Personal data protection, a matter that has been in practice in the United States and the European Union for many years, has also come into effect in our country with the Law No. 6698 on the Protection of Personal Data. The purpose of this information text prepared by Erk Law and Consultancy is to inform you about the subject and to warn you about the necessary regulations.
The Law on the Protection of Personal Data No. 6698 (“Law”) was published in the Official Gazette on 7 April 2016, and with this law, the establishment of the Personal Data Protection Authority was envisaged on 7 October 2016. Bringing the personal data processed before the publication date of the Law into compliance with the Law within two years is also among the main provisions of the Law. This period expired on 7 April 2018, and data controllers should start working as soon as possible to fulfill their obligations.
What is Personal Data? Who is the owner of the data?
In the Law, Personal Data is defined as any information relating to an identified or identifiable natural person. In this context, any data that identifies an individual is considered Personal Data, including but not limited to the person’s name, surname, ID information, address, car plate, voice recordings, photos, CV, genetic information and health data.
Personal data is divided into personal data and sensitive personal data. The processing of sensitive personal data, such as the individual’s race, ethnic origin, political opinion, philosophical belief, religion, sect, or other beliefs, appearance and clothing, membership in associations, foundations, or unions, health, sexual life, criminal record, and security measures, as well as biometric data, is subject to stricter rules.
The Law aims to protect the personal data of individuals directly and does not target data related to legal entities.
Who is the Data Controller? What are their obligations?
The Data Controller is the natural or legal person who obtains personal data from the data subject. In the law, it is defined as the natural or legal person who determines the purposes and means of processing personal data, and is responsible for the establishment and management of the data recording system.
a. Obligation to Inform the Data Subject (Natural Person) during the Acquisition of Personal Data
The Law explicitly requires the data controller, or the person authorized by them, to inform the data subject about the following points during the acquisition of personal data:
- The identity of the data controller and, if any, their representative,
- The purpose for which personal data will be processed,
- To whom and for what purpose the processed personal data may be transferred,
- The method and legal basis of collecting personal data,
- The rights of the data subject specified in the Law.
This information must be provided at the time personal data is obtained, not afterwards. Indeed, in accordance with the purpose of the Law and the fundamental rights and freedoms guaranteed by the Constitution, the data subject can freely decide whether or not to share their personal data after learning and clearly understanding these matters.
b. Obligation to Supervise Data Processors
The data processor is the natural or legal person who processes personal data on behalf of the data controller based on the authorization given by them. For example, a company printing invoices on behalf of the data controller company has the status of a data processor.
If a data controller processes personal data on behalf of another natural or legal person, they are jointly responsible with these persons for the security measures specified in the Law.
The Data Controller must conduct or have the necessary audits conducted in their own institution or organization to ensure the implementation of the provisions of the Law. Privacy is one of the aspects that both the data controller and the data processor must carefully consider. Indeed, data controllers and data processors cannot disclose or use the personal data they have learned in violation of the provisions of this Law, and this obligation continues even after the termination of these statuses.
c. Obligation to Register in the Data Controllers’ Registry
Under the supervision of the Authority, the Data Controllers’ Registry is publicly maintained by the Presidency. Natural and legal persons processing personal data must register in the Registry before starting data processing. However, the Authority may grant exemptions from the registration obligation on the basis of objective criteria it determines, such as the nature of the personal data processed, the amount of data, the legal basis for processing, or whether the data is transferred to third parties.
Data Controllers must make a notification containing the following information in their application for registration in the Data Controllers’ Registry. Any changes in these matters must be immediately reported to the Authority.
- Identity and address information of the data controller and, if any, their representative,
- Explanations regarding the purposes for which personal data will be processed, the group or groups of data subjects, and the data categories related to these individuals,
- Recipients or recipient groups to whom personal data may be transferred,
- Personal data envisaged to be transferred to foreign countries.
The Regulation on the Data Controllers’ Registry, prepared by the Authority, was published in the Official Gazette on 30 December 2017 and came into force.
d. Obligation to Respond to Applications of Data Subjects (Natural Persons)
Data subjects may submit their requests to the data controller in writing or through other methods determined by the Authority. The data controller must conclude the requests in the application, depending on their nature, as soon as possible and no later than thirty days, free of charge. However, if the transaction requires an additional cost, a fee may be charged according to the tariff determined by the Authority. The data controller either accepts the request or rejects it with reasons, and notifies the relevant person of the response in writing or electronically. If the request is accepted, the data controller carries out the necessary actions. If the fee was charged due to an error of the data controller, it is refunded to the individual.
If the application is rejected by the Data Controller, the response is deemed insufficient, or the application is not answered within the specified period, the Data Subject may file a complaint with the Authority within thirty days from the date they learn of the response and, in any case, within sixty days from the application date.
Complaint to the Authority cannot be made without exhausting the application method to the Data Controller. Of course, the right to compensation under general provisions is reserved for those whose personality rights are violated.
e. Obligation to Take Necessary Measures to Ensure Data Security
The security measures that the Data Controller must take aim to prevent the unlawful processing of personal data, to prevent unauthorized access to this data, and to ensure its preservation.
The Data Controller is obliged to take all necessary technical and administrative measures to ensure an appropriate level of security to achieve these purposes.
f. Policies that the Data Controller is Obligated to Prepare
i. Personal Data Processing Inventory
The inventory is created by data controllers by associating the personal data processing activities carried out in the course of their business processes with the purposes of processing, the data categories, the recipient groups to which data is transferred and the groups of data subjects, and by detailing the maximum retention period required for those purposes, the personal data envisaged to be transferred to foreign countries, and the measures taken for data security. Applications to the Data Controllers’ Registry are made on the basis of this inventory.
ii. Personal Data Storage and Destruction Policy
This is the policy text on which data controllers base the process of determining the maximum period required for processing personal data for the purposes for which they are processed, and the process of deletion, destruction and anonymization.
g. Criminal and Administrative Sanctions Stated in the Law
For crimes committed regarding personal data, the relevant provisions of the Turkish Penal Code apply. Because criminal penalties are personal, those who violate these provisions are personally subject to criminal sanctions; being an employee of a legal entity does not exempt them from liability. Legal entities holding the status of Data Controller and/or Data Processor are liable as legal entities for administrative sanctions for violations. Individuals authorized to represent the legal entity are also liable under the Turkish Penal Code for such violations.
IN CONCLUSION
Although regulations had been made in our country based on EU Directive 95/46/EC, a need for re-regulation arose in the European Union to ensure more effective protection of personal data. Simultaneously with the legislative process in our country, Regulation (EU) 2016/679, known as the GDPR, was published on 27 April 2016 and came into effect on 25 May 2018.
In the above, a general overview has been provided on the subject, and we would like to emphasize that we can arrange a detailed briefing for the necessary adjustments for your company.
We hope for the continued growth of our collaboration.
Best regards
APPLICATION FORM FOR DATA SUBJECTS TO EXERCISE THEIR RIGHTS UNDER LAW NO. 6698 ON THE PROTECTION OF PERSONAL DATA
Please fill in the application form below completely and clearly, and send it by post with your wet signature to the following address, so that your request under the Law on the Protection of Personal Data (“KVKK”) can be fulfilled: [EMC INFORMATION SERDAR ÖZÇELİK Küçükbakkalköy Mahallesi Dereboyu Caddesi Brandium Residence 3A R5 Blok K:7 D:48 Ataşehir ISTANBUL].
We will respond to your application as soon as possible and no later than 30 days. In case the information and documents provided by you are incomplete or unclear, we will contact you to clarify your application.
DECLARATION OF APPLICANT
This application form has been prepared to determine your relationship with our organization, if any, and to accurately identify the personal data of yours that our organization processes, so that your application can be answered correctly and within the legal timeframe. In order to eliminate legal risks that may arise from unlawful and unjust data sharing, and in particular to ensure the security of your personal data, our company reserves the right to request additional documents and information (such as a copy of your ID card or driver’s license) for identity and authorization verification. Our organization does not accept responsibility for any claims arising from inaccurate information submitted within the scope of this form or from unauthorized applications. All responsibility arising from unlawful, misleading or false applications lies with you.
Data Subject / Person Applying on Behalf of Another
Full Name:
Application Date:
Signature: