Regulation on Identity Sharing System
August 2020, Erdemir&Özmen Attorney Partnership
The Regulation on Identity Sharing System (“the Regulation”), prepared by the Ministry of Interior on the basis of the Civil Registration Services Law numbered 5490 (“the Law”), has entered into force as published in the Official Gazette dated 21.08.2020 and numbered 31220.
The objective of the Regulation is to set forth the principles and procedures regarding online sharing, with the recipient entities, of the data contained in the central database of the General Directorate of Civil Registration and Nationality (“the General Directorate”) by the General Directorate. The scope of the Regulation consists of the principles and procedures regarding sharing of the data, contained in the central database, with the recipient entities; regarding the process of application for sharing; regarding the processes for signing, cancellation and termination of the letters of commitment; regarding authorization; the principles and procedures for ensuring confidentiality and security of the data shared; for tracking the information about the works and transactions of the entities; and for training of the users. Furthermore, the Identity Sharing System Regulation, which was put into force within this scope by the Council of Ministers’ Decree dated 16.11.2006 and numbered 2006/11249, has been repealed.
Sharing principles and benefiting from the system
In the Regulation, “personal data” constituting the basis of the Identity Sharing System (“KPS”) is defined as all kinds of information related to an identified or an identifiable real person, and “recipient entity” is defined as legal entities providing public service and the institutions other than the General Directorate, benefiting from the Identity Sharing System.
The data kept in the central database may be shared with the recipient entities within the framework of the principles and procedures specified in the Law, in the Law on the Protection of Personal Data i.e. the Law dated 24.03.2016 and numbered 6698 (“the PDPL”) and in the secondary legislation related to these Laws. The data processing purposes pursued by the recipient entities and the legal basis of the data processing shall be taken into consideration in determining such data.
KPS aims to provide a secure and uninterrupted service, except in force majeure events. Another important point is that the data obtained through the central database shall be deemed valid until the contrary is proved. The information and documents accessible through the system by recipient entities shall not be requested from the persons concerned or from the Civil Registration Office. The documents obtained also do not differ in legal value; in other words, the documents produced by KPS have the same legal value as the documents obtained from the Civil Registration Offices.
It is set out that the recipient entities that wish to benefit from this system must submit the relevant application to the General Directorate in writing or in electronic environment and sign a letter of commitment after the requested documents are forwarded. The following should be contained in the letter of commitment:
- For what purpose the data will be accessed
- Legal cause of the access
- Way and duration of the data access
- Authorities and duties
- Legal liability
- Administrative and technical measures necessary to be taken
- Other matters
After the letter of commitment is signed by the recipient entity, the data kept in the central database will be made available for sharing through KPS.
The letter of commitment will be signed with the recipient entity only; however, the article 7 of the Regulation states that the recipient entity may also allow its provincial organization, its branches, its subsidiaries and even its foreign organizations to benefit from this service in line with the purposes specified in the letter of commitment.
Confidentiality of the information accessible through KPS
Within the context of the legal arrangement in the article 9 of the Regulation, it is set out that the privacy and personal data protection-related provisions contained in the legislation shall be taken as basis in use of the Identity Sharing System. Furthermore, the information obtained through KPS shall be used by the recipient entities in line with the principles specified in the letter of commitment and shall not be used by the recipient entities for any purposes other than the fulfillment of their duties and responsibilities determined in the legislation. Within this scope, it is prescribed that the recipient entities shall take all kinds of administrative and technical measures in order to ensure the confidentiality of the data, in order to prevent the data from being unlawfully processed and accessed and in order to ensure the preservation of the data. In addition to these points, for the special categories of personal data, it is stated that the measures, determined by the Personal Data Protection Board pursuant to the fourth paragraph of the article 6 of the PDPL, shall be taken by the recipient entity and that the entire legal liability shall lie with the recipient entity within this context.
It is prescribed that all kinds of legal, financial and penal liabilities, arising from the use of the data obtained from the Identity Sharing System in breach of the provisions contained in the relevant legislation and the letter of commitment or arising from the acquisition and use of the data by unauthorized persons for reasons such as security vulnerabilities or erroneous queries originating from the recipient entity’s system software, shall lie with the recipient entity. Within this context, the recipient entities are obligated to comply with the principles and procedures specified in the Law and in the PDPL and monitor, within these principles, the transactions carried out by the users.
Generating trackback information
As regards trackback information, the article 10 of the Regulation contains significant provisions for KPS. It is stated that date, hour and web service name records pertaining to all kinds of transactions carried out by the recipient entity through KPS shall be kept by the General Directorate as trackback information in user or service, administrative and technical user levels. Furthermore, the trackback information shall be kept in such a way that will also contain the identification number belonging to the queried person as well as the identification numbers belonging to the persons affected by the result of the query. Ultimately, both the General Directorate and the recipient entity shall keep the trackback information for a period of eight years in such a way that will prevent the trackback information from being modified and that will protect the trackback information against unauthorized accesses. It is also prescribed that the trackback information shall be erased or destroyed at the expiration of this period, within the scope of the provisions contained in “the Regulation on Erasure, Destruction or Anonymization of Personal Data” published in the Official Gazette dated 28.10.2017 and numbered 30224.
Follow-up, inspection and evaluation
The General Directorate shall ensure that all kinds of administrative and technical security measures are taken for the follow-up of the recipient entity’s transactions and, in particular, in order to prevent the personal data from being unlawfully processed and accessed and in order to guarantee preservation of the personal data. The General Directorate shall also follow up and inspect the measures taken by the recipient entity in respect of these matters. The General Directorate may carry out this inspection either on its own or by means of an institution that will be authorized by the General Directorate or by means of the institutions and organizations to which the inspection authorization and duty is granted by the legislation. The article 12 of the Regulation prescribes that actions shall be taken as per the relevant articles of the Law, the PDPL and the Turkish Criminal Code dated 26.09.2004 and numbered 5237 in case an irregularity is found as a result of the inspections carried out. Finally, it is stated that use of the KPS shall not be allowed and the letter of commitment shall be cancelled unilaterally by the General Directorate in case it is found that the recipient entity does not fulfill the requirements of the administrative and technical security measures undertaken.
The Regulation provides legal arrangements, aiming that the online database created by making use of the records kept in the General Directorate’s database is shared with certain public institutions and organizations through the Identity Sharing System. Within this context, the Regulation sets forth the principles and procedures regarding the process of application for KPS that has been set up in respect of data sharing; regarding the processes for signing, cancellation and termination of the letters of commitment; regarding authorization; the principles and procedures for ensuring confidentiality and security of the data shared; for tracking the information about the works and transactions of the entities; and for training of the users. Furthermore, the Regulation sets forth the matters for inspecting the recipient entities by the General Directorate in respect of the PDPL and the Turkish Criminal Code.
The Regulation on Data Sharing Board, entered into force as published in the Official Gazette dated 08.08.2020 and numbered 31207, sets forth the transfer of the data, kept in the central database, to online environment, the grant of the required permissions to the public institutions and organizations that wish to benefit from this system, and the functioning of the Board. Besides, the Regulation on Identity Sharing System, entered into force as published in the Official Gazette dated 21.08.2020 and numbered 31220, sets forth how the recipient entities will be allowed to benefit from the system within the scope of the permissions granted by the Board, sets out the principles regarding data sharing, prescribes how the application and letter of commitment processes will take place and sets forth how the system will function. Consequently, these two regulations are directly linked to each other and indicate that the General Directorate of Civil Registration and Nationality carries out works to establish the infrastructure necessary for sharing, in compliance with the legal arrangements, the data kept in the central database of the General Directorate.