On January 13, 2025, the Turkish Personal Data Protection Authority published a public announcement on the “Obligation to Inform Data Subjects Within the Scope of Mediation Activities” (“Announcement).
As widely known, mediation is an alternative dispute resolution method with respect to private law disputes and can either be carried out voluntarily or mandatorily as a prerequisite to litigation under Turkish law. Mediators are subject to the Law No. 6325 on Mediation in Civil Disputes (the “Law”) and are under the obligation to properly inform the parties about the principles, process and results of the mediation, at the beginning of the mediation activities, pursuant to Article 11 of the Law.
However, according to the Announcement, this obligation alone is not sufficient when it comes to the processing of personal data during mediation activities. The Announcement indicates that mediators are also data controllers that are subject to the Law No. 6698 on Personal Data Protection (the “DPL”), which imposes an additional responsibility on mediators.
Accordingly, the DPL sets out that data controllers are obligated to inform data subjects about the personal data processing activities, which includes providing information on the identity of the data controller, the purpose of data processing, the recipients of the data, the method and legal basis of data collection, and the rights of the data subject. This obligation must be fulfilled regardless of the processing condition (explicit consent and/or other grounds) and principally, prior to the start of processing activities.
Therefore, although it is quite essential to inform the parties of a mediation about the process, this informing activity would not mean that the mediators fulfill their obligation as a data controller. Considering that the burden of proof for fulfilling this obligation lies with the data controller, it is of critical importance for mediators to ensure a lawful process.
Authors: Burak Özdağıstanlı and Burcu Çirkinceli
Commenti