Page 1

NO. 6698
PROTECTION OF PERSONAL DATA
ABOUT THE LAW
TRUE KNOWN FAULTS

Page 2

PERSONAL DATA PROTECTION LAW NO. 6698
WRONG FAULTS ABOUT
KVKK Publications No: 31
April 2020, Ankara

PERSONAL DATA PROTECTION INSTITUTION
Address: Nasuh Akar Mahallesi 1407. Sokak No: 4
Balgat / Çankaya / ANKARA / TURKEY
Phone:

+90 312 216 50 00

web:

www.kvkk.gov.tr

Page 3

NO. 6698
PROTECTION OF PERSONAL DATA
ABOUT THE LAW
TRUE KNOWN FAULTS

Page 5
4

CONTENTS
one) To the Law on Protection of Personal Data No. 6698
According to the Law No. 6698, the data of legal persons are also
Is it protected? .................................................................. ........13
2nd) Name written randomly on a piece of paper,
surname and phone numbers under the law
can be counted? ......................14
3)

Personal data processed through a data recording system
Is the data within the scope of the Law?.................................15

4)

Those who process personal data by non-automatic means
Is it an exception to the law? .................................................................. 15

5)

Storing some personal data on the computer only
if it is kept as a file for the purpose of
In this case, is personal data considered to be processed?....................16

6)

Within the Personal Data Protection Authority (“Authority”)
Are citizens' personal data stored? ...................17

7)

The data controller fulfills the duties assigned by the Law.
Is it a natural person appointed to bring ............17

8)

As a data controller, a company
determine? ................................................................. ...............18

9)

As a data controller, a Ministry
should it be determined? .................................................................. .............19

5

Page 6

Right Known Mistakes about the Law on the Protection of Personal Data

10) Related and related units affiliated to a Ministry, data
Is he responsible? .................................................................. ......... 19
11) Each company affiliated to a group of companies also
Is it considered a data controller? .................................................. ... 20
12) Employees or units of a company that process data
is it? .................................................................. ............................ 21
13) A natural or legal person is both a data controller and
can also be a data processor? ... 22
14) Regarding the rights of the person concerned under the Law
to the data controller or the data processor?
should apply? ............. 22
15) Personal data held by a data controller
to be accurate and, where necessary, up-to-date
Who has the responsibility? .................................................................. ...... 23
16) Is an anonymized data personal data?............ 24
17) Personal data is only subject to the express consent of the persons concerned.
Can it be processed if received?................................................. 25
18) Personal data processing conditions other than express consent
in case of processing personal data on the basis of one
It is also possible to obtain explicit consent from the person concerned.
manager?................................................ ............................ 25
19) Is obtaining explicit consent subject to any form?........ 27
20) How long to keep the explicit consent texts
required? .................................................................. ............. 27
21) During a shopping “my personal data
I agree to be processed and shared”
Processing personal data with consent
Is it legal? .................................................................. ...... 28
6

Page 7

Right Known Mistakes about the Law on the Protection of Personal Data

22) Personal data by the person concerned
If it has been made public, the data controller will use this personal data.
can it work for any purpose?...................................29
23) By a data controller expressly in the Laws
personal data on the condition that it is foreseen
If it is processed, this activity is exempt from the Law No. 6698.
Is it covered? .................................................................. ........30
24) Personal health data, Article 5 of the Law
Can it be processed according to the processing conditions listed?...................31
25) Personal health data is legitimate by data controllers
can it be processed within the scope of interest?................................31
26) Is the 'gender' of the person sensitive personal data?...32
27) Deletion or destruction of the personal data of the person concerned
data controllers, if they request
must fulfill the request under all circumstances?......................33
28) Data abroad, even if the person concerned has express consent
Is a commitment required for the transfer?............................34
29) Signed for the purpose of data transfer abroad
Protection of Personal Data for undertaking confirmation
When sent to the Board (“Board”), the Board will
Has a timeframe been set for the evaluation?............35
30) Data processing of the Board or data abroad
have the authority to stop the transmission?................................35
31) Explicit consent with the lighting text for customers
Can the text be presented under the same title? .........................36
32) Based on the condition of “explicitly stipulated in the law”
If personal data is processed as
must the obligation be fulfilled?................................38

7

Page 8

Right Known Mistakes about the Law on the Protection of Personal Data

33) Data controllers, the lighting they prepare
Should they also send their texts to the Institution?...................... 38
34) The retention periods in the lighting texts.
Do I need to specify? ........ 39
35) What is layered lighting, lighting obligation
How should “layered lighting” be done? ...... 40
36) A call center, a web page of callers
layered lighting by directing to the link
carries out. This way of lighting
Is the obligation considered fulfilled? ............... 42
37) Data controller and data processor being separate persons
How is liability under the Law?
determined? .................................................................. ............ 43
38) A company may obtain data under a contract it has signed.
receives service from the operator. data processor
If a violation is committed by
Who will be responsible according to the law?...................... 44
39) Others, through illegal means of personal data
data obtained by
responsible, whenever he sees fit.
Can they notify the Board in
40) Is the person only for himself/herself to the data controller?
can apply?................................................. ..................... 46
41) Applications made to the data controller in Turkish
Does it need to be? .................................................................. ..... 46
42) From the date of application to the data controller, the data controller
replied on the 15th day from that date.
within how many days from the date of filing a complaint to the Board
available? ................................................................. ................... 46

8

Page 9

Right Known Mistakes about the Law on the Protection of Personal Data

43) 30 from the date of application to the data controller
If he has not been answered even though the day has passed,
Within how many days from this date, the person concerned will be notified to the Board.
Can you make a complaint? .................................................................. ....49
44) Directly to the Board without applying to the data controller
Can a complaint be made? .................................................................. ....51
45) The person concerned can submit his/her complaint via e-mail, telephone or call.
Can it be delivered to the Institution through its center?....................52
46) When the person concerned applies to the Board to complain
Can he claim compensation?.................................................................. .52
47) What does the Board do when a complaint is filed with the Board?
How long does it take to answer? ........................53
48) Data that does not fulfill its legal obligations
Board ex officio review about those responsible
can it do? .................................................................. ...............53
49) Data Controllers Registry Information System (“VERBIS”)
will it contain data? .........54
50) Lawyers are exempt from the obligation to register in the Registry
Is it considered an exception from the Law because it is a law?....................54
51) The institution determines the personal data retention periods.
will he announce? ...............55
52) All data controllers, personal data processing inventory
Do you have to prepare? 56
53) The prepared personal data processing inventory is also available to the Institution.
should it be sent? ...........57
54) Personal data processing inventory to VERBIS
Does it need to be installed?................................................. ......58

9

Page 10

Right Known Mistakes about the Law on the Protection of Personal Data

55) Storage in personal data processing inventory
Is it necessary to specify the deadlines?................................ 58
56) Personal data prepared by data controllers
processing inventory and personal data storage and destruction
Does the Board have the authority to request the policy?...... 59
57) How is the coordination officer in Public Institutions?
should it be determined? .................................................................. ............. 59
58) How is the contact person in Public Institutions?
should it be determined? .................................................................. ............. 60
59) VERBIS registration application form,
Other than the Registered Electronic Mail (KEP) address
Can it be sent from a KEP address? ............................. 60
60) Registry for data controllers residing abroad
working as an exemption criterion from registration obligation
Is the number and annual financial balance sheet taken into account? ............... 61
61) One contact person for multiple data at the same time
Can it be appointed as the contact person for the responsible person? ............ 61
62) Due to VERBIS being publicly available
Would personal data also become public?........ 61
63) Foundation universities register to VERBIS as “domestic
through the “resident legal/natural person” section
should it do? .................................................................. ......... 62
64) Chambers of Commerce register to VERBIS as “domestic
through the “resident legal/natural person” section
should it do? .................................................................. ......... 63
65) Registration in the Registry even though it is not within the scope of exception
about those who do not fulfill their obligations
Will the process be established? ....................................................... .. 63

10

Page 11

Right Known Mistakes about the Law on the Protection of Personal Data

66) As a result of the examinations made within the scope of the law
What is the way to do if the crime element is encountered?
will be followed?.................................................................. ....................64
67) Administrative fines specified in the law every year
increasing? ................................................................. ...................64
68) Administrative fines issued by the Board
Can it be appealed? ....................................................... .............65
69) Exception pursuant to paragraph 1 of Article 28 of the Law
a data controller within the scope of the Law,
Does it count as an exception? ..............65
70) Exception pursuant to paragraph 2 of Article 28 of the Law
a data controller within the scope of the Law,
Does it count as an exception? ..............66

11th

Page 13
12

NO. 6698
PROTECTION OF PERSONAL DATA
ABOUT THE LAW
TRUE KNOWN FAULTS

1) Law No. 6698 on the Protection of Personal Data(Law No. 6698), legal persons and
Are they also protected?
Law No. 6698 protecting the data of legal persons.
is working.
Article 2 of the Law No. 6698
about natural persons whose personal data are processed
stated to be implemented. Accordingly, the Law
As a rule, we only protect the data of natural persons.
legal person whose data is processed
are excluded from the scope of this Law.

13

Page 14

Right Known Mistakes about the Law on the Protection of Personal Data

2) Name written randomly on a piece of paper,
surname and phone numbers within the scope of the lawCan it be counted?
Name written randomly on a piece of paper,
surname and phone numbers under the law
is not.
Personal data processing is considered within the scope of the Law.
a data register of the personal data processed so that
system, that is, a certain set of criteria
It needs to be processed and structured according to sweat.
is Data such as name, surname and phone number
index, index etc. within a data recording system
if it is written, the data processing activity in question is in accordance with the Law.
will be subject.
Manually and haphazardly a sheet of paper
personal data written on the part of
will not be in. However, a data record
personal data processed without being part of the system
The case that it is not subject to the Law No. 6698, this datameans that they can be used arbitrarily.
is not coming. Because the situation constituting a crimeare handled within the scope of the Turkish Penal Code No. 5237.
is taken.

14

Page 15

Right Known Mistakes about the Law on the Protection of Personal Data

3) Personal data processed through a data recording system
Is the data covered by the Law?
Personal data processed in connection with a data recording system
data are within the scope of Law No. 6698.
“data recording system” in the law; certain personal data
in the registry system where it is processed and structured according to the criteria
is defined as. Therefore, personal datas; index, number, name - surname, alphabet, category, orderIf it is processed according to certain criteria such as
will be covered.

4) Processing personal data by non-automatic means
Are they an exception to the law?
The law prohibits the processing of personal data by non-automatic means.
not to completely exclude the business from the scope of the Lawtaste. Non-automatic data processing if a
performed as part of the data recording system.
in this case, the data processing activity in question
are also accepted under the Law.
Therefore, personal data processed non-automatically
Law if the data is part of a data recording system
will be covered.

15

Page 16

Right Known Mistakes about the Law on the Protection of Personal Data

5) Some personal data is only stored on the computer.
If it is kept as a file for commercial purposes, this
In that case, is personal data considered processed?
Computing as a file for storage purposes only
Keeping personal data also includes personal data processing.
is covered by me.
Personal data in Article 3 of Law No. 6698
processing; “personal data in whole or in part”
automatic or any data recording system
non-automatic way, provided that it is part of
acquisition, recording, storage,
preservation, modification, reorganization
transfer, disclosure, transfer, acquisition,
making available, classifying or
on the data, such as preventing the use of
defined as “any kind of transaction carried out in
has been fired.
Accordingly, personal data is only for storage purposes.
even if it is kept as a file and no other operation is performed on it.
Even if it is not done, it is considered as the processing of personal data.
will be evaluated and this activity will be within the scope of the Law.
will be accepted.

16

Page 17

Right Known Mistakes about the Law on the Protection of Personal Data

6) Personal Data Protection Authority (“Authority”)
store personal data of citizens
does he know?
Within the institution, the personal data of citizens
is not stored. In addition, the Institution
to save all personal data processed and
has the authority to preserve it within the institution, and
does not have a duty.
Personal data is subject to the processing conditions specified in the Law.
by data controllers, if available.
is processed. The processed personal data itself or
In a situation such as forwarding a copy to the Institution,
is out of the question.

7) The data controller performs the duties assigned by the Law.
Is it a natural person appointed to bring what?
Data controller in law; processing of personal data
data recording system that determines the purposes and means of
Responsible for the establishment and management of supply
defined as a natural or legal person.
Accordingly, with the expression of data controller, personal data processing
An official, employee, who carries out the

17

Page 18

Right Known Mistakes about the Law on the Protection of Personal Data

manager or a fact responsible for this activity
person is not implied.
The criteria of the personal data processing activity in the definition
by a legal entity (for example, a company) carrying
data controller, legal personis itself itself.
Similarly, personal data processing activity
A natural person who meets the criteria in my
If it is processed on behalf of the pharmacy), this natural person
is the data controller.

8) Who should a company designate as the data controller?
should it be?
A “data controller” of a legal entity (e.g. company)
There is no such thing as a “water” determination.
Because the data controller in the legal entity, the legal entity
is himself.
Data controller in law; processing of personal data
data recording system that determines the purposes and means of
Responsible for the establishment and management of supply
defined as a natural or legal person.
In addition, the Regulation on the Data Controllers RegistryData controller in legal persons in Article 11 of the

18

Page 19

Right Known Mistakes about the Law on the Protection of Personal Data

that the legal entity is the legal entity itself
In terms of implementation of the law, one or more
This assignmentremove the liability of the legal entity
yeast is indicated.

9) Whom a Ministry designates as data controller?
should it?
The public authorities of a Ministry, which is the data controller.
institution and organization or public institution qualification
a data controller of the professional body in
determination is not available.
Data controller in all these institutions and organizations,
institution or organization itself.

10) Related and related units affiliated to a Ministry, data
Is he responsible?
“data controller” in the law; processing of personal data
data recording system that determines the purposes and means of
Responsible for the establishment and management of supply
defined as a natural or legal person.

19

Page 20

Right Known Mistakes about the Law on the Protection of Personal Data

Affiliated, related and associated organizations of a Ministry
determines its own data processing purposes and means
data recording system where personal data is processed
It is also not responsible for the establishment and management of the
se will not be considered as data controller. These units
dealing with all personal data they process.
by the Ministry to which they are affiliated.
will be fulfilled.

11) Each company affiliated to a group of companies
Is it also considered a data controller?
Data controller in law; processing of personal data
data recording system that determines the purposes and means of
Responsible for the establishment and management of supply
defined as a natural or legal person.
Accordingly, if you have the status of data controller,
these three elements in order to determine whether
existence should be considered.
Each of the affiliated companies, personal data processing purposes and
determine their own means and a data record
after the establishment and management of the system
If they are responsible, they have the status of data controller according to the Law.
they will have.

20

Page 21

Right Known Mistakes about the Law on the Protection of Personal Data

12) Employees or units of a company process data.
is it yen?
Employees or sub-units of a company are “data processing
It's not "yen".
“data processor” in the law; given by the data controller
processing personal data on its behalf on the basis of authorization
defined as a natural or legal person. Data
The processor must be outside the body of the data controller.
should be. Therefore, company employees or company
the relevant unit that processes personal data,
cannot be described as.
For example, a company may provide its own call center service.
outsourced service, not with its employees or unit
contract with another firm
is met by. In this case, the company data
Call center service on behalf of the company
The provider company is also the data processor. Call center serviceThe company giving the ti is the person who calls the call center by telephone.
This service does not provide personal data of users on behalf of itself.
processes on behalf of the company within the scope of
status.

21

Page 22

Right Known Mistakes about the Law on the Protection of Personal Data

13) A natural or legal person and a data controller
Can it also be a data processor?
A natural or legal person is both a data controller and
It can also be a data processor.
Data controller and data processor title, data processing activities
It defines the related party according to the nature of its liability.
For example, a call center company with its own staff
data controller in relation to the data he holds
is counted, the amount it holds for companies that are its customers.
will be considered as a data processor in terms of data.
Truck. Therefore, any natural or legal person
At the same time, due to the different activities carried out
can be both a data controller and a data processor.

14) Regarding the rights of the person concerned under the Law
to the data controller or the data processor
Should I apply?
The person whose personal data is processed,
to apply to the data controller regarding their rights,
is from.
In the Law No. 6698, personal data processing activities
fulfillment of legal obligations regarding
data controller is taken as basis.

22

Page 23

Right Known Mistakes about the Law on the Protection of Personal Data

Data controller, purposes of processing personal data
the establishment of the data recording system, which determines the
responsible for the establishment and management of
check or legal person. If the data processor is the data controller,
personal name on his behalf
data processor is a natural or legal person.
Accordingly, the data processor, with the instructions of the data controller,
regarding the rights of the person concerned, since he/she fulfills his/her obligations.
having to apply to the data controller as a grudgeit's sad.

15) Personal data held by a data controller
to be accurate and, where necessary, up-to-date
Who has the responsibility?
Personal data is accurate and up-to-date when necessary
The liability is on the data controller.
Processing of personal data in Article 4 of the Law
Principles that must be complied with are listed in the
One of the principles is “accurate and up-to-date when necessary.
the principle of being. According to this principle, the data controller
Keep the person's information accurate and up-to-date when necessary.
property.

23

Page 24

Right Known Mistakes about the Law on the Protection of Personal Data

The data controller ensures that the information in question is correct and
appropriate communication that will keep it up-to-date
It should also keep the shim channels open.
Therefore, as a rule, the data controller
such as periodically updating one's data
Although there is no obligation, the person concerned
significantly affect their fundamental rights and freedoms.
In terms of data processing activities that will
data to be accurate and, where necessary, up-to-date
responsible should take due care.

16) Is an anonymized data personal data?
Anonymized data does not qualify as personal data.
is losing.
“anonymization” in law; personal data,
under no circumstances, even by matching with other data.
relationship with a certain or identifiable natural person
defined as rendering it inadmissible
is gone. Anonymized data is no longer
is not related to a particular person and does not identify or identify that person.
does not make it lyreable. Therefore, anonymized
A lost data is no longer personal data.

24

Page 25

Right Known Mistakes about the Law on the Protection of Personal Data

17) Personal data is only subject to the express consent of the persons concerned.
Can it be processed if received?
Explicit consent, personal data processing conditions in the LawAlthough it is one of the
It's not the only element that gives credibility. 5 of the Law.
for personal data processing in articles and 6
Conditions other than express consent are also stipulated and this
In case of existence of one of the conditions, the
Processing personal data without seeking consent
possible.
Accordingly, any personal data processing activity
first of all, these articles
Other processing conditions specified should be checked,
In the absence of consent, open consent
must be shot.

18) Personal data processing conditions other than express consentpersonal data processing based on one of
also obtaining explicit consent from the person concerned.
is it possible?
Personal data processing conditions other than express consent
in case of processing personal data on the basis of one
explicit consent should not be obtained from the person concerned.

25

Page 26

Right Known Mistakes about the Law on the Protection of Personal Data

Explicit consent listed in Articles 5 and 6 of the Law
any of the personal data processing conditions other than
the processing of personal data in the presence of
it is possible. From the processing conditions in question
presence of any personal data processing activity
from the person concerned, since it alone is sufficient for the competence.
In addition, express consent should not be obtained. For example, Job No. 4857
Personal file is created in accordance with Article 75 of the Law.
The identity information of the employee for the purpose of
expressly stipulated in the
is processed. In this case, the employee
express consent should not be obtained. Because express consent is always
available for refund.
Any of the other processing conditions other than express consent
from the person concerned, although one is present
Going to the way of obtaining explicit consent is wrong of the relevant persons.
can be considered as stigma. In this case too
One of the basic principles in Article 4 of the Law
and to comply with the rules of honesty”.
We can talk about resilience.

26

Page 27

Right Known Mistakes about the Law on the Protection of Personal Data

19) Obtaining express consent is subject to any form.
is it?
In the law, there is no question of obtaining express consent.
There is no form requirement. The important thing is clear
If the consent bears the elements of the Law and can be proved,
it's a lyre.
Therefore, express consent verbal, written, electronic media
etc. methods can be obtained. Where explicit consent is obtained,
The burden of proof is also on the data controller.
belongs.

20) How long to keep the explicit consent texts
required?
Any period on this subject in the relevant legislation
or form requirement is not stipulated.
Whether your express consent was obtained in accordance with the law
Since the proof of the data belongs to the data controller, it is clear
that the text of consent does not cause any grievance,
Data controller to be stored in a way and in a timely manner
is important for Therefore, explicit consent texts
how long to keep the data controller reasonable
It should be determined by itself, provided that there is a period of time.

27

Page 28

Right Known Mistakes about the Law on the Protection of Personal Data

21) During a shopping “processing of my personal data
I accept its sharing and sharing”.
Processing personal data with consent
Is it legal?
“Processing of my personal data during a shopping
and I agree to be shared”
The processing of personal data is in accordance with the Law.
is not.
“Explicit consent” in Article 3 of the Law; a certain corelevant, informed and free
defined as voluntary consent.
Accordingly, if you obtain express consent while processing personal data,
If necessary, these three elements of express consent
must contain. Any of these three elements
in case of missing one, the existence of express consent
will not be mentioned.
“All my personal data is processed and shared.
express consent given as “I allow the
which data will be processed, not related to a subject
and with whom it will be shared is not clear.
will not be considered as express consent.

28

Page 29

Right Known Mistakes about the Law on the Protection of Personal Data

22) Personal data by the person concerned
If it is made public, the data controller will be responsible for this personal andCan it process data for any purpose?
Personal data is publicly disclosed by the person concerned.
data controller, these personal data
cannot operate for any purpose.
By the data controller, by the data subject himself
In order to process the publicized personal data,
for what purpose by the person to whom the data belongs
evaluate that it has been made public (will to make it public)
need to drop. by the person concerned himselfpublicization of flood data
different from the purpose of making it public by everyone.
does not mean that it can be processed for the purpose. Dothus made public by the person concerned
Personal data made public only to the person concerned.
It can be processed in line with its purpose.
For example, you can sell your vehicle through a website.
Message shared by a person who issued it on this site
The current information is only for purchasing the vehicle or with this advertisement.
can be used to obtain relevant information. This is personal
use of data for any other purpose
It will constitute a violation of Article 4 of the Law.

29

Page 30

Right Known Mistakes about the Law on the Protection of Personal Data

23) By a data controller,
personal data based on the stipulation of the
is processed, this activity is required by Law No. 6698.
Is it covered by the exemption?
Personal data processed by a data controller
Based on the condition that it is expressly stipulated in the law
If it is processed, this activity is exempt from the Law No. 6698.
doesn't require it.
In the 5th article of the Law, “It is clearly stipulated in the laws.
The condition of “to be complied with” is stated in Article 6 of the Law as “LawThe condition of “prescribed in the following terms” is the conditions for personal data processing.
is one of them.
Processing conditions listed in Articles 5 and 6 of the Law
the availability of data, the processing of that personal data
conditions that make it possible. This processing of an activity
based on any of the conditions
means to be exempted from the Law.
The provisions of the Law are not applicable for these activities.
yeast will continue.
The provisions regarding the exception are specified in Article 28 of the Law.
only because it was determined by limited counting
exemption in cases covered by this article.
can be mentioned.

30

Page 31

Right Known Mistakes about the Law on the Protection of Personal Data

24) Personal health data, Article 5 of the Law
Can it be processed according to the listed processing conditions?
Personal health data, numbered in Article 5 of the Law
lan cannot be processed according to the processing conditions.
Personal health data is limited in Article 6 of the Law.
Special categories of personal data determined by counting method
is one of them. Conditions for the processing of special categories of personal data
are also stated in Article 6 of the Law.
Therefore, the processing of personal health data
for the processing of special categories of personal data,
the provision of this article should be taken into account.

25) Personal health data is legitimate by data controllers
Can it be processed within the scope of interest?
Personal health data is legitimate
cannot be processed within the scope of its interests.
Personal health data, identified or identifiable
relating to the physical and mental health of a natural person
with the health service offered to the person with all kinds of information
are relevant information. Personal health data, 6 of the Law.
Search for special categories of personal data listed in Article
is located in.

31

Page 32

Right Known Mistakes about the Law on the Protection of Personal Data

The conditions for the processing of special categories of personal data are also
It is regulated in the article and health care is given accordingly.
protection of public health,
preventive medicine, medical diagnosis, treatment and care services
execution of texts, health services and finance
secrecy for the purpose of planning and managing the
persons or authorized persons under the obligation to
being processed by institutions and organizations or
express consent of the person concerned is required.
The processing of personal health data is covered by this article.
It is limited in terms of purpose and person.
In other words, except for express consent, only specified
processed for the purposes and by the specified persons or organizations.
possible to know.
As it can be understood from the provision of the aforementioned article,
personal data of special nature
health data, legitimate personal data processing condition
cannot be processed within the scope of interest.

26) Is the 'gender' of the person sensitive personal data?
“Gender” data is not personal data of special nature.
Special categories of personal data Article 6 of the Law
determined by the limited counting method and these

32

Page 33

Right Known Mistakes about the Law on the Protection of Personal Data

In this, the gender of the person was not counted. Special nicounted among the personal data; not gender
personal data regarding sexual life. Hence
“Gender” is not personal data of special nature.

27) Deletion of the personal data of the person concerned or
in case of requesting the destruction of the data
authorities, fulfill this request under all circumstances.
should it?
Deletion or destruction of personal data of the person concerned
data controllers, if they request
does not have to fulfill the request under all circumstances.
In Article 7 of the Law, it is necessary to comply with the provisions of the Law.
Although it was processed as a gun, its processing
In the event that the reasons requiring
flood data ex officio or at the request of the person concerned
deleted or destroyed by the data controller.
it is stated that it is necessary.
In addition, the Deletion, Destruction, or Deletion of Personal Data
The Regulation on Anonymization
In article 12, the conditions for processing personal data
if it has completely disappeared; of the data controller
deletion of this personal data within thirty days, do not

33

Page 34

Right Known Mistakes about the Law on the Protection of Personal Data

to make it anonymous or to make it anonymous and to the person concerned.
information, if this personal data is
If it has been transferred to third parties, necessary workprocessing, the need to ensure that transactions are made
if all of the conditions have not disappeared,
written within thirty days at the latest, explaining the reason.
or rejected with an electronic response.
There are provisions that can be made.
Therefore, the deletion of the personal data of the person concerned
or if it requests its destruction,
first of all, the conditions for processing personal data
He should see if his mam is gone,
If there is no processing condition, it should be deleted,
should be destroyed or anonymized.

28) Data abroad, even if the person concerned has express consent
Is a commitment required for the transfer?
In case of explicit consent of the person concerned,
There is no need to sign a decree, it is not necessary to go abroad.
transfer is possible. In the absence of explicit consentin case of transfer in accordance with the provisions of Article 9 of the Law.
rim should be done.

34

Page 35

Right Known Mistakes about the Law on the Protection of Personal Data

29) Signed for the purpose of data transfer abroad
Protection of Personal Data for undertaking confirmation
When sent to the Board of Directors (“Board”),
a period of time is foreseen for his evaluation.
is he a customer?
In the law or secondary legislation, the inNo deadline has been set for the review.
The contract signed for the purpose of data transfer abroad
In case the decrees are sent to the Board, the Board
decision based on various criteria.
gives.

30) Data processing of the Board or data abroad
Do you have the authority to stop the transmission?
According to Article 15 of the Law, the Board has the power to compensate and
either impossible damages arise and are clearly in violation of the law.
in case of a violation, data processing or
to suspend the transfer of
can decide.

35

Page 36

Right Known Mistakes about the Law on the Protection of Personal Data

31) Clear with lighting text for customers
Can the consent text be submitted under the same title?
According to Article 10 of the Law, the obligation to inform
in the order of obtaining the personal data from the person concerned.
It is an obligation to be fulfilled.
Explicit consent or other personal data processing conditions
Regardless of which personal data is processed,
lighting obligation.
The express consent condition listed in Articles 5 and 6 of the Law
to any of the processing conditions other than
If personal data is processed separately, only illumination
obligations must be fulfilled,
express consent should not be provided.
However, each of the other processing conditions in question
personal data, although there is no one
If it is desired to be processed, in this case the relevant person
clarification and obtaining his explicit consent
is in progress. For example, a hotel offers more
commercial electronics for advertising purposes in the future
If he wants to send a message, both the personal data he processes
informing the person concerned and commercial electronic
For messages, it is necessary to obtain the express consent of the person concerned.
is working. Accordingly, both the hotel's lighting burdenfrom the person concerned to prove that he/she fulfills his/her duty.

36

Page 37

Right Known Mistakes about the Law on the Protection of Personal Data

obtaining a signature stating that he “gained information” as well as speaking
Explicit consent is the condition for the processing of personal data.
therefore, it also receives approval with the text of explicit consent.
possible.
In this case, instead of the Lighting Obligation
About the Procedures and Principles to be Complied with
According to Article 5 of the Communiqué, “Personal data processing
based on the express consent condition of the
the obligation to inform and
separate consent processes
s” is required.
Accordingly, clarification and express consent are mediated through a text.

these texts on different pages
It is recommended to be in If you're on the same pageIf desired, both texts should be under different titles.
and a separate provision for express consent
section should be included.
On the other hand, the texts of clarification and explicit consent
preparation in such a way that they do not interfere with each other
required. If for proof of data controller
If a signature is taken from the person concerned or marking is made,
single signature or approval for both
method of obtaining signature or approval not separately
method should be used.

37

Page 38

Right Known Mistakes about the Law on the Protection of Personal Data

32) Based on the condition of “explicitly stipulated in the laws”
If personal data is processed deliberately, it is still clear
Should the delivery obligation be fulfilled?
On the basis of which processing condition personal data are processed,
Even if it is committed, the obligation to inform is still renewed.
should be brought.
“Explicitly stipulated in the laws”, 5 of the Law.
from the personal data processing conditions listed in Article
is one. The obligation to inform is in Article 10 of the Law.
Regardless of the processing condition described in Article
within the scope of all personal data processing activities.
It is an obligation that must be fulfilled.
Therefore, personal data processing activity is prohibited by law.
Even if it is expressly foreseen, the data controller
fulfill the obligation to inform
should be done.

33) Data controllers, the lighting meShould they also send their letters to the Institution?
Sending the prepared lighting texts to the Institution
There is no such thing as a relapse.

38

Page 39

Right Known Mistakes about the Law on the Protection of Personal Data

In accordance with Article 10 of the Law, the obligation to inform
during the acquisition of personal data,
means informing the relevant persons whose data is processed.
it does. The said information; written, oral, visual
etc. can be accomplished by means of
In the law or other relevant legislation, the prepared monthThe deadline for sending the exclusion texts to the Institution
There is no provision in the form of a rec.

34) The retention periods in the lighting texts.
Do I need to specify?
Indication of the storage period in the lighting texts.
is not mandatory.
According to Article 10 of the Law, the data controller
to the persons concerned within the scope of the obligation to deliver; data
identity of the person in charge and representative, if any, personal
for what purpose the data will be processed, personal data processed
to whom and for what purpose the data can be transferred,
the method of data collection and the legal reason 11.
Information on the rights of persons listed in the article
obliged to give
In addition, the content of the illumination text, Article 10 of the Law.
prepared by the Board and

39

Page 40

Right Known Mistakes about the Law on the Protection of Personal Data

“Lighting” published in the Official Gazette.
Compliance with Fulfillment of Obligation
It should be in accordance with the Communiqué on Procedures and Principles”.
Accordingly, the retention periods in the lighting textAlthough it is not mandatory to specify
storage periods may be specified, depending on the

35) What is layered lighting, my lighting load“layered lighting” within the scope of
should it be done?
The scope of the lighting obligation and which
It is explained in the Law that the information will be given. This
However, all of this information is illuminating.
personal time of fulfillment
disclosed to the person concerned during the acquisition of the data.
may not be possible. In this case, the layerWith the method of informing the data controller,
may fulfill its obligation to deliver.
Layered information, obtaining personal data
During the process, personal data was obtained from the person concerned.
short, understandable, clear, simple
providing information on the subject and Article 10 of the Law.
Other matters related to lighting in the

40

Page 41

Right Known Mistakes about the Law on the Protection of Personal Data

In order to obtain information about the relevant person, this brief
accessed after notification.
can be defined as the orientation to the environment.
For example, in a workplace where camera recording is taken, the relevant
person with a camera logo by camera recording method
be informed that their personal data has been obtained,
can be resurrected. Which purpose, which camera recordings
obtained by legal reason and method, the relevant personDetails such as the rights of the person concerned are
in a document to which it is directed via its logo
(regarding the protection and processing of personal data)
policy, lighting text on camera recordings
etc.) can be detailed.
For example, within the scope of the call center service, the call
to persons who call the center, during this call.
to listen to the information about the data
key press prompt, specified key pressedListening to the lighting text is also layered
can be considered as lighting.

41

Page 42

Right Known Mistakes about the Law on the Protection of Personal Data

36) A call center, a web page of callers
layered lighting by directing
is pulling. In this way, the lighting
Is the obligation considered fulfilled?
Layered lighting; obtaining personal data
personal data processing to the person concerned
in a short, understandable, clear and simple method
being informed, Article 10 of the Lawwithin the scope of the lighting obligation in
For other required information, the person concerned should refer to this information.
an environment that can be accessed and read after
means orientation.
Therefore, the person concerned is directed to a direct link.
understanding of layered lighting
it doesn't come to me. For example, on the phone
brief, clear, simple front lighting (informationtext to enlighten that person after
It would be more appropriate to redirect to the link where
method.

42

Page 43

Right Known Mistakes about the Law on the Protection of Personal Data

37) Data controller and data processor are separate persons
liability under the Law
How is it determined?
According to the law, the data controller is responsible for the law of personal data.
illegal processing of personal data and
to prevent unauthorized access to personal data,
appropriate trust to ensure the preservation of
all necessary to ensure the level of
must take technical and administrative measures. Personal
another fact on behalf of the data controller or
In case of processing by legal person, data liability
In particular, regarding the taking of the said measures, this
jointly responsible.
In addition, data controllers and data processors, we learnedpersonal data is contrary to the provisions of this Law.
cannot be disclosed to others, except for the purpose of processing.
they can't use either. This obligation is to leave the job.
continues even after. Personal data
another real or legal entity on behalf of the data controller
personal data, if processed by the person
to prevent unlawful processing of personal data,
to prevent unlawful access and personal data
In order to ensure the protection of the data, the data processor is also
responsible together with the data controller.

43

Page 44

Right Known Mistakes about the Law on the Protection of Personal Data

38) A company, under a contract it has signed,
receives service from the data processor. data processor
If a violation is committed by
Who will be responsible under the law?
In the event of a data breach, the Law, liability
uploaded to the data controller.
Data processor in law; given by the data controller
processing personal data on its behalf on the basis of authorization
defined as a natural or legal person. This
data processor, on behalf of the data controller,
processes personal data according to authorization and instruction.
According to Article 12 of the Law; data controller, personanother real or legal entity on behalf of the flood data
in case of processing by the person,
with these persons regarding the taking of the above-mentioned measures.
jointly responsible.
Accordingly, a violation within the scope of data processing activity
in case of breach, the data controller or the data
performed and performed by the operator
Regardless of whether the law is responsible for data
he has uploaded it to his rum. Therefore, the Law
always see the data controller responsibly.
is working. However, the data controller is responsible for this breach.
detecting that it was carried out by the operator

44

Page 45

Right Known Mistakes about the Law on the Protection of Personal Data

in case of breach of contract between them
data in relation to the part that concerns the data processor.
recourse to the offender is possible.
For example, the data controller is a company's accounting recordsIf any accounting firm holds their
with regard to the processing of personal data
On taking the measures specified in the law
the data controller company, together with the accounting company
will be jointly liable. However, the data controller
data in relation to the records of the company's employees
within a functioning accounting firm
If a violation occurs, responsibility for this violation is given.
Although it belongs to the company responsible for
The responsible company will be able to recourse to the accounting company.

39) Other processing of personal data by unlawful means
data if obtained by
responsible for this situation at a time he deems appropriate.
Can it notify the Board in the man slice?
According to the Board's Decision No. 2019/10, the personal
data by others by unlawful means.
Data controller, in case of data breach
from the date on which he learns, without delay and at the most
“Personal Data Violation Notification Form within 72 hours
should report the violation to the Board using the "Mu".
45

Page 46

Right Known Mistakes about the Law on the Protection of Personal Data

40) Is the person only for himself/herself to the data controller?
Can you apply?
As a rule, the person concerned is subject to Article 11 of the Law.
apply to the data controller on matters related to him/her.
has the right to.

41) Applications made to the data controller in Turkish
Does it need to be?
Procedures and Principles of Application to the Data Controller
In the 4th article of the Communiqué, the application of the relevant persons
from this right, provided that he/she performs their duties in Turkish.
indicated that it can be used.
Therefore, the applications made to the data controller
It must be in Turkish.

42) From the date of application to the data controller, the data controller
replied on the 15th day from that date.
within how many days from the date of filing a complaint to the Board
what can be done?
In Article 13 of the Law, the person concerned
their requests for the implementation of

46

Page 47

Right Known Mistakes about the Law on the Protection of Personal Data

Data responsible by other methods determined by the Board.
to the server, the data controller's place in the application
field requests, as soon as possible according to the nature of the request.
and results free of charge within thirty days at the latest.
It was decreed that he should go.
On the other hand, in Article 14 of the Law, the application
rejection, finding the answer insufficient
Failure to respond to the application in due time or time
in cases; Response of the data controller
thirty years from the date of learning and in any case,
Complaining to the Board within sixty days from the date of
It has been stated that enough can be found.
Interpretation of these periods in the law
In the Board decision numbered 2019/9 regarding the
in accordance with the article;
▪ After submitting data to the application made by the person concerned,

a response within 30 days by the
The answer of the data controller of the person concerned
You can make a complaint within 30 days after
therefore, in such cases, the person concerned
From the date of application to the data controller
that there is no 60-day period for the withdrawal,
▪ After submitting data to the application made by the person concerned,

In the event that no official response is given,
the date on which the data subject applied to the data controller-

47

Page 48

Right Known Mistakes about the Law on the Protection of Personal Data

complaints to the Board within 60 days from
what may be,
▪ After submitting data to the application made by the person concerned,

30-day period recognized by the law
If a reply is given afterwards, the relevant person30 days granted to the data controller in the Law
waiting for the answer to be given after
not liable and recognized to the data controller
With the expiry of the period, a complaint is made to the Board.
data of the person concerned, taking into account that
from the date the person in charge replied
not 30 days from the date of application, apply to the data controller.
Complain to the Board within 60 days from the date of
that you can have enough
decision has been made and this decision has been announced to the public.
is a mystery.
For example, on 01.01.2019, the data subject
has applied to the data controller and
If the application was answered on 16.01.2019, this
the person concerned, the date of the reply in question.
to the Board within 30 days as of 16.01.2019.
has the right to file a complaint. Dolaaccording to this example, by the relevant person to the Board
Complaints must be made late on 15.02.2019.
is in progress.

48

Page 49

Right Known Mistakes about the Law on the Protection of Personal Data

43) From the date of application to the data controller
Even after 30 days, no response was given to him.
If so, how many days does the person concerned take from this date?
Can I make a complaint to the Board?
In Article 13 of the Law, the person concerned
their requests for the implementation of
Data responsible by other methods determined by the Board.
to the server, the data controller's place in the application
field requests, as soon as possible according to the nature of the request.
and results free of charge within thirty days at the latest.
It was decreed that he should go.
On the other hand, in Article 14 of the Law, the application
rejection, finding the answer insufficient
Failure to respond to the application in due time or time
in cases; Response of the data controller
thirty years from the date of learning and in any case,
Complaining to the Board within sixty days from the date of
It has been stated that enough can be found.
Interpretation of these periods in the law
In the Board decision numbered 2019/9 regarding the
in accordance with the article;
▪ After submitting data to the application made by the person concerned,

a response within 30 days by the
The answer of the data controller of the person concerned

49

Page 50

Right Known Mistakes about the Law on the Protection of Personal Data

You can make a complaint within 30 days after
therefore, in such cases, the person concerned
From the date of application to the data controller
that there is no 60-day period for the withdrawal,
▪ After submitting data to the application made by the person concerned,

In the event that no official response is given,
the date on which the data subject applied to the data controllercomplaints to the Board within 60 days from
what may be,
▪ After submitting data to the application made by the person concerned,

30-day period recognized by the law
If a reply is given afterwards, the relevant person30 days granted to the data controller in the Law
waiting for the answer to be given after
not liable and recognized to the data controller
With the expiry of the period, a complaint is made to the Board.
data of the person concerned, taking into account that
from the date the person in charge replied
not 30 days from the date of application, apply to the data controller.
Complain to the Board within 60 days from the date of
that you can have enough,
decision has been made and this decision has been announced to the public.
is a mystery.
Therefore, the application made by the person concerned
a response by the data controller within 30 days

50

Page 51

Right Known Mistakes about the Law on the Protection of Personal Data

If not given, the person concerned shall inform the data controller.
within 60 days from the date of application, i.e. data
the end of the 30-day response period of the person in charge of
complaints to the Board within 30 days from
will know.
For example; The data subject is responsible for the data on 01.03.2020.
and the data controller has applied to the relevant person 30
If he has not responded within the legal time limit, a
In this case, the person concerned makes a complaint to the Board.
The last date it can be found will be 30.04.2020.
For the same application, the data controller
On 10.04.2020, that is, from the date of application
If he replied on the 40th day, then the relevant
person can file a complaint with the Board.
the deadline will be 30.04.2020.

44) Directly without applying to the data controller
Can a complaint be made?
directly to the Board without applying to the data controller.
no complaints can be made.
Pursuant to Articles 13 and 14 of the Law, the person concerned
In order to make a complaint to the Board, first of all, the data
must contact the supervisor. According to this,

51

Page 52

Right Known Mistakes about the Law on the Protection of Personal Data

It is mandatory to apply to the data controller, then
Applying to the Board for a complaint is optional.
Therefore, the way to apply to the data controller is exhausted.
Complaints cannot be made to the Board.

45) The person concerned can submit his/her complaint via e-mail, telephone or call.
Can it be delivered to the Institution through its center?
Complaint applications to the Board, numbered 3071
Framework of the Law on the Use of the Right to Petition
with wet signature, to the postal address of the Institution.
available on the Institution's website.
You can also apply using the complaint module in the
can be done.
In accordance with the current practice of our institution, e-mail,
Complaining to the Board via telephone or call center
is not sufficient.

46) When the person concerned applies to the Board to complain
Can I claim compensation?
In accordance with Article 14 of Law No. 6698, personality
compensation according to the general provisions of those whose rights have been violated.
right of deposit is reserved. However, this situation

52

Page 53

Right Known Mistakes about the Law on the Protection of Personal Data

It can be requested from the Personal Data Protection Authority.
doesn't mean it will. to judicial authorities
claiming compensation from data controllers.
can be done.

47) What does the Board do when a complaint is filed with the Board?
How long does it take to answer?
In Article 15 of the Law, “The Board, upon complaint,
examines the request and gives an answer to the interested parties. Complaint
No response within sixty days from the date ofthe request shall be deemed to have been rejected.” provision is included.
Accordingly, the Board examines the request upon complaint.
gives a reply to the concerned parties, delaying the date of the complaint.
If no response is received within sixty days, the request is denied.
is deemed to have been said.

48) Those who do not fulfill their legal obligations
Board ex officio review about data controllers
can it do?
The board, upon complaint or to learn the alleged violation.
matters that fall within the scope of ex officio
has the authority to inspect.

53

Page 54

Right Known Mistakes about the Law on the Protection of Personal Data

49) Data Controllers Registry Information System (“VERBIS”)
Will it contain personal data?
Instead of the obligation to register with the Data Controllers Registry
Data Controllers are registered to the Registry Information System.
(VERBIS) information about the personal data of the persons concerned
no entry is made.
To VERBIS, for what purposes personal data will be processed,
How long will it be stored, where will it be transferred?
information such as the security measures to be taken and to be taken
will be entered on a categorical basis. Therefore, VERBIS
It does not contain personal data of individuals.

50) Lawyers are exempt from the obligation to register in the Registry
Does it count as an exception from the law?
Being exempt from the obligation to register in the Registry
This does not mean that it will be an exception.
The authority given to the Board by Article 16 of the Law
within the framework of the number 2018/85 taken by the Board.
As per the decision, it has been authorized according to the Attorneyship Law.
lawyers are only liable to register with the Registry.
has been excluded. So for Lawyers,
will continue to apply with its other provisions.

54

Page 55

Right Known Mistakes about the Law on the Protection of Personal Data

51) The institution may determine the personal data retention periods.
Will it announce?
The institution, the personal data they process within the scope of its activities,
how long they can keep the data
any direction to data controllers
there is no med. No. 6698 on this subject
In Article 7 of the Law, the Law and other relevant provisions
Personal processed in accordance with the provisions of
eliminating the reasons for processing the data
ex officio or at the request of the person concerned
deleted by the data controller or
should be destroyed, and in Article 4, the relevant
for the purpose prescribed by law or for which they are processed
the principle of being kept for the required period of time
takes.
Accordingly, data controllers are responsible for the personal data they process.
regarding storage, primarily in the relevant legislation
whether there was any provision regarding the duration of
will look into the matter, if there is a verdict, they will
keep personal data only for the stipulated period.
will be able to.
If there is a provision regarding the retention period in the relevant legislation,
If there is no cluster, then by the data controller.
sufficient to fulfill the purpose of processing personal data

55

Page 56

Right Known Mistakes about the Law on the Protection of Personal Data

storage period can be determined. Storage
When determining the duration of the Data Controllers Registry,
The criteria specified in Article 9 of the Regulation
It must be taken into attention.
Therefore, data controllers, if any, in the relevant legislation.
will take into account the stipulated period, if the legislation
if there is no prescribed time, according to the said criteria
will determine the retention period itself.
The institution does not have an announcement regarding the retention periods.
it is hot.

52) All data controllers, personal data processing
Does he have to prepare the vanter?
All data controllers, personal data processing inventory
You don't have to prepare.
5 of the Regulation on the Data Controllers Registry.
Personal data processing inventory is ready in accordance with Article
Data controller responsible for registering with the Registry
It is an obligation that they must fulfill.
Therefore, exemption from the obligation to register with the Registry.
personal data processing inventory of data controllers
There is no obligation to prepare.

56

Page 57

Right Known Mistakes about the Law on the Protection of Personal Data

However, data exceptions that are exempt from registration in the Registry
personal data processing inventory of
blades are recommended.

53) Prepared personal data processing inventory
Should it be sent too?
5 of the Regulation on the Data Controllers Registry.
Personal data processing inventory is ready in accordance with Article
Data controller responsible for registering with the Registry
an obligation to fulfill
and the prepared personal data processing inventory
There is an obligation to send
is not.
Personal data processing inventory, obliged to register with the Registry
an obligation imposed on data controllers
the body of the prepared inventory data controller.
should remain within the framework. However,
creation of lighting texts,
responding to the applications of the applicants and registration in the Registry.
Why should this inventory be used?
it's sad. In addition, upon complaint or ex officio
by the Board during the review, the inventory
It may also be requested to be submitted or forwarded to the institution.
will.

57

Page 58

Right Known Mistakes about the Law on the Protection of Personal Data

54) Uploading personal data processing inventory to VERBIS
does it need to go?
Uploading personal data processing inventory to VERBIS
There is no such thing as a mess.

55) Storage period in the personal data processing inventory
Do they need to be specified?
The retention periods in the personal data processing inventory
must be specified.
4 of the Regulation on the Data Controllers Registry.
“Personal data processing inventory” in the article; data sodepending on the business processes of the
their personal data processing activities,
personal data processing purposes and legal reason, data
category, transferred recipient group and data subject person
group and personal
the maximum necessary for the purposes for which the data is processed.
storage period, transfer to foreign countries
on personal data and data security
explaining the measures taken and detailing the mostknown as vanter.
Therefore, the “processing of personal data” stated in the definition
maximum retention necessary for the purposes for which they are intended.
58

Page 59

Right Known Mistakes about the Law on the Protection of Personal Data

from the expression “duration period”; maximum storage time
It is understood that it should be specified in the vanter.

56) Personal data prepared by data controllers
data processing inventory and personal data storage and
The Board has the power to request the disposal policy.
is it?
Pursuant to Article 15 of the Law, the Board
in case of learning of the alleged violation or
ex officio, on the matters falling within its scope of duty,
has the authority to do so. Pursuant to this authorization,
rul, personal data processing inventory and personal data storage
requesting the disposal and destruction policy from the data controller
will be able to.

57) Coordination officer in Public Institutions
How should it be determined?
Publication of the Law in accordance with the provisional article 1 of the Law
within one year from the date of
institutions related to the implementation of the Law
a senior manager to provide coordination
appointment as coordinating officer
required.
59

Page 60

Right Known Mistakes about the Law on the Protection of Personal Data

Processing personal data in the public institution of the person to be appointed
It will coordinate all units in
a senior level to monitor the fulfillment of
Must be an administrator.

58) How to determine a contact person in Public Institutions?
should it be?
11 of the Regulation on the Data Controllers Registry.
According to the article, in public institutions and organizations
by the senior manager who will ensure the coordination
In order to ensure communication with the Institution, a
liaison by determining the head of department or higher manager
person, and this person must be appointed via VERBIS.
information must be entered.

59) VERBIS registration application form,
Instead of the Registered Electronic Mail (KEP) address
Can it be sent from another KEP address?
VERBIS registration application form,
Send from a KEP address other than KEP address.
cannot be leathered.

60

Page 61

Right Known Mistakes about the Law on the Protection of Personal Data

60) For data controllers residing abroad,
be an exemption criterion from the registration obligation.
number of employees and annual financial balance sheet are taken into account.
is it taken?
Decision No. 2019/387 published by the BoardAll data controllers residing abroad
There is a provision that it will be registered in the Registry. It
Therefore, for data controllers residing abroad,
any statistics, such as the number of employees and the financial balance sheet.
There is no criteria for na.

61) A contact person requests more than one data at the same time.
Can it be appointed as the contact person of the responsible party?
A natural person is responsible for more than one data at the same time.
cannot be appointed as the contact person.

62) Due to the fact that VERBIS is kept open to the public,
Therefore, personal data has become publicly available.
is it OK?
Since VERBIS is open to the public, personal
data will not be made public.

61

Page 62

Right Known Mistakes about the Law on the Protection of Personal Data

Data controllers processing personal data,
data categories of flood data and these data categories
Information to VERBIS regarding the transactions made with
will enter. These publicly available data are
that there are data on a gorical basis and a fact from these data
as there is no way to reach the check person
With the registration with VERBIS, the public disclosure of personal data is promised.
is not the subject.

63) Foundation universities can register with VERBIS as “domesticon the section “legal/real person residing in
should it do?
With the 130th article of the Constitution, the Foundation Higher Education
In accordance with Article 5 of the Regulation on Institutions of the Foundation,
universities have public legal personality.
For this reason, foundation universities are public legal entities.
country, since it is clearly stated that it has
not from the legal/natural person division residing in
From the section “public institutions and organizations” to the Registry
registration is required.

62

Page 63

Right Known Mistakes about the Law on the Protection of Personal Data

64) Chambers of Commerce register to VERBIS as “domestic
through the “resident legal/natural person” section
should it do?
With the Union of Chambers and Commodity Exchanges of Turkey numbered 5174
In accordance with the Law on Chambers and Commodity Exchanges, chambers
It is a Greek professional organization.
For this reason, chambers and commodity exchanges must register VERBIS.
From the section "legal/real person residing in the country"
not from the "public institutions and organizations" section
needs to be accomplished.

65) Registration in the Registry even though it is not within the scope of exception
about those who do not fulfill their obligations
Will the process be established?
Within the scope of exemption from registration obligation
not fulfilling its obligation to register in the Registry
Detection of data controllers who do not
to be made and about them within the scope of the Law.
process will be established.

63

Page 64

Right Known Mistakes about the Law on the Protection of Personal Data

66) As a result of the investigations carried out within the scope of the law,
How to do if a criminal element is found in
a path will be followed?
There is no special provision in the law in this regard.
However, if any criminal element is encountered,
Institution in accordance with the Turkish Penal Code.
notified to the competent authorities by
it is hot.

67) Administrative fines specified in the law every year
is it increased?
In Article 18 of the Law; The level foreseen in the law
applicable in case of breach of obligations.
However, administrative sanctions are issued. Aforementioned
administrative fine amounts at the beginning of each calendar year
in the relevant Official Gazette, effective from
increased by the published revaluation rate
is implemented.

64

Page 65

Right Known Mistakes about the Law on the Protection of Personal Data

68) Administrative fines issued by the Board
Can it be appealed?
Pursuant to Article 18 of the Law, it is decided by the Board.
against the administrative fine sanction decisions
judgment is open. Law on Misdemeanors No. 5326
Peace against administrative fines according to Article 27
Appeals can be made to the Criminal Courts.
Along with an administrative fine, a sanction decision is also made.
has also been given (for example, together with a fine
to suspend the transfer of data abroad.
decision) Administrative Court
is happening.

69) Pursuant to paragraph 1 of Article 28 of the Law,
A data controller within the scope of na
Does it count as an exception?
The activities listed in the first paragraph of Article 28 of the Law
Law for personal data processed within the scope of
provisions will not be applied. However, the same data
activities other than those listed above.
Regarding the personal data it processes, the Law,
will continue to apply with its other provisions.

65

Page 66

Right Known Mistakes about the Law on the Protection of Personal Data

70) Pursuant to paragraph 2 of Article 28 of the Law,
A data controller within the scope of na
Does it count as an exception?
In the second paragraph of Article 28 of the Law, “This
Compliant and proportionate to the purpose and basic principles of the law
the disclosure obligation of the data controller, provided that
10th, which regulates the
Article 11, which regulates the rights of the person concerned, except for the right to
and reduce the obligation to register with the Data Controllers Registry.
Article 16, which regulates the following, shall not be applied in the following cases.
Pursuant to the provision of …” , the activities enumerated in articles are
For personal data processed within the scope of
Only the provisions of Articles 10, 11 and 16 of
won't come off; other provisions continue to apply.
will.
In addition, the same data controllers, other than those listed,
with the personal data processed within the scope of its activities in
(e.g. human resources, accounting, computing
activities) in relation to other provisions of the Law.
will continue to be implemented.

66

