” was published by the Institute of Information Technology and Communications. This provision was prepared with regard to EU legislation in the area of telecommunications.

Data protection bill

In April 2008, a law with the declared goal of data protection was drafted by the Cabinet (Council of Ministers) and forwarded to the steering committee of the National Assembly. The bill has now been awaiting codification since October 2008.

The bill is primarily based on the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and on EU directives on data protection.

Goal of the bill

The “Bill for Protection of Personal Data – Turkish Draft Data Protection Act” (Ref. No. 1/576, Gazette 27097 dated 12/31/2008) has the purpose of protecting the private sphere of natural persons in the processing of personal data (Article 1, Turkish Draft Data Protection Act). The provisions are based on the inviolability of persons guaranteed by Article 17 of the Turkish constitution. At the same time, the bill essentially corresponds to EU Data Protection Directive 95/46/EG.g

The centerpiece of the Turkish Draft Data Protection Act, which includes Article 41, is self-determination in regard to data. As a basic principle, according to Article 6, the processing of personal data requires the consent of the affected person. Also circulation to third parties is supposed to be tied to strict legal prerequisites.

Data Protection Council

Article 26 of the bill provides for the founding of a Committee for Protection of Personal Data, which will carry out the tasks assigned to it by the bill, as specified in Article 31. This committee is to be based on the German model of the Federal Data Protection Officer.

The committee is composed of seven members who are selected by the Council of Ministers for a term of six years. A special educational background in data protection is not necessary for eligibility. Article 27 of the Turkish Draft Data Protection Act only requires a university degree plus ten years of professional experience in research or in the practice of a profession.

Independence of the committee

The committee will perform its responsibilities in an independent manner. No board, department, agency or person may give the committee directions in order to influence its decisions. Judging by the preamble to the law, the committee is supposed to be patterned after the independent data protection institutions of the EU member states, through this type of autonomy.

Data transmission to foreign countries

Personal data may only be transferred to foreign countries in the following cases:

1. The affected person has given his consent.
2. A contract has been concluded between the affected person and the owner that transmits the data register, and the data transfer is necessary in order to continue pre-contractual relationships or to fulfill the contract.
3. There is a particular public interest.
4. Transmission of data to a third country is necessary or legally required in order to determine, exercise or protect a right.
5. The data transfer is essential for protection of the life or physical integrity of the affected person.
6. The data is transferred from a register that is accessible to the public and to everyone, provided that the prerequisites of the pertinent law are fulfilled.

Data exchange between Germany and Turkey

A possible exchange of data between Turkey and Germany is interesting particularly in the context of criminal proceedings.

Exchange of criminal conviction information between Germany and Turkey

Based on information provided by the [German] Federal Ministry of Justice to the Gießen Administrative Court on 8/8/1997, Turkey and the Federal Republic of German are already exchanging criminal conviction data on a regular basis.

Gießen Administrative Court (20/8/1997, Ref.: 10 E 11561/92): "This means that each country is informing the other regarding all (final) criminal judgments and subsequent measures that have been recorded in criminal records – in the [German] Federal Central Criminal Register."

Content of the criminal conviction information

According to the information [cited above], criminal conviction information includes, along with the personal data of the affected person, the conviction date and criminal act; the name of the adjudicating court; the file number of the proceeding; the criminal act on which judgment was rendered; the pertinent provision of the criminal code and other supplementary criminal laws; the nature and level of the penalty; and any additional or ancillary penalties (cited Gießen Administrative Court, 20/8/1997, Ref.: 10 E 11561/92).

Exchange of criminal conviction information is at most an administrative agreement

The agreement itself was not submitted either by the [German] Federal Ministry of Justice or by the Federal Prosecutor General, who is responsible for administering the register at the Federal Central Criminal Register. From that, one must assume that the agreement to exchange information on criminal convictions is at most an administrative agreement between the Turkish state and the Federal Government of Germany. The Law Governing the Central Criminal Register and Educational Register dated 9/21/1984 does not contain an appropriate legal provision regarding the exchange of criminal conviction information (cited Gießen Administrative Court, 20/8/1997, Ref.: 10 E 11561/92).

Legal basis for providing information

Section 57 of the Federal Central Criminal Register Act merely provides that information from the register can be given to agencies of other countries in accordance with applicable laws and agreements. The Law on International Assistance in Criminal Matters contains a similar provision. To the extent that agreements are discussed in Section 57 of the Central Criminal Register Act, these are definitely not pure administrative agreements or agreements between governments. An “agreement” here must be understood as an international agreement that has been transformed into national law through a formal law. Thus, the “agreements” specified in Section 57 of the Federal Central Criminal Register Act are actually laws in the formal and material sense. However, this kind of legal basis for an exchange of information from the Federal Central Register to the Turkish government does not exist (cited Gießen Administrative Court, 20/8/1997, Ref.: 10 E 11561/92).

European Convention on Mutual Assistance in Criminal Matters

To be sure, Article 22 of the European Convention on Mutual Assistance in Criminal Matters dated 4/20/1959 – which went into effect in Turkey on 9/22/1969 – does provide that every contracting member state will inform the others of all criminal convictions and subsequent measures affecting its citizens, which have been recorded in criminal records. According to this article, the ministries of justice must transmit these records to each other at least once a year (cited Gießen Administrative Court, 20/8/1997, Ref.: 10 E 11561/92).

Lack of legal basis

If there is thus no domestic legal basis, then the regular exchange of criminal conviction information with Turkey is against the law and unconstitutional in regard to the affected individual; and the active efforts of German agencies – regardless of whether the criminal information is delivered to Turkey by the Federal Central Criminal Register or the Federal Prosecutor General or the Federal Ministry of Justice – constitute substantial grounds for asylum after the date of flight, which blocks deportation of the affected person back to his country of origin (cited Gießen Administrative Court, 20/8/1997, Ref.: 10 E 11561/92).

Exchange of information regarding criminal convictions: an obligation under international law

There are no obvious international agreements that guarantee appropriate protection for the affected Turkish citizen from disadvantages caused by this exchange of information when the citizen returns to Turkey, and none have been cited by the federal government (the Federal Ministry of Justice); furthermore, the necessary data protection measure is absent in international treaties. Regardless of that, however – as confirmed by the Federal Ministry of Justice and by the Federal Prosecutor General – that kind of information exchange does take place, and must be taken into account in the assessment of an application for legal protection (cited Gießen Administrative Court, 20/8/1997, Ref.: 10 E 11561/92).

Information network of European customs and border protection agencies

In the case of identity checks, the EU has developed numerous measures in regard to intensifying the collaboration of member states and developing integral border protection.

Regarding the information network, for the main part there are three systems to which security services have access: the Schengen Information System (SIS), the European Union Visa Information System (VIS), and the European biometric database for comparing the fingerprints of asylum seekers and illegal immigrants (EURODAC). Furthermore, the exchange of information between national databases is supposed to be improved.

Legal basis

These information systems are administered on the basis of various legal principles:

The Schengen Information System (SIS) makes it possible for government agencies of member states to use a dialog-driven database application to prepare and administer data sets for tracing of individuals and property items by police in conformance with the Convention Implementing the Schengen Agreement.

Turkey, a potential partner

In particular, the countries bordering the EU and also Turkey (which is already close to the Schengen Area) are natural partners for expanded collaboration.

Conclusion

Thus far in Turkey, there is no legislation that deals with protection of personal data. Nevertheless, Turkey has signed international agreements on data protection and, through the draft legislation for protection of personal data, has taken a first step in the direction of a data protection law of its own.

In regard to an exchange of information on criminal convictions between Germany and Turkey, there is no appropriate legislation authorizing transmission from the Federal Central Criminal Register. Neither the Federal Central Criminal Register Act nor the Act implementing the European Convention on Extradition of 12/13/1959 and the European Convention of 4/20/1959 on Mutual Assistance in Criminal Matters from 11/3/1964 includes a power of authority to deliver extracts from the Federal Central Criminal Register to a foreign country on a regular basis.

Thus, the Federal Republic of Germany has indeed made international commitments to exchange criminal conviction information, but has not implemented this obligation as national legislation.

In regard to intensifying the collaboration with member countries in the area of border protection and identity checks, Turkey is a natural partner for closer collaboration in regard to data exchange because of its proximity to the European region.