This article examines the accountability of diplomatic missions for the personal data they acquire and process in the receiving State. It focuses on Türkiye's Law No. 6698 on the Protection of Personal Data and how these responsibilities intersect with their immunities under public international law, highlighting the complexities of balancing data protection with diplomatic privileges.
Diplomatic missions are essential for the functioning of any foreign policy and maintaining international relations. Consulates and embassies come as prime examples of diplomatic missions, and by the very nature of their activities, they acquire and process data in the receiving State.
This article will explore whether these missions are accountable for the personal data they collect and process under the Law No. 6698 on the Protection of Personal Data (“KVKK”)1, and how these legal considerations interact with the immunities and privileges they enjoy under public international law.
Privileges and Immunities Afforded Under Public International Law
The immunities and privileges conferred on diplomatic missions and staff are reflected by two key international conventions, namely the Vienna Convention on Diplomatic Relations2 and the Vienna Convention on Consular Relations3 both of which Türkiye has ratified.
In order to ensure diplomatic missions can perform their functions without interference, these immunities and privileges protect diplomatic/consular staff from the criminal, civil, and administrative jurisdiction of the receiving State and render them inviolable, preventing arrest, detention, or customs inspection. This inviolability extends to the consular premises, archives and documents, which the receiving State cannot inspect.
Although, diplomatic missions must respect the receiving country's laws, in practice, these immunities they enjoy often limits the receiving State's ability to enforce its laws. Consequently, the diplomatic mission continues to be subject to the jurisdiction of their sending State.
Exceptions to the Diplomatic Immunities
Notably, the abovementioned immunities only apply in relation to the sovereign functions of a diplomatic mission, not to private activities. Thus, for example, diplomatic missions and staff do not enjoy immunities for commercial activities aimed at generating profit that are outside their official duties. Such actions fall under Article 10 of the 2004 UN Convention on Jurisdictional Immunities of States and Their Property, potentially subjecting the mission to local legal scrutiny by the courts of the receiving State.
One recognized consensus in international law is that employment matters are private, not sovereign functions. Indeed, diplomatic missions in Türkiye shall adhere to Turkish Labor Law in relation to local staff and lack judicial immunity for labor disputes and compensation matters.4
This implies that a diplomatic mission in Türkiye could, despite its general immunities, be held accountable for local employees and the data collected in relation to them. In the event of a breach, the Turkish Personal Data Protection Authority (“PDPA”) might accept claims from employees against a diplomatic/consular mission, potentially allowing for enforcement. Therefore, the central question of this article becomes whether PDPA can extend this enforcement in relation to all the personal data collected by diplomatic/consular missions in Türkiye.
Law No. 6698 on the Protection of Personal Data
Article 3 of the KVKK defines a data processor as “a natural or legal person who processes personal data on behalf of the data controller upon its authorization” and a data controller as “a natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.”
The definitions in this provision are very broad in nature. Given that consulates conduct data processing activities, such as processing visa applications of persons domiciled in Türkiye, one could argue that diplomatic missions fall within the meaning of data controller, and consequently, they must register to Data Controllers Registry Information System (“VERBIS”), a requirement for data controllers, and other regulatory obligations that arise under the KVKK. It is important to note that diplomatic missions are not listed among the entities exempt from the VERBIS registry obligations according to the relevant PDPA decisions5. Likewise, the exceptions under Article 28 of the KVKK provide limited guidance, unlikely to be applicable to diplomatic missions.
There are, however, certain problems with classifying diplomatic missions as data controllers. This approach overlooks the unique legal status of these entities, which are neither natural nor legal persons capable of bearing legal obligations. Classifying diplomatic missions as data controllers could conflict with the immunities and privileges afforded to diplomatic missions, giving rise to a conflict between Türkiye's obligations under public international law and KVKK. To address this in more detail, it is essential to discuss the principle of no separate legal personality and the approach taken by EU member states regarding General Data Protection Regulation (“GDPR”).
No Separate Legal Personality
The principle of "no separate legal personality" in public international law provides that diplomatic missions, such as consulates and embassies, do not function as distinct legal entities; rather, they are extensions of the state they represent. As such, the actions taken by a diplomatic mission in a host country are, in essence, actions of the sending State. Therefore, it sits uncomfortably within the public international law to treat consulates and embassies as independent legal entities or as public institutions capable of bearing legal obligations.6
This principle is also echoed in the legal frameworks of Türkiye. For instance, “the Regulation on the Implementation of the Notification Law”7 and the “Circular No. 63/3 on the International Judicial Notification Procedures in the Legal Field”8 mandate that all legal service, including those in relation to litigation and execution proceedings against diplomatic missions, and shall be channeled through the Ministry of Foreign Affairs9.
This is so, because some states do not accept legal service directly to their diplomatic missions for the very reason that these missions do not have a legal personality nor have the capacity to become a party to a lawsuit.10 Accordingly, the defendant must be designated as the sending State in disputes, rather than the mission itself, reinforcing the notion that consulates and embassies are extensions of their sending State's sovereignty.
Following this reasoning, one might argue that it is more accurate to consider the sending State itself as the data controller, rather than the diplomatic mission. This raises the question: under whose jurisdiction will the data collected and processed in the receiving State be governed?
Situation in the EU with Reference to the GDPR
Despite the lack of research in Türkiye on data protection in diplomatic contexts, insights from the EU's application of the GDPR can offer valuable guidance.
The GDPR is renowned for its extensive territorial scope, designed to ensure robust data protection regulations without gaps.11 This ambition is particularly evident in Article 3 with Article 3(3) notably specifying that the GDPR applies to data controllers not established in the EU but operating in locations where Member State law is applicable “by virtue of public international law”, including diplomatic missions and consular posts. Therefore, EU diplomatic missions located in third-countries are subject to the GDPR due to their sending State's obligation under the regulation, reflecting the principle of no separate legal personality. This application of the GDPR is, however, subject to exceptions such as national security and public interest.
Conversely, diplomatic missions from third-countries within the EU are generally not subject to the GDPR as their sending State is not a party to the GDPR. This formulation prevents an overreach of GDPR's applicability to third-country diplomatic missions, thereby preserving their immunities under international law.
In the case of EU countries, their diplomatic missions in Türkiye are likely to be subject to the GDPR anyway, a regulation that the KVKK mirrors to a significant extent. However, the situation becomes more complex with non-EU countries like the United States and Canada, which have different data protection regimes. The GDPR addresses this issue by classifying data transfers from EU entities to non-EU diplomatic missions as international transfers under Article 44,12 thereby covering potential gaps in data protection.
Similarly, the PDPA could treat data collected by foreign consulates in Türkiye as international transfers, recognizing that consular posts are legal extensions of foreign states, thereby requiring confirmation that appropriate data protection measures are in place as stipulated under Article 9 of the KVKK. This approach ensures that data collected by a foreign consulate in Türkiye is processed to a standard approved by the KVKK, without necessarily subjecting the consular post to full compliance with Turkish data protection laws.
Conclusion
Ultimately, the status of diplomatic missions within Türkiye's data protection framework remains ambiguous, having received little attention. The central issue is whether these entities should be governed by the principle of “no separate legal personality,” respecting their diplomatic immunities as the GDPR does; or if they should be subject to national data protection laws in their capacity as resident data controllers. This ambiguity highlights the urgent need for a clearer legal regulation on the application of Turkish data protection laws to the data collected and processed by foreign diplomatic missions.
References
Bozdağ, G. G. (2016). 1965 Tarihli Lahey Sözleşmesi Bakımından Tebligat Kanunu'na İlişkin Bazı Sorunlar (Only in Turkish). Gazi University Faculty of Law Review, Volume XX, Issue 2, p. 302.
Circular No. 63/3 on the International Judicial Notification Procedures in the Legal Field (Only in Turkish). (2011, November 16). Retrieved from Ministry of Justice - Department of Foreign Relations and European Union Affairs: https://diabgm.adalet.gov.tr/Resimler/Dokuman/48202009523663%20-%203%20(1).pdf
Convention on the Service Abroad of Judicial and Extrajudicial Documents in Civil or Commercial Matters. (1965, November 15). Retrieved from Ministry of Justice - Department of Human Rights: https://inhak.adalet.gov.tr/Resimler/Dokuman/2812020150704lah14_ing.pdf
Guide for Diplomatic Missions in Türkiye. (2022, June). Retrieved from Ministry of Foreign Affairs: https://cd.mfa.gov.tr/getFile/251
Jervis, C. (2020, February). The Curious Case of Article 3(3) of the GDPR and Its Application to Diplomatic Missions. International Data Privacy Law, Volume 10, Issue 1, pp. 107-114.
Jervis, C. (2022, February). International Transfers: Johnson v Secretary of State for the Home Department 2020 and Diplomatic Missions. International Data Privacy Law, Volume 12, Issue 1, s. 53-62.
PDPA Decision Dated 02/04/2018 No. 2018/32 (Only in Turkish). (2018, April 2). Retrieved from Personal Data Protection Authority: https://kvkk.gov.tr/Icerik/4233/2018-32
PDPA Decision Dated 02/07/2018 No. 2018/87 (Only in Turkish). (2018, July 02). Retrieved from Personal Data Protection Authority: https://kvkk.gov.tr/Icerik/5271/2018-87
PDPA Decision Dated 06/07/2023 No. 2023/1154 (Only in Turkish). (2023, July 6). Retrieved from Personal Data Protection Authority: https://kvkk.gov.tr/Icerik/7647/2023-1154
PDPA Decision Dated 22/04/2020 No. 2020/315 (Only in Turkish). (2020, April 22). Retrieved from Personal Data Protection Authority: https://kvkk.gov.tr/Icerik/6740/2020-315
Personal Data Protection Law. (2016). Retrieved from Personal Data Protection Authority: https://www.kvkk.gov.tr/Icerik/6649/Personal-Data-Protection-Law
The Regulation on the Implementation of the Notification Law (Only in Turkish). (2012, January 25). Retrieved from The Official Gazette: https://www.resmigazete.gov.tr/eskiler/2012/01/20120125-7.htm
United Nations Convention on Jurisdictional Immunities of States and Their Property. (2004). Retrieved from United Nations Office of Legal Affairs: https://legal.un.org/ilc/texts/instruments/english/conventions/4_1_2004.pdf
Vienna Convention on Consular Relations. (1963). Retrieved from United Nations Office of Legal Affairs: https://legal.un.org/ilc/texts/instruments/english/conventions/9_2_1963.pdf
Vienna Convention on Diplomatic Relations. (1961). Retrieved from United Nations Office of Legal Affairs: https://legal.un.org/ilc/texts/instruments/english/conventions/9_1_1961.pdf
Footnotes
1. (Personal Data Protection Law, 2016)
2. (Vienna Convention on Diplomatic Relations, 1961)
3. (Vienna Convention on Consular Relations, 1963)f
4. (Guide for Diplomatic Missions in Türkiye, 2022)
5. (PDPA Decision Dated 02/04/2018 No. 2018/32 (Only in Turkish), 2018); (PDPA Decision Dated 02/07/2018 No. 2018/87 (Only in Turkish), 2018); (PDPA Decision Dated 22/04/2020 No. 2020/315 (Only in Turkish), 2020); (PDPA Decision Dated 06/07/2023 No. 2023/1154 (Only in Turkish), 2023)
6. (Jervis, The Curious Case of Article 3(3) of the GDPR and Its Application to Diplomatic Missions, 2020)
7. (The Regulation on the Implementation of the Notification Law (Only in Turkish), 2012)
8. (Circular No. 63/3 on the International Judicial Notification Procedures in the Legal Field (Only in Turkish), 2011)
9. (Convention on the Service Abroad of Judicial and Extrajudicial Documents in Civil or Commercial Matters, 1965)
10. (Bozdağ, 2016)Gazi University Faculty of Law Review
11. (Jervis, The Curious Case of Article 3(3) of the GDPR and Its Application to Diplomatic Missions, 2020)
12. (Jervis, International Transfers: Johnson v Secretary of State for the Home Department 2020. and Diplomatic Missions, 2022)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.