As the Insurance Information and Monitoring Centre (SBM), we attach importance to the security of personal data. In this context, we would like to inform all insurance holders about the "Personal Data Protection Law" edited for protecting the fundamental rights and the freedoms of people and the personal data.
Personal Data Protection Law numbered 6698 ("the Law") was published on the Official Gazette as of April 7, 2016 and entered into force. The Law regulates principles such as; the general principles to be observed for processing the personal data, conditions of processing the personal data and the rights of data owners. The purpose of the Law is described as "protecting the fundamental rights and freedoms of persons, privacy of personal life in particular, while personal data are processed, and to set forth obligations of natural persons and legal entities that process the personal data and the procedures and the principles to be observed by the same parties."
General Information about Personal Data Protection Law
Personal data is defined as; "all sorts of information about a natural person whose identity is determined or who can be determinable". All sorts of information refers not to only a person's name, surname, date of birth, place of birth and such information that allows exact identification but also information related to physical, family, economic, social and such other characteristics of that person.
Sensitive (private) personal data is a special category under the personal data. The legislator believes that such information might be potentially used for purposes related to discrimination and thus it has imposed stricter conditions for processing the sensitive personal data. Such data are related about a person's race, ethnicity, political views, philosophical beliefs, religion, religious sect or other beliefs, appearance and clothing, membership to a foundation or union, health, sexual life, biometric data or any criminal sentence and security measures imposed on that person.
Processing of the personal data includes all sorts of proceeding performed on the data, such as; obtaining, saving, storing, keeping, editing, transferring and taking over that data.
There are certain principles that have to be observed for legally proceeding of the personal data. First of all, the data proceeding must comply with the law and rules of good faith. The other principles are ensuring that proceeding of the data is accurate and updated, if necessary; data proceeding should be done for certain, clear and legal purposes; the proceeding should be connected with the purpose, limited and deliberate. Furthermore, the proceeded data should not be kept for a period no longer than the period required for the purpose.
Conditions of Proceeding the Personal Data
As a rule, personal data cannot be proceeded without the explicit consent of the data owner. For obtaining the explicit consent, the data owner must be informed in detail about the process. However, the 5th article of the Law allows proceeding of the personal data without the explicit consent of the data owner in case of exceptional cases. These exceptions are:
- If laws clearly stipulating proceed of the data,
- If required for protecting life or physical integrity of a person who cannot state the explicit consent due to actual impossibilities or whose consent is not legally valid or protecting life or physical integrity of another person,
- If the personal data of contracting parties must be processed on condition that this processing is directly associated with the concluding or performing a contract,
- If required for fulfilling the legal liability of the data supervisor,
- If anonymized personally by the related person,
- If the data proceeding is required for establishing, exercising or protecting any right and,
- If required for legitimate interests of the data supervisor on the condition that does not harm fundamental rights and freedoms of the related person.
Sensitive personal data, excluding the health and sexual life information, can only be proceeded without the explicit consent in case of the situations clearly defined on the laws. Data about the health and sexual life can only be –proceed without the explicit consent of the data owner for protecting the public health, giving preventive medicine, medical diagnosis, treatment and care services, planning and managing the health services and their finance, and this proceeding can be done by person under the confidentiality obligation circumstances or authorized establishments and the organizations subject to confidentiality obligation.
Purposes to Proceed the Personal Data
Your personal data can be proceeded for the following purposes, as allowed under the personal data proceeding conditions stated under the 5th and 6th articles of the Law:
- Communication activities with the business partners / public organizations and follow up of the routine operations,
- Fulfilment of needs of the data requests of authorized public organizations and institutions,
- Settlement of disputes
Parties to Receive Proceeded Personal Data and Purposes of the Personal Data Transfer
Your personal data can be transferred for the following purposes, as allowed under the personal data proceeding conditions stated under the 8th and 9th articles of the Law:
- Communication activities with the business partners / public organizations and follow up of the routine operations,
- Fulfilment of needs of the data requests of authorized public organizations and institutions,
- Settlement of disputes,
- Performing the monitoring and surveillance applications for the security purposes,
- Fulfillment of legal obligations,
- Conducting the customer evaluation processes, conducting legal and business risk analysis
Method and Legal Reasons of Collecting the Personal Data
Personal data collected based on the legal purposes is transferred and proceeded pursuant to the personal data processing conditions and purposes stated under the 5th and 6th articles of the Law numbered 6698.
Rights of the Data Owner
The 11th article of the Law vests certain rights to the data owner. Accordingly, everyone has the following rights on personal data and these rights can be exercises by referring to the data supervisor:
- To learn whether the personal data is proceeded,
- To request the related information if the personal data is proceeded,
- To learn the purpose of proceeding the personal data and whether the data is used for that purpose,
- To know the third persons who received the personal data either in the country or outside the country,
- To request correction if the personal data is proceeded incompletely or incorrectly,
- To request deletion or destruction of the personal data within the framework of conditions stated under the 7th article of Law,
- To request notification of third person who received the personal data about correction, deletion or destruction processes,
- To object to any outcome that is achieved through the analysis of proceeded data exclusively with the automated systems and which is against the person,
- To request the recovery of the losses if the person suffers from any losses due to the illegal proceeding of the personal data.