A significant amendment[1] to article 15 of the Law on the Protection of Competition numbered 4054[2] ("Law") concerning on-site inspections, providing legal ground for the already-existing implementation of the Turkish Competition Authority ("TCA"), was introduced on June 24, 2020. Accordingly, the TCA's legal authority is now regulated in a more detailed and explicit way, allowing the case officers of the TCA to examine and obtain copies of the files and any information and documents stored in physical and electronic media, as well as in the information systems of the undertakings and the associations of undertakings, during on-site inspections. Following the amendment, the TCA published the Guideline on Examination of Digital Data During On-Site Inspections[3] dated October 10, 2020 ("Guideline") to shed light on the implementation of the amended article 15 of the Law, including general principles on the handling of digital data retained in portable communication devices (i.e. mobile phones and tablets).
As per the Guideline, the case officers of the TCA are entitled to examine the information systems (i.e. servers, computers/laptops, portable devices) and storage devices (i.e. CDs, DVDs, USB sticks, external hard disks, back-up records, cloud services) of the undertakings; this also includes a quick review of any portable communication device on the site to verify whether or not it contains any digital data of the undertaking. The Guideline further states that portable communication devices that are entirely allocated for personal use shall not be subject to the inspection, whereas devices containing data pertaining to the undertakings shall be examined by means of forensic IT tools. In any case, the examination of the digital data obtained from mobile phones must be completed at the undertaking's premises. As a result of the examination, the data which is classified as evidence within the scope of the inspection shall be separated and retained for further examination, and any remaining data shall be irrecoverably deleted by the TCA's case officers.
The publication of the Guideline provides clarity on the implementation of the amended article and the extent of the power of the TCA during on-site inspections, while it gives rise to data privacy concerns. Since the information and documents subject to on-site inspections may include data relating to an identified or identifiable natural person (i.e. employees and/or shareholders of the undertakings), it is obvious that the TCA processes personal data[4] as a data controller pursuant to provisions of the Law on Personal Data Protection numbered 6698[5] ("DPL") while conducting on-site inspections. In this regard, it is worth examining the TCA's underlying power from the data privacy perspective.
Article 4 of the DPL stipulates general principles that lie at the heart of the general data protection regime. Accordingly, all data controllers must fully comply with the following principles for each and every personal data processing activity: the personal data shall be (i) processed lawfully and fairly, (ii) accurate and, where necessary, kept up to date, (iii) processed for specific, explicit and legitimate purposes, (iv) relevant, limited and proportionate to the purpose of processing ("Principle of Data Minimization"), and (v) stored for the period laid down by relevant legislation or the period required for the purposes for which the personal data is processed. In addition, the processing of personal data shall be only deemed lawful if and to the extent that at least one of the legal conditions set out in articles 5 and 6 of the DPL applies[6].
Without prejudice to the generality of these rules, provisions of the DPL, in whole or in part, shall not be applied for certain cases as set forth in article 28 of the DPL. At this point, it is crucial to determine whether the personal data processing activities of the TCA within the scope of on-site inspections fall under article 28/1(ç) of the DPL, granting a full exemption[7], or article 28/2(c) of the DPL, granting a partial exemption[8]. Although the legal basis for such personal data processing activities of the TCA during the on-site inspections is yet to be clarified by the Personal Data Protection Authority, we are of the opinion that article 28/2(c) of the DPL is likely to be applicable considering the main duties and the powers of the TCA[9], as an independent supervisory authority[10]. However, it is worth noting here that the TCA must comply with the aforesaid general principles even if the partial exemption from certain provisions of the DPL[11] applies to the personal data processing activities during the on-site inspections. Hence, the TCA shall be responsible for, and be able to demonstrate compliance with, the general principles of the DPL under the principle of accountability.
In light of the above, the concept of 'quick review of portable communication devices' introduced by the Guideline may be deemed proportional for protecting and ensuring the competition in markets for goods and services. However, it may be alleged that such practice is inconsistent with the Principle of Data Minimization due to the lack of clarity in setting limits for the "quick review of portable communication devices" concept. Furthermore, as article 28/2(c) does not stipulate any exemption with regard to the legal grounds for lawful processing, the TCA must also comply with articles 5 and 6 of the DPL. It is obvious that the wording of the amended article 15 does not explicitly grant authority to the TCA for the processing of special categories of personal data. Thus, particularly when taking into account the narrow interpretation of the Personal Data Protection Board[12], it remains unclear how the conditions set forth in article 6 of the DPL will be met by the TCA in cases where the portable communication devices to be reviewed by the case officers of the TCA contain special categories of personal data pertaining to the undertakings' employees, shareholders, customers and/or any other third person. It is even more controversial if the personal portable devices subject to the inspection of the TCA also contain health and sexual data, as the legal grounds for the processing of such data are strictly limited under article 6/3 of the DPL.
That being said, the right to privacy can be limited under certain conditions, as it is not an absolute right and may need to be weighed up, on a case-by-case basis, against other public interests such as the efficient and effective conduct of the on-site inspections for the protection of competition[13]. Thus, the challenge here is to frame clear standards in a way that maintains a balance between the use of the TCA's power to conduct efficient and effective on-site inspections and the protection of the fundamental rights of individuals.
In conclusion, it is desirable that legislation on the protection of competition, including guidelines, should be prepared in close cooperation with the Personal Data Protection Authority in order to protect the privacy of individuals without creating any barrier to fair and open competition. Accordingly, the TCA and the Personal Data Protection Authority should establish a framework of specific principles and standards to prevent unlawful data processing, b
1 Law numbered 7246 on Amendments to the Law on Protection of Competition, https://www.resmigazete.gov.tr/eskiler/2020/06/20200624-1.htm, (Date of Access: 15.01.2021)
2 Law on the Protection of Competition numbered 4054, https://www.mevzuat.gov.tr/mevzuat.gov.tr/mevzuat?MevzuatNo=4054&MevzuatTur=1&MevzuatTertip=5, (Date of Access: 15.01.2021)
3 Turkish Competition Authority, Guideline on Examination of Digital Data During On-Site Inspections, https://www.rekabet.gov.tr/Dosya/kilavuzlar/yerinde-inceleme-kilavuz1-20201009091644514-pdf, (Date of Access: 15.01.2021)
4 Under article 3/1(e) of the DPL, personal data processing is defined as any operation which is performed on personal data, wholly or partially by automated means, or by non-automated means provided that they form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof.
5 Law on Personal Data Protection numbered 6698, https://www.mevzuat.gov.tr/MevzuatMetin/1.5.6698.pdf, (Date of Access: 15.01.2021)
6 Turkish Personal Data Protection Authority, Document on Personal Data Protection with Examples, https://www.kvkk.gov.tr/Icerik/5521/Orneklerle-Kisisel-Verilerin-Korunmasi-Dokumani-Kurum-Internet-Sayfasinda-Yayinlanmistir-, (Date of Access: 15.01.2021)
7 Article 28/1 (ç) stipulates the situations where personal data is processed by the public institutions and organizations that are duly authorized by laws within the scope of their preventive, protective, and intelligence activities for national defense, national security, public security, public order, or economic well-being.
8 Article 28/2 (c) stipulates the situations where personal data is processed for the performance of supervision or regulatory duties, or disciplinary investigation or prosecution to be conducted by the assigned and the authorized public institutions and organizations, and professional organizations having public institution status.
9 Under article 1 of the Law, the purpose of the Law is defined as to prevent agreements, decisions, and practice preventing, distorting or restricting competition in markets for goods and services, and the abuse of dominance by the undertakings dominant in the market, and to ensure the protection of competition by performing the necessary regulations and supervisions to this end.
10 NAZALI Gündem, E-Magazine / 2020 Summer /vol.12, pg. 37, Consideration of the Competition Authority's On-Site Inspectıon Power In Terms of Personal Data Protection, Metin PEKTAŞ, Ayşe Ülkü SOLAK, Tuğçe GELİR, Derviş Boran BEYSÜLEN, http://nazaligundem.com/UserFiles/Press/nazal%C4%B1gundem_yaz_2020_ebpdf-t905md4frp.pdf, (Date of Access: 15.01.2021)
11 Data controller's obligation to inform set out under article 10, the rights of the data subject, excluding the right to demand compensation, set out under article 11, and the requirement of enrolling in the Registry of Data Controllers under article 16 shall not apply.
12 Turkish Personal Data Protection Authority, Decision numbered 2020/649 and dated 17.08.2020, https://kvkk.gov.tr/Icerik/6815/2020-649, (Date of Access: 15.01.2021), and Turkish Personal Data Protection Authority, Document on Frequently Asked Questions, pg. 22, https://www.kvkk.gov.tr/Icerik/4196/Kisisel-Verilerin-Korunmasi-Kanunu-Hakkinda-Sikca-Sorulan-Sorular, (Date of Access: 15.01.2021)
13 Turkish Personal Data Protection Authority, Document on Questions and Answers on the Implementation of the DPL, pg. 13, https://kvkk.gov.tr/yayinlar/6698%20SAYILI%20K%C4%B0%C5%9E%C4%B0SEL%20VER%C4%B0LER%C4%B0N%20KORUNMASI%20KANUNUNUN%20UYGULANMASINA%20Y%C3%96NEL%C4%B0K%20SORU%20VE%20CEVAPLAR.pdf, (Date of Access: 15.01.2021)