Page 1

KVKK PUBLICATIONS NO: 29

WITH EXAMPLES
PROTECTION OF PERSONAL DATA

Page 3
2

EXAMPLES OF PERSONAL DATA
PROTECTION
KVKK PUBLICATIONS NO: 29
ISBN: 978-605-80554-1-4
June, 2019 ANKARA

TR PERSONAL DATA PROTECTION AGENCY
ADDRESS: Nasuh Akar Mahallesi 1407 Street No: 4
Cankaya / ANKARA
Telephone: 0.312.216 50 00
www.kvkk.gov.tr

Page 4

The text and other content in this booklet
in whole or in part without permission.
copying, reproduction, use, publication
and distribution is prohibited. About those who do not comply with this law
Legal action will be taken in accordance with Law No. 5846.
All rights of the product are reserved.

Page 5

CONTENTS
1. PERSONAL DATA

one

2. GENERAL (FUNDAMENTAL) PRINCIPLES
5
a) Compliance with the Law and the Rules of Integrity
5
b) Being Accurate and Up-to-Date When Necessary
6
c) Processing for Specific, Explicit and Legitimate Purposes7
d) Relating to the Purpose for which they are Processed, Limited
7
and Measured
Being
e) The Purpose of Processing or Envisioned in the Related Legislation
8
Storage for the Time Required
3. TERMS OF PROCESSING PERSONAL DATA
10
a) Explicit Consent of the Related Person
10
b) Explicitly Provided in Laws
10
c) Consent due to Actual Impossibility
11th
Incapable of Explaining Or With Consent
Legally Not Recognized Person Himself or
Another's Life Or Body Integrity
Mandatory for its Protection
d) Directly with the Establishment or Performance of a Contract
13
Provided that it is Factly Relevant, the Agreement
It is Necessary to Process the Personal Data of the Parties
to be
e) Legal Obligation of Data Controller
14
Mandatory to Fulfill

Page 6

f) Publicized by the Relevant Person Himself
15
to be
g) Establishment, Use or Protection of a Right
16
Mandatory for Data Processing
h) Damage to the Fundamental Rights and Freedoms of the
17Related Person
Legitimate Data Responsible
Obligatory Data Processing for Their Interests
4. SPECIAL QUALITY PERSONAL DATA (SENSITIVE19
DATA)
5. DELETING PERSONAL DATA, NO
DISCLAIMER OR ANNOUNCEMENT
a) Deletion of Personal Data
b) Destruction of Personal Data
c) Anonymization of Personal Data

22

6. LIGHTING OBLIGATION

27

7. RIGHTS OF THE RELATED PERSON

30

8. APPLICATION TO DATA SPEAKER

32

23
24
25

9. COMPLAINTS TO THE BOARD AND REVIEW PROCESS
36
a) Complaint to the Board
36
b) Procedure of Investigation on Complaint or Ex officio 38
And Its Fundamentals
10. REGISTRATION WITH THE DATA CONTROLLERS41REGISTRY

Page 7

11. EXCEPTIONS
50
a) Circumstances in which the Law will not be applied completely
50
b) Some Articles of the Law Will Not Be Applied
54
states
12. DATA SPEAKER AND DATA PROCESSOR

59

Page 9
8

PERSONAL DATA PROTECTION LAW
WHAT YOU NEED TO KNOW ABOUT
1. PERSONAL DATA
In the Law on Protection of Personal Data No. 6698
(“Law”) personal data, identified or
any information relating to an identifiable natural person.
is defined.
In fact, with all kinds of information expression, only the individual
name, surname, date of birth,
not information such as place of birth; as well as the individual
physical, family,
economic, social and similar features.
information is also included.
In the law, personal data is limited by counting.
specific to each concrete event.
extending the scope of personal data
possible.
In this context, the motor vehicle license plate of a real person,
interview results, electronic devices used
IP addresses, audio and video recordings, location information,
criminal record, credit card statements, social media
likes, fingerprints etc. information and personal data

one

Page 10

can be defined as
EXAMPLE: By a video surveillance system
Images of captured individuals can be recognized by individuals
may be considered as personal data.
EXAMPLE: In the telephone banking system, the customer
the voice recording that he instructed the bank as personal data
acceptable.
EXAMPLE: Child related to family in a custody case
The drawn drawing shows the child's feelings towards his family.
It is within the scope of personal data. Other
On the other hand, through this drawing, the family of mother and father
If the behavior in it can be understood, the drawing is the same.
It is also considered as the personal data of the parents.
For an information to be considered personal data according to the law
First of all, it must belong to a real person.
Data relating to legal entities are the definition of personal data.
are excluded.
EXAMPLE: Trade name or address of a company
legal entity information such as
personal data (except in cases where it will be associated)
not counted.
In order for the information to be personal data, the identity must be certain.

Page 11

or relating to an identifiable natural person
required.
The expression of certainty means that the data is of a natural person.
situations where he can directly reveal his identity;
The expression of being identifiable means any record.
identification of the person as a result of the association
means it provides.
EXAMPLE: Name and surname alone are personal data and
can identify a real person. However, first and last name
always enough to identify a natural person
may not, in some cases identify a natural person
other information together with the name and surname so that he can
may also be needed.
EXAMPLE: Commonly used first and last name
In terms of combinations of first and last name alone
may not identify a person, but a real person
always identifiable
is personal data. Name and surname, sometimes odd
directly determines the person concerned, sometimes more than one
indirectly identifies the person concerned. It
status, name and surname do not cease to be personal data.
Similarly, in some cases, first and last name
It is possible to identify a person even without being specified.

3

Page 12

can happen.
EXAMPLE: “A worker in the B unit of Institution A, X
middle-aged, who owns a brand and a red car
and a short man” is the only expression that fits this description.
In case of a person, this person can be determined
considered as personal data.
EXAMPLE: Nicknames, nicknames alone or in other
identify the person when combined with resources
If such data is of a nature to provide personal data
It is considered.
However, the real person to whom the information belongs,
In determining the determinability of each concrete event,
in particular, the ability of the data to identify the person
should be taken into account.

Page 13

2. GENERAL (FUNDAMENTAL) PRINCIPLES
General requirements for the processing of personal data
The principles are stated in Article 4 of the Law. It
principles;
• Compliance with the law and honesty rules
• Being accurate and up-to-date when necessary
• Processing for specific, explicit and legitimate purposes
• Being connected, limited and restrained for the purpose for which they are processed.
• The purpose for which they are processed or stipulated in the relevant legislation
to be stored for the required time
sorted as.
What legal reason/processing is the data processing activity?
All data processing activities, regardless of
should be carried out in accordance with these principles.

a) LAW AND INTEGRITY RULES
ELIGIBILITY
This principle; in the processing of personal data, by law and
in accordance with the principles introduced by other legal regulations
to act, as well as to the persons concerned while processing the data.
take into account their interests and reasonable expectations
means.

5

Page 14

NOTE: Legal compliance, data processing, personal
data protection law or other legislation.
is not inconsistent.
NOTE: Integrity means the personal data of the person concerned.
in such a way as to cause injustice to the person concerned
failure to use it is beyond the reasonable expectation of the person concerned.
meeting and the purpose of collecting personal data
is not exceeded.

b) ACCURATE AND UPDATED WHEN NEEDED
This principle; correct the subject about which the data informs.
means to be able to explain. In this respect correct and up-to-date
the principle of being the data rectification of the persons concerned.
compatible with the right to demand.
EXAMPLE: When calculating the Minimum Living Allowance (AGI)
The current number of children and the employment status of the spouse
correct calculation of AGI and
important to its economic interests.

Page 15

c) FOR SPECIFIC, EXPRESS AND Legitimate PURPOSES
PROCESSING
This policy clearly states the data controller's data processing purpose.
clearly and understandably, and that that purpose is legitimate
makes it mandatory. data controllers,
other than for the purposes they have indicated to the person concerned.
if they process the data for these purposes,
responsibilities will arise.
The purpose is legitimate; processed personal data, data
with the work or service of the person in charge
means that they are connected and necessary for
is coming.
EXAMPLE: An e-commerce site
name, surname and address information for cargo shipping
While the processing is within the scope of the legitimate purpose, the mother maiden
legitimate purpose to process surname or blood type information
will not be considered within the scope of

d) RELATED TO THE PURPOSE FOR WHICH IS PROCESSED,
LIMITED AND MEASURED
This principle is based on the purpose of the processed data.
be conducive to the realization of the purpose

7

Page 16

not related to the realization or need
from the processing of unheard personal data
means avoidance.
EXAMPLE: From the person applying for a credit card,
request information about their preferences in social life
It violates the principle of proportionality.
Data processing other than necessary for the purpose,
violation of the principle of limited data processing for the purpose
forms.
EXAMPLE: Organized by a foundation university
informing the e-mail address for participation in the symposium
e-mail advertising to the person by this university
sending, contrary to the principle of being limited to purpose
creates.

e) PROVISED IN THE RELEVANT LEGISLATION OR
NECESSARY FOR THE PURPOSE FOR THE PROCESSING
STORAGE FOR TIME
According to this principle, data controllers
if there is a stipulated period for storing the data
comply with this deadline; If there is no such period, the data,
only for as long as is necessary for the purpose for which they are processed.

Page 17

they can preserve.
EXAMPLE: A gas station in a certain time
It will give a reward to people who buy a certain amount of gasoline.
in the campaign, the name he collected for participation in the campaign
and any other processing of license plate information.
If there is no condition, it must be deleted at the end of the campaign.
Personal data, after the specified period,
occurs or the data processing condition ceases to exist.
probability of future use after
they cannot be hidden on the basis of their existence.

9

Page 18

3. TERMS OF PROCESSING PERSONAL DATA
Processing personal data in accordance with the law
for the data listed in Article 5 of the Law
presence of at least one of the processing conditions
required. These conditions are:
a) EXPRESS CONSENT OF THE RELATED PERSON
The express consent of the person concerned; on a particular subject
must be informative and freely given.
should be.
NOTE: Explicit consent is obtained, personal data
to the general principles listed in Article 4 of the Law.
It does not mean that it can be processed in violation.

b) EXPRESSLY PROVIDED IN LAW
Regarding the processing of personal data, any
If there is a clear provision in the law, it
processing of personal data is possible.
EXAMPLE: Personnel belonging to the employee in accordance with the Labor Law
retention of information.

Page 19

EXAMPLE: Banking Law m. banks according to 42
processing of customer information held by it.
EXAMPLE: In Article 16 of Law No. 6698
Registration in the Data Controllers Registry
data controllers within the scope of their obligations
Entering information to VERBIS.
EXAMPLE: Article 70 of the Income Tax Law
as per the requirement of those who rent their real estate,
within the scope of the annual declaration
personal data belonging to the Ministry of Finance
processing by the relevant departments.

c) REACH YOUR CONSENT DUE TO ACTUAL IMPOSSIBILITY
UNABLE TO EXPLAIN
LEGAL VALIDITY OR WITH YOUR CONSENT
OR THE UNKNOWN PERSON ITS
SOMEONE'S LIFE OR THE BODY
MANDATORY TO MAINTAIN THE INTEGRITY
TO BE
Any act of the person whose personal data will be processed
unable to express consent due to impossibility
status or legal validity to its consent
the unrecognized person himself or someone else's life and

11th

Page 20

necessary for the preservation of bodily integrity
processing of personal data is possible.
EXAMPLE: The body of an unconscious person
medical intervention to preserve its integrity
in cases where it is necessary; news to relatives
administered by authorized health institutions.
necessary by learning the patient history through the records.
the name of the person for purposes such as making the intervention,
surname, ID number, phone number, etc. personal
The processing of data is within this scope.
EXAMPLE: Rescuing a deprived person
his or the suspect's cell phone
signal, credit card usage and transaction movements, vehicle
tracking system information, MOBESE records, etc. personal
location determination by processing the data by the relevant units.
to be done.
EXAMPLE: Rescuing a person stranded on a mountain
mobile phone signal, GPS and mobile traffic
locating the data by processing it.

Page 21

d) ESTABLISHMENT OF A CONTRACT OR
DIRECTLY RELATED TO THE PERFORMANCE
REGARDING THE PARTIES TO THE AGREEMENT
THE PROCESSING OF PERSONAL DATA IS REQUIRED
TO BE
Personal data based on this data processing condition
that the processing is really for this purpose so that it can be processed
service and limited to this purpose.
must be carried out.
In addition, the personal data processed only
belongs to the parties and is limited to the framework of the contract.
provided that the processing of personal data is necessary,
should not be forgotten.
EXAMPLE: A real estate agent's lease agreement
contract between landlord and tenant
identification number of the parties, bank account
personal data such as number, address, signature and telephone
processing, keeping in file.
EXAMPLE: A good that a seller sells to a customer
move a customer's address to deliver
to give to the company.

13

Page 22

EXAMPLE: A bank signing with a salary client
the customer's identification number under the contract,
e-mail, address, signature, mobile phone number
processing and maintaining personal data such as
to do.

e) LEGAL DATA RESPONSIBLE
FULFILLING ITS OBLIGATION
MUST HAVE FOR
In order to apply this data processing condition, personal data
processing, the legal obligation of the data controller
necessary and limited for that purpose
should be carried out.
EXAMPLE: A cargo that is liable for transportation
In order for the company to deliver to the person,
recording the recipient's address and contact information.
EXAMPLE: A company can pay an employee a salary
for processing bank account information.
EXAMPLE: A service where a seminar is organized
both the participants and the building
participants to ensure their safety.
personal identification number, signature, telephone number, etc.

Page 23

processing of data.

f) BY THE RELATED PERSON ITSELF
IT HAS BEEN PUBLISHED
publicized, in other words, any
personal data disclosed to the public
to be connected for the purpose of making one's public
condition can be processed. In other words, in this case,
personal data subject to the will to make it public
processing is possible.
The declaration of will is essential in making it public. Therefore,
being publicized by the person himself,
for any purpose other than the will to make it public
where this personal data can be used and processed
will not mean.
EXAMPLE: Personnel working in a public institution
name, surname and business phone information of citizens
Internet access of the institution for easy access.
If shared on the website, this phone
numbers, business and business in the jurisdiction of the public institution
can be used in transactions.

15

Page 24

EXAMPLE: The internet where used vehicles are sold
The contact of the person who wants to sell his vehicle on the website
marketing information other than vehicle purchase and sale.
purposes, within the scope of this data processing condition.
are not evaluated.
EXAMPLE: The person to whom a lawyer gives his business card can only
on a business card for purposes such as legal advice.
You can use the GSM number listed. However, in question
SMS with advertisement and campaign content to GSM number
the will of the lawyer to send or search
contrary to his statement.

g) INSTALLATION, USE OF A RIGHT OR
DATA PROCESSING IS MANDATORY FOR PROTECTION
TO BE
A right by data controllers to the data subjects
establishment, use or
if necessary for the protection of their rights
personal data can be processed.
EXAMPLE: A company filed by its own employee
in a case, using some data for proof
evaluated in scope.

Page 25

EXAMPLE: As a parent/guardian by the court
a person appointed as a parent/guardian
making an application to the relevant public institutions on behalf of the person
to process its data.
EXAMPLE: A lawyer signed with his client
under the contract, his client before the court
to sue, represent, or other judicial
to exercise their rights, such as
processing personal data to enable

h) FUNDAMENTAL RIGHTS OF THE RELATED PERSON AND
NOT TO DAMAGE THEIR FREEDOM
WITH THE REGISTRATION OF THE DATA SUBJECT
DATA PROCESSING FOR THE INTERESTS
MUST HAVE
In order for this provision to be implemented; data processing
obligatory for the legitimate interest of the person responsible
and damage to the fundamental rights and freedoms of the person concerned.
should not give.
EXAMPLE: Selling, acquiring a business
In case of such a situation, buy the company
including the personal data of the personnel of the recipient
legitimate interest in examining certain information

17

Page 26

can be evaluated within the scope of
EXAMPLE: An employer's
job security to ensure the safety of employees
employees to establish mechanisms
processing of personal data.

Page 27

4. SPECIAL QUALITY PERSONAL DATA
(SENSITIVE DATA)
Protection of personal data with stricter measures
special quality (sensitive), which is a category that requires
personal data, if learned by others
victimization of the person concerned, subject to discrimination
to remain or to damage his honor and dignity.
data that can cause Therefore,
which personal data are sensitive data, and
Conditions for the processing of special categories of personal data are in the Law.
also edited.
People's race, ethnicity, political thought, philosophical
belief, religion, sect or other belief, disguise
and clothing, association, foundation or union membership,
health, sexual life, sentencing and safety
biometric and genetic
data are counted as special quality personal data.
Conditions for Processing Special Quality Personal Data:
The processing conditions of these data are stipulated in Article 6 of the Law.
specially arranged.
Rule for the processing of special categories of personal data
express consent of the person concerned is required.

19

Page 28

EXAMPLE: Volunteer in clinical trials
explicit consent must be obtained.
In some cases where the person concerned does not have express consent,
processing of special categories of personal data
possible. However, without the express consent of the person concerned
situations where this data can be processed
life data and other special quality personal data
data has been segregated. This
by;
*Special quality data other than health and sexual life;
only in cases stipulated by law,
may be processed without consent.
*Data on health and sexual life; but public
health protection, preventive medicine, medical diagnosis,
providing treatment and care services, health
Planning and management of services and financing
for the purpose of secrecy,
by persons or authorized institutions and organizations
can be processed without seeking the explicit consent of the person concerned.
NOTE: Provision of health care in law
processing of certain types of data valid for
exception has been made and this exception is only for secrecy.
limited to persons subject to its obligations.

Page 29

EXAMPLE: A person's blood pressure in hospital A
treatment of heart disease in hospital B.
due to a heart condition
These two hospitals are about the patient who needs surgery.
doctor's transfer of health data to each other.
Special qualifications pursuant to paragraph 4 of Article 6 of the Law
in the processing of personal data, also by the Board
Adequate measures must be taken.
NOTE: In accordance with paragraph 4 of article 6 of the Law, Personal
"Special Qualified Personal" by the Data Protection Board
Receipt of Data by Data Controllers in Processing
titled "Adequate Measures Required", dated 31/01/2018
and its decision No. 2018/10 Official dated 07/03/2018
It was published in the newspaper.

21

Page 30

5. DELETING PERSONAL DATA, NO
DECLARE OR ANONYMOUSLY
According to Article 7 of the Law, personal data is legal.
processing, even if properly processed
data when the reasons for
Ex officio or at the request of the person concerned
should be deleted, destroyed or anonymized on
should be brought.
EXAMPLE: For a lottery in a shopping mall
information such as name, surname, telephone number collected,
for further promotions by the mall
must not be used, after the completion of the lottery
should be deleted.
NOTE: According to the 3rd paragraph of the 7th article of the Law,
by the Personal Data Protection Board based on the authority
“Deletion, Destruction of Personal Data” prepared
Or Anonymization Regulation”
Published in the Official Gazette dated 28.10.2017
It entered into force on 01.01.2018.
NOTE: Article 22 of the Law numbered (1)
Protection of Personal Data pursuant to subparagraph (g) of paragraph
Once established, data controllers are authorized to delete, destroy or
provide guidance on anonymization and

Page 31

to show examples of good practice “Personal
Deletion, Destruction or Anonymization of Data
Bringing the Guide” has been prepared and the aforementioned guide,
It is available on the institution's website.

a) DELETING PERSONAL DATA
Deletion of personal data
users (data controller or data processor)
technically storing and protecting data
and everyone except those responsible for backup)
become inaccessible and unusable in any way.
delivery process.
EXAMPLE: Personal data of employees are stored on the server.
a company that is holding one of its employees
in case of leaving the job, this data is
data deletion as it cannot completely destroy the server
applies the operation. This data is applied to some techniques.
back by the database administrator.
human beings, although
by the sources or by those in the other unit.
will become inaccessible.
EXAMPLE: Applications for a position at a company
personal data received and included in all applications,

23

Page 32

in paper form according to the candidates' identification number
transferred to the list, application documents are also kept.
archived in the relevant file.
Application while evaluations continue at the company
one of the owners has withdrawn the application
in case the processing condition of this person is no longer valid.
deletion, destruction or anonymization of this data
necessity has arisen. In this case,
It is possible to destroy the application document.
However, a list with all references
processing by other persons on this list.
This list is not available due to ongoing conditions.
Since it would not be right to apply, it is only necessary to apply
data belonging to the person who has given up, in the relevant list
blackout is possible.

b) DESTRUCTION OF PERSONAL DATA
Destruction of personal data
cannot be accessed by anyone in any way,
irretrievable and unusable
process.
EXAMPLE: Organization as part of a symposium
will participate in the symposium by
personal data of persons in portable memory or

Page 33

It is kept on CD. Completion of the symposium
and after the expiry of the required storage period
From now on, the data in question must be destroyed. It
In case of personal data of the participants,
memory stick or CD may break,
can be burned or passed through a metal grinder.

c) MAKING PERSONAL DATA ANONYMOUS
BRING
Anonymization of personal data
under no circumstances, even if matched with other data.
cannot be associated with an identifiable natural person.
means.
EXAMPLE: By a public opinion research company
In the research carried out in a neighborhood, the name, surname, TR
identity number, age, gender, payment preferences,
mobile phone model used, vehicle owned
information such as brand, clothing and brand preferences
was asked and the result of the research was shared with the public.
wanted to be shared. According to this; name, surname, TC
directly any person, such as an identification number
from the list of those who can make it specific or identifiable
removing it, making it invisible by staring / pressing
bringing, generalizing, k-anonymity, l-diversity,

25

Page 34

Anonymization using techniques such as t-proximity
can be brought.
NOTE: By contacting the data controller of everyone
Personal data related to him/her in Article 7 of the Law
to be deleted or destroyed in accordance with the stipulated conditions.
has the right to request

26

Page 35

6. LIGHTING OBLIGATION
Data controller or authorized person, personal
relevant persons at the time of obtaining the data.
According to Article 10 of the Law,
obliged to inform:
• Identity of the data controller and its representative, if any,
• For what purpose personal data will be processed,
• To whom and for what purpose the personal data processed
can be transferred,
• Method and legal reason for collecting personal data,
• Others of the person mentioned in Article 11 of the Law.
rights.
NOTE: Published in the Official Gazette dated 10.03.2018
“In Fulfillment of the Illumination Obligation
With the Communiqué on the Procedures and Principles to be Complied
while fulfilling this obligation by those responsible
Points to be noted are outlined.
While lighting;
• The personal data processing purpose must be specific, clear and legitimate,
• The notification to the relevant person should be clear and simple,
• The language used, the category of contact to which the information is addressed
should be determined, taking into account

27

Page 36

• Avoid vague expressions and technical terms in the texts.
should be avoided,
• Include incomplete, misleading or incorrect information in the texts.
should not be given.
Within the scope of the lighting obligation, the relevant persons
It is possible to be informed in written or oral form.
may be sent electronically,
via e-mail, voice recording or call center.
possible to be informed.
NOTE: With the express consent of the person concerned, personal data
also based on other data processing conditions in the Law.
of the obligation to inform
obligatory to be fulfilled.
NOTE: The data controller is responsible for the request of the person concerned.
fulfill its obligation to inform without waiting
should bring.
NOTE: The data controller fulfills the obligation to inform.
responsible for proving that he has done so.
NOTE: By the Personal Data Protection Authority,
fulfillment of the lighting obligation
to guide data controllers on
and to show examples of good practice

28

Page 37

“Fulfilling the Lighting Obligation
Guide” was prepared on the Institution website.
has been published.

29

Page 38

7. RIGHTS OF THE RELATED PERSON
According to Article 11 of the Law, the persons concerned are always
about himself by applying to the data controller;
• Learning whether personal data is processed or not,
• If personal data has been processed, request information about it
don't,
• The purpose of processing personal data and their
learning whether it is used for its intended purpose,
• Personal data at home or abroad
knowing the third parties to whom it has been transferred,
• Incomplete or incorrect processing of personal data
in case of requesting their correction,
• Conditions stipulated in Article 7 of the Law
deletion or destruction of personal data within the framework of
do not want to,
• Correction, deletion or destruction processes,
to third parties to whom personal data is transferred
request notification,
• Exclusively automated systems of processed data
the person himself by analyzing it through
to object to the emergence of a result against him,
• Unlawful processing of personal data
in case of damage due to
request removal
has rights.

30

Page 39

NOTE: By the data controller as soon as possible to the request and
A reply must be given within 30 days at the latest.
However, if the application is rejected or the answer given
in case of insufficient, within 30 days, to the application
In case of not responding in due time, the application
within 60 days from the date of the relevant persons to the Board.
can file a complaint.
NOTE: The persons concerned, in Article 11 of the Law,
primarily to data controllers regarding their requests.
should apply. Personal Data without consuming this way
Complaints should not be made to the Protection Board.

31

Page 40

8. APPLICATION TO DATA SPEAKER
In Article 13 of the Law, the data of the person concerned
Matters regarding the application to the supervisor
are held.
According to the first paragraph of the article, the persons concerned
their requests regarding the implementation of
must be reported to the supervisor. Related persons,
their requests in writing to the data controller or
by other means to be determined by the Board.
are allowed to transmit.
NOTE: To be made to the data controller by the relevant persons
application in writing or as determined by the Board.
may be transmitted by other means. In this context
Other methods determined by the Board,
“Data” published in the Official Gazette dated 10.03.2018
About the Procedures and Principles of Application to the Responsible Person
It is regulated in the Communiqué.
NOTE: According to Article 5 of the Communiqué, the person concerned
within the scope of the rights specified in Article 11
requests in writing or by registered e-mail.
(KEP) address, secure electronic signature, mobile signature or
to the data controller by the data subject beforehand.
reported and registered in the system of the data controller.

Page 41

using the e-mail address
or software developed for reference purposes
or through the application to the data controller.
In the second paragraph of the same article, the data receiving the request
of the person in charge; free of charge or separately
by the Board if it requires a cost
according to the determined tariff, in return for the fee to be charged,
reviewing the request as soon as possible and within 30 days at the latest,
acceptance or refusal by explaining the reason, also
It is envisaged to notify the relevant person of the answer.
NOTE: The natural person or private company of the data controller
and they are subject to the Notification Law No. 7201.
are taken into account that they are not subject to
where he has to “notify” his answer to the person concerned
has been adjudicated.
This notification is a matter of proof and
will be considered by the authorities. Subject to Law No. 7201
These notifications of institutions and organizations
by official notification pursuant to the provisions of
is clear.
Pursuant to paragraph 3 of the article, the data controller request
accepts or rejects by explaining the reason.
The data controller responds to the relevant person in writing or

33

Page 42

reports electronically.
If the request in the application is accepted, the data
carried out by the responsible person. Data of the application
in case of fault of the responsible
The fee is refunded to the person concerned.
EXAMPLE: A person who has left the company he works for,
Deletion, destruction of the relevant data of the Board
to the data controller through the methods determined by him.
can apply by applying. data controller
makes the evaluation and gives an answer to the person concerned.
The data controller submits the request of the person concerned within 30 days.
accepts or rejects by explaining the reason.
Refusal of application or response
in case of inadequacy before the person concerned
within 30 days from the date the person received the reply
A complaint can be made to the Board. data controller
If the application is not answered by
if; to the Board within 60 days from the date of application.
can make a complaint.
EXAMPLE: Address of person who is a bank customer
credit card statements to your old address because it has changed
sent and the person cannot access their statements.
By applying to the data controller, the person

Page 43

relevant incomplete or incorrectly processed data.
reserves the right to request correction. contact, data
required as a result of the response from the person in charge
In the event of a complaint to the Board,
EXAMPLE: During the registration process at the hospital,
information of the person notifying the registrar, the official
staff repeating this information out loud
by other people whose result is in the queue.
has been learned. Contact person who is disturbed by this situation
first, apply to the hospital that is the data controller.
Depending on the quality of the response received, the Board may file a complaint.
may prefer.
EXAMPLE: A data controller of personal data
who learns that it has been processed illegally by
a person for the purpose of application of the data controller
You can submit your application via the mobile application developed by
as soon as possible and as soon as possible after that date.
by the data controller within 30 days.
response is required. However, the application
refusal or inadequate response
within 30 days, timely response to the application
If not granted, from the date of application.
within 60 days from the date of the relevant persons complain to the Board.
can go his way.

35

Page 44

9. COMPLAINTS TO THE BOARD AND REVIEW PROCESS
Persons whose personal data are processed, 11 of the Law.
Before exercising the rights envisaged in Article
to apply to the data controller, depending on the nature of the response.
It is possible to file a complaint with the Board.

a) COMPLAINT TO THE BOARD
Subject of complaint to the Board with Article 14 of the Law
are held.
According to this; within the scope of Article 13 of the Law.
rejection of the application,
inadequate or timely response to the application
In the event that the data controller is not provided, the data controller
30 from the date of learning the answer and in any case
to the Board within 60 days from the date of application.
can make a complaint.
In the second paragraph of the article, in the 13th article of the Law
a mandatory application of the application stage
and that there is a way to complain before this way is exhausted.
It is ruled that he cannot go. thus
data controllers of a certain part of the disputes
by the Board and thus the intense

36

Page 45

avoiding a workload
is intended.
It is obligatory to go to the application way, to the complaint way
Since leaving is optional, the application
implicitly or expressly denied
on the one hand, to file a complaint with the Board, on the other hand,
it is possible to go to the judicial or administrative judicial remedy.
will be.
Persons whose personal rights are violated with paragraph 3 of the article,
reserves the right to compensation in accordance with the general provisions
held is held. In this context, data
according to the legal status of the responsible person,
They can also sue in administrative court.
EXAMPLE: By the data controller, the data subject
Advertising and campaign on your phone without permission
content SMS is sent. In this case relevant
person; to the data controller in writing or electronically
may submit its request. Data controller concerned
responding to the person's request within 30 days
liable. According to the response from the data controller
The person concerned can make a complaint to the Board if he/she wishes.
NOTE: The data controller cannot be reached in any way,
data controller could not be identified.

37

Page 46

in cases where the person concerned is demonstrable
complaint directly to the Board, provided that it is a document
can go his way.

b) BY COMPLAINT OR EXHIBITION
PROCEDURES AND PRINCIPLES OF THE EXAMINATION
To be made by the Board with Article 15 of the Law
The procedures and principles of the examination are regulated.
Accordingly, the Board, upon complaint or claim of violation
ex officio, in case of learning
will be able to make necessary investigations on the issues. It
review complaint or ex officio complaint
will be subject specific.
On the Exercise of the Right to Petition No. 3071
Not meeting the conditions specified in Article 6 of the Law
Notifications and complaints will not be considered.
Data controllers, state secret information and
Except for the documents, the requested information and documents are submitted to the Board.
send within 15 days or on-site as needed
must allow for an investigation.
Upon the complaint, the Board examines the request and sends a letter to the concerned.

38

Page 47

answers. Within 60 days from the date of complaint
If no response is received, the request will be deemed rejected.
Accordingly, 60 days from the date of complaint
time to file a lawsuit in administrative court
will start. The board will make a complaint
Even if a 60-day period is foreseen for the examination, ex officio
any period of time for the examinations to be carried out
not foreseen.
NOTE: It should be noted that; complaint of the person concerned
Upon the request, the Board examines the request and sends a
answers. A response from the board
It doesn't mean it's finished. Review process
it can continue.
Investigation made on the complaint or ex officio
As a result, if the existence of the violation is understood,
The Board shall determine the data of the unlawful violations it has determined.
by deciding to remove it by the responsible
notify the concerned. This decision, since its notification
without delay and within 30 days at the latest.
Investigation made on the complaint or ex officio
As a result, it is determined that the violation is widespread.
If necessary, relevant institutions and organizations
decision of principle by the Board by taking the opinions of

39

Page 48

is taken and published.
Occurrence of irreparable or impossible damage, and
in case of a clear violation of the law, the data shall be submitted to the Board.
processing or transferring data abroad.
authorized to stop it.
EXAMPLE: It constitutes a clear violation of Law No. 6698.
the Board, within the scope of Article 18.
may impose an administrative fine, as well as difficult to compensate or
in case of impossible damage, access to data
restriction, data processing or
may also decide to suspend the transfer.

40

Page 49

10. REGISTRATION WITH THE DATA CONTROLLERS REGISTRY
Article 16 of the Law requires data controllers to be registered.
regulates the required Data Controllers Registry.
Data Controllers Registry, Protection of Personal Data
by the Presidency under the supervision of the Board
is kept publicly available.
Natural and legal persons processing personal data
to the Data Controllers Registry before starting the processing.
must register.
However, the nature and number of processed data
arising from the law or to third parties
to be determined by the Board, such as transfer status
taking into account objective criteria,
Exception to the registration obligation by the Board.
can be brought.
NOTE: Paragraph (1) of Article 16 of the Law
and the Regulation on the Data Controllers Registry
Data Controllers Registry Information in accordance with the relevant articles
System (VERBIS) was prepared and put into use.
Processing personal data, with exceptions
real and legal persons who are registered with VERBIS
liable.

41

Page 50

The application for registration in the Data Controllers Registry is as follows:
is made in a notification containing the following;
• Identity of the data controller and its representative, if any.
address information,
• For what purpose personal data will be processed,
• The data subject group and groups and their
explanations about data categories,
• Recipient or recipient to whom personal data can be transferred
groups,
• Personal data intended to be transferred to foreign countries,
• Measures taken regarding personal data security,
• Necessary for the purpose for which personal data is processed.
maximum time.
By data controllers, containing this information
registration is made to VERBIS with a notification. Aforementioned
changes in the information immediately to the Institution.
Reported to the President.

42

Page 51

NOTE: The Regulation on Data Controllers Registry
According to article 13, changes in the information registered in the Registry
from the date of the change, if any.
Update via VERBIS within 7 days from
needs to be done.
Other procedures and principles regarding the Data Controllers Registry
It is regulated by regulation.
NOTE: Article 16 of the Law No. (5)
Personal Data based on the authorization given by paragraph
“Data Controllers” prepared by the Protection Board
Regulation on Registry” dated 01.01.2018
entered into force.
NOTE: Dates of registration to VERBIS Board No. 2018/88
Determined by decision. Relevant Board Decision www.
It can be accessed via the address kvkk.gov.tr.
Registration in the Registry in the Board Decision No. 2018/88
liability start dates are as follows:
has been declared:

43

Page 52

Data controllers

Registration start
historical

Last for registration
history

Time

Number of employees per year
more than 50 or
annual financial balance sheet
total 25 million
01.10.2018
more than TL
natural and legal person

12 months

30.09.2019

01.10.2018

12 months

30.09.2019

01.01.2019

15 months

31.03.2020

01.04.2019

15 months

30.06.2020

data controllers
abroad
established truth
and legal person data
for those responsible
annual employee
fewer than 50 and
annual financial balance sheet
total 25 million
less than TL
main activity
special quality personal
with data processing
natural and legal person
data controllers
Public institutions
and Establishment data
those responsible

NOTE: Annual employee included in board decisions
To calculate the number of first completed
to be one year and 12 within this completed year
by the data controller in each of at least 7 of the months
authorized public institutions and organizations are paid monthly
declared in the premium and withholding declaration
The number of employees must be taken into account.
In addition, the 7 months in question must be in the same year.
does not necessarily have to be consecutive. According to this,

44

Page 53

Social responsibility of a data controller in 2017
Concise statement given to the Security Institution and
each of at least 7 of the premium service declarations
more than 50 of the number of employees reported in one
registration obligation 01.10.2018
will start on.
NOTE: The annual financial balance sheet included in the Board decisions
completed first to calculate the total
one year and within this completed year
to the authorized public institution by the data controller.
annual income or institutions
"active" in the financial statements attached to the tax return
or based on the total figure in the "passive" section.
should be taken.
NOTE: The main activity in the board decisions
whether the subject is special categories of personal data processing
Data controllers are the most
activities that generate added value or the basic
Processing of special categories of personal data in line with their work and duties
situation is taken into account.
In other words, it should be evaluated here;
in any activity of data controllers.
not the processing of special categories of personal data,
carried out within the scope of their main activities
whether the subject of their business is personal data of special nature

45

Page 54

is not.
In addition, pursuant to Article 11 of Law No. 5429,
Since 2012, all public institutions in our country
institutions and organizations under the coordination of TUIK
created NACE Rev.2 economic activity
classification is used by our Institution.
activities of data controllers
from the aforementioned NACE activity codes.
are utilized. In this context, data controllers
in the trade registry or tax plate.
activity codes.
NOTE: In the decision of the Board, all data residing abroad
Registration obligation for those responsible for starting the Registry
The date has been determined as 01.10.2018. According to this,
Registration of data controllers residing abroad
annual period in determining the starting date of the obligation.
number of employees, financial balance sheet total or main activity
whether the subject matter is sensitive personal data
information is not taken into account.
EXAMPLE: A domestic automotive company
employees in the human resources department
some health data as well as personal data
is also processed. In this case, the company's registration in the Registry
in order to determine whether it is liable

46

Page 55

First of all, determining the main field of activity
required. In addition to personal data of employees
Processing of some health data as well
its main activity is the processing of special categories of personal data.
Does not mean. As an automotive company
The main activity of the company is the processing of special categories of personal data.
will not be counted. Here, Board 2018/88
It should be checked whether the criteria in the decision are met.
and registration must be determined.
EXAMPLE: A company headquartered abroad
It has a branch operating in Turkey.
Registration of the branch operating in Turkey with VERBIS
in order to determine whether it is liable
The branch in Turkey;
• Does it have a different legal personality?
• Does it own personal data processing purposes and methods?
determines?
• Establishment of the data recording system and
Is it responsible for its management?
must answer the questions positively.
In this case, if different from the company abroad
in Turkey, if it is a data controller.
one of the criteria in the Board Decision No. 2018/88 of the branch.
registering with VERBIS in case of providing one
required.

47

Page 56

NOTE: According to paragraph 2 of Article 16 of the Law,
Protection of Personal Data based on authorization
Registration with VERBIS for some data controllers
exemption from the obligation. These exceptions
Announcement in the Official Gazette dated 15.05.2018 and 18.08.2018
and announced on the Institution's website.
From Obligation to Register with a Board Decision
Data Controllers with Exception
In the Official Gazette dated 15.05.2018
Board Decisions Published

In the Official Gazette dated 18.08.2018
Board Decisions Published

By Non-Automatic Ways
Personal Data Processors

Customs Brokers

notaries

Mediators

Political Parties, Associations,
Foundations, Unions
lawyers
Certified Public Accountants and
Certified Public Accountants

Annual Number of Employees Less than 50 and Annual
Financial Balance Sheet Is Less Than 25 Million TL
Main Activity Private Personal Data
Non-Processing

All data controllers not covered by the exception
Login to VERBIS via www.kvkk.gov.tr
must be registered. When registering with VERBIS
strictly to personal data by data controllers
will not be included, only the headings on a categorical basis
What kind of personal data is processed in case of
It is processed for the purpose, to whom it is transferred, the measures taken
Information such as what is going on will be entered into the system.

48

Page 57

EXAMPLE: A company data as name-surname, identity
If the number is working, the 'ID' during registration to VERBIS
I'm processing the information' option will be selected. It
In this sense, VERBIS is open to the public and provides transparency and accountability.
based on the principles of availability.
Personal data processed by data controllers,
If there is no equivalent in the categories in VERBIS,
These data categories are 'other' in VERBIS.
It can be entered manually by clicking the button.
In case of not registering in this system, the Board
Administrative fine from 20 thousand TL to 1 million TL
will be given. The amounts of the administrative fines in question,
is increased every year at the rate of “revaluation”.
Registration of public institutions and organizations to VERBIS
if not; according to disciplinary provisions
action will be taken and the result will be reported to the Board.

49

Page 58

11. EXCEPTIONS
With Article 28 of the Law, it is completely within the scope of the Law.
situations and partially within the scope of the Law.
activities outside of it.

a) THE LAW WILL NOT FULLY APPLY
CASES
In the first paragraph of Article 28 of the Law, the Law
in which cases the provisions will not be applied,
In other words, it is completely outside the scope of the Law.
matters are regulated.
NOTE: The principles regarding the processing of personal data
be at the core of personal data processing activities, and
All personal data processing activities comply with these principles.
should be performed as Hence, although
full and partial from the Law on the basis of various activities.
although exceptions are provided, in accordance with the basic principles and proportionately.
personal data must be processed.
Accordingly, in the following cases, numbered 6698
The provisions of the law will not be applied;

50

Page 59

1. Personal data not to be given to third parties and data
provided that the obligations regarding safety are complied with
by natural persons wholly with himself or herself or
activities related to family members living in the same residence
processing under
EXAMPLE: A mother not giving to third parties
and comply with obligations regarding data security
provided that the child or spouse living in the same residence
taking and saving photos with a mobile phone,
situations such as processing identity information to the directory
It falls outside the scope of the law.
2. Anonymization of personal data with official statistics
research, planning and statistics
processing for purposes such as
EXAMPLE: Official by authorized public institution
being processed within the scope of the Statistical Program (RIP)
personal data is outside the scope of the Law. With this
together with the official statistics of the public institution in question.
in terms of personal data processed outside of
obligation to comply with Law No. 6698 continues.
is doing.
EXAMPLE: By a data controller; become anonymous
research, planning and statistics

51

Page 60

Personal data processed for purposes such as
falls outside its scope. However, this
anonymized personal data
must be sure.
3. Personal data on national defense, national security,
public safety, public order, economic
security, privacy or personal rights
provided that it does not violate or constitute a crime,
for artistic, historical, literary or scientific purposes, or
processed within the scope of freedom of expression,
EXAMPLE: Personal data committed within the scope of freedom of expression
although the data remained outside the scope of the Law
Although freedom of expression and protection of personal data
It is recommended to perform some kind of balance test between Expression
protection of the personal data of the individual, with the freedom of
the expectation that it will enjoy the right
by keeping a fair and reasonable balance between demand and
Protection of personal data with freedom of expression
a balance between the right to
should be installed.
EXAMPLE: Personal data can be used to protect national defense, national
security, public safety, public order,
economic security, privacy or
not to violate personal rights or constitute a crime

52

Page 61

publicly known, provided that
biography of the artist's life
provided that the situation is limited to this field of activity
It is out of the scope of Law No. 6698.
4. Personal data on national defense, national security,
public safety, public order or economic
duties and obligations by law to ensure security
by authorized public institutions and organizations
preventive, protective and intelligence activities carried out
processing under
EXAMPLE: National Intelligence Units
defense, national security, public security, public
aimed at maintaining order or economic security.
data processed as outside the scope of the Law
remains.
Likewise, money laundering
prevention of financing and investigation of financial crimes
collecting data by authorized units, financial
obtaining intelligence, suspicious transaction reports
to receive, analyze and share with relevant institutions
committed within the scope of activities carried out for the purpose of
data is outside the scope of the Law.

53

Page 62

5. Investigation, prosecution of personal data,
judiciary in relation to trial or execution proceedings
processing by authorities or enforcement authorities.
EXAMPLE: During the prosecution of a criminal case
persons concerned by the courts.
Data processing is outside the scope of the Law.
remains.
NOTE: Article 28 of the Law No. 6698 (1)
within the scope of the activities listed in paragraph no.
Provisions of the Law for processed personal data
other than these activities,
in terms of data processing activities carried out
The obligation to comply with the law continues.

b) SOME ARTICLES OF THE LAW
NOT APPLIED CONDITIONS
In paragraph (2) of Article 28 of the Law,
Matters that are partially outside the scope of the Law
are held. Accordingly, as a rule this
Obligation to comply with the Law in cases listed in the paragraph
However, only certain provisions
There is no obligation regarding Other
in a word, within the scope of this paragraph; of the data controller

54

Page 63

Article 10, which regulates the obligation to inform,
excluding the right to demand reparation
Article 11, which regulates the rights of the person concerned,
and the obligation to register with the Data Controllers Registry
listed in the provisions of Article 16 regulating
cases, it is not applicable.
Here only in certain situations and certain matters
exceptions are stipulated for the
Compliance with the obligations of the law
condition will always be required. In this context, the Law
be in accordance with its purpose and basic principles and be proportionate
exempt from Articles 10, 11 and 16 of the Law, provided that
The situations held are:
1. Preventing personal data processing from committing a crime
or necessary for criminal investigation.
EXAMPLE: A person traveling by car
A family was hit by security forces on the road.
has been stopped. As part of the criminal investigation,
Family identity checks are required.
relevant persons of the security forces
lighting, responding to the contact application and
Information on these declarations during registration to VERBIS
There is no obligation to enter.

55

Page 64

2. Made public by the person concerned
processing of personal data.
Personal data by the person concerned
third parties if made public
such data processing in order to be processed by
in accordance with the will and purpose of publicizing its activity
must be.
EXAMPLE: The person's public access
name, surname and phone on social media account
by sharing the number of people you know
if he states that he can reach
of the Law in case of sending an SMS to him.
Application of the provisions of Articles 10, 11 and 16
it is not mandatory.
EXAMPLE: A doctor in private practice,
when it gives a newspaper advertisement for advertising purposes,
contact information in the advertisement, limited to
has made public. This contact information
will reach the doctor in order to get service using
the person to the provisions of Articles 10, 11 and 16 of the Law.
Compliance is not mandatory.
3. Personal data processing is authorized by the Law
responsible and authorized public institutions and

56

Page 65

organizations and public institutions
institutions, control or regulation
disciplinary investigation or
necessary for prosecution.
EXAMPLE: A public institution's audit
made by the staff about the staff of the institution.
regarding that personnel during the disciplinary investigation.
possible to process personal data. In this case, the relevant
informing the personnel, if any, to apply
response and registration of the public institution in VERBIS
matters such as reporting this data category during
it is not mandatory.
EXAMPLE: Banking Regulation and Supervision
Authority (BDDK) and the Radio and Television Supreme Council
Regulatory and supervisory institutions such as (RTÜK);
supervision or control based on the authority granted by law.
discipline with the execution of regulatory duties
be necessary for the investigation or prosecution
only within the scope of these duties.
limited to the personal data processed by the Law.
Application of the provisions of Articles 10, 11 and 16
it is not mandatory.

4. Budget, tax and financial issues of personal data processing
the economic and financial interests of the State with regard to

57

Page 66

necessary for its protection.
EXAMPLE: Revenue Administration by relevant persons
During the submission of the lease declaration to the President
in terms of the processing of shared personal data,
Informing the relevant person of the Revenue Administration,
responding to the relevant person application and registering with VERBIS
Obligation to enter information regarding these declarations during
not available.

58

Page 67

12. DATA SPEAKER AND DATA PROCESSOR
Data controller; the purposes of processing personal data
data recording system, which determines the means and
responsible for establishing and managing
is a natural or legal person. Legal entities, personal
its activities in data processing
are themselves data controllers within the scope of
legal liability specified in the relevant regulations
shall arise in the person of the legal person.
In this regard, public law legal persons and private law
No difference was observed in terms of legal persons.
In this context, both criminal and legal liability
regarding the liability of legal persons in terms of
general provisions in private and public law
is applied.
EXAMPLE: Name to be able to pay the salary of the staff,
phone number, bank account number, etc.
a white man who keeps his personal data in a database
goods manufacturing company in this context, both personal data
processing purpose as well as data processing tools and methods
and also a data record for this
system has been created. Briefly why and
decides how it processes personal data.
For this reason, the company in question, in terms of the Law

59

Page 68

is the data controller.
Legal personality of units within a company
data controller of these units.
it's not possible. However, a
each company constituting the group of companies
personality, each of these companies
It is possible to be a separate data controller.
If the data processor is; authority given by the data controller.
that processes personal data on its behalf, on the basis of
real outside the organization of the person in charge
or legal entities. It
persons, personal data, instructions given to him
the personal data of the data controller, which is processed within the framework of
authorized by concluding a processing contract
is a separate natural or legal person.
NOTE: The data processor has signed with the data controller.
received from the data controller within the framework of the contract.
Personally, on behalf of himself, out of authority and instruction
personal data in case it starts to process data
data controller by leaving the status of data processor for
status will be.
EXAMPLE: Personal data collected by a private company
contract with a cloud service provider to store

60

Page 69

cloud service provider data
is in working condition. Because between the parties
data of the cloud service provider by contract
It cannot be used for its own purposes.
In addition, the cloud service provider itself
does not collect. Personal activity from the company
data again in accordance with the instructions of the private company.
is to hide.
NOTE: Any natural or legal person
At the same time, both the data controller and the data processor
may be.
EXAMPLE: An accounting firm with its own staff
data controller in relation to the data he holds
while the contract he signed with his customer
personal data processed for the customer within the scope of
shall be deemed to be a data processor. However,
out of the scope of the contract and the data controller
personal data on his behalf in violation of his instructions
process, it will be a separate data controller.
EXAMPLE: Within an Institution and externally
service procurement call center service company,
Data in terms of the data processed by the institution
about its own personnel while operating
data controller in terms of personal files he keeps

61

Page 70

status can be.
The activities of the data processor are more
It is limited to very technical parts. Personal data
The authority to take decisions regarding the processing of data
belongs to the person responsible. Data controller personal data
It is the person who determines the purpose and method of processing. So
personal data processing, which has the power to make decisions on its own behalf
questions of “why” and “how”
He is the one to answer.
To identify the data controller;
• Collection and collection method of personal data,
• Types of personal data to be collected,
• For what purposes the collected data will be used,
• Which individuals' personal data will be collected,
• Whether the collected data will be shared,
if it is shared, with whom it will be shared,
• How long the data will be stored,
• How to ensure the rights of the persons concerned
It takes into account who makes the decision.
However, the data controller, the personal data to be
with the processing contract;
• What information to collect personal data
technologies systems or other methods

62

Page 71

will be used,
• The method by which personal data will be stored,
• Security to be taken for the protection of personal data
details of the measures,
• Which method of transfer of personal data
will be done,
• Duration of storage of personal data
the method to be used for its correct application,
• Deletion, destruction and anonymity of personal data
methods of making
to the data processor with the authority to decide on
may leave.
NOTE: Data controller, personal data
on behalf of another natural or legal person (data processor)
if processed by; any technique taken
and administrative measures together with these persons.
jointly responsible.
Some common ground between data controller and data processor
There are points. These;
a) In terms of data controller, data within a company
any person responsible for processing activities
is not implied. The data controller itself is a legal entity.
is the personality itself.

63

Page 72

Being a data controller (as well as a data processor),
To determine the legal obligations of the law
It is a status determined for the purpose of
If it meets the specifications, the company's legal
personality will also have this status.
For example, as part of data processing activity
not the person who receives and records documents in a company,
The company itself has the title of “data controller”.
EXAMPLE: Applying to a company while applying for a job
Submit the form to the Human Resources Department.
Human Resources of the data controller
It doesn't mean he has a department. data here
responsible for the company having legal personality
is himself.
EXAMPLE: Service provider for hotel reservations
information given to a website for reservation
service that receives this information first-hand in terms of
provider appears to be the data controller of the website
herein, the purpose and means of processing personal data
It has the status of data controller because it is the hotel that determines it.
The legal entity that owns it is the hotel.
b) Both concepts, both real and legal
applies to individuals. For example, a freelance

64

Page 73

accountant or a financial advisory firm
The data controller can be both a data processor. also
each company constituting a group of companies
individual, each of these companies
It can be in either status.

65

Page 78
74
75
76
77

Nasuh Akar Mah. 1407. Street No: 4 06520
Balgat - Cankaya / ANKARA
Phone: 0 (312) 216 50 00
www.kvkk.gov.tr

