Publication: İdare Hukuku boyutuyla kişisel verilerin korunması
Date
2021
Authors
Akman, Necati Gökhan
Journal Title
Journal ISSN
Volume Title
Publisher
İstanbul Kültür Üniversitesi / Lisansüstü Eğitim Enstitüsü / Kamu Hukuku Ana Bilim Dalı / Kamu Hukuku Bilim Dalı
Abstract
Kişisel verilerin korunması, idare hukuku boyutuyla, kişisel verilerin işlenmesi usulünün belirli bir disiplin altına alınarak, idare edilenlerin temel hak ve özgürlüklerinin korunması olarak tanımlanabilir. Bu çerçevede, kişisel verilerin korunması ile, temelde verilerin değil, bu kişisel veri sahiplerinin korunması amaçlamaktadır. Devlet, kamu güvenliğini temin etmek, kamusal faaliyetleri yürütmek ve kamu hizmetlerini gereği gibi yürütebilmek için insan kaynağına ihtiyaç duymaktadır. İnsan kaynağına dayalı olarak yürütülecek kamu hizmetlerinde, bu kişilerin verilerinin idare tarafından bilinmesi ile ve yine hizmetten yararlananların idare ile olan ilişkileri kapsamında elde edilen veriler nedeniyle, ilk veri sorumlusunun devletler olduğu söylenebilecektir. Günümüzde artık her alanda kullanılan kişisel veriler, Birleşmiş Milletler İnsan Hakları Evrensel Beyannamesi ve Avrupa İnsan Hakları Sözleşmesi (AİHS) başta olmak üzere birçok ulusal ve uluslararası mevzuat ile özel hayatın gizliliği ve korunması ilkesi kapsamında güvence altına alınmıştır. Özel hayatın ve aile hayatının korunması başlıklı AİHS'in 8. maddesi kapsamında koruma altına alınan, kişisel verilerin korunması hakkı, ifade özgürlüğü, unutulma hakkı gibi başkaca haklarla da birlikte değerlendirilmektedir. Kişisel verilerin korunmasına yönelik alınan tedbirler, kamu kurum kuruluşları, özel şirketler, gerçek ve tüzel kişiler tarafından ilgili mevzuatın ve uygulamanın birlikte değerlendirilmesi yoluyla en iyi şekilde uygulanmalıdır. Uygulamaya özellikle bu alanda faaliyet gösteren ve bağımsız idare otorite olan "Kişisel Verileri Koruma Kurumu"nun karar organı olan "Kurul" aracılığıyla aldığı kararlar etkili olmaktadır. Kurum, ayrı bir kamu tüzel kişiliği bulunan ve kişisel verilerin kanunda öngörülen hukuki, idari ve teknik tedbirlerin alınması suretiyle koruma altına alınıp alınmadığı, mevzuattan kaynaklanan yükümlülüklerin gereği gibi yürütülüp yürütülmediği noktalarında denetim yaparak yaptırım uygulama yetkisine sahiptir. Bu hususta gerek uygulanacak korumaya yönelik kuralların belirlenmesinde gerek ise denetim makamları çerçevesinde yapılacak denetimlerde iki önemli hususun kişisel verilerin korunmasında göz önünde bulundurulması gerekir. Bu özellikler "orantılılık" ve "gereklilik"tir. Koruma amaçlı uygulanan kurallar koruma amacıyla orantılı ve acil sosyal ihtiyacın karşılanması yönüyle de gerekli olmalıdır. AİHM de kendisine yapılan bireysel başvurularda, üye devletlerin yaptığı kişisel veri ihlaline yönelik incelemelerinde, bir müdahalenin bulunup bulunmadığı, müdahalenin yasa ile öngörülüp öngörülmediği, müdahalenin meşru amaçla uyumlu olup olmadığı ve orantılılığı ile müdahalenin acil bir sosyal ihtiyaca dönük olarak yapılıp yapılmadığı gibi kriterleri çerçevesinde değerlendirmektedir. Kişisel verilerin korunması hakkı, Anayasal bir haktır ve kişi, bu hak kapsamında, kendisine ait verilerinin veri sorumluları tarafından mevzuata uygun biçimde muhafaza edilmesini ve edilip edilmediği noktasında bilgi verilmesini her zaman isteyebilecektir. Kendisinin iradesi dışında, sır olarak adlandırdığı ve gizlediği, sadece kendisinin paylaştığı kişiler dışında üçüncü kişiler ile paylaşılması halinde, sorumluların cezai, idari, disiplin sorumluluğu yanında hukuki sorumluluğu da söz konusu olabilecek; bu durum kişilik haklarına yapılan bir saldırı olarak da nitelendirilebilecektir. Türk hukukunda, Anayasal olarak güvence altına alınan kişisel verilerin korunması hakkı, 2010 referandumuyla birlikte Anayasa'nın 20. maddesinin 3. fıkrasıyla düzenlenmiş ve bu konuda detaylı düzenlemenin yasa ile yapılacağı belirtilmiştir. Bu düzenleme çerçevesinde, 2016 yılında 6698 sayılı Kişisel Verilerin Korunması Kanunu kabul edilerek yürürlüğe girmiştir. Bahse konu kanunun vurgu yaptığı kişisel verilerin korunması, kamu kurumlarında ilk elden devletin yegane organı idare tarafından sağlanmaktır. Bilişim teknolojilerindeki gelişim sonucu, kişi, kurum ve devletlerin bilgi gereksinimi ile bireylerin bilgi üzerinde karar verme hakkı arasındaki denge bozulmuştur. Kişisel verilerin korunması hukuku dengeyi sağlamayı, kişisel verileri işlenen bireye, kişisel verilerinin geleceğini belirleme hakkı tanımayı hedefler. Aksi durum insan haklarının temel değeri olan insan onurunun zedelenmesine neden olabilir. Bu çalışmada, idarenin sorumluluğu kavramı altında, kişisel verilerin korunması hakkının ihlali halinde oluşan hizmet kusurunun, geçmiş yargı kararları da göz önünde bulundurularak incelenmiş olup; bu incelemede veri güvenliği ilkesi başta olmak üzere kişisel verilerin korunmasına yönelik geçerli olan genel ilkelerden faydalanılmıştır. İdarenin kişisel verilerin korunması alanında hizmet kusuru olarak kabul edilecek kusur sorumluluğunun dayanağı iki biçimde söz konusu olabilecektir. Bunlardan birincisi, kamu görevlisinin yapmış olduğu hizmete yönelik kusurlu davranışları, ikincisi ise idarenin veri işleme alanında, hizmetin kurulması ve işletilmesi alanında ortaya çıkabilen kusurlu davranışlarıdır. Böyle bir durumda, kişisel verisi ihlal edilenlerin, Anayasa'nın 125. maddesi gereğince, idarenin sorumluluğu ilke ve kuralları çerçevesinde aktarılmıştır. Kişisel verilerin korunması hakkının temin edilmesi bakımından, kişilerin açık rızası olmaksızın, kişisel verilerinin işlenmesi yasaktır. Özellikle özel (hassas) nitelikli kişisel verilerin, bireylerin temel hak ve özgürlüklerinin korunması açısından ne kadar önemli olduğu ve rıza dışı işlenmesi ile kişiyi maddi ve manevi olarak mağdur edeceği aşikardır. Rıza olmaksızın işlenmesi mümkün olan, istisna hükümleri de 6698 sayılı Kişisel Verilerin Korunması Kanunu ışığında bu çalışmada ele alınmıştır. Bu genel açıklamalar kapsamında çalışmamız dört bölümden oluşmaktadır. "Kişisel Veri Kavramı, Kişisel Verilerin İşlenmesi Ve Korunması" başlıklı Birinci Bölümde, kişisel veri kavramı ve unsurları, kapsamı kişisel verilerin işlenme şartları, özel nitelikli kişisel veri kavramı, kişisel verilerin korunması ihtiyacı ve nedenlerine yer verilmiştir. "Kişisel Verilerin Korunmasına İlişkin Uluslararası Temel Düzenlemeler ve Kurumlar" Başlıklı İkinci Bölümde, İktisadi İşbirliği ve Gelişme Teşkilatı (OECD), Avrupa Konseyi, Birleşmiş Milletler, Avrupa Birliği ve Uluslararası Çalışma Örgütü gibi uluslararası kuruluşların kişisel verilerin korunması düzenlemeleri ile veri koruma kurumları incelenmiştir. "Kişisel Verilerin Korunmasında Denetleyici Ve Düzenleyici Kurum Olarak Kişisel Verileri Koruma Kurumu" başlıklı Üçüncü Bölümde Kurumun yapısı, bağımsızlığı, Kurum'un karar organı Kişisel Verileri Koruma Kurulu, Kurum'un idari teşkilat içindeki yeri ve yaptırım kararlarının hukuki niteliği üzerinde durulmuştur. "Kişisel Verilerin Korunmasında İdari Ve Yargısal Denetim" başlıklı 4. Bölümde ise Kurumun idari denetim yolları, Kişisel Verileri Koruma Kurulu'na yapılan şikayet ve sonuçlandırılması ile yargısal denetimin koşulları belirtilmiş ve yargı kararlarından örnekler verilmiştir. Böylece kişisel verilerin korunması hakkı kapsamında, çalışmamızda konu idare hukuku yönüyle ele alınmıştır. Bu çerçevede, kamu kurum ve kuruluşlarının, kamu düzeni veya kamu güvenliği, vb. durumlar sebebiyle elde ettikleri kişisel verileri, "hukuka aykırı olmayacak" ve "telafisi güç durumlar" oluşturmayacak şekilde işlenmesi ve kullanmasını; kişilerin, kişisel verilerine talepleri doğrultusunda erişimini, silinmesini, yok edilmesini veya kişisel verisi hakkında bilgi edinmesini temin etme olanağının sağlanılmasını; veri sorumlusunun kişiyi aydınlatması ve bilgi edinme hakkı kapsamında idarenin bireye verilerin ne amaçla kullanılacağını aktarmakla yükümlü olduklarını; verilerin güvenliğini sağlamak amacıyla her türlü tedbirin alması gerektiğini; kamu kurum ve kuruluşları tarafından bu sorumluluklarının yerine getirilmemesi halinde idarenin sorumluluğunun doğabileceği; konu hakkında yapılan yargısal denetim kapsamında ortaya çıkan yargısal içtihat ve Kurul tarafından bağımsız idari otorite olarak "idarenin düzenleme yetkisi" sınırları kapsamında verdiği "Kurul Kararları"nın incelenmesi suretiyle ortaya konulması amaçlanmıştır. ANAHTAR KELİMELER : kişisel veri, kişisel verilerin korunması hakkı, AİHS, AİHM, idarenin sorumluluğu, hizmet kusuru, gizlilik, özel hayat, rıza
The protection of personal data can be defined as the protection of the fundamental rights and freedoms of the administrators by taking the personal data processing procedure under a certain discipline in terms of administrative law. In this context, with the protection of personal data, it is basically aimed to protect these personal data owners, not the data. The state needs human resources in order to ensure public safety, to carry out public activities and to perform public services properly. In public services to be carried out based on human resources, it can be said that the first data controllers are the states, due to the fact that the data of these persons are known by the administration and the data obtained within the scope of the relations of the service users with the administration. Today, personal data used in every field are secured within the scope of the principle of privacy and protection of private life with many national and international legislation, especially the United Nations Universal Declaration of Human Rights and the European Convention on Human Rights (ECHR). It is considered together with other rights such as the right to protect personal data, freedom of expression, and the right to be forgotten, which are protected within the scope of Article 8 of the ECHR, titled the protection of private and family life. Measures taken for the protection of personal data should be implemented in the best way by public institutions, private companies, real and legal persons by evaluating the relevant legislation and practice together. The decisions taken by the "Board", which is the decision-making body of the "Personal Data Protection Authority", which operates in this field and is an independent administrative authority, are particularly effective in the practice. The Authority has a separate public legal personality and has the authority to apply sanctions on the points of whether the personal data are taken under protection by taking the legal, administrative and technical measures stipulated in the Law and whether the obligations arising from the legislation are duly executed. In this regard, two important issues should be considered in the protection of personal data, both in determining the rules for protection to be applied and in audits to be carried out within the framework of supervisory authorities. These features are "proportionality" and "necessity". The rules applied for protection purposes should be proportionate for the purpose of protection and necessary in terms of meeting the urgent social need. The ECtHR also evaluates the individual applications made to it, within the framework of the criteria such as whether there is an intervention, whether the intervention is prescribed by law, whether the intervention is compatible with the legitimate aim and proportionality and whether the intervention is made for an urgent social need. The right to protect personal data is a Constitutional right, and within the scope of this right, the person can always request that his / her data be kept by data controllers in accordance with the legislation and to be informed about whether or not. In the event that it is shared with third parties other than the people that he / she has named and kept secret, and who he / she has shared, out of his / her own will, criminal, administrative and disciplinary liability as well as legal liability may be at stake; This situation can be described as an attack on personal rights. In Turkish Law, the right to protection of personal data under constitutional protection was regulated by paragraph 3 of Article 20 of the Constitution with the 2010 referendum and it was stated that the detailed regulation on this issue shall be made by law. Within the framework of this regulation, the Personal Data Protection Law numbered 6698 was accepted and entered into force in 2016. The protection of personal data emphasized by the aforementioned Law is provided by the administration, the only body of the state, at first hand in public institutions. As a result of the development in information technologies, the balance between the information needs of individuals, institutions and states and the right of individuals to decide on information has been disrupted. The law on the protection of personal data aims to achieve the balance and to give the individual whose personal data is processed the right to determine the future of his personal data. Otherwise, human dignity, which is the basic value of human rights, may be damaged. In this study, under the concept of the responsibility of the administration, the service defect that occurs in case of violation of the right to protection of personal data has been examined, taking into account previous judicial decisions; In this review, the general principles applicable to the protection of personal data, especially the principle of data security, were used. The basis of the administration's fault liability, which will be accepted as a service fault in the field of personal data protection, can be in two ways. The first of these is the flawed behaviors of the public official towards the service he / she has done, and the second is the faulty behaviors of the administration that may arise in the field of data processing, establishment and operation of the service. In such a case, in accordance with Article 125 of the Constitution, those whose personal data are violated are transferred within the framework of the principles and rules of the administration's responsibility. In terms of ensuring the right to protect personal data, the processing of personal data is prohibited without the express consent of the persons. It is obvious that especially sensitive personal data are important in terms of protecting the fundamental rights and freedoms of individuals and will suffer the person materially and morally if they are processed without consent. Exception provisions, which can be processed without consent, are also discussed in this study in the the Personal Data Protection Law No 6698. Our study consists of four parts within the scope of these general explanations. In the First Section titled "The Concept of Personal Data, Processing and Protection of Personal Data", the concept and elements of personal data, the scope of processing personal data, the concept of special quality personal data, the need and reasons for the protection of personal data are included. In the Second Section titled "International Basic Regulations on the Protection of Personal Data and Organisations", the personal data protection regulations of international organizations such as OECD, Council of Europe, United Nations, European Union and International Labor Organization and data protection institutions are examined. In the Third Section titled "Personal Data Protection Authority as a Supervisory and Regulatory Authority in the Protection of Personal Data", the structure and independence of the Institution, the decision-making body of the Institution, the Personal Data Protection Board, the institution's place in the administrative organization and the legal nature of the sanction decisions are discussed. In Chapter 4 titled "Administrative and Judicial Control in the Protection of Personal Data", the administrative control methods of the Authority, the complaints made to the Personal Data Protection Board and their conclusion and the conditions of judicial control are specified and examples of judicial decisions are given. Thus, within the scope of the right to protect personal data, in our study, the subject was handled in terms of administrative law. In this framework, public institutions and organizations, public order or public security, etc. processing and using the personal data they obtain due to circumstances in a way that is not "illegal" and "difficult to compensate"; providing the opportunity for individuals to access, delete, destroy or obtain information about their personal data in line with their requests; that the administration is obliged to inform the individual for what purpose the data will be used within the scope of the data controller's right to inform the person and obtain information; All measures should be taken to ensure the security of data; In the event that these responsibilities are not fulfilled by public institutions and organizations, the responsibility of the administration may arise; It is aimed to reveal by examining the judicial case law emerging within the scope of the judicial review on the subject and the Board Decisions made within the scope of the "regulatory authority of the administration" as an independent administrative authority. KEYWORDS : personal data, right to protection of personal data, the court of ECHR, the ECHR, the responsibility of the administration, private life, service fault, privacy, consent
The protection of personal data can be defined as the protection of the fundamental rights and freedoms of the administrators by taking the personal data processing procedure under a certain discipline in terms of administrative law. In this context, with the protection of personal data, it is basically aimed to protect these personal data owners, not the data. The state needs human resources in order to ensure public safety, to carry out public activities and to perform public services properly. In public services to be carried out based on human resources, it can be said that the first data controllers are the states, due to the fact that the data of these persons are known by the administration and the data obtained within the scope of the relations of the service users with the administration. Today, personal data used in every field are secured within the scope of the principle of privacy and protection of private life with many national and international legislation, especially the United Nations Universal Declaration of Human Rights and the European Convention on Human Rights (ECHR). It is considered together with other rights such as the right to protect personal data, freedom of expression, and the right to be forgotten, which are protected within the scope of Article 8 of the ECHR, titled the protection of private and family life. Measures taken for the protection of personal data should be implemented in the best way by public institutions, private companies, real and legal persons by evaluating the relevant legislation and practice together. The decisions taken by the "Board", which is the decision-making body of the "Personal Data Protection Authority", which operates in this field and is an independent administrative authority, are particularly effective in the practice. The Authority has a separate public legal personality and has the authority to apply sanctions on the points of whether the personal data are taken under protection by taking the legal, administrative and technical measures stipulated in the Law and whether the obligations arising from the legislation are duly executed. In this regard, two important issues should be considered in the protection of personal data, both in determining the rules for protection to be applied and in audits to be carried out within the framework of supervisory authorities. These features are "proportionality" and "necessity". The rules applied for protection purposes should be proportionate for the purpose of protection and necessary in terms of meeting the urgent social need. The ECtHR also evaluates the individual applications made to it, within the framework of the criteria such as whether there is an intervention, whether the intervention is prescribed by law, whether the intervention is compatible with the legitimate aim and proportionality and whether the intervention is made for an urgent social need. The right to protect personal data is a Constitutional right, and within the scope of this right, the person can always request that his / her data be kept by data controllers in accordance with the legislation and to be informed about whether or not. In the event that it is shared with third parties other than the people that he / she has named and kept secret, and who he / she has shared, out of his / her own will, criminal, administrative and disciplinary liability as well as legal liability may be at stake; This situation can be described as an attack on personal rights. In Turkish Law, the right to protection of personal data under constitutional protection was regulated by paragraph 3 of Article 20 of the Constitution with the 2010 referendum and it was stated that the detailed regulation on this issue shall be made by law. Within the framework of this regulation, the Personal Data Protection Law numbered 6698 was accepted and entered into force in 2016. The protection of personal data emphasized by the aforementioned Law is provided by the administration, the only body of the state, at first hand in public institutions. As a result of the development in information technologies, the balance between the information needs of individuals, institutions and states and the right of individuals to decide on information has been disrupted. The law on the protection of personal data aims to achieve the balance and to give the individual whose personal data is processed the right to determine the future of his personal data. Otherwise, human dignity, which is the basic value of human rights, may be damaged. In this study, under the concept of the responsibility of the administration, the service defect that occurs in case of violation of the right to protection of personal data has been examined, taking into account previous judicial decisions; In this review, the general principles applicable to the protection of personal data, especially the principle of data security, were used. The basis of the administration's fault liability, which will be accepted as a service fault in the field of personal data protection, can be in two ways. The first of these is the flawed behaviors of the public official towards the service he / she has done, and the second is the faulty behaviors of the administration that may arise in the field of data processing, establishment and operation of the service. In such a case, in accordance with Article 125 of the Constitution, those whose personal data are violated are transferred within the framework of the principles and rules of the administration's responsibility. In terms of ensuring the right to protect personal data, the processing of personal data is prohibited without the express consent of the persons. It is obvious that especially sensitive personal data are important in terms of protecting the fundamental rights and freedoms of individuals and will suffer the person materially and morally if they are processed without consent. Exception provisions, which can be processed without consent, are also discussed in this study in the the Personal Data Protection Law No 6698. Our study consists of four parts within the scope of these general explanations. In the First Section titled "The Concept of Personal Data, Processing and Protection of Personal Data", the concept and elements of personal data, the scope of processing personal data, the concept of special quality personal data, the need and reasons for the protection of personal data are included. In the Second Section titled "International Basic Regulations on the Protection of Personal Data and Organisations", the personal data protection regulations of international organizations such as OECD, Council of Europe, United Nations, European Union and International Labor Organization and data protection institutions are examined. In the Third Section titled "Personal Data Protection Authority as a Supervisory and Regulatory Authority in the Protection of Personal Data", the structure and independence of the Institution, the decision-making body of the Institution, the Personal Data Protection Board, the institution's place in the administrative organization and the legal nature of the sanction decisions are discussed. In Chapter 4 titled "Administrative and Judicial Control in the Protection of Personal Data", the administrative control methods of the Authority, the complaints made to the Personal Data Protection Board and their conclusion and the conditions of judicial control are specified and examples of judicial decisions are given. Thus, within the scope of the right to protect personal data, in our study, the subject was handled in terms of administrative law. In this framework, public institutions and organizations, public order or public security, etc. processing and using the personal data they obtain due to circumstances in a way that is not "illegal" and "difficult to compensate"; providing the opportunity for individuals to access, delete, destroy or obtain information about their personal data in line with their requests; that the administration is obliged to inform the individual for what purpose the data will be used within the scope of the data controller's right to inform the person and obtain information; All measures should be taken to ensure the security of data; In the event that these responsibilities are not fulfilled by public institutions and organizations, the responsibility of the administration may arise; It is aimed to reveal by examining the judicial case law emerging within the scope of the judicial review on the subject and the Board Decisions made within the scope of the "regulatory authority of the administration" as an independent administrative authority. KEYWORDS : personal data, right to protection of personal data, the court of ECHR, the ECHR, the responsibility of the administration, private life, service fault, privacy, consent
Description
Keywords
Hukuk, Law