The Turkish Personal Data Protection Authority Published the Guidelines on the Right to be Forgotten
| Data Protection
The Turkish Personal Data Protection Authority Published the Guidelines on the Right to be Forgotten
Article by Cansen Erensoy, Ulya Tan and Bahadır Aslan
The Guidelines on the Right to be Forgotten (“Guidelines”) has been published on the Personal Data Protection Authority’s (“DPA”) official website on October 20, 2021. The right to be forgotten concerns the right to request the removal of access to personal data. In fact, the right to be forgotten is associated with the right to protect the honour of an individual by restraining access to the personal data of an individual by third parties.
The Guidelines evaluated the right to be forgotten specifically in terms of the results on the search engines. The Guidelines initially provided explanation on the right to be forgotten under international and local legislations. In terms of Turkish law, the right to be forgotten is evaluated under Law No. 6698 on Protection of Personal Data (“DP Law”) and the Personal Data Protection Board’s (“Board”) decision dated June 23, 2020 and numbered 2020/481 (“Decision”) on several applications submitted before the DPA regarding the requests of removal of results containing individuals’ personal data from search engines.
Right to be Forgotten in International Law
The Directive 95/46/EC on the Protection of Individuals with regards to the Processing of Personal Data and on the Free Movement of Such Data ("Directive”) does not provide the right to be forgotten, however grants a right to erasure or blocking of data which are incomplete, inaccurate or stored in a way incompatible with the legitimate purposes.
The first recognition of the right to be forgotten before the judicial authorities is the Google Spain v. Gonzalez decision of the Court of Justice of the European Union (“CJEU”) dated May 13, 2014, which is also considered as the most important judicial decision on this matter. The CJEU concluded that the information and links in the results displayed on search engines should be erased in case they are inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing. It is evaluated that the right to respect for private life and the right to the protection of personal data override both the economic interest of the search engine and the interest of the general public in having access to certain information upon a search relating to a data subject. The CJEU defined the search engines as data controllers considering their significant power, responsibility and capabilities in the distribution and control of data in line with the Directive.
Finally, the General Data Protection Regulation (“GDPR”), which repealed the Directive, entered into force on May 25, 2018. Although the right to be forgotten is not defined under GDPR, it is evaluated under Article 17 titled “Right to Erasure”. According to Article 17 of GDPR, data subjects can request the erasure of personal data in case the data are no longer necessary in relation to the purposes for which they were collected or processed.
Right to be Forgotten in National Law
The Guidelines explicitly stated that currently there are no regulations that give place to the right to be forgotten under Turkish law, however there are other means to benefit from this right. Article 20 of the Constitution of the Republic of Turkey recognizes the right to request the protection of personal data as a fundamental right. As per DP Law, Article 4 regarding the general principles for the processing of personal data, Article 7 regarding erasure, destruction or anonymisation of personal data and Article 11 regarding the rights of data subjects, constitute the basis of the right to be forgotten.
The Guidelines included the details of the Decision which evaluates several requests submitted before the Authority. Accordingly, the prominent evaluations regarding the right to be forgotten in line with the Decision under the Guidelines are provided below:
- The right to request the prevention of access to the results related to individuals further to the searches based on name and surname in the search engines shall be qualified as “the request of removal from the index”.
- Search engines shall be considered data controllers and the activities of search engine operators shall be considered as data processing.
- Upon the request of the removal from the index, a balance test shall be performed as to whether the public interest on the relevant information prevails over the fundamental rights and freedoms.
- Data subjects should initially apply to the relevant search engine for their requests of removal of search results from index, and in the event that the data controller declines or fails to respond the request, data subjects can apply to the Board along with the judicial bodies.
The Guidelines further noted that the right to be forgotten is not an absolute right, accordingly it can be requested by the data subjects under certain conditions where the relevant data is inaccurate, unsuitable, irrelevant or disproportionate for the purposes of relevant data processing. It is also underlined that the access to the relevant content is not completely prevented, meaning that the data is not entirely removed from the internet, and thus the relevant content may still be reached through different set of keywords.
Criteria to Consider when the Board Examines the Request to be Removed from Index
The Guideline provided the following criteria determined within the Decision which should be initially considered by the search engines in case data subjects request the removal of certain results from search index:
- Whether the data subject plays an important role in public life: The results concerning the individuals playing a role in public life such as politicians, public administrators, businesspeople, famous artists and athletes, religious leaders and people subject to media, may include certain data that requires the relevant search results to be disclosed to the public given their professions. Accordingly, any request pertaining to right to be forgotten raised by such data subjects would be less likely to be accepted. However, removal requests for data pertaining to private life would be more likely to be removed from search results.
- Whether the subject of the search result is a child: In case the data subject is underage at the time of publication of relevant data, the principle of “best interest of the child” should be considered.
- The accuracy of the content of the information: It should be evaluated whether the published information reflects the truth or creates an inaccurate and misleading impression about the data subject. It is noted also that the burden of proof lies on the data subject in case of any dispute on the accuracy of the information.
- Whether the information pertains to one’s business life: The data regarding a data subject’s business life would be less likely to be removed from search engines.
- Whether the information is of insulting, derogatory, slanderous nature regarding the data subject: In case the data controller rejects a data subject’s request of removal of the links containing insulting, derogatory or slanderous statements, it would be more appropriate to resolve this issue through the courts instead of submitting a complaint to the Board.
- Whether the information is of the nature of sensitive personal data: The requests of removal of links containing sensitive personal data from search engines are more likely to be accepted. With regards to the sensitive personal data of public figures, the public interest in disclosure of such data might also be evaluated.
- Whether the information is up to date: The elapsed time may decrease the relevancy of the content and its up-to-date nature.
- Whether the information causes prejudice against the data subject: In case the data subject is able to substantiate such claim, the relevant links would be more likely to be removed from the search results.
- Whether the information poses a risk for the data subject: In case the relevant information lead to risks such as identity theft or being tracked, the information would be more likely to be removed from the search results.
- Whether the information is published by the data subject: It should also be evaluated whether the data subject is provided with option to withdraw its prior explicit consent for the publish of its personal data.
- Whether the original content covers data processed within the scope of journalism: A balance between the constitutional right to request the protection of honour and reputation and the freedom of press as a reflection of freedom of speech should be pursued.
- Whether there is a legal obligation in the publication the information is a legal obligation: It should be separately evaluated for each case as to whether there is a legal obligation in the publication of the personal data by a public authority or institutions and whether this obligation maintains its validity.
- Whether the information relates to a criminal offense: Parameters such as the date of the relevant crime and gravity of the crime should be evaluated on the basis of each concrete case.
Exercising the Right to be Forgotten
Data subjects may request from the search engines for the removal of the relevant results from the index in line with the procedures and principles set forth under Article 13 of the DP Law and Communiqué on the Principles and Procedures for the Request to Data Controller. Data subjects may also address their complaints to the Board in case the data controller rejects the data subject’s request, provides unsatisfactory response or does not provide any response in certain period in accordance with the Article 14 of the DP Law.
 CJEU, Case C-131/12, Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González
right to be forgotten Turkish Personal Data Protection Authority request of removal from the index