Applicability of Data Protection Law in Turkey: Filing System Criterion

The Filing System Criterion in Turkey's data protection law extends the law's scope to include manual processing of personal data when such data is systematically organized to allow easy retrieval or access.

Text of Relevant Provisions

DPL Article 2:

"The provisions of this Law shall apply to natural persons whose personal data are processed and to natural or legal persons processing such data wholly or partially by automated means or by non-automated means which provided that form part of a data filing system."

Original (Turkish):

"Bu Kanun hükümleri kişisel verileri işlenen gerçek kişiler ile bu verileri tamamen veya kısmen otomatik yollarla veya bir veri kayıt sisteminin parçası olmak kaydıyla otomatik olmayan yollarla işleyen gerçek ve tüzel kişiler hakkında uygulanır."

Analysis of Provisions

The Filing System Criterion in Turkey's Law on the Protection of Personal Data (DPL) is crucial in determining the law's scope of applicability. This criterion is detailed in Article 2, which stipulates that the law applies to both automated and non-automated processing of personal data, provided the data is part of a filing system.

1. Scope of Application:
   • DPL Article 2 states that the law applies to "natural or legal persons processing such data wholly or partially by automated means or by non-automated means which provided that form part of a data filing system." This inclusion ensures that both digital and manual processes are covered if they are organized in a filing system.
2. Definition of Filing System:
   • A filing system is defined as any structured set of personal data accessible according to specific criteria. This encompasses both electronic and physical records, ensuring that all systematically organized personal data are protected under the law.
3. Manual Data Processing:
   • The criterion explicitly includes manual processing of personal data, provided that such data forms part of a filing system. This ensures that personal data stored in physical files, if systematically arranged, are subject to the same data protection regulations as those processed digitally.
4. Exemptions:
   • The provision does not explicitly mention exemptions for personal or household activities, but this is typically understood in the context of data protection laws, focusing on professional and organizational processing of personal data.

Implications

For Business

• Manual Record Compliance: Businesses must be aware that manual records, if they form part of a filing system, are subject to the same regulatory requirements as automated records. This necessitates implementing data protection measures for physical files, such as secure storage and controlled access.
• Comprehensive Data Protection: Companies need to ensure compliance with DPL across all forms of data processing. This includes establishing policies and procedures for handling personal data in both digital and manual formats, ensuring that all data management practices meet the standards set by the law.
• Organizational Impact: Organizations must review and potentially restructure their filing systems to ensure compliance with DPL. This involves assessing how personal data is stored, organized, and accessed within their operations, whether in digital or physical formats.

The Filing System Criterion in Turkey’s DPL ensures comprehensive protection of personal data by covering both automated and manual processing, emphasizing the importance of consistent data protection measures across various data handling methods.