FIRST PART
PERSONAL DATA CONCEPT AND DEFINITIONS
1. Personal Data
The concept of personal data entered our lives with developing technology, and personal data began to be collected especially with the emergence of the first computers. These developments in the world have made the definition of personal data and how to protect it debatable. In the United States, banks that give loans to citizens demanded a center where the personal data of citizens would be collected in order to determine the people to whom they would give loans; in Europe, after World War II, the proposals regarding the collection of personal data encountered a great public reaction, and the need for new legal regulations emerged. Legal regulations and international agreements on the protection and transfer of personal data will be discussed in the next section, and only common definitions will be examined in this section.
The concept of personal data is defined as data relating to a specific or identifiable person in international documents, in the national legislation of the countries examined and in the justification of the first paragraph of Article 135 of the Turkish Penal Code, which regulates the crime of recording personal data among the provisions of the Code protecting personal data. As a matter of fact, personal data is defined as “any information belonging to a certain or identifiable person” in Article 2 of the Convention on the Protection of Real Persons during the Automatic Processing of Personal Data No. 108, and as “any information pertaining to a specific or identifiable natural person” in Article 2 of the European Community Personal Data Protection Directive No. 95/46. The concept of identifiable person is defined in the same article as “a person whose identity can be determined, directly or indirectly, especially by reference to an identity number or one or more specific factors to the physical, psychological, spiritual, economic, cultural or social identity of the person”. Lastly, personal data is expressed as any information relating to an identified or identifiable natural person in the definitions section of the Law on the Protection of Personal Data, which entered into force in 2016 in line with international agreements.
The aforementioned information may consist of all kinds of information about a particular person that reveal his or her identity, such as nationality, ethnic origin, religious/philosophical beliefs, social/political beliefs, photograph, voice, biometric records such as fingerprints taken for security purposes, retinal map, odor recognition, physical characteristics, appearance, sexual orientation and tendencies, blood type, medical analysis values, health, medical and forensic history, place of residence, bank account and credit card information, electronic passwords, signature, shopping habits, education and working status, professional secrets, retirement, corporate registry or tax number, social security records, personal and/or familial relationships, communication data such as phone messages, phone book, phone number, e-mail or social media account and their contents, the personal computer’s IP address, etc.
Some personal data, on the other hand, are evaluated in categories such as sensitive personal data and special quality personal data due to the importance they provide, and the necessity of providing special protection to such data is stated in all legal texts. As a matter of fact, in the Law No. 6698 on the Protection of Personal Data, people’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, their appearance and clothing, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures data and biometric and genetic data are defined as special quality personal data.
2. Processing of Personal Data
The processing of personal data is defined in the European Community Personal Data Protection Directive No. 95/46/EC as any type of processing to which personal data is subjected. As a matter of fact, the Law on the Protection of Personal Data No. 6698 adopted a definition in line with this regulation and defines the processing of personal data as any kind of operation performed on data, such as the acquisition, recording, storage, preservation, modification, rearrangement, disclosure, transfer, takeover, making available, classifying or preventing the use of personal data, completely or partially automatically or by non-automatic means provided that it is a part of any data recording system. In short, any process from the collection of data to its destruction can be defined as the processing of personal data.
3. Data Subject/Relevant Person
Regarding the protection of personal data, two important concepts are “data subject” and “relevant person”. The data subject is defined in Article 2 of the European Community Personal Data Protection Directive No. 95/46/EC and Article 2 of the Convention on the Protection of Real Persons During the Automatic Processing of Personal Data No. 108 as the person to whom the personal data is related, that is, the determined or identifiable person. As a matter of fact, the Law on the Protection of Personal Data No. 6698 defines the Relevant Person as the natural person whose personal data are processed. Therefore, only data belonging to real persons can have the quality of personal data, while the concept of trade secret will be used for data belonging to legal persons.
4. Data Controller
This term, which is mentioned in the data protection laws of different countries, refers to the person or organization that determines the purpose and means of processing the data. In some international texts and the Law on the Protection of Personal Data, we see that the terms data logger and data controller are used to meet this concept. The Law on the Protection of Personal Data No. 6698 has determined the data controller as the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
5. Data Processor
Since the Law on the Protection of Personal Data was still in draft form in those years, the concept of data processor, which was not included in Nil Melek Gültekin’s thesis but is included in the Law on the Protection of Personal Data, should also be defined. We see that the law defines this concept as a natural or legal person who processes personal data on behalf of the data controller, based on the authority given to him. While the data controller and the data processor may be the same person, if the data controller shares his/her authority with another natural or legal person, the two roles will be held by two different persons.
SECOND PART
HISTORY OF PERSONAL DATA PROTECTION
Although regulations on the protection of personal data gained importance mostly after World War II, the physician’s obligation of confidentiality, which emerged in the 5th century BC, is one of the oldest examples of personal data protection. This obligation, which requires physicians not to share the information they have learned about the health of individuals within the scope of their profession, is one of the first steps of indirectly protecting personal data. The development of the concept of personal data as it is understood today, and its protection, began to gain importance in the 1950s and 1960s, with the first emergence of computers and, accordingly, the rapid development of technology in the following periods and the beginning of keeping, spreading and transferring data about individuals, and came to the fore in the United States (USA). In particular, the concern about misuse of collected and stored personal data brought along discussions on the protection of personal data after World War II in European countries, where the effects of the war were felt intensely, because of the psychological continuation of its devastating effects. At that time in the USA, the creditworthiness of individuals was of great social importance, and the discussions that started when it was recommended to collect the data of the citizens in a center so that the computers would not make mistakes while giving credit flared up when it was revealed that the US army collected the personal data of many people. Similarly, in Sweden, a large tax registry was created in the 60s and a study was initiated to collect the population information of citizens here, and these discussions in the USA and Sweden ended with the establishment of a joint electronic data bank.[1]
In the light of the developments experienced, the developments regarding the personal data law gained momentum with the coming of the 70s. The studies on the protection of personal data in national and international legislation will be briefly mentioned below.
1. Organization for Economic Cooperation and Development (OECD Convention)
Taking the first step towards achieving unity among countries regarding personal data internationally, the OECD adopted the “Guiding Principles on the Protection of Privacy and Transnational Personal Data Roaming” (OECD Convention) on September 23, 1980. Although it is aimed at protecting personal data in an international sense, this text is only a recommendation to the member states as guiding principles, and in this respect, the text is not binding for the member states.
The Guidelines adopted by the OECD defined personal data as all information belonging to a specific or identifiable person and adopted 8 basic principles for the protection of personal data, which are stated in the relevant articles. The Guiding Principles have formed the source of personal data law in the domestic laws of many countries, and it is seen that they even form the basis of the Law on the Protection of Personal Data in Turkey.
The OECD brings the following principles in terms of processing personal data:
1. “Limited Data Collection Principle” (art. 7)
2. “Data Quality Policy” (art. 8)
3. “The Principle of Certainty of Purpose” (art. 9)
4. “Limited Use Principle” (art. 10)
5. “Data Security Policy” (art. 11)
6. “Principle of Openness” (art. 12)
7. “Individual Participation Principle” (art. 13)
8. “Accountability Principle” (art. 14), the last principle in the OECD Guiding Principles
These principles brought by the OECD have formed the basis of personal data protection law in many countries.
2. Convention No. 108 on the Protection of Real Persons During Automatic Processing of Personal Data (Convention No. 108)
The Convention on the Protection of Real Persons during the Automatic Processing of Personal Data, dated 1981 and numbered 108, regulates the right to protection of personal data, which is not expressly included in the ECHR. According to Article 23 of Convention No. 108, states that are not members of the Council of Europe can also sign this convention, but according to Article 4 of the Convention, the signatory states are obliged to transpose the provisions of the Convention into their domestic laws.
The regulations of Convention No. 108 are important in terms of transfer. With regard to the transfer of personal data, Convention No. 108 regulates free transfer as a general rule and stipulates that one of the contracting countries cannot prohibit the transfer to one of the other parties to the Convention or subject it to a special permission solely on the grounds of the protection of private life. However, there are two exceptions to this rule: there is no equivalent protection in the other country to which the personal data will be transferred, or special protection has been introduced for certain categories of personal data, or the data transfer will be made to a country that is not a party to the Convention.
Convention No. 108 is one of the important documents regarding the protection of personal data, and it is in a very important position with the obligations it brings to the states that signed the Convention and its binding nature regarding their transposition into domestic law. Convention No. 108 is the first and only internationally binding agreement in the field of personal data protection. With Turkey becoming a party to the Convention in 2016, there is no state among the members of the Council of Europe that is not a party to this text.
3. European Convention on Human Rights (ECHR)
The first steps in the protection of human rights, which gained importance after the destruction caused by the Second World War, were taken with the establishment of the United Nations Organization and the adoption of the Universal Declaration of Human Rights by the decision of the UN General Assembly dated 10.12.1948. Then, on November 4, 1950, the European Convention on Human Rights was signed in Rome and the Convention entered into force in 1953. Subsequently, the European Commission of Human Rights was established in 1954 and the European Court of Human Rights (ECtHR) was established in 1959 in order to supervise the correct implementation of this Convention by the countries that ratified the Convention. Turkey also ratified this Convention in 1954. [2]
Although the protection of personal data is not explicitly mentioned in the ECHR, this issue is examined within the scope of Article 8 of the Convention, since Article 8 protects the “Right to Respect for Private and Family Life”, and the ECtHR evaluates the protection of personal data in this context.
The ECHR includes the article on the protection of private and family life as “1. Everyone has the right to respect for his private and family life, his home and his correspondence. 2. Interference by a public authority with the exercise of this right may occur only if the interference is prescribed by law and is necessary in a democratic society for national security, public safety, the economic well-being of the country, the protection of order, the prevention of crime, the protection of health or morals, or the protection of the rights and freedoms of others”. Therefore, the Convention firstly protected the private life, family life, home and correspondence of individuals in the first paragraph, and then regulated in the second paragraph on what grounds and under what conditions these rights of individuals could be restricted. The main purpose of the article is considered to be to protect the private and family life of individuals from arbitrary interference. In this context, the positive and negative obligations imposed on the state by the ECHR gain importance. Accordingly, the first obligation of the state is the negative obligation not to arbitrarily interfere with the private and family life of the individual. The second obligation is a positive obligation, and within the scope of this obligation, the state should provide appropriate conditions for individuals to exercise these rights, and prevent arbitrary interference by public officials or individuals in the private and family life of others.
In its decisions, the ECtHR interprets the Convention and creates case law. As a matter of fact, in many of its decisions, it is seen that some criteria are now applied in similar decisions by referring to its previous decisions. One of the first and most important decisions of the ECtHR regarding the protection of personal data is the case of Leander v. Sweden.[3] In this case, the applicant alleged that, under a law allowing personnel record keeping in Swedish domestic law, some personal data about him was kept for security purposes, but his request to see the information collected about him and to correct it if it was incorrect was denied, and that this violated Article 8 of the ECHR. The Court, on the other hand, examined the application in three stages. It first evaluated whether the intervention was carried out for a legitimate purpose, and concluded that the purpose of the intervention was “national security”, listed in the second paragraph of Article 8, and that as such it was legitimate. Afterwards, the Court evaluated whether the intervention was in accordance with the law, and stated that the law contained sufficiently clear provisions, that the provisions clearly regulated which personal data were kept for what purpose, and that the criterion of compliance with the law was met in this respect. Finally, the Court examined whether the interference was necessary in a democratic society for the protection of national security and found it necessary in a democratic society, finding that the interference was proportionate. In conclusion, the Court held that there was no violation under Article 8 in this case, but it was argued that it was further ahead in doctrine than at the time when it rendered its decision, given the present understanding and structure of the Court.
In the decisions given by the ECtHR, in general, it has been evaluated whether the keeping or disclosure of personal data constitutes an intervention within the scope of Article 8 of the ECHR. It has been checked whether there is a regulation, if there is, whether there are clear provisions in the regulation that will ensure adequate protection of personal data of individuals. Subsequently, the Court determined whether the interference was necessary in a democratic society and proportionate in that context.
It is seen that the ECHR, due to its nature, provides protection to individuals only against states, but leaves individuals unprotected in terms of private law real and legal persons. Today, there is no doubt that many private law real and legal persons, especially international companies, process data. For this reason, in addition to the ECHR, especially the Convention No. 108 and the European Union regulations gain importance in the protection of personal data.
4. United Nations
The United Nations, within the scope of its general work on Human Rights, made arrangements to include personal data in the UN Universal Declaration of Human Rights dated 10 December 1948 and the UN International Covenant on Individual and Political Rights. In addition to these, it has also introduced various regulations regarding the control of the personal data of the auditors, who supervise the implementation of the principles it has brought in their work, and the protection of personal data related to the health of the personnel working within the United Nations. [4]
The basic work of the UN on this issue is the “Guiding Principles on the Arrangement of Computerized Personal Data Files”, which was adopted in 1990 and is advisory. As the name suggests, this regulation on the protection of personal data is not binding for the states included in the United Nations, but is only a guideline and is the first document in the context of international law expressing the necessity of establishing authorized and independent protection bodies for the protection of personal data.
The details of the UN regulation will not be covered in this study as it is almost a repetition of the OECD Guiding Principles.
5. European Union Regulations
a) European Community Personal Data Protection Directive 95/46
Although the European Union has legal regulations such as the Directive on the Protection of Private Life and Electronic Communications No. 2002/58/EC and the European Union Charter of Fundamental Rights, it is seen that the most important regulation regarding the protection of personal data is Directive 95/46.
Directive No. 95/46/EC aims to harmonize the legislation on the protection of personal data between the member states of the European Union, which are developing under the single market idea and developing various commercial activities for this purpose, and thus to determine the minimum protection criterion in each of these countries. The first article sets out the purpose of the Directive: the first paragraph states that the member states should ensure the protection of the fundamental rights and freedoms of individuals, especially the privacy of private life in the field of processing personal data, and the second paragraph emphasizes that the member states should not hinder the free flow of data on the grounds of ensuring this protection. The importance of harmonization of national legislation between member states is mentioned in recitals 7 and 8 of the Directive, which state that the existence of different regulations on the protection of personal data may prevent the flow of data from one member state to another and that the level of protection provided should be equivalent in all member states to prevent such situations.
b) European Union Data Protection Regulation (GDPR)
Directive 95/46 has achieved its purpose over time, ensuring that the data protection laws of the member states of the European Union are harmonized, and various agreements providing for equivalent protection have been signed with non-compliant countries. In 2016, Turkey adopted the Law on the Protection of Personal Data, which is based on Directive 95/46, in the course of the European Union negotiation processes. However, the European Parliament adopted the General Data Protection Regulation by vote in the same year. While 95/46/EC, valid for all European Union member states as of its effective date, is a directive that allows each member country to make its own internal regulations, the GDPR is a regulation to a certain extent. Therefore, each country has to duly enforce the provisions regulated in the GDPR.
THIRD PART
PROTECTION OF PERSONAL DATA IN TURKISH LAW
1. Protection of Personal Data in the 1982 Constitution of the Republic of Turkey
After the referendum held in 2010, the protection of personal data of individuals found a constitutional basis with the paragraph added by Law No. 5982 to Article 20 of the Constitution, which regulates the privacy of private life. According to the last paragraph of Article 20, “Everyone has the right to demand the protection of their personal data. This right also includes being informed about the personal data about the person, accessing these data, requesting their correction or deletion, and learning whether they are used for their purposes. Personal data can only be processed in cases stipulated by law or with the explicit consent of the person. The principles and procedures regarding the protection of personal data are regulated by law.”
The fact that the relevant article of the Constitution does not include the conditions in which the right to protect personal data can be limited has led to some debates in the doctrine. Indeed, according to Article 13 of the Constitution, which provides for the restriction of fundamental rights and freedoms when necessary, “Fundamental rights and freedoms can only be limited by law, without infringing on their essence, depending on the reasons specified in the relevant articles of the Constitution. These restrictions cannot be contrary to the word and spirit of the Constitution, the requirements of the democratic social order and the secular Republic, and the principle of proportionality.” In this respect, the last paragraph of Article 20 provides that the right to protect personal data may be limited by law, and although this is in accordance with Article 13, the same article contains no “reasons specified in the relevant articles of the Constitution” in terms of the right to protect personal data. This deficiency leads to a confusion of meaning, such as the suggestion that the right is unlimited, even if the reasons for limitation are specified by law.
In addition, in Article 5 of the Constitution, which is regulated under the title of “main aims and duties of the state”, the statement “trying to prepare the necessary conditions for the development of the material and spiritual existence of the human being” imposes a positive obligation on the state. In the context of this obligation, Article 17 of the Constitution, which regulates the right to protect the honor and reputation of the person in the context of the person’s moral integrity, is also accepted among the constitutional articles that are the indirect basis of the right to protect personal data.
2. Law No. 6698 on the Protection of Personal Data
The Law on Protection of Personal Data No. 6698 was accepted at the General Assembly of the Grand National Assembly of Turkey on March 24, 2016 and entered into force after being published in the Official Gazette No. 29677 on April 7, 2016. It has been prepared on the basis of the Council of Europe’s 28 January 1981 dated “Convention on the Protection of Individuals Against the Automatic Processing of Personal Data”, the “Additional Protocol on the Protection of Personal Data” dated 2001 and the “Personal Data Protection Directive” no 95/46/EC.
The protection of personal data has been recognized as a right on constitutional grounds within the scope of the last paragraph added to Article 20 of the Constitution by Article 2 of Law No. 5982 of 12 September 2010 on Amending Some Articles of the Constitution of the Republic of Turkey.
3. Other Laws and Regulations
The right to protection of personal data is directly or indirectly protected by various laws and regulations, apart from the Constitution and Law No. 6698. Legislation such as the Turkish Penal Code and the Code of Criminal Procedure, the Civil Code and the Code of Obligations, the Labor Law, the Banking Law and the Bank Cards and Credit Cards Law, the Notary Law, the Judicial Registry Law, the Population Services Law, and the Patient Rights Regulation can be counted as examples. The regulations regarding penal legislation will be examined in detail below.
FOURTH PART
PROTECTION OF PERSONAL DATA IN TURKISH CRIMINAL LAW
1. Arrangements in the Criminal Procedure Code
According to the second and third paragraphs of Article 17, titled “The Immunity, Material and Spiritual Existence of the Person”, in the second part of the Constitution, titled “The Rights and Duties of the Person”, a person “cannot be subjected to scientific and medical experiments without his consent. No one can be tortured or ill-treated; no one shall be subjected to punishment or treatment incompatible with human dignity.” Therefore, since taking a sample from the body also means an interference with the bodily integrity of the person, the interventions to be made within the scope of the Criminal Procedure Code can only be regulated by law in accordance with Article 13 of the Constitution, and the restrictions made must not be contrary to the word and spirit of the Constitution, the requirements of the democratic social order and the secular Republic, and the principle of proportionality.
In the current practice in Turkey, the procedures regarding DNA analysis are carried out in accordance with the relevant provisions of the Criminal Procedure Code. According to Articles 75 and 76 of the Law, physical examinations of the suspect or the accused and the victim can be carried out, and samples can be taken from the body as a result of this examination. With the regulation made in the law, this issue is divided into two: the examination of the suspect or the accused and taking samples from his body, and the physical examination of other people and taking samples from their bodies. On these samples, DNA analysis can be performed in accordance with Article 78, which is regulated under the title of “Molecular Genetic Studies”. According to the article, “Molecular genetic analyzes can be carried out on samples obtained through the procedures stipulated in Articles 75 and 76, if it is necessary to determine whether paternity or the finding belongs to the suspect or the accused or the victim”, but “examinations for making detections other than these purposes on the samples taken are prohibited.” In Article 79, it is stated that the authority to decide to carry out this examination is exclusively with the judge, and it is stipulated that the experts who will be appointed to carry out the examinations are “obligated to prevent illegal molecular genetic examinations from being carried out and unauthorized third parties obtaining information with appropriate measures in terms of technique and organization”.
The last provision in the Criminal Procedure Code (CMK) regarding this issue is Article 80, which states that “the results of the examination made on the samples taken in accordance with the provisions of Articles 75, 76 and 78 are in the nature of personal data and cannot be used for any other purpose; they cannot be given to someone else by those who have the authority to learn the content of the file” and that “this information will be immediately destroyed in the presence of the Public Prosecutor in the event that the deadline for objection to the decision not to prosecute, rejection of the objection, acquittal or punishment is finalized, and this matter shall be recorded in the minutes to be kept in the file”.
2. Penal Arrangements in the Law on Protection of Personal Data No. 6698
Crimes are regulated in Article 17 of the Law on the Protection of Personal Data. According to the article, “Provisions of Articles 135 to 140 of the Turkish Penal Code dated 26/9/2004 and numbered 5237 are applied in terms of crimes related to personal data. Those who do not delete or anonymize personal data, contrary to the provision of Article 7 of this Law, are punished according to Article 138 of the Law No. 5237.” The law thus refers to the Turkish Penal Code in terms of crimes related to personal data.
3. Regulations in the Turkish Penal Code No. 5237
While recording personal data can be done by official institutions of the state, other institutions and organizations can also collect and store personal data of individuals. Examples of this are hospitals that record confidential and extremely important information about patients, forensic medicine institutions that collect DNA and fingerprints of individuals, conduct investigations on them, but do not destroy this data later on, and companies that are mobile phone operators.
In order to reduce the violations of rights that may arise with the increase in the processing of personal data, to punish those who commit such actions and to deter those who would commit such actions, regulations regarding personal data have been made in the Turkish Penal Code No. 5237, and new crimes and penalties have been established in this area. In the Ninth Section, titled “Crimes Against Private Life and Confidential Area of Life”, of the Second Part of the Law, titled “Crimes Against Persons”, the crimes of “Recording of Personal Data” in Article 135, “Unlawful Giving or Seizing Data” in Article 136 and “not destroying the data” in Article 138 are regulated, and in Article 137, qualified cases that require an increase in the penalty are listed.
A) TPC Article 135: Recording of Personal Data
a. General Information
The crime of recording personal data is regulated in Article 135 of the TPC as follows: “(1) Any person who unlawfully records personal data is sentenced to imprisonment from one year to three years. The penalty to be imposed in accordance with the first paragraph shall be increased by half in the event that it unlawfully relates to their moral tendencies, sexual life, health status or union affiliations.”
At the time the thesis subject to our review was written, there were discussions regarding the violation of the principles of certainty and legality, since the Law on the Protection of Personal Data was not yet in effect. According to the discussions, although a clear definition of personal data cannot be expected in the law due to the nature of the Turkish Penal Code, the establishment of a crime regulating the recording of personal data necessitates a legal definition specifying as clearly as possible what should be understood from personal data. Otherwise, there were opinions that the principle of legality would be violated, as it was unclear what data would be included in the scope of this crime, since the law did not specify what exactly personal data is. With the entry into force of the Law on the Protection of Personal Data in 2016, these discussions came to an end.
b. Legal Value Protected by Crime
The Offense of Recording Personal Data is regulated in the Second Part of the Turkish Penal Code titled “Crimes Against Persons” and in the Ninth Part titled “Crimes Against Private Life and Secret Area of Life”. As is clearly understood from this system, the crime of recording personal data is one of the crimes against individuals, and the privacy of individuals is protected by the crime. The concept of privacy is defined in the 1987 Constitutional Court decision as follows: “Protection of private life means first of all protecting the privacy of this life and not revealing it to others. One of the fundamental rights of a person is to demand that what is happening there be known only by himself or by the people he wants to know.” In its decision, the Court emphasized the importance of the protection of private life: “Due to this nature, it is requested that the privacy of private life be preserved and protected in declarations and contracts regarding human rights, and this right is protected against state organs, society and other individuals, with the exceptions clearly specified in the legislation of all democratic countries. The right to respect for private life, which is of great importance for human happiness, is a fundamental right for his personality, and if it is not adequately protected, it is not possible for people and therefore the society to feel peaceful and live in safety. For these reasons, the acts of violating the confidentiality in various forms have been considered a crime and bound to criminal sanctions.”
c. Elements of Crime
(1) Material Elements
(a) Act
In Turkish Criminal Law, crimes are divided into two, as single action crimes and crimes with more than one action, according to the number of actions. Crimes for which the legislator considers a single action sufficient, and which are completed with this action, are called single action crimes. The crime of recording personal data is one of the single action crimes, since the article foresees that the crime occurs solely with the commission of the act of “recording”.
Crimes are divided into two as executive and negligent offenses according to the type of action. Executive crimes consist of performing a behavior that a prohibitive norm ordered not to be done, and therefore of violating, with a positive behavior, the rule that ordered it not to be done. Negligence crimes, on the other hand, in contrast to executive crimes, are committed with a negative behavior: the rules of law stipulate a certain imperative behavior, but this action is not taken. The crime of recording personal data prohibits the unlawful recording of personal data and punishes the act when an illegal recording is made in violation of this prohibition. In this respect, the crime of recording personal data is a crime committed by executive action.[6] As mentioned above, what is meant by recording is not only a recording made in an information system, but any type of record. Therefore, this recording can be realized by entering personal data into an information system or data transport tool, or it can be made by handwriting or writing in any way on a piece of paper. Regardless of how the personal data is recorded, this crime occurs as soon as the recording is made, as long as the recording is done illegally. For the crime of illegal recording of personal data to occur, it is not necessary to unlawfully record new data; this crime will also occur if data that was previously recorded in accordance with the law is taken from that source and recorded in an information system illegally or recorded in handwriting.
In the evaluation of whether or not the typical action continues, crimes are divided into two as immediate and continuous crimes. Crimes that are completed as soon as the act is committed, and whose execution is not required to continue for a certain period of time, are called immediate crimes; crimes that are completed with the execution of the action specified in the typicality, but do not end because the execution continues and the perpetrator has the opportunity and power to voluntarily continue the act, are called continuous crimes. Since the act of recording stipulated in Article 135 is not required to continue for a certain period of time and the illegal recording of personal data itself constitutes the crime, this crime is an immediate crime.
(b) Perpetrator
Since the term “anyone” is used for the perpetrator of the crime in Article 135, which regulates the crime of recording personal data, the law did not look for any characteristics in terms of the perpetrator, and therefore regulated that anyone could be the perpetrator of this crime. However, a special arrangement has been made in terms of the perpetrator being a public official, and this issue has been regulated as a qualified situation. Indeed, in Article 137 of the TPC, it is stipulated as a qualified situation for the perpetrator to be a public official. This qualified case will also be applied in terms of Article 135, and this issue will be explained in detail while examining the qualified cases of Article 135. In this case, it turns out that this crime is an apparently specific crime for the perpetrator. In seemingly specific crimes, while the basic form of the act can be committed by anyone, its perpetration by people with certain characteristics creates a qualified situation that requires an increase or decrease in the penalty for that crime. In terms of this crime, it is stated in Article 135 that the act can be committed by “anyone” who illegally records personal data. However, with the qualified state in Article 137, it is foreseen that the penalty will be increased if this crime is committed “by a public official” or “by taking advantage of the convenience provided by a certain profession and art”. Therefore, the crime of recording personal data, for the perpetrator, is a seemingly specific crime that can be committed by anyone in its basic form, but when it is committed by certain individuals, a qualified version of the crime occurs.
(c) Aggrieved
The victim is the owner of the material subject of the crime. Since no feature is shown in the article for the victim of this crime, the victim can be any individual. Although there is a contrary opinion in the doctrine, in our opinion, since the victim of this crime can only be real persons, the victim in terms of this crime can only be the real person who owns the subject, namely personal data. As a matter of fact, in the second paragraph of the text of the law that regulates this crime, information on “race origins, moral tendencies, sexual life, health status” of individuals is mentioned, and since such information can only belong to real persons, it is understood that the real persons are the ones to be protected by the regulation of this crime. In addition, while defining personal data in the justification of Article 135, which regulates the crime, “all kinds of information about a natural person” are mentioned. Legal entities, on the other hand, can only be harmed by the crime. At this point, it should be underlined that the person harmed by the crime is broader than the concept of the victim, and what should be understood from the person harmed by the crime is “the person whose legally protected interests are directly or indirectly violated by committing a crime”.
(d) Subject
“The person or thing to which the movement is directed constitutes the subject of the crime.” The subject of the crime of recording personal data is personal data. Within the scope of the Turkish Penal Code, any information that can be linked to a certain person or that shows its belonging to that person is within the scope of personal data. Examples include a person’s name, phone number, picture, fingerprint, genetic information, address, etc. Naturally, personal data related to the economic expenditures, telephone numbers and business activities of individuals, learned or recorded by a person due to his/her job, will also remain within this scope.
Crimes are divided into two according to whether or not the commission of the crime harms the subject of the crime. In cases where the typicality states that harm must occur on the subject in order for the crime to be committed, harm crimes are mentioned. Danger crimes are also divided into two, depending on whether the legislator envisages an investigation by the judge as to whether the action actually creates a danger to the subject of the crime. If the legislator has foreseen that the judge should investigate whether the committed act poses a danger to the subject of the crime, it is called a concrete danger crime. If such an investigation is not foreseen and the crime occurs when the action is taken, it is called an abstract danger crime.
No damage is sought for the crime of recording personal data. Therefore, this crime is not a harm crime; it is a danger crime, because the recording of personal data itself constitutes the crime, and the person whose personal data is recorded is not required to suffer any damage as a result. Since there is no statement in the text of the article regarding an investigation of whether the subject of the crime is in danger of being harmed as a result of the illegal recording of personal data, this crime is an abstract danger crime, and the crime occurs as soon as the recording is made.
(e) Result
It is possible to say that the crime of recording personal data is a pure act crime. In pure act crimes, the crime is accomplished and completed by the commission of the act. In this respect, there is no need for a result to occur in order to complete the crime in pure act crimes; with the execution of the act, the violation specified in the typicality is completed. In terms of the crime of recording personal data, there is no need for any result to occur, and the crime will have occurred when the unlawful recording of personal data takes place. Therefore, the recording of personal data alone will be sufficient for the crime to occur, and the perpetrator will not be required to use or benefit from these data.
(f) Qualified Elements of Crime
Article 137 of the Turkish Penal Code regulates the qualified circumstances as follows: “(1) In the event that the crimes defined in the above articles are committed; a) By a public official, by abusing the authority given by his duty, b) By taking advantage of the convenience provided by a certain profession and art, the penalty to be imposed will be increased by half”. These qualified cases will therefore apply only to the crimes in Articles 132-136; they will not be applied to Articles 138-140 in the continuation of the section.
(2) Moral Element
It would be correct to say that this crime can be committed with general intent. The legislator did not seek a special intent in terms of committing this crime, and did not specify a motive that would become an element of the crime. In addition, there is no provision in the law that the crime can be committed by negligence. In order for crimes to be committed by negligence, there must be a special regulation in the law stating that they can be committed by negligence, because in terms of the Turkish Penal Code it is the general rule that crimes are committed intentionally, and it is an exceptional case that crimes are committed by negligence. Therefore, it is clear that the crime cannot be committed by negligence, since there is no special regulation regarding the commission of this crime by negligence, as per Article 22 of the TPC.
In the regulation of the crime, the first paragraph, and the second paragraph in terms of certain data, refer to recording personal data “unlawfully”. Therefore, the law seeks a special awareness of illegality in terms of this crime. As a matter of fact, this issue is stated in Article 22 of the TPC as “Acts committed by negligence are punished in cases clearly specified by the law”. In terms of “unlawfully” recording personal data under paragraph 1 and “unlawfully” recording “personal data relating to moral tendencies, sexual life, health status or union connections” under paragraph 2, this crime can only be committed with direct intent; it cannot be committed with possible intent. However, in our opinion, since recording “unlawfully” is not specifically sought in terms of personal data on “persons’ political, philosophical or religious views, racial origins” in the first part of paragraph 2, it is possible to commit the crime with possible intent as well as with direct intent in terms of recording these data.
(3) Unlawfulness
The element of illegality in this crime should be examined in terms of paragraphs 1 and 2 of Article 135, and even by making a distinction between the personal data specifically mentioned in paragraph 2. In the first paragraph of the article, “the person who unlawfully records personal data” is mentioned, while in the second paragraph, “The person’s political, philosophical or religious views, racial origins; A person who unlawfully records information about his moral tendencies, sexual life, health status or union connections as personal data” is mentioned. Although a special awareness of illegality was sought by the legislator, through the term “unlawful”, in terms of “personal data” in general and “personal data pertaining to people’s moral tendencies, sexual life, health status or union connections”, the legislator did not use the term “unlawfully” in terms of “political, philosophical or religious views, racial origins”; therefore, no special awareness of illegality was sought for these personal data.
The reasons for compliance with the law make the act legally legitimate, and if one or more of the reasons for compliance with the law are found, both in the first paragraph and in the second paragraph and in terms of all personal data, the act of the person will cease to be a crime. The reasons for compliance with the law listed in the Turkish Penal Code are fulfilling the provision of law (TCK art. 24/1), self-defense (TCK art. 25), exercising the right (TCK art. 26/1) and consent of the person concerned (TCK art. 26/2).
d. Special Appearances of Crime
(1) Attempt
Since the crime of recording personal data is a pure act crime, this crime remains at the stage of attempt only if the enforcement actions are divisible. [7] For example, (A) cannot see the personal data shared by (B) only with his friends on his Facebook page if he is not a friend of (B). However, if (A) uses a program that allows him to see that data and copies the data in order to save it, but his computer shuts down before he can open a Word page to save it and he cannot save the data he wants to save, the crime of recording personal data will remain at the stage of attempt. Because in this case, he will have started the enforcement actions by copying the personal data, but since the enforcement actions could not be completed, for reasons beyond the will of (A), because he did not paste the data into the Word file and save the file, the crime would not have occurred.
As evaluated under the title of the moral element above, since no special awareness of illegality is sought in terms of personal data regarding the “political, philosophical or religious opinions, racial origins” of individuals, these data can be recorded with possible intent, and in such a case it will not be possible for the crime to remain at the stage of attempt. Since it is not possible to attempt crimes committed with possible intent, attempt cannot be mentioned in terms of recording these data with possible intent.
Voluntary renunciation is regulated in Article 36 of the Turkish Penal Code. According to this, “If the perpetrator voluntarily gives up the execution actions of the crime or prevents the completion of the crime or the realization of the result with his own efforts, he will not be punished for the attempt; but if the complete part essentially constitutes a crime, it will be punished only with the penalty for that crime.” In order to be able to talk about voluntary renunciation, the perpetrator’s free will must be present at the stage of renunciation, his will not having been affected by external material or moral reasons; voluntary renunciation has been defined as “If the perpetrator believes that he can take them to the end when he interrupts his enforcement actions and does not continue to perform despite this conviction, there is a voluntary renunciation”. In addition, in order for the voluntary renunciation provisions to be applied, the crime must have reached the stage of attempt, that is, the perpetrator must have started the execution of the crime directly. In pure act crimes, the result emerges as soon as the act is committed, and since the crime of recording personal data is a pure act crime, voluntary renunciation in terms of this crime will only be possible if the enforcement actions are divisible. Considering the example given above, if (A) voluntarily abandons the recording process and shuts down the computer or does not complete the copying process, voluntary renunciation will be mentioned and (A) will not be penalized for attempting to record this personal data. However, if (A) cannot complete his action due to factors beyond his will, such as computer shutdown or power cut, (A) will be punished for attempting this crime.
(2) Participation
In terms of this crime, it will be possible to talk about all aspects of participation.
Within the scope of the qualified version of this crime, if the participants are public officials or have a certain art or profession, the punishment to be given to these people will be more severe. Since one of the qualified cases of the crime is that the perpetrator is a public official, as stated at the top of our study, an apparently specific crime will be mentioned. According to the rule applied to participation in specific crimes, the person who does not have the necessary qualifications to be the perpetrator of the crime is held responsible as the instigator or helper, not as the joint perpetrator. However, pursuant to the principle of “the originality of the agency compared to the partnership”, if a non-public official and a public official commit this crime together, the perpetrator who is not a public official will be punished according to Article 135, and the perpetrator who is a public official will be punished according to the qualified condition in Article 137. In this respect, in order for the qualified version of the crime regulated in Article 137 to be committed, the perpetrator must be a public official, and in the event that a non-public official incites or assists a public official, that person will be held responsible as the instigator or helper. But if a non-public official personally participates in the commission of the crime, this person will be punished not as instigator or helper, but as the perpetrator according to Article 135, in accordance with the principle of the originality of the agency compared to the partnership.
(3) Assembly
First of all, it is necessary to evaluate the crime in Article 135 within the scope of the chain crime provisions. If the crime of recording personal data is committed more than once against the same person at different times, the provisions of the chain crime regulated in the first paragraph of Article 43 of the TCK will apply. According to this provision, “In case the same crime is committed more than once against a person at different times within the scope of the execution of a decision to commit a crime, a penalty is imposed. However, this penalty is increased from one quarter to three quarters.”
In the case of recording the personal data of more than one person in a single action, there are two different views in the doctrine. According to one of them, in this case, the chain crime provisions will be applied; however, according to the other view, crime will occur as much as the number of people to whom the data belongs. The case of committing a crime against more than one person with a single act is regulated in the second paragraph of Article 43 of the TPC, and in the doctrine it is called the same kind of intellectual gathering by some authors. According to this, “In case the same crime is committed with a single act against more than one person, the provision of the first paragraph is applied”, that is, a penalty is imposed, but this penalty is increased from one quarter to three quarters. In the third paragraph of the article, it is stated that this provision will not be applied for the crimes of willful killing, deliberate injury, plunder and torture, and a separate penalty will be given for each crime. In this respect, in our opinion, since the crime of recording personal data is not one of the crimes included in the third paragraph of Article 43 of the TPC, the first opinion in the doctrine is correct, and if the personal data of more than one person is recorded unlawfully with a single action, a penalty will be imposed by applying the provisions of the same kind of intellectual gathering, but the penalty of the perpetrator will be increased.
In the first sentence of the first paragraph of Article 132, violation of the confidentiality of the communication between individuals was regulated as a crime, and in the second sentence, it was stipulated that the penalty would be increased if this privacy violation occurred by recording the contents of the communication. In the event that personal data is also recorded during the recording of the contents, the provisions of different kinds of intellectual gathering will be applied between the two articles.
In the first paragraph of Article 133 of the TCK, listening to non-public conversations with an instrument or recording them with a sound device is regulated as a crime. If the person who records the non-public conversations between persons with an audio device, which is regulated as a crime in the article, also records some personal data, the crime of recording personal data will also be committed, and the provisions of intellectual gathering will be applied between the two articles. If the personal data of more than one person is recorded during the recording, the crime of recording personal data will have been committed against more than one person in a single act, and the punishment of the perpetrator will be increased by applying the chain crime provisions, in accordance with the provisions of the same kind of intellectual gathering.
In the second paragraph of Article 133, recording a non-public conversation with a voice receiver without the consent of the other speakers is regulated as a crime. Similar to the explanation we made in the paragraph above regarding the first paragraph of Article 133, if a person, while recording the conversation, also records the personal data of the persons whose voice he has recorded or of others, the crime of recording personal data regulated in Article 135 will also occur.
The first paragraph of Article 134 states: “Anyone who violates the privacy of individuals is sentenced to imprisonment from six months (changed from one year) to two years (changed to three years) or a judicial fine. In case of violation of confidentiality by recording images or sounds, the penalty to be imposed is increased by one fold.” According to an opinion in the doctrine, if personal data is recorded in violation of the privacy of private life, the crime defined in the first paragraph of Article 134 will occur. In our opinion, this view is partially correct, because the second sentence of the first paragraph of Article 134 mentions violation of privacy by recording “images or sounds”. In these circumstances, it should be accepted that, even if the privacy of private life is violated in a sense, in terms of recording personal data other than images or voices, the crime of recording personal data in Article 135 will occur, not the crime defined in Article 134. If recording “images or sounds”, which are personal data, is in question, then the provisions of different kinds of intellectual gathering will be applied between Article 134 and Article 135. The opinion of the Supreme Court is that if there is an image, the crime in Article 134 will occur. In case of being in the public area, Article 135 will find application.
It is also possible to commit the offense regulated in Article 243 of the TCK titled “Entering the Information System” and the offenses in Article 135 together. In this case, it is also known that those who will record personal data may commit this crime by entering information systems. Article 243 of the TCK stipulates that “any person who illegally enters the whole or part of an information system and continues to stay there” will be punished. Therefore, a person who wants to record someone else’s personal data, if this personal data is recorded in an information system, will first enter this information system, then take the data there and save it to a place of his own choice. In terms of situations where the perpetrator must enter an information system in order to access and record personal data, according to an opinion that we also agree with in the doctrine, the crime of entering the information system in article 243 will be a gated crime in terms of the crime of recording personal data in article 135. Thus, a single crime will occur, and the perpetrator will be sentenced to the punishment stipulated only for the crime of recording personal data. However, if the perpetrator has entered an information system and stayed there for a certain period of time and has recorded the personal data he accidentally saw in the system, then it will be necessary to accept that the perpetrator should be punished for both crimes by applying the real rules of discussion between these two crimes.
e. Sanction
It is decided to impose the crime of recording personal data, to impose 1 assignment and up to 3 penalties. In this law, the penalty for this person to benefit from the use of a certain profession and art to be filled by the public is increased by half, according to the article th, which is only by the soul.
In addition, personal data, political or religious views, racial origins; It is increased in such a way that it will be in the first case in the situation regarding their inferiors, their health, their connection with sexual life, unlawfully.
According to the 231st final sentence of the Code of Criminal Procedure, “if the accused is sentenced to less than trial for the crime tried without trial, if the sentence is two years or more limited imprisonment or a judicial fine; to the vested soldier of his decision.” The same may have been obtained for madness, with regard to the opinion of a person previously taken to have been in the state of this decision, by the court, the opinion of the person concerned and to obtain the re-purposed business for consideration public arrival to find out, opinion and examination of a person estimating the target of the crime Considered to apply, to be returned in the same way, to be received before the request or to be purchased on compensation 2 years less than the recording of personal data or further decision If necessary, it can be given to HAGB.
TCK.140 According to the details of the descriptions of the symptoms of crimes in my own examples, violence is typically condemned.
f. Investigation Procedure, Commissioned and Competent Court, Timeout of Litigation
Criminals in Article 135 will be tried at the Criminal Court of First Instance, the draft of Article 11 of Law No. 5235. In the workshop of the events stipulated in Article 137, there will be the Criminal Court of First Instance.
CMK m. 12 shopping will find general jurisdiction regulation area.
Being shot by the Code of Criminal Procedure’3, the crimes related to the incident and the intentionally included in the article (article 86; article 88, except for the third paragraph), the nature of the injury by negligence (article 116), to be reviewed for the complaint, and the detainee (article 234), trade secret, disclosure of the confidential side of the secret to the owner of knowledge or knowledge (see Reconciliation, stop the education foundations from stopping the foundations of the victim’s victims and trainings for planning a training within the scope of “user rights”. In this regard, the crime of recording personal data 139 of the TPC is not included in the evaluations because it is not among the crimes considered subject to 253 of the CMK.
According to TCK m 66/1, the statute of limitations for even this offense is eight years, and if the ongoing cases are applied, the statute of limitations will continue to be within the scope of the upper estimated year.
B) TCK article 136: Unlawfully Giving, Disseminating or Capturing Data
a. General Information
Unlawful or seizure of data 136, With personal data of the TCK, illegally giving a third, giving four or up to ten to two pedestrians, giving one amount in violation of two events, being on trial, in breach of two events or with seizure judged.” formatted.
b. Legal Value Protected by Crime
Contrary to giving personal data is to suspect privately, as in the crime of seizure, recording or crime of personal data.
c. Elements of Crime
(1) Material Elements
(a) Act
The crime of illegally giving or obtaining data is a crime with optional acts. In crimes with optional acts, more than one independent action is foreseen in the type of crime, and it is sufficient for the perpetrator to commit any one of them to complete the crime. This crime will occur with the realization of one of the acts of giving, spreading or seizing.
There is more than one definition in the doctrine for giving, spreading and seizing, and it is necessary to mention a few of them. According to Yaşar-Gökcan-Artuç, giving is “presenting something one has to another”; dissemination; seizing is “to obtain a material in the possession of another person against his or her consent”. [8] Even if it is possible for the act of seizure to take place in the form of recording, it is considered that the remaining actions are meant, since recording is clearly regulated under article 135.
Considering the elective acts stipulated in the article, it is seen that the crime is one of the executive crimes, because the legislator has prohibited the unlawful giving, seizing or dissemination of personal data, and stipulated that those who do these acts by violating this prohibition should be punished. At this point, it should be noted that, in terms of the act of dissemination, if consent is given from the beginning and subsequently withdrawn, the act that was initially lawful will constitute an unlawful act if the dissemination is not terminated, and the crime will be formed by negligence. For example, if a person consents to the sharing of their picture on a social networking site, the picture can be shared and this act will not constitute a crime. However, as soon as the person’s consent is withdrawn, not removing the picture from the site where it was shared, that is, remaining inactive, will constitute a crime. In this respect, in terms of the act of dissemination, if the data constituting the subject of the crime is unlawfully disseminated, it will be a criminal act; but if personal data that was spread in accordance with the law at the beginning continues to be spread after the lawfulness has disappeared, a crime by negligence will occur.
In terms of the optional acts of giving or taking possession of the crime regulated in Article 136, there is an immediate crime since the act will be committed. However, when evaluated in terms of the “spreading” movement, we believe that the crime can be considered both as an immediate crime and as a continuous crime. For example, if a person’s personal data is illegally published on a website, the crime will be completed, but the crime will not be over since these data will continue to be presented to different people at different times as long as they remain on that website. However, in case personal data is sent to more than one person by mail, it will be considered as an immediate crime since the act of dissemination will be committed as soon as the mail reaches these people.
(b) Perpetrator
In Article 136, which regulates the crime of unlawful giving, dissemination or seizure of personal data, the word “person” is used for the person who can commit the crime. The law did not look for any characteristics in terms of the perpetrator, it regulated that anyone can commit this crime, and therefore everyone can be the perpetrator of this crime. However, with the 137th article of the TPC, a special regulation was introduced and the perpetrator’s being a public official was regulated as a qualified situation. In this respect, as in Article 135, the crime of illegally giving or obtaining personal data is a seemingly specific crime for the perpetrator, the basic form of which can be committed by anyone, but when committed by certain individuals, a qualified form of the crime occurs.
(c) Aggrieved
Since no feature is shown in the article in terms of the victim of the crime, every real person can be the victim of this crime.
(d) Subject
The subject of the crime of illegally giving or obtaining personal data is “personal data”.
It is an abstract danger crime.
(e) Result
The crime of giving or obtaining personal data unlawfully is a pure act crime. In pure act crimes, the crime is accomplished and completed by performing the act. Therefore, in such crimes, it is not necessary for the result to occur in order to complete the crime; with the execution of the act, the violation specified in the typicality is completed.
(f) Qualified Elements of Crime
According to Article 137 of the TPC, if the crime is committed by a public official by abuse of his authority or by taking advantage of the convenience provided by a certain profession and art, the penalty to be imposed will be increased by half. The explanations made for TCK Article 135 are also valid for this crime.
(2) Spiritual Element
It would be correct to say that the crime of illegally giving or obtaining personal data can be committed with general intent. The legislator did not seek a special intent in terms of committing this crime, and did not specify a motive that would become an element of the crime. In addition, there is no provision in the law that the crime can be committed by negligence.
The regulation of the crime speaks of giving or obtaining personal data “unlawfully”. Therefore, the law seeks a special awareness of illegality in terms of this crime. Because personal data must be given or obtained “unlawfully”, this crime can only be committed with direct intent; it cannot be committed with possible intent.
(3) Unlawfulness
As in the first paragraph and part of the second paragraph of Article 135, the acts of giving, disseminating or seizing shall be committed “unlawfully” in order for the crime defined in the article 136 to occur. Therefore, giving, disseminating or capturing someone else’s personal data in accordance with the law will no longer constitute the crime in Article 136. Since the act must be committed unlawfully for the crime to occur, it is clear that the crime will not occur when it is committed in accordance with the law. The reasons for compliance with the law make the act legally legitimate, and if one or more of the reasons for compliance with the law are found both in the first paragraph and in the second paragraph in terms of all personal data, the act of the person will cease to be a crime. In terms of this article, fulfilling the law with the consent of the person concerned is the grounds for compliance with the law.
d. Special Appearances of Crime
(1) Attempt
The crime of illegally giving, disseminating or seizing personal data regulated in Article 136 is a pure act crime; nevertheless, if the enforcement actions are divisible, it seems possible, considering the nature of the crime, for it to remain at the stage of attempt.
In case the enforcement actions are divisible, voluntary waiver can also be mentioned in terms of this crime. If the perpetrator voluntarily gives up on giving, disseminating or capturing personal data before the execution activities are completed, the perpetrator will not be punished for attempting this crime, but if his actions so far constitute another crime, he will be punished for that crime. For example, (A) legally retains (B)’s personal data, but decides to unlawfully send them to his journalist friend (G). While preparing to send this data by e-mail, (A) writes (B)’s personal data in the mail and adds (G)’s e-mail address to the address section, but then he thinks that what he did may be wrong, keeps this e-mail as a draft among his e-mails and does not send it to (G). As a result of a lawful search, this draft e-mail on (A)’s computer comes to light. In this case, it will be said that (A) decided to give (B)’s personal data unlawfully and started the execution of the crime, but voluntarily gave up committing the crime of his own will, and he will not be punished. On the other hand, if (A) had decided to send the personal data not from his own e-mail address but from the e-mail address of his brother (K), which he had entered by breaking his password, and had given up and left the e-mail in draft form, he will not be punished for the attempted crime in Article 136, since there was voluntary renunciation. However, since the fact that he entered his brother’s e-mail address by breaking his password constitutes the crime of entering the information system regulated in Article 243 of the TCK, and this crime is another crime committed until the moment of giving up the crime of giving personal data, (A) will be punished for the crime in Article 243.
(2) Participation
In terms of this crime, it will be possible to talk about all aspects of participation.
(3) Assembly
The same kind of intellectual meeting provisions that will be applied in case of a chain crime and the crime is committed against more than one person are the same as our previous explanations.
In the second paragraph of Article 132, illegal disclosure of the contents of communications between individuals, and in the third paragraph, public disclosure of the content of communications made with the person without the consent of the other party is regulated as a crime. Accordingly, if a person commits one of these acts and commits the crime set out in the second or third paragraph of Article 132, if the contents of the disclosed communication include personal data of others or the parties to the communication, besides Article 132, Article 136 will also be violated. In such a case, different kinds of intellectual meeting provisions will be applied between the crimes and the perpetrator will be punished for the crime that requires the heaviest penalty.
In the third paragraph of Article 133, according to the first two paragraphs of the article, “recording non-public conversations between persons with a sound recording device without the consent of any of the parties” or It is a crime for a person to give them to others or to obtain information by other people. In the event that the contents of the communication recorded in accordance with the first two paragraphs of Article 133 also contain the personal data of the parties to the non-public conversation or of others, and the perpetrator gives these communication contents to someone else or enables other persons to obtain information, the crime regulated in Article 136 will have occurred. In our opinion, in such a situation, since the perpetrator would have caused more than one crime to occur with a single act, the provisions of intellectual discussion will be applied about the perpetrator, and the perpetrator will be punished with the crime that requires the heaviest penalty.
In the second paragraph of Article 134, which regulates the crime of violating the privacy of private life, it is stated that anyone who discloses the images or sounds related to the private life of individuals will be sentenced to imprisonment from one year to three years (changed from two to five years). In the event that the perpetrator discloses images or sounds related to the private life of individuals, and if these sounds or images contain the personal data of the persons or others to whom they belong, the act of illegally disseminating personal data will also occur and the crime regulated in Article 136 will occur. In this case, the perpetrator will have caused the violation of more than one crime with a single act, but he will not be punished separately for both crimes and will be punished with the most severe crime in accordance with the rules of intellectual community.
There are different opinions in the doctrine in terms of the rules of association in the case of the crime of recording personal data in Article 135 and the crimes of illegally giving or obtaining personal data defined in Article 136. In our opinion, if a person who acts with the intention of committing the crime regulated in Article 136 is required to record personal data in order to be able to seize, disseminate or give them away, a gated crime can be mentioned here.[9] Because, if the intention of the perpetrator is to commit the crime in Article 136 and the “registration” made at this time is carried out in order to commit the acts in Article 136, it will be accepted that there is only one crime and the perpetrator will be punished for the crime regulated in Article 136. However, if the perpetrator first performs a registration process and then, at a different time and independently of it, illegally gives, seizes or disseminates the personal data he recorded, it should be accepted that there are two separate crimes, and the perpetrator should be punished for both. In cases where a person both records and captures or disseminates or gives personal data with a single action, it will be necessary to talk about intellectual gathering.
It is also possible that the crime of entering the information system regulated in article 243 of the TCK and the crime regulated in article 136 of the TCK can coexist. In this case, it is known that the perpetrator can carry out the acts of giving, disseminating or seizing personal data much more easily by entering information systems. Article 243 of the TCK stipulates that “any person who illegally enters the whole or part of an information system and continues to stay there” will be punished. Therefore, a person who wants to give, disseminate or seize the personal data of another person, if these personal data are registered in an information system, will first enter this information system and then may unlawfully capture the data there. Similarly, it is clear that the perpetrator who wants to give personal data to someone else can commit this act much more easily by e-mail, and in terms of dissemination, he can commit this act by sending more than one e-mail at the same time or by sharing this data in forums that more than one person can access. In terms of situations where the perpetrator has to enter an information system in order to reach personal data and to seize, give or disseminate them, according to an opinion in the doctrine that we agree with, the crime of entering the information system in Article 243 will be a gated crime in terms of the crime defined in Article 136. Thus, the perpetrator will be punished only for the crime of illegally giving or obtaining personal data. However, when there is no situation that requires the perpetrator to enter an information system in order to commit the crime in Article 136, for example, if the perpetrator decides to take the personal data he sees there after breaking the password of a person and entering his e-mail address, real discussion provisions will be applied between the two crimes, and the perpetrator will be punished for two separate crimes.
In terms of the implementation of Article 136, another issue to be emphasized under this title is the legal dispute that may arise with Article 244 of the TPC. The second paragraph of Article 244, which states that “Anyone who corrupts, destroys, changes or renders inaccessible data in an information system, places data on the system, or sends existing data to another place shall be punished”, contains a provision similar to Article 136. However, although sending the data mentioned in Article 244 to another location seems similar to the crime in Article 136, the crime regulated in Article 136 covers only personal data, while the offense in Article 244 is for all data in general. In addition, in Article 136, the giving, dissemination or seizure of personal data may be through the information system or by other means. However, sending existing data to another place or placing data in the system, as set out in Article 244, can only be done within the information system. In our opinion, in the event that personal data is sent to another location by using information systems or data is placed in the system, if these data are personal data and there is an unlawful transfer or dissemination at the same time as this act, both the crime defined in Article 136 and the crime regulated in Article 244 will occur. If the perpetrator commits more than one crime with a single act, he will be punished with the penalty for the most serious crime, in accordance with the provisions of different kinds of intellectual gathering. However, without unlawful giving, dissemination or seizure of personal data, Article 244 alone will find application in case such data is corrupted, destroyed, changed or rendered inaccessible by the acts listed in Article 244.
e. Sanction
Anyone who commits the crime defined in Article 136 of the TCK is sentenced to imprisonment from 2 years to 4 years. However, in accordance with Article 137, which is regulated in the law as the qualified version of this crime, if this crime is committed by a public official or by taking advantage of the convenience provided by a certain profession and art, the penalty to be imposed is increased by half.
Since the lower limit of the penalty foreseen for TCK Article 136 is 2 years, HAGB (adjournment of the announcement of the verdict) cannot be ordered unless the sentence is set at the lower limit.
If the perpetrator of this crime is sentenced to imprisonment, the deprivation of rights in this article will be applied to the perpetrator in accordance with Article 53/1 of the TCK. In the event that a public official commits this crime, which is one of the qualified cases of the crime, it is also decided to deprive the perpetrator from public office from half to one-fold of the penalty given to the perpetrator in accordance with Article 53/5 of the TPC, regardless of whether the sentence given is a prison sentence and whether it is postponed.
Pursuant to Article 140 of the TPC, if legal persons gain unlawful benefits due to the commission of this crime, the security measures stipulated in Article 60 of the TPC will be applied to them.
f. Investigation Procedure, Commissioned and Competent Court, Timeout of Litigation
Since there is no crime of illegally giving or seizing the personal data in Article 136 among the crimes related to the complaint contained in the TCK article 139, the investigation and prosecution of this crime will not be dependent on the complaint, but will be made ex officio by the Public Prosecutor’s Office.
Persons who commit the crime in Article 136 will be tried in Criminal Court of First Instance in accordance with Article 11 of Law No. 5235. Since aggravating and mitigating factors do not affect the determination of the competent court in accordance with Article 14 of the same law, even in case of qualified cases stipulated in Article 137, the competent court will still be the Criminal Court of First Instance.
For the determination of the competent court, the basic principles of criminal and criminal procedure law will be applied.
The crime of illegally giving or obtaining personal data is not a crime subject to reconciliation, as it is not subject to complaint pursuant to Article 139 of the TPC and is not among the crimes listed in Article 253 of the CMK. According to Article 66/1 of the TCK, the statute of limitations for this offense is eight years. In cases where qualified cases (Article 137 of the TCK) are to be applied, Article 66/3 states that “In determining the statute of limitations for the case … the qualified cases of the offense that require a heavier penalty”; this period is 15 years in accordance with Article 66/1-d.
C) TCK m. 138: Not Destroying Data
a. General Information
The crime of not destroying the data is regulated in Article 138 of the TPC as “Those who are obliged to destroy the data within the system despite the deadlines set by the laws are sentenced to imprisonment from six months to one year (changed from one year to two years) when they do not fulfill their duties”. Basically, it was aimed to prevent personal data from being kept arbitrarily, and if these personal data are not destroyed within the legal timeframes stipulated by the law by those responsible for destroying them, it is subject to a sanction.
b. Legal Value Protected by Crime
Considering that the crime is regulated in the Crimes Against Persons section and in the Crimes Against Private Life and Secret Area of Life section, it is understood that the main value that is tried to be protected by the establishment of the crime is the privacy of the private lives of the data subjects whose personal data are not destroyed.
c. Elements of Crime
(1) Material Elements
(a) Act
The act constituting the crime is not destroying the personal data recorded in accordance with the law on legal grounds, by the persons obliged by the law, within the periods stipulated by the law.
If the recorded personal data is saved in an information system, it can be deleted from there, and if it is recorded on a certain document, the document can be destroyed. However, the point to be considered here is that the recorded personal data must be destroyed in a way that cannot be recovered, in order for the crime not to occur. Simply deleting a piece of information from the records kept on computers does not mean destroying it, because this information can be recovered by some methods. For this reason, in our opinion, the recorded personal data should be destroyed in a way that makes it impossible to recover.
The laws generally specify the period of time within which recorded personal data should be destroyed, as in the Code of Criminal Procedure, and in cases where this period is clearly indicated, the person responsible for destroying the data has to destroy the data before this period expires. However, the law that stipulated the recording of data may have included concepts such as “immediately deleted” or “immediately destroyed” instead of specifying a clear period for their destruction. According to an opinion in the doctrine, which we also agree with, the statements that do not have definite deadlines in the law are also imperative and it is necessary to destroy the data within a reasonable time according to the concrete event.[10] Since the crime of not destroying the data means not performing an action that should be taken, this crime is one of the crimes that can be committed by omission.
(b) Perpetrator
Only the person responsible for destroying the data can commit the crime of not destroying the data. In this respect, it should be accepted that this crime is a specific crime and not a crime that can be committed by everyone.
(c) Aggrieved
Since we agree with the idea that the fundamental legal value protected is the privacy of private life, we believe that it is necessary to accept that the victims of this crime are those whose personal data are not deleted.
(d) Subject
The subject of the crime is the personal data recorded in accordance with the law. In order for the crime in this article to occur, personal data must be recorded in accordance with the law and must be required by law to be deleted at certain times. For this reason, it can be mentioned that the personal data recorded in accordance with the law should be deleted when the legal deadlines expire.
If the personal data is recorded illegally, the crime of illegally recording the personal data, which has already been examined above and regulated in Article 135 of the TPC, will occur.
In order for the crime of not destroying the data to occur, it is not required that any damage has occurred, and the crime will be completed if the data is not destroyed even though the legal deadlines have passed. It has the status of abstract danger crime.
(e) Result
In terms of the crime of not destroying the data, it is possible to say that the crime is a pure act crime, and since in such crimes the crime is completed only by performing the action, it is not necessary for the result to be revealed in order to complete the crime.
(f) Qualified Elements of Crime
As the text of article 138 does not foresee any qualified situation for the crime, since the phrase “crimes defined in the above articles” is included in article 137 of the TPC, the qualified situations stipulated in this article do not include the crime of not destroying data. For this reason, there is no qualified situation that requires aggravating or mitigating the penalty for this crime, which is regulated in Article 138 of the TPC.
(2) Spiritual Element
The crime of not destroying personal data regulated in Article 138 of the TCK can be committed with general intent. No motive was sought for the crime to be committed. For this reason, it is sufficient that the perpetrator deliberately does not fulfill this duty even though the legal deadlines have passed and he is obliged to destroy the recorded personal data. Since there is no regulation in the TCK regarding negligence, it will not be possible to commit the crime by negligence, and the perpetrator must act deliberately.
(3) Unlawfulness
Since there is no specific reason for compliance with the law stipulated for the crime of not destroying the data, the reasons for compliance with the law will be determined according to the general provisions of the Turkish Penal Code. It can be thought that the fulfillment of the provision of law (performance of duty), which is one of the reasons for compliance with the law, may constitute a reason for compliance with the law in terms of this crime. Although there are contrary views in the doctrine, in our opinion, if the person concerned has consent, a crime does not occur.
d. Special Appearances of Crime
(1) Attempt
Since the crime of not destroying the data is a crime of omission, the crime will have occurred if the personal data is not deleted when the time specified in the law expires. Because the crime is complete as soon as the data is not deleted despite the expiry of that time, it would be appropriate to accept that this crime is not suitable for attempt.
(2) Participation
In our opinion, since this crime is a specific crime and only those who are assigned to destroy personal data in certain periods can commit this crime, the rules of participation in specific crimes will be applied in the crime of not destroying data. Accordingly, in terms of the crime of not destroying personal data, only the person who is obliged by law to destroy this data can be the perpetrator of the crime, so those who commit this crime together with that person can only be responsible as the instigator or helper pursuant to the second paragraph of Article 40 of the TCK.
(3) Assembly
If the personal data recorded in accordance with the law are not deleted within the periods determined by the laws, if this crime is committed against the same person more than once at different times, the chain provisions will be applied, but if the same personal data of the same person is not deleted for a very long time, this will be considered a single crime and the chain crime provisions will not be applied. Similarly, if the personal data in the personal data record belongs to more than one person and they are not deleted despite the legal deadlines, the personal data of more than one person will not have been deleted, and the crime will be committed against more than one person with the same act. In this case, the same kind of intellectual aggregation provisions will be applied and the penalty will be increased.
On the other hand, it is necessary to focus on the possible association between the crime of illegally giving or obtaining the data regulated in Article 136 of the TPC and this article. Even though the period for keeping the legally recorded personal data has expired, the person responsible for deleting them may not delete the data and may also unlawfully give this data to others. In our opinion, in this case, the perpetrator will have to be punished in accordance with the provisions of real discussion between Articles 136 and 138 of the TPC.
e. Sanction
As a sanction for the crime of not destroying personal data, only the penalty that binds freedom is foreseen in the law, and the penalty is determined as imprisonment from six months to one year (from one year to two years).
Since the prison sentence foreseen for the crime of not destroying the data is determined as 1 year to 2 years and the qualified cases specified in the article 137 are not applied to the crime regulated in this article, the sentence to be determined by the judge will be imprisonment for two years or less. In this respect, if the conditions listed in Article 231 of the CCP are fulfilled, the adjournment of the announcement of the verdict may be implemented.
In the event that legal persons gain unlawful benefits due to the commission of this crime, the security measures stipulated in Article 60 of the TPC will be applied to them, as stipulated in Article 140 of the TPC.
f. Investigation Procedure, Commissioned and Competent Court, Timeout of Litigation
The investigation and prosecution of the crime regulated in Article 138 is not dependent on the complaint, because while the crimes that are related to the complaint are regulated in article 139, the crime of not destroying the data in article 138 is not included here, and in this respect, the investigation and prosecution of the crime will be carried out ex officio by the Office of the Chief Public Prosecutor.
Pursuant to the tenth article of Law No. 5235, since the upper limit of the prison sentence stipulated for this crime is less than two years, the court in charge of hearing the lawsuit is the penal court of peace. (According to the new regulations, Criminal Courts of First Instance)
For the determination of the competent court, the basic principles of criminal and criminal procedure law will be applied, and since detailed explanations on this issue were made while examining Article 135, this issue will not be discussed again.
The crime of illegally giving or obtaining personal data is not a crime subject to reconciliation, as it is not subject to complaint pursuant to Article 139 of the TPC and is not among the crimes listed in Article 253 of the CMK.
The statute of limitations for the offense is eight years in accordance with Article 66/1-e of the TCK.
[1] Şimşek, p. 7; Küzeci, p. 108.
[2] Turkey ratified the Convention on 18 May 1954. Official Gazette dated 19 March 1954, No. 8662, http://www.inhak-bb.adalet.gov.tr/aihs/aihs.htm, 07.05.2012.
[3] Atak, Avrupa Konseyinin Kişisel Veriler Açısından Sağladığı Temel Güvenceler, p. 104; Bygrave, p. 10; Ketizmen, Muammer, Türk Ceza Hukukunda Bilişim Suçları, 1st ed., Ankara 2008, p. 200; Akyürek, Güçlü, “Kişisel Veriler ve Özel Hayatın Gizliliği Hakkı”, Suç ve Ceza Dergisi, No. 3, July-August-September 2001, p. 47.
[4] For detailed information see Vicien-Milburn, Maria, “The United Nations And Personal Data Protection”, October 2005, p. 1, http://www.adatum.ru/downloads/conferences/27th/The%20united%20nations%20and%20personal%20data%20protection.pdf, 28.02.2012; the regulation on medical standards and clearances adopted by the United Nations on 15 August 2000: “Medical standards and clearances”, http://www.fsu.unlb.org/docs/related_documents/AI-2000-7.pdf, 28.02.2012.
[5] Keser Berber, Leyla, “Uluslararası Standartlar ve İyi Uygulama Kodları Işığında Kişisel Verilerin Korunması ve Kişisel Bilgi Yönetimi Sistemleri Oluşturulması”, p. 2, http://www.docstoc.com/docs/91480740/ULUSLARARASI-STANDARTLAR-ISIGINDA-KISISELVERILERIN-KORUNMASI, 13.05.2012.
[6] Dülger, p. 271.
[7] Toroslu, p. 294.
[8] Yaşar-Gökcan-Artuç, p. 4126.
[9] See Soyaslan, p. 348.
[10] Yaşar-Gökcan-Artuç, pp. 4134-4135.
Begüm BÖREKCİ