A New Paradigm in the Protection of Personal Data: The Principle of Accountability

The changing nature of cyber risks, the growing prevalence of personal data processing through analytics and artificial intelligence applications, the diversification of data processing and storage environments, and the increase in sectoral regulations have rendered classical data protection approaches inadequate. In this context, the principle of accountability has emerged as an effective solution to the new risks and problems arising in the changing landscape of data protection and privacy. The principle of accountability is a paradigm shift that goes beyond mere regulatory compliance and has conceptual depth. This principle requires data controllers to take appropriate and effective measures to comply with data protection regulations and to prove this on request. In other words, the principle of accountability is the process of proving that the protection of personal data is a value that is constantly observed, effectively applied and regularly audited within a data controller. The aim of this article is to examine the principle of accountability comparatively in the context of data protection law. The study aims to examine the basis and scope of the principle of accountability, to identify its relationship with other data protection principles, and to set out the normative effect of the principle on data controllers and data processors.

The New Paradigm of Data Protection Law: The Principle of Accountability

The inadequacy of classical data protection approaches has been uncloaked by the evolving nature of cyber risks, the tremendous increase in personal data processing through analytics and artificial intelligence technologies, the diversification of data processing and storage environments, and the proliferation of sectoral regulations. The principle of accountability is proposed as the most efficacious solution to tackle newly emerging risks and challenges in the changing landscape of data protection and privacy. The principle of accountability is a paradigm shift in data protection, with a conceptual breadth and magnitude that goes far beyond mere compliance. It requires data controllers to implement appropriate and effective measures to comply with the principles and obligations set out under data protection regulations and, further, to demonstrate this compliance on request. This is a process of proving that the protection of personal data is an essential value that is constantly observed, effectively applied, and regularly audited by data controllers. This article aims to provide a thorough analysis of the principle of accountability in the context of data protection law by adopting a comparative approach. It aims to scrutinise the scope and underpinnings of the principle, identify its relationship with other data protection principles, and discuss the normative effects such a principle has on data controllers and data processors.
