Personal Data
Personal data refers to any kind of information that identifies an individual, distinguishes them from other individuals, or can be associated with a specific individual. Information such as name, address, phone number, email address, social media profiles, medical records, and even IP addresses that can identify a person are considered personal data.
While personal data has existed throughout human history, the advancement of technology has increasingly emphasized the need for its protection.
Personal data, particularly due to technological advancements, has led to the implementation of various regulations aimed at safeguarding individuals’ privacy and preventing its disclosure. The most well-known among these regulations is the General Data Protection Regulation (GDPR), which is an European Union (EU) regulation aiming to protect the personal data of EU citizens. In Turkey, the most important and comprehensive regulation regarding the protection of personal data is the Law on the Protection of Personal Data numbered 6698 (KVKK).
Right to Be Forgotten
With the advent of modern technology, ensuring partial restriction of access to an individual’s personal data by third parties has become nearly impossible, thereby jeopardizing the guarantee of a dignified life, preventing social exclusion, and enabling individuals to start anew independently of their past. The digital realm can easily expose the most detailed and even oldest data about a person with just a click. Often, this situation, which can lead to violations of personality rights, has brought forth a special aspect of the right to protect personal data under the concept of the “Right to Be Forgotten,” a relatively new concept.The Right to Be Forgotten is regulated in Article 17 of the GDPR:
1. “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise or defense of legal claims.”
In Turkey, it is regulated in Article 7/1 of the KVKK:
“Everyone has the right to demand the protection of their personal data. This right includes being informed about personal data concerning oneself, accessing this data, requesting the correction or deletion of this data, and learning whether this data is being used for its intended purposes. Personal data can only be processed in cases stipulated by law or with the explicit consent of the individual. The principles and procedures for the protection of personal data are regulated by law.”
Although the right to be forgotten was not historically recognized as a legitimate right, its importance has been understood with the evolving technology and digital platforms, and it has become subject to many disputes and court decisions today. One such example is the Constitutional Court’s Decision on Application No. 2013/5653 and N.B.B. Application dated March 3, 2016; in this decision, the applicant requested the deletion of archive records of news articles published years ago about their alleged drug use on a newspaper’s website. The Constitutional Court considered certain criteria and concluded that the relevant news had damaged the applicant’s reputation:
“As of the application date, it is evident that the news in question relates to an event that occurred approximately fourteen years ago and thus has lost its relevance. It cannot be said that it is necessary for a news article regarding drug use for statistical or scientific purposes to be easily accessible on the Internet. In this context, it is evident that the accessibility of news published on the Internet regarding the applicant, who does not have a political or media personality, damages the applicant’s reputation in terms of public interest.”
In essence, the Constitutional Court analyzed the news article and the applicant’s right to be forgotten, conducting a benefit/harm analysis, and consequently decided that the applicant’s reputation had been damaged. This decision serves as a guiding principle in this regard.
Even though the protection of personal data and the right to be forgotten do not have sufficient legal safeguards as of now, these rights, aimed at preserving human dignity and values, are indispensable for individuals to maintain their private lives within the framework of the trust and justice required by a democratic state.
