04 March 2020
Personal Data Protection: Criminal Sanctions Stipulated in the Turkish Criminal Code
The Turkish Criminal Code No. 5237 ("TCC") regulates the actions which may constitute crimes with respect to the unlawful use of personal data. The Personal Data Protection Law No. 6698 ("KVK") remains important in this context because it provides a clear definition of personal data. Certain actions which constitute a breach of the KVK may result in administrative fines imposed by the Personal Data Protection Board. However, the same actions may also constitute a breach of the TCC, which may result in criminal prosecution of individuals and criminal sanctions. We have these crimes and the relevant criminal sanctions below.
1.Recording Personal Data
According to the Article 135 of the TCC, recording the personal data of individuals without their consent shall constitute a crime. To give an example, recording the name, phone number, address or other personal data of a customer for the purposes of marketing may be considered in this scope.
Accordingly, any person who illegally records personal data shall be sentenced to imprisonment for a term of 1 to 3 years.
In a case that this personal data relates to an individual’s political, philosophical, or religious opinions, racial origins; moral tendencies, sex lives, health, or relations to trade unions, the penalty imposed may be imprisonment for a term of 1.5 to 4.5 years.
2.Obtaining, Sharing or Disclosing Personal Data
According to the Article 136 of TCC; obtaining, sharing, and disclosing the personal data of individuals without their consent shall constitute a crime. To give an example, obtaining the personal data relating to an association’s volunteers by entering such the computer system and sharing such information with another association and/or other individuals may be considered within the scope of this crime.
Accordingly, any person who illegally obtains, disseminates, or discloses personal data of individuals shall be sentenced to imprisonment for a term of 2 to 4 years.
3.Destruction of Personal Data
According to the Article 138 of the TCC, keeping personal data of individuals after the legally prescribed expiry date, shall constitute a crime. To give an example, keeping the personal files of employees after the 10 years expiry date shall be considered in this scope.
Accordingly, any person who fails to destroy data in accordance with the prescribed procedures, before the expiry of the legally prescribed period for destruction, shall be sentenced to a penalty of imprisonment for a term of 1 to 2 years.
The rights of data subjects are also protected within the scope of the TCC. Accordingly, individuals employed by and / or representing organizations which process data without having complied with the legislation may face criminal prosecution. The practice relating to data crimes under the TCC is becoming clearer as the High Court of Appeals is ruling on higher number of cases, setting a strong precedent for the prosecutors’ offices and first instance courts. Projects to ensure legal compliance with data protection significantly reduce the risk of committing crimes relating to personal data, knowingly or unknowingly, by employees and representatives of organizations.