Page 1

LAW
RIGHT INSIDE
AND OBLIGATIONS

Page 3
2

I. Data Controller
Obligations
In Article 3 of the Law, the data controller states that “personal data
data register, which determines the purposes and means of processing
Responsible for the establishment and management of the system
defined as a “ natural or legal person ”.
The data controller can process personal data personally,
third party to carry out data processing
It can also authorize a person. given by the data controller.
that processes personal data on its behalf on the basis of authorization
such natural or legal persons, Article 3 of the Law
As "data processor" in subparagraph (ğ) of paragraph 1
has been named. Protection of personal data in the law
some obligations regarding data
It is also provided for those who work.
Many data controllers are covered by the law.
obligation, some of which
explained in detail below:

one

Page 4

A) Liability to Light
The legislator does this to the persons whose personal data are processed.
by whom, for what purposes and legally
reasons, to whom it can be processed, for what purposes
grants the right to be informed about the transfer of
and these matters, the data controller's clarification
covered under its obligation. data accordingly
The person in charge of personal responsibility within the framework of Article 10 of
personally or authorized by him at the time of obtaining the data.
by providing the following information to the relevant person through the person
liable:
• Identity of the data controller and its representative, if any,
• For what purpose personal data will be processed,
• To whom and for what purpose personal data
can be transferred,
• Method and legal reason for collecting personal data,
• Other rights listed in Article 11.
On the other hand, by our Institution on 10.03.2018
“Lighting” published in the Official Gazette dated
Procedure to be followed in Fulfilling its Obligation
Communiqué on Principles and Principles” and the obligation to inform
which must be complied with by data controllers
arrangements have been made on the procedures and principles,
2nd

Page 5

fulfill the obligation of disclosure by data controllers
These considerations will need to be taken into account.
(See Appendix: “Instead of the Liability of Illumination
About the Procedures and Principles to be Complied with
Notification")
Data processing activity is subject to the express consent of the person concerned.
to which it is affiliated or to another activity in the Law.
data in cases where it is carried out within the scope of the condition.
obligation of the responsible person to inform the person concerned
continues. In other words, the person whose personal data is processed
should be illuminated in any case.
Obligation to register with the Data Controllers Registry
relevant within the framework of the obligation to inform
The information to be given to the person is compatible with the information disclosed in the Registry.
should be. Fulfilling the lighting obligation,
is not subject to the approval of the person concerned. with a unilateral statement
the lighting obligation can be fulfilled. Lighting
proof of fulfillment of the obligation
belongs to the person responsible.

3

Page 6

B) Regarding Data Security
Obligations
According to article 12 of the law on data security, data
responsible;
• Unlawful processing of personal data
prevent,
• Unlawful access to personal data
prevent,
• To ensure the protection of personal data
responsible for.
Data controller to fulfill these obligations
to ensure the appropriate level of security for
must take all necessary technical and administrative measures.
In addition, determining the obligations regarding data security
To take regulatory action for the purpose of the Board's authority and
among its duties.
However, the minimum to be determined by the Board
personal data processed on a sectoral basis on the basis of criteria
It is also possible to take additional measures according to the nature of the data.
may be the subject.

4

Page 7

In the continuation of the article, the data controller's personal
another natural or legal person on behalf of the data
specified in the first paragraph,
together with these persons to take the necessary measures.
jointly liable. Hence
precautionary measures to ensure data security for data processors
is under the obligation to receive. For example, data
records relating to the company of the responsible
regarding the processing of data, if held by the company
regarding the taking of the measures mentioned in the first paragraph
jointly with the data controller accounting company
will be responsible.
With regard to data security, the law also
supervisor has a supervisory obligation. Data
responsible for this Law, in his/her own institution or organization.
necessary to ensure the implementation of the
have to make or have inspections made. Law
that the audit should be done by the data controller
foresees. The data controller does this control himself.
as well as through a third party.
can perform.
On the other hand, data controllers and data processors,
the personal data they have learned is contrary to the provisions of this Law.
cannot be disclosed to anyone else and is not intended for processing.
they cannot use it. This obligation arises from their resignation.
then it continues.
5

Page 8

Finally, the processed personal data is illegal.
in case it is obtained by others by means of
The data controller should report this situation to the relevant person as soon as possible and
Notifies the board. The Board, if necessary,
on its website or any other website it deems appropriate.
method can be declared.
Each of the measures to be taken regarding data security
the nature, activities and
must be appropriate for the risks. Therefore, the data
There is no single model for safety.
The size of the company in determining appropriate measures
or turnover, as well as the work done by the data controller
and the nature of the protected personal data is also important. For example,
small-scale personal data of special nature
higher standards of processing data controller
need to take protective measures.

C) Made by Related Persons
Answering Applications and
Fulfillment of Board Decisions
Obligation
Pursuant to article 13 of the Law and this article
Data published in the Official Gazette dated 10.03.2018
Communiqué on the Procedures and Principles of Application to the Responsible Person

6

Page 9

data controllers, in writing by the relevant persons.
or registered electronic information contained in the said Communiqué.
mail (KEP) address, secure electronic signature, mobile
further to the data controller by signature or the person concerned.
previously notified and registered in the system of the data controller.
using the e-mail address
or software developed for reference purposes, or
to qualify the applications made through the application.
free of charge as soon as possible and within thirty days at the latest.
should conclude.
However, if the transaction also requires a cost,
data controller, the fees in the tariff determined by the Board.
may be requested from the applicant.
If the data controller accepts the request or
If he refuses by explaining, this answer is written to the person concerned.
in an electronic form. Place in application
If the request is accepted, the data controller
fulfilled this request. your application
if it is caused by the fault of the data controller
the fee will be refunded to the person concerned.
Refusal of application, insufficient response
absence or failure to respond to the application in due time.
in cases; the data subject has learned the answer of the data controller.
thirty from the date of application and in any case
may file a complaint with the Board within sixty days from

7

Page 10

The Board, upon complaint or learning of the alleged violation.
in matters that fall within its scope of ex officio
detecting the existence of a violation as a result of the examination.
If the data controller does not comply with the law,
decides to rectify it and notifies the relevant parties of the decision.
The data controller will make this decision as of the date of notification.
without delay and within thirty days at the latest
has to.

D) To the Registry of Data Controllers
Obligation to Register
According to Article 16 of the Law, Protection of Personal Data
made public by the Presidency under the supervision of the Board.
A clear Data Controllers Registry will be kept. Again
according to this article, the real and
legal entities to this Registry before starting data processing.
must register.
However, in paragraph 2 of Article 16 of the Law, the
nature and number of personal data, data processing
originating or transferring to third parties
Considering the objective criteria to be determined by the Board, such as
Data Controllers by the Board
Exceptions can be made to the registration requirement.
specified.

8

Page 11

Pursuant to this provision, the Board
criteria were determined and published in the Official Gazette dated 30.12.2017.
In the Regulation on the Registry of Data Controllers published
these criteria were counted. Said criteria:
a) The nature of the personal data.
b) Number of personal data.
c) Purpose of processing personal data.
ç) Field of activity in which personal data is processed.
d) Transfer of personal data to third parties.
e) Personal data processing activity
originating.
f) The period of retention of personal data.
g) The data subject group or categories of data.

E) Notification Obligation
Another obligation of the data controller is the
others by illegal means of personal data
If obtained by
to notify the relevant person and the Board in a timely manner. board, need
in case of this situation, on its website or appropriate
He can declare it by another method he sees.

9

Page 12

II. Rights of the Relevant Person
Within the framework of Article 11 of the Law, the person concerned is always
about himself by applying to the data controller;
• Learning whether personal data is processed or not,
• If personal data has been processed, requesting information about it,
• The purpose of processing personal data and their
learning whether it is used for its intended purpose,
• Personal data is transferred in the country or abroad.
knowing third parties,
• Incomplete or incorrect processing of personal data
in case of requesting their correction,
• Deletion or destruction of personal data
don't want,
• Correction, deletion or destruction of personal data
transactions regarding the transfer of personal data
requesting notification to third parties,

10

Page 13

• Exclusively automated systems of processed data
the person himself by analyzing it through
to object to the emergence of a result against him,
• Unlawful processing of personal data
in case of damage due to
request removal
has rights.

11th

Page 14

III. Data Processor
Obligations
Data processor; based on the authority given by the data controller
natural or legal person who processes personal data on his behalf
means. These persons are the data controller's service
a separate real or legal entity determined by purchasing
is a person. Any natural or legal person can also
can be both a data controller and a data processor.
Authorization of personal data data controller
based on and by the data processor on its behalf
in case of unlawful processing of personal data,
to prevent the processing of personal data unlawfully.
to prevent access and protect personal data
ensure the appropriate level of security to ensure
all kinds of technical and administrative measures necessary to
together with the data controller
jointly responsible.
In addition, data processors are responsible for the personal data they learn.
not to disclose to others in violation of its provisions
and the obligation not to use it for purposes other than processing
below.
This obligation arises when the data processor leaves his/her job.
then it continues.
12

Page 15

13

Page 16

Nasuh Akar Mah. 1407. Street No:4 06520
Balgat-Çankaya/Ankara // www.kvkk.gov.tr
Tel: 0 (312) 216 50 50 // Fax: 0(312) 216 50 52

