Articles

Regulation on Data Sharing Board

August 2020, Erdemir&Özmen Attorney Partnership

Regulation on Data Sharing Board

The Regulation on Data Sharing Board (“the Regulation”), prepared by the Ministry of Interior on the basis of the article 45 of the Civil Registration Services Law numbered 5490 (“the Law”), has entered into force as published in the Official Gazette dated 8 August 2020 and numbered 31207.  

The Regulation aims to identify the institutions that provide address-based public service, the legal entities that provide public service and the General Directorate of Civil Registration and Nationality (“the General Directorate”) units and institutions that will make use of the records kept in the General Directorate’s central database by the General Directorate of Civil Registration and Nationality, to determine the general principles and procedures regarding the scope, method and security of online and offline sharing and to set forth the working principles of the Data Sharing Board (“the Board”) constituted within the body of the General Directorate. The data that will be shared within this context are the individuals’ civil registration and place of residence information kept in the central database by the General Directorate.

A Data Sharing Board will be established within the body of the General Directorate  

A Data Sharing Board will be constituted under the article 5 of the Regulation in order to evaluate the requests regarding the sharing of the information contained in the central database and thus, to identify the beneficiaries of data sharing, and in order to decide the scope of sharing and the method under which sharing will take place. The duties of the Board are as follows:

  • To resolve online or offline data sharing requests;
  • To decide what data will be shared with recipient entities on online basis; 
  • To evaluate and resolve online additional service, service output authorization and service output parameter requests;
  • To take principle decisions on online or offline data sharing, in similar matters;
  • To determine the scope of data sharing and decide the method under which sharing will take place;
  • To decide what services will be available on the General Directorate’s web page for verification purposes, and to resolve the input and output parameters of those services;
  • To take resolutions on cancellation or termination of letters of commitment or suspension of data sharing.  

Data in the central database contained within the General Directorate, and the Identity Sharing System (“KPS”)  

The Regulation determines that data sharing may take place in two ways: Online data sharing and offline data sharing. The Regulation states that, in offline data sharing, the records kept in the central database are queried through the database and accordingly, the data sharing may take place by means of external storage devices and under the methods determined by the General Directorate and that, in online data sharing, the data sharing may take place by means of KPS services.  

Within the framework of the principles and procedures set forth in the Law and in the Law on the Protection of Personal Data (“the PDPL”), the data kept in the central database may be shared with the recipient entities or other persons by means of the sharing method considered appropriate by the Board, and all requests made in order to benefit from KPS will be evaluated by the Board. The following principles shall be taken into consideration in the evaluation to be carried out for acceptance or rejection of the requests:  

  • The principle of having the duty of and responsibility for querying and verification of the data in the central database under its own legislation;
  • The principle that legal entities providing public services continue their activities under the supervision of public institutions or organizations;
  • The principle that data sharing through KPS represents a necessity for public and social benefit;
  • The principle that works and procedures are carried out in order to meet the social needs of citizens, and the principle of the generality and continuity of services.

Furthermore, it is stated that the requests, made by the provincial organizations, branch offices or subsidiaries of the KPS beneficiary recipient entities, shall be rejected without submission of these requests to Board, in which case these requests will be fulfilled by their recipient entities. 

In spite of the fact the Regulation defines recipient entities as the legal entities providing public service and the institutions other than the General Directorate, benefiting from KPS; the article 45/1 of the Law specifies the recipient entities. These are:

  • Legal entities providing public service;
  • Pension and insurance companies operating within the framework of the Insurance Law dated 03.06.2007 and numbered 5684;  
  • Banks operating within the framework of the Banking Law dated 19.10.2005 and numbered 5411;  
  • Companies incorporated for data sharing purposes pursuant to the last paragraph of the article 73 of the Law numbered 5411, and the Risk Center;  
  • Financing companies and financial leasing companies included in the scope of the Financial Leasing, Factoring and Financing Companies Law dated 21.11.2012 and numbered 6361;
  • Portfolio management companies and intermediary institutions included in the scope of the Capital Markets Law dated 06.12.2012 and numbered 6362;  
  • Payment service providers included in the scope of the Law on Payment and Securities Settlement Systems, Payment Services and Electronic Money Institutions i.e. the Law dated 20.06.2013 and numbered 6493;
  • As regards place of residence and other address information, institutions providing address-based public service, determined by the Ministry;  
  • Pension and insurance companies performing activities under the Law numbered 5684;  
  • Banks performing activities under the Law numbered 5411;  
  • Companies incorporated for data sharing purposes pursuant to the last paragraph of the article 73 of the Law numbered 5411, and the Risk Center;  
  • Financing companies and financial leasing companies covered by the Financial Leasing, Factoring and Financing Companies Law dated 21.11.2012 and numbered 6361;  
  • Portfolio management companies and intermediary institutions covered by the Law numbered 6362;  
  • Payment service providers covered by the Law numbered 6493.

Online data sharing and offline data sharing 

First of all, prior to these two types of data sharing, it is mandatory to sign the relevant letter of commitment with the recipient entities.   

In online data sharing, the Board shall carry out evaluations on the following matters within the scope of the criteria pertaining to needs and competence analysis, while KPS service requests are fulfilled:

  • Whether or not the recipient entity has the authorization and responsibility for receiving and processing the data the recipient entity requests within the framework of the legislation governing the recipient entity;
  • Whether or not the data sharing is necessary with regard to the public and social benefit it will create for the persons and the society;
  • Whether are not the data requested are proportionate to the legal basis and the purpose specified.

In offline data sharing, the prioritized criterion is that the data that may be received from KPS shall not be requested on offline basis. However, if the following cases take place all together, namely;

  • In case they make their offline bulk data requests by means of an official letter,
  • In case they specify the justification(s) for and the legal basis of the data usage in their letters of request,
  • In case there is a compulsory need in the planning and execution of the public service, and
  • In case the data sharing is necessary with regard to the public and social benefit:

It is prescribed that the data requests may be fulfilled at a minimum, proportionately with the legal basis and the purpose specified.  

Exceptions

The Regulation determines certain exceptions as well. The requests included in the scope of these exceptions shall be fulfilled directly, without submission to the Board. These exceptions can be listed as follows:  

  • Requests for data related to the cases, investigations and prosecutions conducted by Supreme Courts, the Turkish Court of Accounts, the Supreme Election Council, Courts, Prosecutors’ Offices or by the pre-examiners assigned under the Law on Prosecution of Civil Servants and Other Public Officials i.e. the Law dated 02.12.1999 and numbered 4483;
  • Requests for data related to the investigations, examinations, audits and inspections conducted by the public institutions and organizations included in the scope of the Public Financial Management and Control Law dated 10.12.2003 and numbered 5018, provided that these requests conform to their missions and authorizations and that the letters approving the mission are forwarded;
  • Data requested within the scope of the subparagraph (ç) of the first paragraph contained in the article 28 of the Law numbered 6698, i.e. “Processing of personal data in the context of preventive, protective and intelligence-related activities carried out by public institutions and organizations to which the laws make the assignment and grant the authorization for ensuring the national defense, the national security, the public safety, the public order or the economic security”.

Obligations of recipient entities and other persons

These obligations are set forth in the article 16 of the Regulation. The recipient entities and other persons are held liable for compensation of the financial loss and all kinds of legal and penal sanctions which might arise from unauthorized uses of the obtained data or from unauthorized persons’ access to these data. In particular, it stated that the received data should not be shared with third parties and that the data should be kept by taking measures under the PDPL numbered 6698. Furthermore, it has been inserted, into the last paragraph of the same article, that the relevant provisions of the Law numbered 6698 and the Turkish Criminal Code dated 26.09.2004 and numbered 5237 shall apply to those who act in breach of the personal data protection-related provisions and to those who alter or modify confidential data or disrupt the integrity of confidential data.  

Conclusion

The Regulation primarily aims to enable certain public institutions and organizations and public service provider legal entities to make use of the records kept in the General Directorate’s database and thus, enable these public institutions and organizations and public service provider legal entities to benefit from this database on online basis within the scope of the permissions granted by the General Directorate, and aims to reduce the General Directorate’s workload, since it is not allowed to request on offline basis the data that may be requested on online basis in this context, and aims to ensure that data sharing takes place after the data requested are evaluated and scrutinized by the Data Sharing Board.  

References:

https://www.resmigazete.gov.tr/eskiler/2020/08/20200808-3.htm

https://kpsbasvuru.nvi.gov.tr/Acik/KpsNedir


Similar Articles

August 2020 Regulation on Identity Sharing System
August 2020 VAT Rate Reductions for Certain Sectors