Turkey: Data Protection in the Automotive Sector
The main piece of legislation under Turkish law applicable to data protection matters is the Law on Protection of Personal Data No. 6698 ('the Law'). The Law, data protection issues, and the related concepts are relatively new to the Turkish legal system and, as such, are still evolving.
Similarly, well-established cybersecurity legislation still does not exist under Turkish law (although there are several references under other pieces of legislation, for example under telecommunications legislation, relating to cybersecurity and the establishment of several related institutions).
There are no specific pieces of legislation under Turkish law directly related to autonomous vehicles and/or related technologies. To the extent relevant, the major pieces of Turkish legislation, such as the Turkish Code of Obligations No. 6098 (only available in Turkish here) ('the Code of Obligations') and the Civil Code, Law No. 4721 (as amended) (only available in Turkish here) ('the Civil Code'), can be applied to this matter, for example to issues concerning liability arising from accidents involving the use of autonomous vehicles. In addition, the Law would apply in cases where data processing by such vehicles is in question.
Lastly, several technical regulations, such as the Road Traffic Regulation (only available in Turkish here) and regulations related to automotive manufacturing, such as Regulation (EU) 2019/2144 of the European Parliament and of the Council of 27 November 2019 on type-approval requirements for motor vehicles and their trailers, and systems, components and separate technical units intended for such vehicles, as regards their general safety and the protection of vehicle occupants and vulnerable road users ('Regulation 2019/2144'), should also be considered.
With respect to the data protection aspect of autonomous vehicles, the key regulatory authority guidance tools are the guidelines and decisions published by the Personal Data Protection Authority ('KVKK') and the Data Protection Board ('the Board').
2. Key Definitions
- Vehicle Information Number (sole or in combination with further identifiers): Not applicable.
- Geolocation data: Not applicable.
- Telematic data: Not applicable.
- Biometric data: Pursuant to the Law, biometric data is listed as a 'special category of personal data', although a further definition has not been provided. On the other hand, in decisions numbered 2019/81 and 2019/165 on biometric data (summary of both decisions only available in Turkish here), the Board referred to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') to define biometric data as 'personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data'.
- Metadata: Not applicable.
- Voice data: Not applicable.
- Video data (inside/outside the vehicle): Not applicable.
- Anonymisation: Under the Law, anonymisation is defined as 'rendering personal data impossible to link to an identified or identifiable natural person, even where such data is associated with other data'.
- Pseudonymisation: Not applicable.
- Data Processing: Under the Law, data processing is defined as 'any operation which is performed on personal data, by full or semi-automated means or non-automated means which form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof'.
- Data Controller: Under the Law, data controller is defined as 'the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system'.
- Data Processor: Under the Law, data processor is defined as 'the natural or legal person who processes personal data on behalf of the data controller upon its authorization'.
- Manufacturer: Under the Regulation on Manufacturing, Remodelling and Assembling of Vehicles (only available in Turkish here), the manufacturer is defined as 'a person or an entity who is responsible before the approval authority for the compliance of manufacturing and remodelling of vehicles which will be released to the market, employs at least one technical employee and manufactures, remodels or assembles; who, however, is not required to be directly related to all of the phases of manufacturing and remodelling of vehicles, systems, parts or technical units which are subjected to approval'.
3. Supervisory Authority
The authority with regards to the manufacturing of automobiles is the Ministry of Industry and Technology. On the other hand, as mentioned above, the sole supervisory authority enforcing the data protection laws and regulations is the KVKK.
As in any other sector, all the entities active in the automotive sector, including manufacturers, distributors, suppliers, insurers, and creditors, are subject to the Law. This means that, to the extent it applies to them, all the said entities must comply with the terms of the Law in its entirety.
Having said this, several concepts introduced under data protection practice in general have yet to be better defined and established under Turkish law. To this effect, especially the (relatively) new concepts such as artificial intelligence ('AI'), the Internet of Things, and blockchain are still subject to early-phase theoretical discussions and remain largely unregulated under Turkish law.
Moving forward, it is likely that Turkey will follow in the footsteps of the EU in its implementation of laws and regulations governing the said instruments.
The concept of 'transparency' is regulated under the Law from the perspective of the data controllers' obligation to inform data subjects on data processing activities.
Accordingly, data controllers are obliged to inform the data subjects about the following, prior to the processing of such data (or, if the personal data is not obtained directly from the data subject, then within a reasonable time following acquisition of such data or at the time of the first transfer of such data, at the latest): (i) the identity of the data controller and of its representative, if any; (ii) the purpose of processing of personal data; (iii) to whom and for which purposes the processed personal data may be transferred; (iv) the method and legal basis of collection of personal data; and (v) other rights granted to data subjects under the Law.
While the Turkish public in general is very tech-savvy, and might not necessarily be concerned about the data processing element of connected vehicles, the obligations imposed under the Law on data controllers and processors remain intact in the case of connected vehicles and must be fulfilled accordingly.
To this effect, the information obligations must be fulfilled in a clear, up-to-date, and understandable manner by all relevant players in the automotive sector. Notices, forms, car manuals, text messages, and in-car screens, for example, should all be (and usually are) made part of this process.
Choice and consent
The Law requires, in general, that the data subject's 'explicit consent' to the processing and the transfer of the related data be obtained where none of the other statutory bases for data processing (e.g. legitimate interest) is applicable.
Explicit consent is defined under the Law as 'freely given, specific and informed consent'. Furthermore, the KVKK has also expressed under the Guidelines on Data Protection in Turkey that explicit consent must be given with free will, based on sufficient information provided to the data subjects, and in a manner that will leave no room for doubt for the matters to which the data subject has consented.
To ensure such requirements are fulfilled, explicit consent must relate to a specific matter (open-ended consent is not allowed), it must rely on sufficient information (including the potential outcomes of the matter which will be subject to consent), and it must be expressed with free will and via an affirmative declaration. Also, the consent must not be set forth as a condition for the procurement of services and/or delivery of a product.
All these criteria will apply without exception to the entities acting in the automotive sector and, considering that connected vehicles use technology which involves the processing of a significant amount of personal data, the data controllers and processors face various obligations under the Law and must take the necessary steps to make sure they comply with the terms of the same.
With respect to connected vehicles, the principal issue concerning explicit consent is the cross-border transfer of the personal data, especially if connected vehicles will share various personal data (belonging to passengers of the said vehicles) with foreign entities (e.g. the foreign resident manufacturer).
To elaborate, the Law allows the cross-border transfer of personal data in the following cases:
- with the existence of explicit consent;
- where the recipients are in safe jurisdictions; and
- where the sending and the receiving entities have executed model clauses/Binding Corporate Rules ('BCRs'), as approved by the KVKK.
As the safe jurisdictions have still not been announced by the Board, relying on this basis for cross-border data transfers is currently not possible.
Similarly, whilst getting model clauses/BCRs approved by the Board is theoretically possible, this usually takes a long time.
As such, the most practical method under the current legislation to duly implement cross-border data transfers is obtaining explicit consent from data subjects. It is possible for a data controller to apply to the KVKK for the approval of its model clauses/BCRs whilst relying on consent for cross-border data transfers (in which case the data controller could rely on such consent if and until its model clauses/BCRs are approved, and only switch the basis for cross-border transfer once the approval of the Authority is obtained).
As the automotive sector includes various players, there is a discussion in the Turkish legal arena as to who (i.e. the seller/dealer who ultimately delivers the automobile to the consumer and/or the manufacturer) should obtain the said consent.
To this end, the general approach is that all entities that act as data controllers of the data processed by autonomous vehicles will need to rely on the statutory legal bases for data processing (and should obtain the consent of data subjects if no such legal basis exists) and, where cross-border transfer is in discussion, all entities involved in the cross-border transfer of personal data will need to separately obtain the consent of the related data subjects.
Where there are other entities that act as data controllers involved in the process starting from the manufacturing of the said vehicles and until final delivery, these entities would be obligated to also rely on the statutory legal bases for data processing (or obtain consent to this effect), as necessary.
According to the Law, the data controller is obliged to take all necessary technical and organisational measures to provide an appropriate level of security for the purposes of: (i) preventing unlawful processing of personal data; (ii) preventing unlawful access to personal data; and (iii) ensuring protection of personal data. The data controller is obliged to carry out the necessary audits, or have them carried out, within its own institution or organisation, to ensure the due implementation of the provisions of the Law.
The organisational and technical measures for the provision of data security have not been specifically defined under the Law. Similarly, a set of specific data security measures for the automotive sector is also not available under the Law or the related guidelines.
Having said this, one decision by the Board sets out in more detail the technical and operational measures that must be implemented where the processing and transfer of sensitive personal data are in question.
As such, for instance, where sensitive data such as health data is to be transferred by data controllers in the framework of connected vehicles (e.g. sending health data to a health care provider in proximity in the case of a traffic accident), then collecting and sharing that data will likely be subject to the explicit consent of the data subject and additional layers of safety measures will need to be implemented for such processing and transfer.
As such, within the framework of connected vehicles, the data controller must assess the risk of the processing and transfer of each set of data and must decide on the appropriate level of measures to be taken. To this effect, industry best practices and standards as well as the nature of the data being processed and transferred must be considered.
Data controllers who fail to fulfil the obligations related to data security provided under the Law will face a monetary fine of TRY 29,503 (approx. €2,860) to TRY 1,966,862 (approx. €190,760).
As per the Law, any data processing activity should be relevant to and limited to the purpose of such processing, and excessive processing should be avoided. To achieve this goal, the least intrusive means of data processing should be preferred.
This applies to all the players in the automotive sector: each player must determine the minimum set of personal data to be collected from the data subjects and only collect such data.
Finally, the technology in the connected vehicles should be designed, to the extent possible, to allow the data subject to limit the data that the vehicle is to collect about such data subject.
According to the Law, each set of data which was processed by the data controller must only be retained for the period determined under the related piece of legislation and for the period which is necessary with regards to the purpose of processing. Where there is no specific law governing a retention period, data controllers should at least refer to the generally applicable statutory limitation periods, which may provide guidance in this respect.
Further, according to the By-Law on Erasure, Destruction or Anonymization of Personal Data, data controllers that are obliged to register with the Data Controllers Information System ('VERBIS') (detailed below) must also prepare a personal data storage and destruction policy.
The obligation to set data retention periods would be applicable to all the players in the automotive sector. This means that every such player must determine the reasons and purposes for data retention in the entire process and only retain personal data for such purpose. Furthermore, the data must be deleted to the extent applicable, and a personal data storage and destruction policy must be prepared, where applicable.
Lastly, by way of example, it is to be noted that a significant data retention issue would occur where a connected vehicle is re-sold to a third person by its initial owner, in which case the initial owner would have the right to ask the data controllers to delete the various data belonging to such initial owner.
Accountability and record of processing
According to the Regulation on the Data Controllers Registry (only available in Turkish here), a secondary legislation issued based on the Law, certain data controllers, based on the number of their employees, their jurisdiction of residence, and total turnover, are obligated to register with VERBIS.
Those data controllers that face this obligation must (in addition to the obligation to prepare a personal data storage and destruction policy, as explained above) prepare a personal data processing inventory. Such inventory must include information on: (i) the personal data processing operations performed by data controllers according to their business processes; (ii) the purposes and legal basis of personal data processing; (iii) the data category, recipient group, and maximum storage period; (iv) the personal data envisaged to be transferred to foreign countries; and (v) the measures taken relating to data security.
As such, players in the automotive sector would need to determine whether they are obligated to register with VERBIS and, if so, complete such registration and prepare the documentation listed above.
One significant issue that should be considered here is that while many manufacturers will be resident outside Turkey, this would not necessarily make them exempt from the obligation to register with VERBIS, and that to the extent that they engage in data processing in Turkey, this obligation may apply to them as well.
Data sharing and international transfers
For data sharing taking place within Turkey, the Law requires either the explicit consent of the data subject or the existence of one of the statutory legal bases under the Law (e.g. legitimate interest and legal obligations).
Where the transfer of sensitive data within Turkey is in question, the Law makes a distinction between personal data relating to health and sexual life and other types of sensitive personal data defined as such under the Law.
Accordingly, for the transfer of sensitive personal data excluding the personal data with regards to health and sexual life, such sensitive personal data could only be processed and/or transferred in cases where this is explicitly allowed under the relevant laws and provided that necessary measures are implemented.
Where personal data relating to sexual life and health is in question, this could only be transferred domestically by persons or competent authorities who are under the obligation of confidentiality for the purposes of the protection of public health, preventive medicine, medical diagnosis, conducting diagnosis and treatment activities, and the planning and management of medical services and financing.
At any rate, data relating to sexual life should likely not be processed as part of the operations of any player in the automotive sector, and health data may be processed only in emergency situations. Additionally, data subjects should be given a choice over the processing of such data, and consent to this effect should never be made a condition for the purchase and delivery of a connected vehicle.
Similarly, data subjects should have a choice over whether the vehicle in question processes certain sets of sensitive personal data that might be relevant in the scope of connected vehicles (e.g. data obtained via facial recognition or fingerprint scanning technology).
As for the cross-border transfer of personal data, please see our explanations above under the heading 'Choice and Consent'.
To date, there is no specific regulation from the KVKK or other legislative institutions establishing the rules and mechanism for data governance.
To date, there is no specific regulation from the KVKK or other legislative institutions establishing the rules and mechanism for data portability.
Privacy/Security by Design and by Default
The Privacy by Design and Privacy by Default concepts are not explicitly regulated under the Law. However, these concepts would likely be regarded as part of the data security measures that must be implemented by data controllers and data processors and as such, should be considered by the same.
To this effect, please see our explanations above under the heading 'Data Security'.
According to the decisions of the KVKK, the right of privacy of the data subject and the right to access information concerning whether his/her personal data has been processed, includes the right to access the processed data related to himself/herself. Thus, the data controllers are responsible for providing data subjects access to their data.
Further, according to the Law, data subjects have the right to apply to the data controller for the implementation of the provisions of the Law, including making requests to find out about the data which is processed by such data controller. The details regarding such applications are determined with the Communiqué on Principles and Procedures for Application to Data Controller 2018 (only available in Turkish here) ('Application Communiqué'), a secondary legislation issued based on the Law. Accordingly, data controllers are obliged to take necessary organisational and technical measures to conclude the requests made by data subject in an effective manner.
In the automotive industry, this would concern all data controllers and especially those entities resident in Turkey. Accordingly, the said data controllers would be obligated to inform the data subjects of the personal data retained by such entities upon an application made by the said data subjects.
Ownership of personal data is not specifically regulated under the Turkish data protection legislation and/or the decisions of the KVKK. For the sake of completeness, data subjects are already considered as the owners of their personal data under Turkish legal practice.
Data protection rules and principles
Due to its technological nature and systematic requirements, autonomous driving involves extensive amounts of data processing, such as surveillance of passengers and possibly health and location data.
Such data processing would trigger the full application of the Law and any applicable secondary legislation. Accordingly, please refer to the explanations in section 4 above with regards to the application of data protection concepts and personal data protection rules to this effect.
Additionally, it must be considered that there are still ongoing theoretical discussions with regards to the potential incompatibility of autonomous driving/vehicles with data protection rules.
Lastly, even though there are early-phase legislative provisions with regards to the technical requirements of autonomous vehicles in Turkey, they are not comprehensive, and it is explicitly stated that the legislative progress of the EU could be taken as an example by the Turkish regulatory authority.
Legal status of autonomous vehicles in Turkey
Turkey is a signatory to the Vienna Convention on Road Traffic ('the Vienna Convention'). However, the amendment to the Vienna Convention regarding autonomous vehicles has not been ratified by Turkey yet.
Additionally, there is no domestic legislation regulating autonomous vehicles. However, Regulation 2019/2144 entered into force on 6 July 2022.
As such, currently, autonomous vehicles do not have a specific legal status under Turkish law.
Civil and criminal liability
The Turkish legal system does not specifically regulate the civil and penal liabilities arising from the use of autonomous vehicles.
However, as is the case in data protection matters, there are early-phase theoretical discussions, some of which indicate that the Code of Obligations or the Civil Code could be applied to such cases (e.g. applying the rules related to animal ownership mutatis mutandis), on the basis of which manufacturers and sellers could both face liability in accidents involving autonomous vehicles.
Data protection rules and principles
Under the Turkish legal system, the telematic systems of the transportation sector established by the related governmental institutions are specifically regulated. Accordingly, municipalities, the Ministry of Transportation and Infrastructure, and the General Directorate of Security Affairs are authorised to install telematic systems in the transportation infrastructure of Turkey without being subject to the terms of the Law.
On the other hand, currently the private use of telematic systems is not specifically regulated. In this respect, where data processing occurs via telematic systems in private use, the Law would govern such use and our explanations in section 4 would apply in this case.
Location data, to the extent that it relates to an identified or identifiable individual, would be considered as personal data and the processing of such data would trigger the application of the Law.
Furthermore, the KVKK has stated that location data which enables natural persons to be identified would fall within the scope of the Law as well.
Accordingly, each data protection aspect detailed above in section 4 will be applicable to vehicle geolocation systems since the location data of persons will be subjected to processing. Within this framework, where geolocation systems are implemented in connected vehicles, their use will be subject to the principles under the Law, as explained above.
As the Law requires data controllers to take all necessary technical and organisational measures to provide an appropriate level of security for the purposes of preventing unlawful processing of personal data, preventing unlawful access to personal data, and ensuring protection of personal data, it is manufacturers first, as data controllers, who must comply with the said principles.
Thus, it is necessary to already implement technical measures to comply with the concepts and rules set forth in section 4 during the manufacturing phase.
From a commercial perspective, having already implemented the said measures will be an enabling factor for the remaining players in the automotive sector to duly engage in this business (i.e. providing loans or insurance for connected vehicles or acting as a re-seller of such vehicles) as these vehicles will be considered as compliant from the perspective of the data protection legislation.
Additionally, the manufacturing phase must comply with the technical requirements determined by the related regulations.
Due to the technological nature of autonomous vehicles and related technological products and services, such products and services could be subject to the radio equipment and electronic communications regulations in effect in Turkey. Additionally, even though Turkish legislation does not yet have a well-established cybersecurity regulation, as a safe approach it would be advisable to already comply with the strategies and policies of the governmental institutions related to cybersecurity.