Page 1

6698 SAYILI
KANUN’DA YER ALAN
TEMEL KAVRAMLAR

Page 3
2

I. AÇIK RIZA
Kanunun yürürlüğe girmesi sonrasında, kişisel veri
ve bu verinin işlenmesi ile birlikte hayatımıza giren
kavramlardan birisi de “açık rıza” kavramıdır. Kanunun
3. maddesinde açık rıza; “belirli bir konuya ilişkin,
bilgilendirilmeye dayanan ve özgür iradeyle açıklanan
rıza” şeklinde tanımlanmıştır.
Ayrıca Anayasa’nın 20. maddesinin 3. fıkrasında, kişisel
verilerin, ancak kanunda öngörülen hallerde veya kişinin
açık rızasıyla işlenebileceği hüküm altına alınmıştır. Açık
rıza, 6698 sayılı Kanun’da hem özel nitelikli kişisel veriler,
hem de özel nitelikli olmayan kişisel veriler bakımından
temel hukuka uygunluk sebebi olarak öngörülmüştür.
Buna göre sırasıyla Kanun’un,
• In paragraph 1 of Article 5, “Personal data
cannot be processed without his express consent”,
• In paragraph 2 of Article 6, “Special quality personal
processing of data without the explicit consent of the person concerned
it is forbidden",
• In paragraph 1 of article 8, “Personal data is
cannot be transferred without express consent”,
• In paragraph 1 of article 9, “Personal data is
cannot be transferred abroad without express consent”
regulations are included.
one

Page 4

Explicit consent has also found its place in international texts.
is an important concept. European Union 95/46 EC
consent according to the directive; data about the person concerned
freely, with sufficient knowledge of the subject
in a clear and unambiguous manner,
It is a declaration of consent limited to that transaction. in the directive
processing only special categories of personal (sensitive) data
While express consent is sought for, in our country and GDPR
open for the processing of any personal data as a rule.
consent is needed.

2nd

Page 5

Explicit consent within the framework of the law,
data processing, voluntarily or from the other party.
It means to give approval upon the incoming request.
Another importance of the explicit consent statement is to the data processor.
to guide him in the action to be taken.
The person is actually the data controller with the express consent statement.
notified its decision on its legal value.
is happening. Statement of explicit consent, the processing of the person concerned
the limits, scope and realization of the data it allows.
will also determine its format.
In this sense, express consent means “positive will” of the person giving consent.
statement should be included. in other legislation
without prejudice to the regulations, express consent in writing
no need to be taken. electronic media of express consent
and call center etc. ways are also possible.
Here, the burden of proof lies with the data controller.
The definition of explicit consent in Article 3 of the Law
Within the scope of this, there are 3 elements of express consent:
• Relating to a specific subject,
• Consent is based on information,
• Disclosure of free will.

3

Page 6

A) Related to a Specific Subject
to be
Validity of the express consent given for data processing
express consent for a particular subject and
must be limited. Open by data controller
on which subject the declaration of consent is requested
must be clearly stated. Accordingly, the relevant
with a general statement of will of the person,
open-ended and
indefinite consent alone “Explicit consent” in the context of the Law
as unacceptable.
If the processing of data for more than one category
If a declaration of consent is to be made about the
different points of processing, such as and for what purposes it will be processed
must also be given.
After the data controller's use of personal data
for secondary operations (for example,
such as data transfer abroad)
will need to take. The same applies to the processing of personal data.
This also applies if their purpose changes.

4

Page 7

B) Based on Information
Explicit consent is a declaration of will and
In order to give consent, he must also know what he consented to.
must know. not only on the subject, but also
full knowledge of the consequences of his consent as well.
must own.
Information is open and clear on all matters related to data processing.
should be carried out in an understandable way. of the information
must be done before processing the data.
The nature of the data to be processed, as well as the information
Informing the relevant person will determine the level of
one's right to self-determination
constitutes the reflection.
Personal data to be obtained while informing
the purposes for which it will be used must be clearly stated,
terms the person may not understand or written information
small enough to make it difficult to read
Points should not be used.

5

Page 8

C) Disclosure of Free Will
Consent, which is the declaration of will of the person, is the behavior of the person.
validity if conscious and self-determined
will win. Any kind that will cripple one's will
The act also includes the consent given for the processing of personal data.
it will hurt. such as algebra, threat, error, and deception.
free decision of the person in injurious situations
It is not possible. Therefore, in such cases
There is no mention of a declaration of will. However, here
each reason should be evaluated in itself,
the degree of influence must be determined.
in which the parties are not equal or one of the parties
free consent where it has an effect on the other
careful consideration of whether it was given voluntarily
must. Particularly in the employee-employer relationship, the employee's consent
the possibility of not showing
or a possible non-consent to the worker.
In cases where it will cause negativity, your consent is free.
cannot be accepted as voluntary.

6

Page 9

II. ANONYMOUS
BRING
Anonymization or anonymization
under no circumstances can it be identified, even if it is matched with other data.
or cannot be associated with an identifiable natural person.
means to be made. In this context, obtaining
with other data by making a follow-up on the remaining data.
Who owns the data after matching and supporting?
If it can be understood that this data is anonymized,
unacceptable.
At this point, it should be noted that anonymous
It is the difference between data and anonymized data. Anonymous
associating with a specific person from the beginning of the data
While expressing data that is not possible, anonymized
data was previously associated with a person, but
data that is no longer connected.

7

Page 10

III. RELATED PERSON
In the law, only the protection of the data of natural persons
foreseen. Therefore, personal data in the Law
the expression "contact person" to refer to the natural person being processed
used. The person to be protected
As clearly stated in the definitions section, “real
person”.
According to the definition of personal data in the law, legal
identification of any natural person by a personal data
or if it makes it identifiable, these data
under protection. But here preserved
the interest is not the legal person, but the
the fact that has been determined or can be determined by priority.
will belong to the individual. Because the Law, data belonging to legal persons
does not regulate its protection in any way.

8

Page 11

IV. PERSONAL DATA
Personal data to a specific or identifiable person
any information about it. In this case, the personal data
basically two criteria in order to distinguish from data that is not
can be said to have been used. Accordingly, personal data
In order to be able to talk about it, the data is about a person and
that this person is also specific or identifiable
required.
Personal data, personal, professional and family characteristics of the individual
distinguishing that individual from other individuals and showing their qualities
any kind of information that can be revealed. personal in law
data; “Pertaining to an identified or identifiable natural person
defined as “any kind of information”. This information is certain
a person's identity, ethnicity, physical characteristics,
health, education, employment status, sexual life, family
life, communications with others, residence address,
credit card, personal thoughts and beliefs, association and
union memberships, shopping habits.
covers.
In line with the definition of personal data in the law
any form of identification that makes a natural person specific or identifiable.
information must be considered as personal data.
In the definition made in the law, which information is personal?

9

Page 12

limited count of what will be considered data
principle is not adopted. in law
data categories that can be derived with developing technologies.
A broad definition of personal data to regulate
is offered.
The fact that a person is specific or identifiable means that the available data
to be associated in any way with a natural person
means making that person identifiable by
is doing. In the justification of the law, the name, surname of the individual,
his definitive diagnosis, such as date of birth and place of birth
physical, family, economic,
personal data of data related to social and other characteristics
has been specified.
Personal data, physical, economic, cultural, social
or a tangible content that expresses his or her psychological identity
such as identity, tax, insurance number, etc.
as a result of being associated with any record
encompasses all the data to be determined.
As a matter of fact, the phone number in the justification of the Law,
motor vehicle license plate, social security number, passport
number, resume, picture, video and audio recordings,
data such as fingerprints, genetic information, albeit indirectly.
personal due to their ability to make the person identifiable.
indicated that it should be considered as data.

10

Page 13

V. PERSONAL DATA
PROCESSING
The concept of processing personal data is a chain loop.
means. In Article 2 of the Law, personal data
fully or partially automatic or any
automatically, provided that it is part of the data recording system.
beginning with the first obtaining by means of non-existent means
a process and any subsequent processing, data processing
has been defined as. Personal data as specified
deletion, destruction or anonymization after collection
carried out in the process up to the
all kinds of activities within the scope of the law, personal data
11th

Page 14

considered as processing. actually personal
in the case of data, how the data is held and
It is at least as important as the data itself.
Below are some of the methods of processing personal data
explains:
Retrieval or recording: First obtaining of personal data
As of the moment they are issued, the actual processing begins.
Storage/preservation: In digital or physical environment,
storage, hosting or use of personal data
storage is considered as part of processing.
Modification / Rearrangement: Personal data, various
changed by using methods or
rearrangement is considered a change.
Transfer / Assignment: Personal data through various methods
transmission is also within the scope of processing activity.
Personal data by automated or non-automated means
can be processed:

12

Page 15

A) Automatic Processing
What automatic processing is in the Directive and the Law
While there is no definition regarding
definition; “On human intervention or aid
interconnected, which minimizes the need
and by an interactive electrical or electronic system.
data processing activity” . With this
In the justification of the Law, the scope of the Law
While explaining, “Today, these data are used both by the private sector and the private sector.
both by the public sector through information systems.

13

Page 16

It is frequently used by automated means.” indirectly by saying
path of automated processing on information systems
activities have been stated.
Accordingly, automatic data processing; computer,
phone, watch etc. replaced by devices with processors
through software or hardware features.
within the scope of pre-prepared algorithms
spontaneous processing without intervention
activity.

14

Page 17

B) Non-Automated Processing
(Being Part of the Data Recording System
on record)
As stated above, personal data is subject to automatic processing.
through the "data recording system" , although they are not subject to
they will be subject to the provisions of the Law when they are processed.
In the law, the data recording system is defined as “personal data being subject to certain criteria.
means the recording system in which it is structured and processed according to
is doing. These systems are in electronic or physical environment.
can be created. Accordingly, for example, in the data recording system
via personal data, name, surname or ID number
can be classified as those who do not pay their loan debt
In this context, the classification to be created for the
can be evaluated. law, automatic
data processing is completely within the scope of the Law.
does not exclude. That is, data in a non-automatic way
if the processing is part of the data recording system, then
data processing activity will be considered within the scope of the Law.
As a result;
For the legal processing of personal data,
All conditions must be met together:
• The processing is based on data processing conditions
• The fact that the lighting has taken place,
• Compliance with general (basic) principles.

15

Page 18

C) Processing of Personal Data
Conditions
Processing of personal data, Article 3 of the Law
has been defined. According to this; personal data completely
or partially automatic or any data recording
non-automatic, provided that it is part of the system
acquisition, recording, storage,
preservation, modification, reorganization,
disclose, transfer, take over, obtain
making, classifying or using
performed on data such as blocking
All kinds of transactions are considered as processing of personal data.
has been done.
The conditions for the processing of personal data are 5 of the Law.
listed in the article, accordingly the following
In case of at least one of the conditions, personal
data processing is possible.
• Existence of the explicit consent of the person concerned,
• It is clearly stipulated in the laws,
• Will not be able to express consent due to actual impossibility
legal validity of the situation or consent

16

Page 19

unknown person himself or another person
for the preservation of life or bodily integrity
be mandatory,
• Directly from the establishment or performance of a contract.
parties to the contract, provided that it is directly related
It is necessary to process personal data of
• Fulfilling the legal obligation of the data controller
mandatory to bring
• The person concerned has been made public by himself,
• Data for establishment, exercise or protection of a right
processing is mandatory
• Damage to the fundamental rights and freedoms of the person concerned.
legitimate data controller, provided that
The necessity of data processing for their interests.
Conditions for the processing of personal data, that is, compliance with the law
cases are listed in a limited number in the Law and these conditions are
cannot be expanded.
Personal data processing, other than express consent in the Law
if it is based on one of the conditions, then from the person concerned
express consent is not required. Data processing

17

Page 20

carrying out its activity on a basis other than express consent
based on explicit consent whenever possible, deceptive and
would constitute an abuse of right. Indeed, the relevant
In case of revocation of the explicit consent given by the person
from other personal data processing conditions of the data controller.
to continue processing data based on one
Acting against the law and honesty rules
will mean.
In this context, personal data is collected by the data controller.
express consent of the purpose of the processing
whether it is based on one of the processing conditions other than
should be evaluated, if this purpose
does not meet at least one of the conditions other than consent,
In this case, the person is open for the continuation of the data processing activity.
consent should be sought.

Terms of processing personal data
the purpose of the processing activity in terms of the Law
forms the legal basis. Personal data processing
more than one personal data for the purpose of its activity
processing conditions. For example, payroll
personal data of employees in order to regulate
legal basis of processing, personal data processing
performance of the contract and data controller
fulfillment of its legal obligation.

18

Page 21

The conditions for processing personal data without express consent are as follows:
like this:

Scope of Processing Conditions

Provision of Law

Sample

Tax Laws,
Labor Law, Turkish

Employee's
personal information

Commercial Law

According to the legislation

etc.

keeping
must.

of the contract
its execution

Employment Contract, Sales
delivery
contract,
to be done
Transport
company's address
contract,
information
Work Contract
recording.
etc.
unconscious
actual impossibility

contact person
or address

due to consent
won't be able to give information.
Actual Impossibility
have or distinguish kidnapped or
power to

a lost person
Location information.

non person.

19

Page 22
Scope of Processing Conditions

Sample

Financial Audits,
Security

Data
of the person in chargeLegislation,
Legal

Industry Focused

Responsibility

with regulations
Harmony.

publicity
earning

Banking,
Energy, Capital
like their markets
domain specific
in controls
information sharing
to be done.

Contact person

sell your house

his own
public information

the person who wants
in the sales advertisement

to the knowledge

to contact information

to present.

to place

litigation,

Leave the job

registration procedures,belonging to an employee
Establishment of Right,
all kinds of deeds
necessary information
protection,
process etc. in the works
litigation time
Using
use
over the course of
mandatory data.

storage.

Data owner

Legitimate Interest

to their fundamental rights
Working
do no harm
increasing commitment
provided, Data
awards and bonuses
of the person in charge
implementation
legitimate interest
data for the purpose
mandatory for
processing.
in case
data can be processed.
20

Page 23

VI. DATA SPEAKER
AND DATA PROCESSOR
A) Generally
Data controller, purposes of processing personal data and
establishment of the data recording system, which determines the means of
and the natural or legal person responsible for its management
means. Legal entities to process personal data
themselves within the scope of their activities
“data controller”, as specified in the relevant regulations.
legal responsibility will arise in the person of the legal person. It
public law legal persons and private law legal entities
There was no difference in terms of individuals.
Legal personality of units within a company
data controller of these units.
it's not possible. However, a company
Each company that makes up its group has legal personality.
separate data controller for each of these companies.
it is possible.
The data processor is authorized by the data controller.
real or real person processing personal data on his behalf

21

Page 24

defined as legal persons. These individuals are
processes the data within the framework of the instructions given to it.
real and legal persons working outside the data controller organization.
are legal persons. In other words, the personal data controller
authorized by making a data processing contract.
is a separate natural or legal person.
Any natural or legal person can also
The data controller can be both a data processor. For example, a
The accounting firm holds data about its own personnel.
as the data controller in relation to the
In terms of the data held by the companies, the data processor
will be accepted as
The activities of the data processor are more technical than the data processing.
limited to parts. For example, by which method of storing
how to do it, how to delete the data is up to the data processor.
is in its jurisdiction. However, regarding the processing of personal data
data controller is authorized to take important decisions.
belongs. Data controller, purpose of processing personal data
and determines the method. That is, the processing
It will answer the questions of “why” and “how”
is a person.

22

Page 25

In order to determine the data controller, the following matters
who decides should be taken into account:
• Collection of personal data and the purpose of collection,
• Types of personal data to be collected,
• For what purposes the collected data will be used,
• Which individuals' personal data will be collected,
• Whether the collected data will be shared,
if it is shared, with whom it will be shared,
• How long the data will be stored,

23

Page 26

However, the personal data to be made by the data controller
With the processing contract, the example below is
may leave the authority to decide on the issues to the data processor:
• Which information technologies are used to collect personal data?
systems or other methods will be used,
• The method by which personal data will be stored,
• Security to be taken for the protection of personal data
details of the measures,
• The method by which personal data will be transferred,
• The correctness of the periods for the storage of personal data.
method to be used,
• Deletion, destruction and anonymity of personal data
method of making.
Some common ground between data controller and data processor
points must be specified. First, the data controller
In other words, from data processing activities within a company.
no responsible person is implied. data controller
is the legal entity itself. Data controller (same
being a data processor as well)
to determine the obligations
status and meeting the characteristics given in the definition.
case, the legal entity of the company is also included in this status.

24

Page 27

will take. For example, part of the data processing activity
a person who receives and records documents in a company
not, the company itself has the title of “data controller”.
Secondly, both concepts are both real and legal.
applies to individuals. For example, a self-employed financial
both the consultant and the financial advisory firm, the data controller,
as well as a data processor. within a company
Since these units do not have legal personality, these units
It is not possible to be a data controller or a data processor.
However, each constituting a group of companies
Since a company has legal personality, these companies
each can take place in two separate statuses.
Finally, a legal or natural person
can be both a data controller and a data processor.
it is possible to say. For example, a cloud computing service
The company that offers it is “data” in terms of the data of its own employees.
responsible for the data of its customers.
acts as “operator”.

25

Page 28

B) Examples
b.1. Market Research Companies
Under a contract with a pharmaceutical company, a research
employee satisfaction survey for pharmaceutical company
took charge of the arrangement. The company, the employee to be surveyed
determination of the list, selection of the survey method
and the presentation of the survey results to the research company.
has left. In this case, the research firm
Even if it conducts the survey on behalf of the company and processes personal data
and is in the status of data controller together with the pharmaceutical company.
Because which employees will be surveyed, which data will be
gather etc. have decision-making powers
is a research company.

b.2. Shipping Companies
A cargo company, a bank and customers' credit cards
a contract to provide the transport service to the person concerned
he did. Cargo company sender's name, surname, receiver's
data it obtains to manage the shipment, such as the address
is the data controller. However, the shipping company
although he physically holds his credit cards
information regarding the credit card in question.

26

Page 29

not possible to reach. In this case, the delivery service
What is the data of the cargo company serving as a server?
is neither the controller nor the data processor. Hence,
only to ensure the safety of the physical goods it carries.
is obliged to comply with the processing of personal data.
There is no obligation required.

b.3. Payment Services
A person who sells online
customer by agreement with the payment service company.
in the case of processing your data; payment service company
is not the seller's data processor. Processing of this data
is in the status of data controller. Because the payment
service company; (1) In order for payments to be made correctly
what data should be collected from customers
decides. (2) For what purpose the collected data
has control over its use. (3) From the seller
independently processed personal data directly
own terms and conditions applied to customers
exists. (4) Independent of the seller,
has legal obligations. For example;
deletion of credit card information, etc.

27

Page 30

b.4. lawyers
One of the quitting employees of a company
stole the customer list and in return the owner of the company
He consulted a lawyer on how to get the list back.
In an example where; about the former employee of the owner of the firm
by handing over the personal data to the lawyer, the lawyer also
has the status of supervisor. In this case, the lawyer
acting on behalf of the owner of the company
does not change. How does the personal data obtained from the lawyer
will decide what will be processed. Hence, provided
In terms of personal data, both the owner of the company and
lawyer is in the status of data controller. In this sense
their own obligations to each
(for example, the data owner's personal data
Both are separate in terms of fulfilling the access request.
separately responsible).

b.5. Financial Advisors
Financial advisors, records of their clients' accounts
processing of personal data in these records while keeping
are data controllers. Because financial advisors
oblige them to take responsibility for the personal data they process.
There are many professional legal obligations that make
For example, when examining a company's accounts,
legal and financial advisors in case they come across

28

Page 31

notifying administrative units or other authorized institutions
is required to be present. While making the notification
does not act in accordance with the customer's instructions
obviously it will. Therefore, such expert service
providers to their professional legal obligations.
in the status of data controller as long as they are subject to
will be found and resulting from being the data controller.
its obligations to the customer by agreement, partially or
They will not be able to give up completely.

b.6. Cloud Service Providers
Personal data collected by a public institution
contract with a cloud service provider to store
and the cloud provider's data to a specific
which will be deleted after time and/or personal data of the data owners.
agreed to provide access to their data
cloud service provider data processor
status. As per the contract between the parties
cloud service provider's data for their own purposes
not possible to use. Also cloud service
The provider itself does not collect data. Single activity
personal data from public institutions
store in accordance with the organization's instructions.

29

Page 32

VII. DATA RECORD
SYSTEM
By structuring personal data according to certain criteria
refers to the recording system in which it is processed. These systems
can be created electronically or physically. According to this,
personal data in the data recording system; name-surname or identity
can be classified by the number of credit
classification to be created for those who do not pay their debts
will also be evaluated in this context.
According to the justification of the Law, by non-automatic means
the personal data processed are part of a data recording system
otherwise it will not be considered within the scope of the Law.
In other words, the Law in the following two cases
will find application:
The law will find application in the following two cases:
Personal data by partially or fully automated means
processing,
Personal data by non-automatic means but as a data
processing in the registration system.

30

Page 33

According to this definition, a processing performed on data
your activity,
1) first determining whether it is automatic,
2) if there is non-automatic processing, this time also give the data
whether it is processed in a data recording system
understanding
required.

Page 34

Nasuh Akar Mah. 1407. Street No:4 06520
Balgat-Çankaya/Ankara // www.kvkk.gov.tr
Tel: 0 (312) 216 50 50 // Fax: 0(312) 216 50 52

