Legal Liability Arising From The Protection Of Personal Data

I. Obligation To Protect Personal Data

Personal data is any information relating to an identified or identifiable natural person. This information may be related to the personal values of the person, his/her assets or the physical and social environment in which he/she lives. Although personal data is not a secret most of the time, real persons, as they are social beings, disclose many of their data to other real and even legal persons with whom they are in contact.

Firstly, it is important to note that the responsibility for protecting personal data lies with the State. The State fulfills this obligation by drafting, enacting, and enforcing legislation as stipulated in Article 20 of the Constitution. The pertinent legislation is the Personal Data Protection Law No. 6698, which was published in the Official Gazette on April 7, 2016, with most of its provisions taking effect on the date of publication. The objective of this Law, as outlined in Article 1, is "to protect the fundamental rights and freedoms of individuals, particularly the right to privacy, in the processing of personal data, and to establish the obligations, procedures, and principles to be adhered to by natural and legal persons processing personal data."

To execute the duties mandated by the Personal Data Protection Law, the Personal Data Protection Authority, an autonomous public legal entity with administrative and financial independence, has been established. The decision-making body of this institution is the Personal Data Protection Board. Although the duties and powers of the Board are detailed in Article 22 of the Law, some of these can be summarized as follows:

• To ensure that personal data are processed in accordance with fundamental rights and freedoms (Art. 22.a)
• To decide on the complaints of those who claim that their rights regarding personal data have been violated (Art. 22.b)
• Upon complaint or ex officio upon learning of the alleged violation, to examine whether personal data are processed in accordance with the law and to take temporary measures in this regard when necessary (Art. 22.c)
• To determine the adequate measures required for the processing of special categories of personal data (Art. 22.ç)
• To take regulatory action to determine the obligations regarding data security (Art. 22.f)
• To take regulatory action regarding the duties, powers and responsibilities of the data controller and its representative (Art. 22.g)
• Deciding on administrative sanctions stipulated in the Law on the Protection of Personal Data (Art. 22.ğ)

Although the primary obligation to protect personal data lies with the State, natural and legal persons are also required to protect and manage this data. These individuals or entities are referred to in the Law as "data controllers" and "data processors." Article 3 of the Personal Data Protection Law defines these roles. Accordingly, a data controller is a natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. A data processor, on the other hand, is a natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the latter. Both data controllers and data processors are obligated to comply with the procedures and principles outlined in the Personal Data Protection Law, as well as other relevant laws, when processing personal data.

Sanctions for Breach of the Obligation

In the event that data controllers and data processors violate their obligations or exceed the limits of their powers, if their actions constitute a crime, Articles 135-140 of the Turkish Penal Code are applicable (KVKK Art. 17). In cases where specific obligations outlined in the Personal Data Protection Law are violated by natural persons who are data controllers or by private legal entities, administrative fines are imposed on these individuals or entities. If such violations occur within public institutions, organizations, or professional organizations of a public nature, civil servants, other public officials, and individuals working within these professional organizations are subject to disciplinary proceedings (KVKK Art. 18). Unfortunately, it cannot be said that these sanctions are very effective for individuals whose personal data has been compromised. It would be more effective for the affected data subjects to seek legal redress from those responsible for the damage. The basis, conditions, and extent to which the affected individuals can seek compensation for the damage caused by a breach of personal data processing obligations are examined in detail below.

II. Legal Responsibility

A. Status of European Union Regulations

The European Union's Directive 95/46 of October 24, 1995, on the Protection of Natural Persons and the Free Flow of Data concerning the Processing of Personal Data addresses the issue of "responsibility" in Article 23 as follows: "(1) Member States may claim compensation from data processors for individuals who have been harmed by unlawful processing or activities incompatible with the provisions stipulated by individual States regarding the implementation of this directive. They adjudicate that these individuals have rights. (2) If the data processor can prove that the situation causing the damage cannot be attributed to them, they may be relieved of liability in whole or in part."

The European Parliament amended this issue in a regulation adopted on April 27, 2016, and published in the Official Journal of the European Union on May 4, 2016. The Regulation on the Protection of Natural Persons with Respect to the Processing of Personal Data, the Free Flow of Data, and the Abolition of Directive 95/46 is also known as the General Data Protection Regulation (GDPR).

Article 82 of the GDPR, titled "Liability and the Right to Request Compensation for Damages," includes the following provisions:

1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
2. Any controller involved in processing shall be liable for the damage caused by processing which infringes this Regulation. A processor shall be liable for the damage caused by processing only where it has not complied with obligations of this Regulation specifically directed to processors or where it has acted outside or contrary to lawful instructions of the controller.
3. A controller or processor shall be exempt from liability under paragraph 2 if it proves that it is not in any way responsible for the event giving rise to the damage.
4. Where more than one controller or processor, or both a controller and a processor, are involved in the same processing and where they are, under paragraphs 2 and 3, responsible for any damage caused by processing, each controller or processor shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
5. Where a controller or processor has, in accordance with paragraph 4, paid full compensation for the damage suffered, that controller or processor shall be entitled to claim back from the other controllers or processors involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage, in accordance with the conditions set out in paragraph 2."

B. The Situation in Türkiye

It can be observed that the Turkish Personal Data Protection Law differs from both the European Union regulation and the German Data Protection Law in that it does not include a specific article addressing liability for damages resulting from the unlawful processing of personal data.

According to the final paragraph of Article 11, titled "Rights of the Data Subject," in the third part of the Personal Data Protection Law No. 6698, under "Rights and Obligations," "Each person has the right to request compensation from the data controller for the damage arising from the unlawful processing of their personal data." Additionally, the third paragraph of Article 14, titled "Complaint to the Board," states, "The right to compensation, under the general provisions, of those whose personal rights are violated, is reserved." The general provisions referred to in Article 14 include Articles 24 and 25 of the Turkish Civil Code No. 4721 and Articles 53, 54, 56, and 58 of the Turkish Code of Obligations No. 6098.

According to Article 24 of the Turkish Civil Code, a person whose personal rights are unlawfully violated can seek protection from the judge against the violators. This protection can be pursued through litigation. Among the lawsuits that can be filed in case of an attack on personal rights are lawsuits for pecuniary and non-pecuniary damages (Article 25 of the Turkish Civil Code).

In cases of death, the items of material damage that must be compensated include funeral expenses, treatment expenses if the death did not occur immediately, losses arising from the decrease or loss of working capacity, and losses incurred by individuals who were dependent on the deceased (Turkish Code of Obligations Art. 53). In cases of bodily harm, the items of material damage that should be compensated include treatment expenses, loss of earnings, losses arising from the decrease or loss of working capacity, and losses resulting from the disruption of economic prospects (TCO Art. 54)

In cases of physical harm to an individual, the judge may, considering the circumstances of the case, order the payment of an appropriate amount of money to the injured party as non-pecuniary damages. In instances of severe bodily injury or death, an appropriate amount may also be awarded as non-pecuniary damages to the relatives of the injured or deceased person (Article 56 of the Turkish Code of Obligations, TCO). A person whose personal rights have been infringed may request a monetary payment for the non-pecuniary damage suffered. Instead of monetary compensation, the judge may opt for another form of redress or supplement the compensation with additional measures; in particular, the judge may issue a ruling condemning the violation and order the publication of this decision (Article 58 TCO). If the harm results in a diminution of the person's property values rather than personal values, compensation for pecuniary damage is possible, even if the protected legal values, such as property or possession, have not been directly violated.

Given that the Personal Data Protection Law can be regarded as a special protection norm safeguarding the assets of the injured party, data subjects who lose customers or miss business opportunities due to unlawful processing or failure to protect their data may also seek compensation for the resulting damages. Indeed, such actions constitute a tort within the meaning of the first paragraph of Article 49 of the Code of Obligations. It is important to note that, as a general rule, tort liability in our law is contingent upon the fault of the perpetrator. Since the Personal Data Protection Law does not prescribe a specific provision on liability, it suggests that fault-based liability should be applicable in this domain.

When data controllers are public authorities, the responsibility of the authority may also come into play due to the potential existence of a service defect. A malfunction occurring during data processing is considered a service defect in the performance of the public service and thus gives rise to the authority's liability. Regardless of whether the public official personally caused the disruption, the administration is obligated to compensate for the damage caused and may only seek recourse from the public official if there is a fault on their part.

In cases where data controllers are private entities, it is necessary to consider the concept of service defect, particularly when damage is caused intentionally or negligently by the data controller or data processor. Data processing, especially in the digital environment, may often result in leaks unrelated to the data controller's fault, making it challenging to prove fault. However, it can usually be demonstrated that the data controller's processing of the data caused the damage, establishing the causal link. It is a matter of equity that data controllers, who can easily collect, store, and analyze large amounts of data digitally, are deemed to have undertaken the risk of failing to protect the data appropriately in this environment. Nonetheless, the Personal Data Protection Law does not provide clear guidance in this regard.

Even if it is accepted that the general provision on strict liability for danger can be applied when fault-based liability provisions are insufficient to protect personal data, another point must be considered. Specifically, the actions of data controllers or data processors often may not be solely responsible for causing damage. The mere disclosure of personal data does not typically result in death, bodily harm, damage to other personal values, or property loss. Since not all personal data is inherently confidential, it would be inappropriate to categorize all disclosures as personal data breaches. Unlawful processing of personal data can often cause damage only in conjunction with another party's actions. For example, if a data controller mistakenly includes an unrelated third party on a list of customers ineligible for loans, or if there is a system malfunction leading to incorrect listings, the individual may be unable to secure a loan from any bank. In such a scenario, the damage suffered by the data subject is solely attributable to the data controller's actions, whether faulty or not.

III. Conclusion

The legal responsibility of data controllers is outlined in the final paragraph of Article 11 and Article 14 of the Personal Data Protection Law in a very general manner. Article 14 references general provisions concerning violations of personal rights. If the resulting damage manifests as a decrease in the value of assets rather than personal values of the data subject, it is possible to seek compensation for material damage, even if none of the injured party's legal values protected by fundamental norms, such as property or possession, have been violated.

The Personal Data Protection Law No. 6698 can be regarded as a special protection norm safeguarding the assets of the injured party. Under our law, tort liability is generally linked to the fault of the perpetrator. The absence of a specific provision on liability within the Personal Data Protection Law suggests that defect liability should be applied in this context. When data controllers are public authorities, administrative responsibility may be relevant. However, for private data controllers, it is necessary to consider the concept of service defect, which applies to administrative liability, and whether the data controller or processor caused the damage intentionally or negligently.

Data processing, particularly in the digital environment, may frequently result in leaks beyond the control of the data controller, making it difficult to establish fault. Nevertheless, the causal link between the data controller's actions and the damage can be easily demonstrated. Unlawful processing of personal data often results in damage only when combined with another party's behavior. In such cases, both the data controller and the other party should be held jointly and severally liable to the injured party. The data controller may often have the opportunity to seek recourse from the other party. This suggests that imposing liability based on inherent risk will not unduly burden data controllers.

Furthermore, data controllers can mitigate potential liability through insurance contracts covering such damages. Therefore, it is crucial for both public authorities and private data processors to implement maximum administrative and technical measures to prevent data breaches and protect personal data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.