Why and How Should “The Explicit Consent” be Obtained as Sought for the Use and Transfer of Personal Data?

How did the concept of personal data come into our lives?

With the developing technology, data networks have become very advanced and widespread today.  In particular, by the reason that all kinds of transactions and notifications are made over the internet, the need to ensure transaction security arises and accordingly, their data are requested from individuals and shared with various authorities when necessary. However, personal data are not always obtained, stored and shared in compliance with the statutory requirements. With the information obtained, the extraction of individuals’ personality profiles and the use of these profiles by recording and using them in favor of or against data subjects constitutes a manifest violation of fundamental rights and freedoms in both international legislation and in our national legislation. This is because; every information from individuals’ choices to the states of their diseases, from their DNA samples to their personal thoughts would be used to define the individuals and thus, the individuals’ movement areas or elbow rooms would be narrowed and the decision mechanism would be suppressed.

In Turkey, the concept of personal data comes into question with the Law on the Protection of Personal Data (“the PDPL” or “the Law”) which entered into force in 2016. The Law introduces various preconditions at the phase where personal data are obtained and prescribes various conditions and sanctions about the sharing and storage of personal data. Personal data are often shared by the data subject, with his consent. However; the reason is that, in case the data subject had refrained from sharing these data, the data subject could not have concluded a contract he desired. Since it is not possible for individuals to conclude a contract without sharing their personal data, e.g. in contracts for purchases and sales of goods or employment contracts which are of importance in the daily life, the individuals have no choice but to share their personal data. Therefore, the laws and the international agreements to which Turkey is a party take personal data under protection and prescribe administrative and penal sanctions in case of violation, in our Country as with many Countries.

What is the importance of the concept “explicit consent”?

With the PDPL that entered into force, imposition of sanctions is stipulated upon violation of rights takes place in the course of obtaining, storing and sharing personal data, and various conditions are also prescribed for the period prior to the sharing of these data by the individual. In our newsletter, we will touch upon the meaning of the concept “explicit consent” necessary for the use and sharing of personal data and how such explicit consent should be obtained in order not to encounter a sanction; and on the other hand, under what conditions should a data subject individual share his personal data.

The concept of explicit consent arises as a concept preventive before the violation of rights occurs, unlike the punitive effect of the sanctions we have mentioned above.

In the article 3, entitled “Definitions”, of the Law on the Protection of Personal Data, explicit consent is defined as “Explicit consent: refers to a consent which is related to a specific matter, based on information and expressed with free will”. To examine the components in the statutory definition one by one; what is meant by “related to a specific matter” is that the individual knows specifically about which the matter the personal information he shares will be used. For this component, it is possible to indicate as an example the case where an individual is informed by the employer that the information, required by the employer before the individual starts working at the workplace, is requested to the end that the information will be added into his personal file. The other component is that the explicit consent is based on information. At this point, the obligation to furnish information (the obligation to inform) lies with the party who wishes to use the personal data in the way of obtaining, sharing, etc.  The obliged party may inform the data subject verbally or in writing; however, in case the obliged party informs the data subject in writing, this will provide ease of proof and minimize any sanctions that might be encountered due to a breach of the obligation to inform. The obligation to inform should be fulfilled as comprehensively as possible so as to cover all kinds of information e.g. the identity of the data controller or of its representative, the processing purpose of the personal data and the persons to whom and for what purposes the personal data may be transferred. Otherwise, a breach of the obligation to inform would be asserted, and the burden of proof that the obligation has been fulfilled would lie with the person who has requested for the personal data. The last component prescribed by the statutory definition is that the consent is expressed with free will; and this component subsists as a universal rule for all kinds of declarations in the systematics of our laws. What is meant by “expressed with free will” is that there is no invalidity of will as stated by the laws and that the individual shares his personal data without being under any pressure.

One of the important points about explicit consent is that explicit consent is not only a condition necessary for obtaining personal data, but it is also required for recording personal data or transferring it to another location. Explicit consent should be obtained individually, i.e. separately for each transaction or transfer, and the information about the transaction to be carried out should be furnished as clearly as possible. If the obligation to inform is fulfilled more clearly, the consent obtained will be valid to that extent. At this point, ambiguous expressions should be avoided, and plain and understandable expressions should be used instead of an inflated language. If the cause of the explicit consent has changed after the explicit consent was obtained, the explicit consent should additionally be obtained for the changed subject. For example, in the case that a laborer’s personal data will be transferred to the Social Security Institution for provision of insurance to the laborer and that the explicit consent has been obtained for this matter, a separate explicit consent is required for the transfer of the laborer’s identity information to the sub-employer.

Since the concepts pertaining to the protection of personal data come into question newly in our Country under the PDPL which entered into force in 2016 as we have stated above, these concepts are not known precisely by everyone, however, the concepts represent a field about which it is necessary to have comprehensive knowledge. This is because; while liabilities may arise against company executives and other data controllers for the personal data belonging to their customers or the staffs they employ, the individuals may effectively claim and exercise their rights against unlawfully obtainment, use or sharing of their own data.