Building Complex Managements’ basic obligations arising from the Law on the Protection of Personal Data
July 2020, Erdemir&Özmen Attorney Partnership
Due to the services they provide, Building Complex Managements carry out many personal data processing activities pertaining to the building complex residents, visitors, supplier firms and building complex staff. Within this framework, Building Complex Managements must observe certain obligations so that all kinds of personal data belonging to all the individuals who benefit from their services and who are in a relationship with them are processed and retained in compliance with the Law numbered 6698 on the Protection of Personal Data (“the Law”).
The article 3 of the Law defines personal data as any data related to an identified or an identifiable real person. In this direction, the personal data, and particularly the identity information and contact information, belonging to the individuals who are in a relationship with Building Complex Managements, are collected and processed by those Building Complex Managements. While performing these activities, Building Complex Managements must comply with various requirements within the scope of the legislation.
The article 4 of the Law on the Protection of Personal Data indicates the principles necessary to be observed by data controllers in the processing of personal data. Pursuant to the article, data controllers are obliged to comply with the following principles in the processing of personal data:
- Lawfulness and to comply with the rule of objective good faith,
- To keep personal data accurately, and up-to-date when needed,
- To process personal data for certain, clear and legitimate purposes,
- To comply with the principle of proportionality and being limited to and in connection with the personal data processing purposes,
- To retain personal data until expiration of the period stipulated by the legislation or necessary for the processing purposes.
Although the matter of “whether Building Complex Managements are data processors or data controllers” has recently been a subject of debate, we are of the opinion that a Building Complex Management must, as if it were a data controller, act in compliance with all the responsibilities arising from the Law, due to the activities carried out by the Building Complex Management.
Obtaining explicit consent from the data subjects in the processing of personal data
One of the data controllers’ most significant obligations arising from the Law is that, in necessary cases, they must obtain explicit consent for the processing of personal data from the data subjects whose personal data will be processed. The explicit consent must be given of the data subject’s free will and must be obtained before the relevant data processing activity is performed. There is no rule as to the form of such explicit consent; in practice, however, it is preferred to obtain it in writing, for ease of proof.
Hence, it is accepted that, while obtaining explicit consent from the data subjects, the data controllers must not lay down a condition or a stipulation for the explicit consent.
As per the article 5 of the Law, personal data shall not, as a rule, be processed in the absence of the data subject’s explicit consent. However, the second paragraph of the article indicates the exceptions to this rule. Accordingly, it is possible to process the data subject’s personal data without the requirement to obtain his/her explicit consent in the following cases:
- In the cases expressly permitted by the laws;
- In case it is mandatory to process a data subject’s personal data in order to protect his/her or another individual’s life or physical integrity where his/her consent is not deemed legally valid or he/she is incapable of giving explicit consent because of de facto impossibility;
- In case it is necessary to process personal data pertaining to the parties of a contract, provided that this is directly related to the conclusion or performance of the contract;
- In case the data processing is mandatory for the data controller to fulfil its legal obligations;
- In case the data subject has made his/her personal data public;
- In case the data processing is necessary for the establishment, exercise or protection of right; or
- In case the data processing is necessary for the data controller’s legitimate interests, provided that the fundamental rights and freedoms of the data subject are not harmed.
The necessity to obtain explicit consent applies to the special categories of personal data as well. Special categories of personal data are defined as the data related to the individual’s race, ethnicity, political opinions, philosophical opinions, religion, sect or other beliefs, appearance; association, foundation or trade union memberships; health, sexual life, criminal convictions and security measures, and biometric and genetic data. As a rule, in the absence of the data subject’s explicit consent, it is prohibited to process the special categories of personal data indicated by the article 6 of the Law on a numerus clausus basis.
However, as with the article 5, the relevant paragraph of the article 6 indicates the exceptions to processing of the special categories of personal data without the requirement to obtain explicit consent; and as per the paragraph, the special categories of personal data, other than health and sexual life, may be processed without the requirement to obtain the data subject’s explicit consent, in the cases permitted by the laws.
However, the personal data related to health and sexual life may be processed without the requirement to obtain explicit consent of the data subject, by competent institutions and organizations or persons who are under the confidentiality obligation, only for the purposes of protecting the public health, conducting preventive medicine, medical diagnosis, treatment and nursing services and for the planning and management of healthcare services and their financing.
Obligation to inform
Before starting the processes of obtaining personal data, all the data controllers are obliged to inform the data subjects. Within the context of this obligation, the data subjects must be informed about the following matters:
- The identity of the data controller and of its representative if any,
- The purpose for which the personal data will be processed,
- To whom and for what purposes the processed personal data may be transferred,
- The method and legal cause of collecting the personal data, and
- The rights listed by the article 11 of the Law.
The information texts must be prepared in such a content that will include the aforementioned matters and then, these texts should be conveyed to the data subjects before their data are processed and/or obtained.
Erasure, destruction or anonymization of personal data
As per the Law, another obligation of a data controller is to erase, destroy or anonymize in due course the personal data it processes. Pursuant to the rule prescribed by the article 7 of the Law, in case the reasons necessitating the processing of personal data have ceased to exist, even though the personal data were processed in compliance with the Law, those personal data must be erased, destroyed or anonymized by the data controller on its own motion or upon the data subject’s request.
Obligations related to data security
As per the article 12 of the Law, all data controllers that carry out personal data processing activities are obliged to take all kinds of technical and administrative measures that will guarantee the appropriate security level in order to:
- prevent personal data from being processed unlawfully,
- prevent personal data from being accessed unlawfully, and
- ensure the preservation of personal data.
The obligations related to data security will be fulfilled by taking measures such as keeping the personal files pertaining to the employees of the Building Complex Managements in lockers, encrypting the office phones, having anti-virus software on the computers, and preventing unauthorized access to the Building Complex Management’s computers.
In case the processed personal data are obtained by others in violation of the Law in spite of the technical and administrative measures taken in respect of data security, it is necessary for the data controllers to inform the Personal Data Protection Board and the data subject of this circumstance as soon as possible.
Personal data processing operations included in the scope of building complex management activities
Camera recording for security and labor inspection purposes
Even though the fundamental rule in the processing of personal data is to obtain explicit consent from the data subject, it is possible to process personal data without obtaining explicit consent from the data subjects in case of existence of one of the exceptions listed by the article 5/2 of the Law as we have explained above in detail.
Building Complex Managements have a legitimate interest in the placement of security cameras both for security purposes and in order to carry out labor inspections on their staff. Besides, there is a contractual relationship between Building Complex Managements and the apartment residents, the staff of the Building Complex Management or the business contacts of the Building Complex Management. Furthermore, it is sometimes necessary for Building Complex Managements to process personal data due to their legal obligations. For processing activities within this context, it may not be necessary to obtain explicit consent from the data subjects; however, also in these cases, the information text must absolutely be submitted to the data subjects, and warning signs indicating the camera recording must absolutely be placed in the sections where camera recordings take place.
Such camera recordings should take place only for security and labor inspection purposes; should not, for any purposes other than the mentioned purposes, be used in a way that interferes with the individuals’ private lives; and, with regard to the staff, should not take place outside working hours.
In addition, care should be taken that the cameras do not record sound and that no hidden camera is used. In case the cameras record sound and/or hidden cameras are used, this case would mean a breach of the principle of “proportionality and limitedness” prescribed by the Personal Data Processing Principles and would constitute a violation of the Law.
Submission of identity cards by the individuals visiting a building complex
In this phase, the data processing activities consist of obtaining the names of the individuals visiting the building complex and recording the images of these individuals by means of security cameras, for mutual confirmation with the building complex residents and in order to ensure the security of the building complex.
In spite of the fact that it is not necessary to obtain explicit consent from building complex visitors for such data processing activities due to the existence of legitimate interest, i.e. for security purposes, it is necessary to furnish information to the data subjects within the scope of the obligation to inform.
Presentation, in the common areas, of the information letters pertaining to the building complex residents’ contribution fee debts
Displaying information letters declaring the building complex residents’ contribution fee debts at a place visible to everyone in the common areas is one of the personal data processing activities that constitute a violation of both the principle of objective good faith and the principle of proportionality prescribed by the Law. Therefore, it would be a more favorable approach if Building Complex Managements made such notifications by directly contacting those building complex residents or by sending SMS messages to them. However, also in these cases, the necessary notifications should be made in compliance with “the principle of proportionality” and the building complex residents should not be disturbed constantly.
Reviewing the form and documents received from building complex residents
Personal data processing activities also come into question by means of the information forms received from the apartment residents who start to reside in building complexes.
Personal data should be obtained in connection with the purpose and by paying attention to processing of the necessary data only, and care should be taken that the personal data processing does not go beyond the principle of “proportionality and limitedness”. Likewise, the obligation to inform should also be fulfilled for the forms received.
Processing of the curriculum vitae pertaining to the building complexes’ employee candidates
Since curriculum vitae are the documents necessary to be used and evaluated in the recruitment process, it is possible to consider the keeping of the employees’ curriculum vitae by the employer, within the context of the principles “legitimate interest” and “to be necessary for conclusion of a contract”.
However, it should be noted that, since the data in the curriculum vitae may become outdated in a short span of time, these documents should not be kept for a long period of time and should be destroyed in due course. As regards the candidates whose job interview has not had a positive outcome, the curriculum vitae of these candidates should be destroyed urgently.
Personal files pertaining to the staffs of the building complex
As is known, all employers are under the obligation to prepare a personal file for each staff member they employ. Our laws do not contain a precise provision for how long the personal files should be kept; however, it is prescribed that the workplace books and records must be kept for a period of 10 years as from the following year pursuant to the Social Insurance and General Health Insurance Law numbered 5510. Considering this provision, it is possible to make the interpretation that the personal files pertaining to the employees may be kept for a period of 10 years as from the date that their employment relationship has terminated.
However, personal file documents which have become outdated, or whose retention cannot be considered within the context of legitimate interest or legal obligation, other than the personal file documents whose submission would be necessary within the scope of labor lawsuits that may be filed against the employer, should be segregated and destroyed; keeping such documents for many years after the expiration or termination of the employment contract would constitute a breach of the Law on the Protection of Personal Data.
In conclusion, due to the services they provide, Building Complex Managements carry out many personal data processing activities pertaining to the building complex residents, visitors, supplier firms and building complex staff. Although the matter of “whether Building Complex Managements are data processors or data controllers” has recently been a subject of debate, a Building Complex Management must therefore, as if it were a data controller, act in compliance with all the responsibilities arising from the Law.