There is no single company that does not deal with data. Employee files, fiscal reports, product information or business plans are easily falling within the definition of data and besets every company with data protection obligations. Bearing the potential to face severe implications alone brings data protection to the top priority for any company and makes data one of the most important assets that a company has. Undoubtedly, when liability of a company is at stake, directors and board members’ role will be an integral part to this. As a legal entity, companies operate through real persons and in particular managed by directors and board members. This brings us to our subject, namely, directors’ and board members’ liability on data protection.
What obligations does data protection include?
This includes; guarding the availability of the data to employees who need it; providing the integrity of the data (keeping it correct and up-to-date); the confidentiality of the data; and the assurance that it is available only to people who are authorised. Who are obliged to provide data protection in terms of GDPR and KVKK? In terms of data protection and cybersecurity, there are two main applicable legislations in Turkey; the General Data Protection Regulation (“GDPR”) and Turkish Data Protection Law (“KVKK”).
GDPR bears responsibility on the controller for procurement of data protection. According to article 24, the controller must implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with GDPR. Moreover, the controller is also responsible for regular updating of such measures. Parallel with the GDPR and although defining the controller as the data responsible, article 12 of KVKK sets out that the data responsible shall take the necessary technical and organisational measures to provide data processing, data access and to keep personal data in accordance with respective laws.
Who is the controller? Who shall be deemed as the controller?
Both under GDPR and KVKK, the controller (or the data responsible) is defined as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Thus, whoever determines means and purposes of processing data must be deemed as the controller. Since companies are obliged to ensure the robustness of IT infrastructures, security of data and protection from cyber risks, the very same is to be deemed as “the controller” or the “data responsible” in terms of two main applicable legislations in Turkey. KVKK clearly states that data responsible are guardians of the personal data that is obtained for processing purposes. Data responsible is the supervisor in procurement of the integrity of personal data, execution of the mandatory and necessary precautions to protect it and furthermore, such responsible entities are not allowed to disclose the personal data in a way to contradict with applicable law and regulations.
Board of Directors’ Position in terms of Data Protection Liability
Directors and board members of a legal entity cannot be accepted as the controller in terms of data protection regulations. The data responsible (or the controller) is the one who determines “how” and “why” the data is processed and in a company, the legal entity itself corresponds to these questions. In terms of Data Protection Law, directors are not deemed as the controller and sanctions to be imposed under KVKK are applicable on the legal entity. Besides, there is no specific provision under Turkish Data Protection Regulation that holds representatives of a legal entity liable for cyber security breaches and data protection violations. However, what if an action of a director leads to a sanction of the legal entity under KVKK are applicable on the legal entity.
Data Protection Regulation?
In this case, general liability provisions of the Turkish Commercial Code (“TCC”) can be resorted at all times. If a company is subject to fine under KVKK due to its director’s misconduct, it shall be able to recourse to liability of the director. Article 553 of the TCC suggests that members of Board of Directors may only be liable against to company, to shareholders or to the creditors of the company if they damage the company by failing to perform their duties arising from articles of association and law with their fault. Moreover, directors are obliged to perform their duties with utmost diligence and care to protect interests of the company based on the good faith principle.
Directors who fail to perform their duties and cause damage due their fault shall be held liable against company under TCC. Thus, any act of breach that violates safekeeping of personal data and failing to take necessary precautions and monitor these on behalf of the company shall lead to the liability of the representatives.
Worth mentioning that under German law there are explicit provisions that may lead to the liability of directors due to data protection failures. 1 According to the German Stock Corporation Act, Section 93, directors are obliged to gain proper oversight of cybersecurity and must act with utmost care within their establishment. Furthermore the same Act suggest that directors must take appropriate and necessary measures in particular to establish a monitoring system to detect any threat at an early stage which may endanger continued existence of the company.
Lack of specific regulation defining directors’ duties within data protection scope in Turkey and having TCC as a single resort may result in “non-liability” of a director. As known, TCC grants the opportunity to directors to assign their representation power to a third person by an internal directorate. Thus, such third party will be held liable in case of failing to act with care and diligence. However, there should be circumstances where such liability cannot be run from as in the case of public debts. A Director is hold liable (and even with their personal assets) if a company owes public debts irrelevant from the assignment of powers and duties to a third person.
Rapid developing nature of IT law requires specific attributions in relations to the liability of the directors. General liability provision of TCC may fall short in meeting some needs, as it necessarily requires “fault” precondition. No failure by the directors should be left out of sight especially actions deriving from negligence. In order to enhance law enforcement and make Turkey an effective contributor in the international fight against cybercrime, we believe more measures must be taken in respect to safekeeping of personal data.