Page 1

PERSONAL DATA
PROTECTION
ABOUT THE LAW
FREQUENTLY ASKED QUESTIONS
Page 2

PROTECTION OF PERSONAL DATA
ABOUT THE LAW
FREQUENTLY ASKED QUESTIONS

Page 3

ABOUT PERSONAL DATA PROTECTION LAW
FREQUENTLY ASKED QUESTIONS
KVKK Publications
ISBN: 978-975-19-6847-0
March 2018, Ankara
Personal Data Protection Authority
Address: Nasuh Akar Mahallesi 1407. Sokak No: 4 Balgat/ANKARA/TURKEY
Phone: +90 312 216 50 50
Web: www.kvkk.gov.tr

Page 4

“The texts, photographs and other content in this book are not permitted except for individual use.
Copying, duplicating, using, publishing, in whole or in part, without
and its distribution is strictly prohibited. Opinion No. 5846 on those who do not obey this ban
Legal action will be taken in accordance with the Art Works Law. All rights of the product are reserved.”

Page 5

CONTENTS
A. GENERAL CONSIDERATIONS REGARDING THE PROTECTION OF PERSONAL DATA

9

1. What Does Personal Data Protection Mean?

11th

2. What are the Legal Regulations Regarding the Protection of Personal Data in Our Country?

11th

3. What is the Scope of the Right to Request the Protection of Personal Data as a Constitutional Right? 12
4. Why is a Legal Regulation Needed on the Protection of Personal Data? 13
5. What is the Basis of the Right to Protection of Personal Data? Is This Right an Unlimited Right?

15

6. When was the Personal Data Protection Law Enforced?

16

7. What is the Purpose of the Law on the Protection of Personal Data?

16

8. What is the Scope of the Law on the Protection of Personal Data?

17

9. What are the Circumstances Not Covered by the Law?

17

B. BASIC CONCEPTS IN THE LAW ON THE PROTECTION OF PERSONAL DATA

19

1. What is Personal Data?

21

2. Are Pseudonyms (Pseudonyms), Pseudonyms and Nicknames Personal Data?

22

3. What is Sensitive Personal Data (Sensitive Data)?

22

4. What is Personal Health Data?

22

5. What is Explicit Consent?

23

6. Is Explicit Consent the Only Condition of Personal Data Processing Activities?

24

7. How Should Explicit Consent Be Obtained to Include the Elements Enumerated in the Law?

25

8. Can express consent be revoked? What are the Legal Consequences of Withdrawal?

26

9. Express Consent means that the Offering of Any Product and/or Service or the Offering of Any Product and/or
Can a Prerequisite of Benefiting from the Service Be Made?

26

10. Can Explicit Consent be Obtained to Cover All Personal Data Processing Activities? 27
11. Is Explicit Consent Subject to Any Form?

27

12. Under which conditions will the consents obtained prior to the publication of the law be considered lawful? 28
13. What Kind of Process About the Personal Data Processed Before the Entry into Force of the Law
Will it be done?

28

14. Personal Data by Fully or Partially Automatic or Non-Automated Means
What is Processing?

29

15. Personal Data that is Physically Held and Not Part of the Data Recording System, Personal Data
Will the Provisions Regarding the Processing of Data Be Applied?

30

Page 6

16. What is Data Recording System?

30

17. What Does the Processing of Personal Data Mean?

31

18. Who is the Data Controller?

32

19. Data Controller Person Responsible for Data Processing Activities within the Legal Entity or
Are they people?

33

20. Who is the Data Processor?

34

21. If the Data Controller is a Legal Entity, the Data Processor is a Subordinate to the Data Controller.
Is it a unit?

34

22. Can a Natural or Legal Person Be Both a Data Controller and a Data Processor?

35

23. Data Controller in Terms of Fulfillment of Obligations in the Law, Data
Is the Operator Based?

35

24. In Case the Data Controller and the Data Processor are Separate Persons, the Liability Regime in the Law
How is it determined?

36

25. A Company Processing Personal Data Only Regarding Its Employees Is Also Within the Scope of the Law
Will it be evaluated?

37

C. TERMS OF PROCESSING PERSONAL DATA

39

1. What are the Basic Principles in the Processing of Personal Data?

41

2. What Does Compliance with Law and Integrity Mean by Law?

42

3. What Does the Principle of Being Accurate and Up-to-Date When Necessary According to the Law Mean?

44

4. What Does the Principle of Relating to the Purpose for which Personal Data are Processed, Limited and Measured Mean? 45
5. What Does the Principle of Definite, Legitimate and Clear Personal Data Processing Purposes Mean?

46

6. What Does It Mean to Elaborate the Purposes of Processing Personal Data?

47

7. For the Processing of Personal Data, Envisioned in the Relevant Legislation or Necessary for the Purpose of Processing
What Does the Principle of Retention for Term Mean?

48

8. What are the Processing Conditions of Personal Data?

50

9. Are the Legal Conditions of Personal Data Processing Activities Limited?

51

10. Provided that it does not harm the Fundamental Rights and Freedoms of the Data Controller,
What Does It Mean That Data Processing Is Mandatory For Legitimate Interests?

51

11. Consideration for Determining the Legitimate Interest of the Data Controller
What are the Required Matters?

52

12. Is Private Personal Data Limited in Law?

53

13. In Which Situations Can Private Personal Data Be Processed?

54

14. Why is the Processing of Special Categories of Personal Data Bound to More Strict Conditions?

54

Page 7

15. In Which Circumstances Can Personal Health Data Be Processed?

55

16. Why are Processing and Transfer of Personal Data Subject to the Same Conditions?

56

17. What are the Exact Exceptions Arranged in the Law?

56

18. What are the Partial Exceptions Arranged in the Law?

57

D. RIGHTS OF THE RELATED PERSON
1. What are the Rights of the Data Subject against the Data Controller?

59
61

2. “If Personal Data Has Been Processed, Information Request Regarding The Data”, which is considered among the Rights of the Relevant Person
How will the “Concept of Doing” be applied?

62

3. How Can the Rights Regarding Personal Data Be Invoked by the Related Persons?

63

4. Are Requests of Related Persons Regarding Personal Data Subject to Fee?

64

5. How long does the requests of the data subjects regarding their rights take by the Data Controller?
Should it be answered?

64

6. To the Personal Data Protection Board for the Requests of the Related Persons regarding their Rights
Is There a Right to Complain?

65

7. Which Conditions Should Complaints to the Board Have?

65

8. How Long Should the Personal Data Protection Board Respond to the Complaint of the Relevant Person?

66

9. What are the Consequences of Accepting the Complaint of the Related Person?

66

10. Personal Data of Relevant Person in Case of Unlawful Processing of Personal Data
Other than a Complaint to the Protection Board, Any Other Request from the Data Controller
Is there a right?

67

E. DELETING, DESTROYING OR MAKING PERSONAL DATA

69

1. What Does Deletion of Personal Data Mean?

71

2. Who is the Relevant User?

71

3. What Does Personal Data Destruction Mean?

72

4. What Does Personal Data Anonymization Mean?

72

5. Under Which Conditions Should Personal Data Be Deleted, Destroyed or Anonymized?

73

F. TRANSFER OF PERSONAL DATA

75

1. How is the Domestic Transfer of Personal Data Regulated in the Law?

77

2. To Whom Can Personal Data Be Transferred Domestically According to Article 8 of the Law?

77

3. How is the Transfer of Personal Data Abroad Is Organized?

79

4. The Board determines that the country to which the data is transferred is sufficient for the transfer of personal data abroad.
On What Principles Will It Decide That It Provides Protection?

80

Page 8

G. EXPLANATIONS REGARDING DATA CONSULTANTS

83

1. Who is the Data Controller in the Subsidiaries of the Group of Companies and the Data Controller?

85

2. What are the Obligations of the Data Controller?

86

3. What is the Scope of the Data Controller's Disclosure Obligation?

87

4. What are the Matters to be Considered While Fulfilling the Lighting Obligation?

88

5. Are There Any Form Conditions in Fulfilling the Lighting Obligation?

90

6. What is Layered Information, “Layered Information” in the Scope of Illumination Obligation
How is it done?

90

7. Name or Name of Third Parties to whom Personal Data will be Transferred within the Scope of Disclosure Obligation
Is It Necessary to Specify Their Titles?

91

8. What are the Obligations of Data Controllers to Ensure Data Security?

92

9. How is the Appropriate Security Level by Data Controllers Under Article 12 of the Law?
Will it be provided?

93

10. What are the Procedures and Principles to be Followed in Applications to the Data Controller? 94
11th . What Procedures and Principles Are Related Person's Right to Complain to the Board?

95

12. Who Determines the Retention Periods of Personal Data?

95

13. Which Points Are Considered While Determining the Retention Periods of Personal Data?

96

The periods determined in the relevant legislation for the personal data to be processed by the data controllers; if
If it is not determined in the relevant legislation, the purpose for which they are processed by the data controllers is taken into consideration.
are kept.

96

I. DATA RESPONSIBILITIES REGISTRY

99

1. What is Data Controllers Registry?

101

2. How to Apply for Registration in the Data Controllers Registry?

102

3. Who Should Register in the Data Controllers Registry?

103

H. PERSONAL DATA PROTECTION BOARD

105

1. What are the Main Duties and Powers of the Personal Data Protection Board?

107

2. Is the Board Allowed the Opportunity to Investigate the Complaint or Ex officio?

109

3. In the event that a crime element is found as a result of the investigations carried out within the scope of the law
What Way Will Be Followed?

110

4. Board Decision to Stop Processing Data or Transferring Data Abroad
Can you give?

110

J. WORKS AND PROCEDURES TO BE DONE AFTER THE LAW ENTERS INTO FORCE

113

1. When does the Data Controllers' Obligation to Register in the Registry Begin?

115

2. What Should Data Controllers Do After the Entry into Force of the Law?

116

Page 9
8

Page 10
9

A. PERSONAL DATA
REGARDING THE PROTECTION
GENERAL CONSIDERATIONS
Page 12
11
11th

1. What Does Personal Data Protection Mean?
Protection of personal data is fundamental with the discipline of processing personal data.
protection of rights and freedoms.
Protection of personal data is basically not the data, but the personal data to which this personal data relates.
aimed at protecting individuals. In other words, data protection;
persons whose data about them is fully or partially automated or
for the purpose of protection from damages arising from non-automatic processing.
oriented and embodied in the principles on the protection of personal data, administrative, technical
and legal measures. In this sense, the protection of personal data
data processing, such as the collection, storage, use and transfer of data relating to
reassuring individuals the right to control, covering all phases of the
It can be said that it aims to gain Within the scope of this purpose, personal data
protection refers to the right of the individual to determine the future of his/her data.
it does. At the same time, this protection is a requirement of human dignity and personality right.

2. Regarding the Protection of Personal Data in Our Country
What are the Legal Regulations?
The right to the protection of personal data has been guaranteed by the constitution in 2010 in our country.
In the period up to this date, personal data is mostly covered in general legal regulations.
protected by the provisions. In Turkish Civil Code and Turkish Penal Code
provisions and sanctions for the protection of personal data and the right to personal data.
examples of regulations. In 2010, Article 20 of the Constitution

Page 13
12

added “Everyone has the right to demand the protection of personal data concerning him/her…”
Protection of personal data gained a constitutional right status for the first time.
At the same time, in the 3rd paragraph of Article 20 of the Constitution, regarding the protection of this right
Determining the procedures and principles is left to a law to be enacted. In this context, 24
Law No. 6698 on the Protection of Personal Data, adopted in March 2016, 7
It entered into force by being published in the Official Gazette dated April 2016 and numbered 29677.

3. Personal Data as a Constitutional Right
What is the Scope of the Right to Request Protection?
With the amendment made in 2010 with the Law No. 5982, the Constitution's private life
Article 20, which regulates the privacy of individuals, states that “Everyone has the right to
has the right to seek protection. This right; personal data about the person himself
information about, access, correction or deletion of this data.
It also includes requesting and learning whether it is used for its purposes.
Personal data can only be processed in cases stipulated by law or with the explicit consent of the person.
The principles and procedures regarding the protection of personal data are regulated by law. provision
The scope of the right of individuals to protect their personal data has been determined.

Page 14
13

4. Legal on the Protection of Personal Data
Why Was an Arrangement Needed?
Both public institutions and private organizations, fulfilling a task or
in connection with the provision of a service, personal data
they have been operating for a long time. As this may be caused by laws, sometimes
based on the consent of persons or a contract, sometimes
depending on its nature. It should be noted that the fundamental rights of individuals
One of the priority issues is the protection of personal rights and freedoms in the data processing process.
In addition, maintaining social and economic life in order, public services
effective delivery of goods and services in accordance with the requirements of the economy
The processing of personal data is indispensable for the development, distribution and marketing of
However, unlimited and indiscriminate collection of personal data,
unauthorized access, disclosure, or misuse or misuse.
It is necessary to prevent the violation of personal rights as a result of its use.
In addition, by the Council of Europe, in all member states, personal data is the same.
standards and to determine the principles of cross-border data flow.
Individuals Against the Automatic Processing of Personal Data Prepared
Concerning the Protection of the Convention No. 108 was opened for signature on 28 January 1981 and
signed by our country. This contract is dated 17 March 2016 and numbered 29656.
It was published in the Official Gazette and included in domestic law. 4 of Convention No. 108.
legal regulation on the protection of personal data in domestic law, within the framework of Article
has become necessary. As a matter of fact, the Constitutional Court dated 9 April 2014
and in its Decision E:2013/122, K:2014/74; “The right to the protection of personal data,

Page 15
14

the right to the protection of human dignity and the free development of his personality
as a special form, the rights and freedoms of the individual during the processing of personal data
It has been determined that it aims to protect [..…]” and “personal data is valuable for commercial enterprises.
As a result of gaining an asset quality, the risks created by the private sector elements
to reach more widespread and important dimensions and personal data of terrorist and criminal organizations
personal data due to factors such as the increase in
It has been stated that it needs much more protection than in the past.

Page 16
15

5. Basis for the Right to Protection of Personal Data
What? Is This Right an Unlimited Right?
The basis of the right to protection of personal data is the last article of Article 20 of the Constitution.
is the paragraph. Requesting the protection of personal data, which is held as a fundamental right
The right of the person is included in the section of the Constitution regarding the rights and duties of the individual.
However, as with all rights and freedoms, the protection of personal data
other rights and freedoms within the limits drawn in the Constitution.
may be limited in favor of Accordingly, the personal rights recognized in Article 20 of the Constitution
the exercise of each right to data protection and in favor of other rights
Regulations regarding the restriction can only be made by law.
The Constitutional Court, in its decision dated 9 April 2014 and numbered E:2013/122, K:2014/74
In the last sentence of paragraph 3 of Article 20 of the Constitution, “Personal data
the principles and procedures regarding the protection of the law are regulated by law” and
In accordance with the principle of "non-transferability of legislative power", the Constitution is expressly
directly and at first hand to the executive body on the issues it envisages to be regulated.
Deciding that it cannot be given the authority to take regulatory action,
underlined the necessity of legal regulation. Hence
Protection of personal data recognized in the last paragraph of Article 20 of the Constitution
As long as the regulations related to the right of law are made by law, it will find application area.

Page 17
16

6. When the Law on Protection of Personal Data
Entered into force?
Draft Law on Protection of Personal Data, Protection of Personal Data No. 6698
It was referred to the Presidency of the Grand National Assembly of Turkey on January 18, 2016 with the name of the Law.
It was adopted by the General Assembly of the Grand National Assembly of Turkey in 2016 and enacted.
It entered into force by being published in the Official Gazette dated April 2016 and numbered 29677.

7. Purpose of the Law on Protection of Personal Data
What?
Considering international documents, comparative law practices and the needs of our country
Processing personal data in contemporary standards with the Law prepared by
intended to be protected. In this context, the purpose of the Law is to
the processing conditions, the fundamental rights and freedoms of individuals in the processing of personal data.
to comply with the obligations of natural and legal persons who process personal data
to regulate the procedures and principles. In the justification of the law, the person's right to privacy
Data protection and data security are also considered within this scope.
In addition, natural and legal persons who process personal data are obliged to comply with their obligations.
Regulation of procedures and principles is among the aims of the Law.

Page 18
17

8. Law on Protection of Personal Data
What is the scope?
The law covers real persons whose personal data are processed and these data in whole or in part.
automatic or any data recording system (for certain
provided that it is part of the registration system where it is processed and structured according to the criteria.
It applies to natural and legal persons who operate by non-automatic means. It
In this direction, organizations operating in the private sector and public institutions and organizations
no distinction has been made in terms of
has been adopted in terms of institutions. The fact whose data is processed in the law
Everyone who has the capacity to have rights because people are mentioned is within the scope of the Law.

9. Circumstances Not Covered by the Law
What are they?
• The law is about data processors without being part of any data recording system.
not applicable.
• Since the term "natural persons whose personal data are processed" is used in the law, personal data
Legal entities whose data are processed are also excluded from the scope of this Law.
• Cases that are completely or partially out of the scope of Article 28 of the Law shall be ruled out.
connected. Full exceptions in paragraph 1 of this article, partial exceptions in paragraph 2
are arranged. In cases of complete exception, the Law will not be applied in any way,
In cases of partial exception, only some articles of the Law will not be applicable.

Page 19
18

Page 20
19

B. PERSONAL DATA
IN THE LAW OF PROTECTION
FOUNDATION INCLUDED
CONCEPTS
Page 22
21
21

1. What is Personal Data?
It is all kinds of information regarding a natural person whose identity is determined or identifiable.
In order to be able to talk about personal data, it must be related to a natural person and this
The person must also be of a specific or identifiable nature. According to this:
a) Relating to a real person: Personal data relates to a real person and not to legal persons.
Related data is outside the definition of personal data. Therefore, the trade name of a company,
information about the legal entity such as address, tax identification number, MERSIS number and turnover
(except in cases where they can be associated with a natural person) will not be considered as personal data.
b) Making the real person identifiable or identifiable: Personal data, TR identity numberIt can show the direct identity of the person concerned, as well as the identity of that person.
Although it does not directly show the
as a result of associating it with a record, it also includes all the information that enables the person to be identified.
covers.
c) All kinds of information: This expression is extremely broad and means that a real person
only identifying information such as name, surname, date of birth and place of birth
as it may be; phone number, motor vehicle license plate, social security number,
passport number, resume, pictures, video and audio recordings, fingerprints, e-mail
address, hobbies, preferences, contacts, group memberships, family information,
all data that makes a person identifiable directly or indirectly, such as health information
is also considered as personal data. Which information is personal data in the law?
Since the limited count principle is not adopted, the personal
It is possible to expand the scope of the data. Importantly, any data
the fact that it can be associated with a real person or that it can identify that real person.

Page 23
22

2. Pseudonyms (Pseudonyms), Pseudonyms and
Are Nicknames Personal Data?
Be able to identify a natural person, alone or when combined with other sources
If so, these data will be considered as personal data. However, their personal
The ability to identify the person according to the characteristics of each concrete event, whether there is data or not.
should be taken into account.

3. What is Sensitive Personal Data (Sensitive Data)?
Special categories of personal data, if they are processed, may cause the relevant persons to become victims or
data that carries the risk of causing discrimination. Therefore, other personal
data need to be protected much more strictly. Article 6 of the Law
special categories of personal data; “A person's race, ethnicity, political opinion,
philosophical belief, religion, sect or other beliefs, disguise, association, foundation or
union membership, health, sexual life, criminal conviction and security measures.
data and biometric and genetic data”. These data are determined in a limited number in the Law.
they cannot be expanded.

4. What is Personal Health Data?
Personal health data, any data relating to a person's physical and mental health
Information about the health service provided to the person. For example; any kind of analysis
personal health data such as the result of the person, the diseases he has had, the drugs he used.
are data. Since personal health data is special quality personal data, 6 of the Law
It is subject to the processing conditions of special categories of personal data regulated in the article.

Page 24
23

5. What is Explicit Consent?
Explicit consent is based on being informed about a particular subject and expressed with free will.
is consent. In other words, freely to process the data of the person concerned,
consent given by being sufficiently informed and limited to that transaction only.
statement.
According to the law, express consent has three elements:
a) Relating to a specific subject: The scope of the express consent declaration is of a general nature.
should not be specific to a particular situation. For example; by the data controller
“Explicit consent to the processing of your personal data for the provision of all our products and services
Do you give?” In case of consent in the form of consent, the consent is related to a particular subject.
will not be considered valid.
b) Relying on information: Express consent is a declaration of will and the person's free will.
In order to consent in this way, he must know what he is consenting to. In this context,
The information to be made to the person must be made before the data is processed and the data
All matters relating to processing must be carried out in a clear and understandable manner.
The purposes for which the personal data to be obtained will be used should be clearly stated.
will have difficulty in reading when given terms or written information that he will not understand
Small font sizes should not be used.
c) Expression of free will: The declaration of explicit consent, which is a declaration of will.
The person must be free from situations that will affect his free will. It
Accordingly, there is a situation that will overturn the will of the person who has given the express consent declaration.
should not be. For example, the provision of a service is dependent on explicit consent, or
obtaining explicit consent by fraud.

Page 25
24

6. The Only Condition of Personal Data Processing Activities
Is it Open Consent?
Explicit consent pursuant to Article 5 of the Law, personal data processing in the Law
Although it is one of the conditions, it gives legality to the data processing activity.
It is not the only element. Apart from express consent for data processing activity in the law,
conditions are stipulated. Accordingly, if one of the following conditions exists,
It is possible to process personal data without seeking the explicit consent of the person concerned:
a) It is clearly stipulated in the laws,
b) Being unable to express their consent due to actual impossibility, or
the life of the person or another person whose consent is not given legal validity, or
necessary for the preservation of bodily integrity,
c) Being directly related to the establishment or performance of a contract
provided that it is necessary to process the personal data of the parties to the contract,
ç) Obligatory for the data controller to fulfill its legal obligation
to be,
d) The person concerned has been made public by himself,
e) Data processing is mandatory for the establishment, exercise or protection of a right.
to be,
f) Provided that it does not harm the fundamental rights and freedoms of the data subject,
Data processing is mandatory for the legitimate interests of the controller.

Page 26
25

7. Open to Include the Elements Enumerated in the Law
How Should Consent be Obtained?
In accordance with the definition in subparagraph (a) of Article 3 of the Law, express consent; specific
should be disclosed on a subject, based on information and free will.
In the justification of the law, explicit consent is stated, “The data subject is processed by the person concerned,
freely, with sufficient knowledge of the subject, in a clear manner that leaves no room for hesitation.
and the statement of approval given only limited to that transaction”.
In this context, not limited to a specific subject and not limited to the relevant transaction.
general consents are legally invalid. There is no provision in the law regarding express consent.
Although no form requirement is foreseen, in cases where express consent is written
Consent texts should be written in a clear, understandable and simple manner. Your express consent
by referring to another medium or text other than the medium or text from which it was taken.
The explicit consent of the person concerned should not be obtained. Explicit consent, free will of the person concerned
It should be presented to the relevant person's choice in a way to show that he has made a statement.
However, data processing activity is the most important of the other personal data processing conditions.
If it is based on at least one of them, explicit consent should not be sought for this activity. If your activity
The purpose of realization is to fulfill the personal data processing conditions other than express consent in the Law.
express consent must be obtained for this activity and limited to that activity.
In case of reliance on reasons other than express consent,
Obtaining consent may deceive and mislead the persons concerned. Therefore, priority
whether the personal data processing is based on conditions other than express consent.
should be investigated, if any of these conditions are not available, explicit consent should be sought.

Page 27
26

8. Can express consent be revoked? Take Back
What are the Legal Consequences?
Since express consent is a strictly personal right, the given consent can be withdrawn.
In this context, since the right to determine the future of personal data belongs to the person concerned,
The person can withdraw the explicit consent given to the data controller at any time. With this
based on express consent, as the withdrawal together will have prospective consequences.
All activities carried out as a retrieval declaration have reached the data controller.
must be stopped by the data controller from now on. In other words, undo
The declaration becomes effective from the moment it reaches the data controller. However, to keep
If there is another legal reason that requires personal data, the data controller
may be stored for this purpose only.

9. Express Consent is the use of any Product and/or Service.
Your Offering or Any Product and/
or a Prerequisite for Enjoying the Service
Can it be done?
Obtaining the explicit consent of the person concerned, since the express consent must be disclosed with free will,
precedence of offering or benefiting from a product or service
should not be put forward as a condition.
For example, in places where the use of a service is a condition of membership, being a member
Establishment of the membership agreement for obtaining and processing the fingerprint of the relevant person
It would be unlawful for it to be stipulated as a necessity. Because this is how
express consent will be contrary to the principle of giving open consent with free will and the principle of proportionality.

Page 28
27

10. Explicit Consent Personal Data Processing Activities
Can it be taken to cover the whole?
General, not limited to a specific subject and not limited to the relevant transaction
express consents of such nature are considered as “blanket consents” and legally
is deemed invalid. For example; “all kinds of commercial transactions, all kinds of banking transactions
and all kinds of data processing activities, which do not point to a specific subject and activity.
Consent statements are situations that can be considered within the scope of blanket consent.

11. Any Form of Explicit Consent
Is it of course?
The law does not stipulate any form requirement for giving express consent.
The important thing is that the express consent has the elements in the Law and can be proven.
that is. Therefore, express consent can be verbal, written, electronic media, etc. by methods
can be given. The burden of proof that express consent has been obtained rests with the data controller.

Page 29
28

12. Received Before the Publication of the Law
Consent, Under Which Conditions Are Legally Accepted?
Will it be?
According to the 3rd paragraph of the Provisional Article 1 of the Law, before the publication date of the Law,
consents obtained in accordance with, not making a contrary declaration of will within one year.
shall be deemed to be in accordance with this Law. Therefore, before the publication of the Law
In order for the consent to be accepted as lawful, it must comply with the general legal rules.
and no declaration of intent to the contrary has been made within one year.

13. Before Entry into Force of the Law
What Kind of Action About the Processed Personal Data
Will it be done?
Provisional Article 1 of the Law states that “processed before the publication date of the Law.
personal data that is in compliance with the provisions of the Law within two years from this date.
is made. Personal data found to be in violation of the provisions of the law
immediately deleted, destroyed or anonymized.” provision is included.
Pursuant to this provision, data controllers collect data before the publication date of the Law.
Personal data processing activities carried out on the basis of personal data
The law should make it compatible with the Law within 2 years from the date of publication.
Within the scope of personal data processing activities that need to be harmonized within this framework,
Processing of activities that are detected to be inconsistent with the law and not harmonized
activities should be stopped. Personal data processing activities that are incompatible with the law
The personal data in question should be promptly deleted, destroyed or anonymized.

Page 30
29

14. Fully or Partially Automatic, or
Personal Data Processing by Non-Automatic Means
What?
Although the law does not define what automatic processing is,
While explaining the scope of the Law in the justification, “Today, these data are used both privately and privately.
automatically by the sector and the public sector through information systems.
used frequently.” automatic processing indirectly,
activities carried out through information systems.
In this context, processing that is fully or partially automated; human intervention
recording of data, minimizing the need for assistance or
applying logical or arithmetic operations to data, changing data,
automatic or automatic transfer of transactions such as deletion, recovery or transfer.
can be defined as the implementation of partially automated methods.
Processing by non-automatic means depending on a data recording system is manual.
processing, which is prepared as an easy-to-understand, but facilitates access and interpretation.
represents its activity. The law completely prohibits data processing by non-automatic means.
does not exclude it from the scope, non-automatic data processing is a data record.
part of the system accepts the data processing activity within the scope of the Law.
Here, not any unsystematic pile of information, but prepared with manual methods
a classification expression that facilitates access to information and interpretation, even if
is being done. For example, a random
It is within the scope of the Law that the names and surnames of the persons are included in a book.
While not entering, the names and surnames in question are systematically recorded in a book.
If it is recorded, data processing activity will be mentioned within the scope of the Law.

Page 31
30

15. Physically Held and Data Recording
Personal Data Not Part of the System,
Provisions Regarding the Processing of Personal Data
Will it be applied?
Physically recorded but not part of the data recording system
Provisions of the Law regarding the processing of personal data do not apply to personal data.

16. What is Data Recording System?
The data recording system is the registry where personal data is processed and structured according to certain criteria.
represents the system. Data recording system that can be qualified as a filing system
can be created electronically or physically. Accordingly, in the data recording system, personal
data can be classified by name, surname or identity number, for example
A classification to be created for those who do not pay their loan debts will also be included in this context.
is being evaluated.
As stated above, arbitrarily without any criteria.
The case where only the names and surnames of the persons are included in a paper is within the scope of the Law.
Although not entered, the names in question are put on a piece of paper according to a certain criterion.
If it is recorded, this data recording is considered within the scope of the Law.

Page 32
31

17. What Does the Processing of Personal Data Mean
Coming?
Fully or partially automated or any data
obtained by non-automatic means, provided that it is part of the registration system,
recording, storing, preserving, changing, rearranging,
disclose, transfer, take over, make available, classify or
It is all kinds of operations performed on data, such as preventing its use.
For example, storing personal data only on a hard disk, CD or server,
It is a data processing activity even if no other operation is performed with the aforementioned data.
Therefore, the actions within the scope of data processing are not limited, and personal data is first
all types of operations performed on the data, starting with the
means.

18. Who is the Data Controller?
Data controller, which determines the purposes and means of processing personal data,
real or legal person responsible for the establishment and management of the system
represents the person. These persons may be natural persons as well as public institutions, companies,
It can also be legal entities such as associations or foundations. Legal entities, personal data
Personal data controller within the scope of his/her activities regarding processing
and will assume the legal responsibility specified in the relevant regulations. In this respect

Page 33
32

There is a difference between public law legal persons and private law legal persons.
has not been observed. In this context, in terms of legal and criminal liability, legal persons
General provisions in private law and public law regarding liability are applied.
The processing of personal data and the purpose of processing for the determination of the data controller,
types of personal data, the purposes for which the processed personal data will be used, which persons
personal data will be processed, whether personal data will be shared, if it will be shared
with whom it will be shared, how long it will be stored, the right of access and other
It is taken into account who decides on matters such as whether or not their rights will be enforced.
Any legal regulation, personal data processing purposes and means
determines the duties determined within the scope of this legal regulation.
Natural or legal persons who will fulfill the requirements should be considered as data controllers.

19. Data within the Data Controller Legal Entity
Person Responsible for Processing Activities or
Are they people?
Data controller in law, determining the purposes and means of processing personal data,
real or legal person responsible for the establishment and management of the data recording system.
referred to as a legal person. In this context, the data controller
responsible for data processing activities within the legal entity
Real persons who are registered as data controllers are not considered as data controllers for the implementation of the Law.

Page 34
33

Therefore, the data controller liability will arise on the relevant legal entity and this
The obligation is fulfilled by the bodies or persons authorized to represent and bind the legal entity.
will be brought. The body or persons authorized to represent and bind the legal entity, legal entity
To fulfill the data controller obligations of the legal entity
may appoint a person or persons to This assignment is the data controller of the legal entity.
As it will not remove the liability of the natural persons concerned, the data controller
will not be identified as such.

20. Who is the Data Processor?
The data processor, based on the authority given by the data controller,
are natural or legal persons. These persons process the personal data of the data controller.
It may also be a separate natural or legal person authorized by it.
For example, operating on behalf of the data controller based on the authority given by the data controller.
a company that provides call center services by outsourcing
will be considered as a data processor within the scope of this activity. What matters here is the data.
that the processor receives the personal data processing activities within this scope from the data controller.
carried out in accordance with the instructions.

Page 35
34

21. In Case the Data Controller is a Legal Entity
Data Processor, a Unit Affiliated to the Data Controller
is it?
In the law, the data processor, based on the authority given by the data controller,
is the natural or legal person who processes the data. Organization of the data controller legal person
other than those who are in a legal relationship with the data controller in terms of personal data processing.
data according to the nature of each natural and/or legal person personal data processing activity
responsible (e.g. financial advisors, lawyers, banks, insurance companies) or data
processing (e.g. IT service providers, archiving service providers, call center
service providers). For this reason, the data controller is a legal person.
The data controller is the person outside the organization of the legal person.

22. A Natural Or Legal Person Both Data
Can the Responsible Be Also a Data Processor?
Data controller and data processor, depending on the nature of the data processing activity.
identifies the relevant party. Therefore, any natural or legal person
Due to the different activities it carries out, it is also both a data controller and a
It can also be a data processor. For example, a call center company
While it is considered a data controller for the data it holds, it is given to the companies that are its customers.
In terms of the data it holds, it will be considered as a data processor.

Page 36
35

23. Fulfillment of Obligations in the Law
In terms of Data Controller or Data Processor?
Based on?
In the law, fulfilling legal obligations regarding personal data processing activities
Data controller is taken as basis. Data controller, personal data
from the establishment of the data recording system, which determines the purposes and means of processing
and the natural or legal person responsible for its management. If the data processor is
real or legal entity that processes personal data on behalf of the person in charge of
is a person. Accordingly, it is clear that the data processor fulfills the instructions of the data controller.
In the law, both the obligation of disclosure and obligations regarding data security
It is defined through the data controller and the data subject transfers his/her rights to the data controller.
established that it can be argued against.

24. Separate Persons of the Data Controller and the Data Processor
Liability Regime in Law, in Case of Existence
How is it determined?
According to the law, the data controller is responsible for the unlawful processing of personal data and
to prevent unlawful access to personal data, to protect personal data
all necessary measures to ensure the appropriate level of security in order to ensure
must take technical and administrative measures. On behalf of the data controller of personal data
If it is processed by another natural or legal person, the data controller
It is jointly responsible with these persons for taking the measures in question.

Page 37
36

In addition, data controllers and data processors are responsible for the personal data they have learned in accordance with this Law.
They cannot disclose it to others in violation of its provisions or use it for purposes other than processing.
This obligation continues even after they leave office. Data of personal data
If it is processed by another natural or legal person on behalf of the person responsible, the personal
prevent unlawful processing of data, unlawful access to personal data
In order to prevent and ensure the protection of personal data, the data processor is also the data processor.
responsible with the supervisor.

25. Personal Only for Own Employees
A Data Processing Company Is Also Within The Scope Of The Law
Will it be evaluated?
As a rule, natural and legal persons who process data are within the scope of the Law.
Therefore, a company that processes personal data only about its own employees
will be evaluated within the scope of

Page 38
37

Page 39
38

Page 40
39

C. PERSONAL DATA
PROCESSING CONDITIONS
Page 42
41
41

1. Basic Principles in the Processing of Personal Data
What are they?
In the processing of personal data, always in accordance with the general principles set forth in the Law.
should be treated. The general principles in the processing of personal data are:

1) Compliance with the law and honesty rules
2) Being accurate and up-to-date when needed
3) Processing for specific, explicit and legitimate purposes,
4) Being connected, limited and restrained with the purpose for which they are processed,
5) The period stipulated in the relevant legislation or required for the purpose for which they are processed.
to be preserved.
Principles regarding the processing of personal data, all personal data processing activities
must be inherent and all personal data processing activities must be carried out in accordance with these principles.
should be carried out.

Page 43
42

2. By Law, By Law and Integrity
What Does Eligibility Mean?
Compliance with the law and the rule of honesty, with laws and regulations in the processing of personal data
the obligation to act in accordance with the principles brought by other legal regulations.
means. In accordance with the principle of compliance with the rule of honesty, the data controller
interests and reasonable expectations of the persons concerned, while seeking to achieve their objectives in processing.
should take into account. Consequences that the person concerned does not expect and does not need to expect.
must act to prevent its occurrence. In addition, in accordance with the principle
the data processing activity in question is transparent for the data subject and the data controller
must act in accordance with the information and warning obligations.
The principle of being in compliance with the law and the rule of honesty has an inclusive feature as well.
has. Compliance with the law, in general legal norms and universal legal principles
is suitability. The scope of legality is broad, including regulatory compliance.
For example, an illegal practice also brings about illegality.
Compliance with the rules of honesty is in our law, in Article 2 of the Civil Code.
The principle of honesty is not violated when processing personal data. This principle
to comply with the prohibition on the abuse of the right when processing personal data.
requires. The rule of honesty is in accordance with the rules of trust when using the rights of people
and to behave in the manner expected of a reasonable person. Integrity rule
boundaries are determined according to the behavior to be expected from an objective person in each concrete case,
The subjective status of individuals is not taken into account. There is a violation of the rule of honesty
the person uses his/her right and acts within the limits of this right,
however, it acts contrary to the purpose of the right.

Page 44
43

In terms of the protection of personal data, the honesty rule is
based on legal rules that authorize or order processing
processing the least possible amount of data in accordance with the purpose of this legal rule,
It requires behaviors such as not acting in a way that cannot be foreseen by the persons concerned.
Data controllers take into account the interests and reasonable expectations of the data subjects
It is a requirement of the honesty rule. private life of the person concerned without a justified reason.
The processing of data in a way that violates the privacy and dignity of the data will undoubtedly constitute a violation of this principle.
will. For example, requesting unreasonable data from the data subject or
It is against this principle that it is processed in violation of the rules of honesty by the responsible person.
The rule of integrity is embodied in other principles of data protection. to these principles
Data processing without observance of the rule of good faith, therefore legal data
processing will be inconsistent.
For example, in case of deletion of personal data before a legal entity, the data is technically
data by persons responsible for its storage, protection and backup.
Although it is possible to provide access, within the legal entity in question
Number of persons responsible for storing, protecting and backing up data
Access to personal data deleted by these persons in case of over-determination
It will be a violation of the honesty rule.
Whether this principle is applicable or not, first of all, the fundamental rights and freedoms of the Constitution
regime should be considered. The processing of personal data, the basic
means an interference with their rights, and this interference is fair and lawful.
In order to be considered appropriate, the Constitution must be limited by the restriction of fundamental rights and freedoms.
must comply with the relevant regulations. Emphasis on legality
One of the most important points to be made is that this concept refers to the entire legal system. One
data processing is permitted or even ordered by law.
presumed to be appropriate.

Page 45
44

3. According to the Law, Accurate and Up-to-Date When Necessary
What Does the Principle of Being Mean?
The fact that personal data is accurate and up-to-date when necessary,
It defines the necessity of performing it based on true and up-to-date personal data.
In this context, the data controller's personal data is accurate and up-to-date when necessary.
active duty of care, if the data controller
It is valid if it creates a result related to the person concerned (for example, a credit transaction). Its
Apart from that, the data controller always ensures that the information of the person concerned is correct and up-to-date.
keep the channels open. 11 of the Law, which regulates the rights of the person concerned.
In subparagraph (d) of paragraph 1 of the article, the personal data of the person concerned are incomplete or incorrect.
If they have been processed, the right to request their correction is included.
For example, as a result of the change of surname of the data subject after marriage, the data controller
requesting to change the surname in the bank records by calling the bank
It is an act of enforcing a right.
Likewise, a person working in company A quits his job and starts a job in company B.
In the event that the person is an employee of company A, the data "is an employee of company A" will not be correct.
The data that it is “worked person” will be correct.

Page 46
45

4. Related to the Purpose for which Personal Data are Processed,
What Does the Principle of Limitation and Moderation Mean?
Purpose limitation is one of the important principles prevailing in the protection of personal data.
Personal data must be relevant, limited and proportionate to the purpose for which they are processed. not available
and personal data should not be collected for purposes that are thought to be realized later. Personal
Personal data should not be collected more than necessary for the realization of data processing.
and/or should not be processed. Accordingly, personal data can only be used for certain purposes and when necessary.
It should be collected as much as possible and used where the purpose requires.
In this regard, new processing that may occur in the future after personal data is collected
at the time of the initial collection of the data for processing for its intended purpose.
The conditions that need to be met should be sought again for new purposes. For example, a
Address information recorded by the transportation company within the scope of the transportation contract,
If it will be used for marketing activities afterwards, it can be used for this purpose.
Re-evaluation of whether the personal data processing conditions are met for
required.
In addition, the processed data is only necessary for the realization of the data processing purpose.
should be limited to For example, identification of customers by a textile company
or keeping contact data, tracking sales transactions, etc. in keeping with the purposes,
linked to the purpose of collecting data on customers' financial history and
cannot be said to be measurable.
In addition, the condition of being connected, limited and proportional to the purpose is required for each relevant person and process.
must be evaluated separately. Because it is necessary for a specific person and process
data may be unmeasurable to another person. Data of special nature to this matter
attention should be paid to. Employees by the human resources unit in a workplace
Receiving union membership data in order to determine their financial rights is considered to be proportional.
While the data will be taken by the R&D unit of the same workplace, it will be measured on a measured basis.
will not be accepted.

Page 47
46

5. The Purposes of Personal Data Processing are Specific, Legitimate and
What Does the Principle of Openness Mean?
The principle that the purposes of processing personal data are specific, legitimate and clear;
• The personal data processing activities can be clearly understood by the person concerned.
to be,
• Based on which legal processing condition of personal data processing activities
detecting that it has been done,
• The specificity of the personal data processing activity and the purpose of this activity.
to be presented in detail to
provides.
The principle that the purposes of personal data processing are specific, legitimate and clear, especially express consent
personal data during the collection and fulfillment of the obligation to inform
Ensuring that the processing activities are carried out in accordance with the law
point of importance.
Within the scope of this principle, express consent, clarification, answering the applications of the relevant person, data
application to the registry of responsible persons, etc. certainty and clarity in legal proceedings and texts such as
being sensitive to the principle of compliance, use of incomprehensible terminology
must be avoided. Acting in accordance with this principle is also based on the principle of honesty.
It is also important for compatibility.

Page 48
47

6. Purposes of Processing Personal Data
What Does Elaboration Mean?
Elaborating the purposes of processing personal data,
each event determines what level of detail is expected in terms of communicating the objectives.
is to be considered separately.
A small business and a retail business offering goods and services for a narrow environment
The data processing purposes offered by the chain cannot be expected to be of the same detail. One
through very different means and purposes in terms of the market chain (loyalty program
or cross selling etc. elaboration of all these purposes as the data will be processed
required.
A website that offers very different services at the same time (e-commerce, social
platform etc. etc.) avoiding general expressions when declaring their goals and that the target audience
information at a reasonable level of detail, in a language and terminology appropriate to one's qualifications
must present.
In areas where special categories of personal data are processed, the purposes of data processing in other areas
should be presented in more detail. For example, a personal
general purpose of processing the data, such as fulfilling human resources activities.
indicates a personal data processing purpose, providing sufficient detail at this point
does not provide.
However, the processing of special categories of personal data for the purpose of creating the personnel file.
reveal the purpose of processing personal data in a more detailed and specific way
puts it.

Page 49
48

7. In the Relevant Legislation for the Processing of Personal Data
Intended or Necessary for the Purpose for which they are Processed
What Does the Principle of Conservation for Term Mean?
Income?
Personal data is only required for the purpose stipulated in the relevant legislation or for the purpose for which they are processed.
It must be kept for as long as possible. Accordingly, data controllers
If there is a period stipulated in the legislation for the storage of data, it will comply with this period, personal data
will only be able to keep the data for as long as is necessary for the purpose for which they are processed.
If there is no valid reason for further storage of a data, that data
will be deleted, destroyed or anonymized. Can be used again in the future
Keeping personal data in mind or for any other reason
will not be able to go his way.
In addition, when applying for registration in accordance with Article 16 of the Law, the data controller
must notify the maximum period required for the purpose of processing personal data.
The processing purposes of the data categories notified to the Registry by the data controller and these
with the maximum retention periods necessary for their processing based on the purposes
The periods stipulated in the legislation may be different. In this case, maximum protection in the legislation
if a period of expiry is foreseen, if this period is not foreseen, the longest period of these is the basis
A notification is made to the Registry for this data category.
It should be emphasized here that compliance with these periods stipulated within the scope of the legislation is essential.
The storage activities for the data controller are determined by the data controller.
exceeds, these activities only fulfill the obligations specified in the relevant legislation.

Page 50
49

should be conducted as a limited storage and processing activity. Both the data controller
the periods stipulated within the scope of the legislation to which it is subject due to its legal obligations,
and in case the storage periods determined by the data controller are exceeded, the personal
Deletion, Destruction and Anonymity of Personal Data by the data controller
Deletion, destruction or anonymization according to the Regulation on
delivery must be provided.
The maximum retention period required for the purpose for which personal data is processed
while determining;
a) The activity of the data controller within the scope of the processing purpose of the relevant data category
the period accepted as per the general custom in the sector indicated,
b) Requires the processing of personal data in the relevant data category and
the period during which the legal relationship established with the person will continue,
c) Depending on the purpose of processing the relevant data category, the data controller can obtain
that the legitimate interest to be gained will be valid in accordance with the law and honesty rules.
time,
ç) The consequences of storing the relevant data category depending on the purpose of processing.
the period during which risks, costs and responsibilities will continue legally,
d) The relevant data category of the maximum period to be determined is correct and when necessary.
whether it is convenient to keep up to date,
e) In accordance with the legal obligation of the data controller, it is included in the relevant data category.
the period during which the recipient has to keep the personal data,
f) By the data controller, depending on the personal data in the relevant data category.
the statute of limitations for asserting a right,
are taken into account.

Page 51
50

8. What are the Processing Conditions of Personal Data?
Article 5 of the Law regulates the processing conditions of personal data. special qualification
The processing conditions of personal data are subject to different principles in Article 6 of the Law.
In this context, in which cases non-special quality personal data is legally valid.
It has been arranged as follows according to the principles in the Law, which can be processed as
the presence of only one of these conditions, the existence of non-special quality personal data.
will create sufficient legal conditions for the processing of:
• Existence of the explicit consent of the person concerned,
• It is clearly stipulated in the laws,
• Those who are unable to express their consent due to actual impossibility or
the life of the person or another person whose legal validity is not recognized, or
necessary for the preservation of bodily integrity,
• Provided that it is directly related to the establishment or performance of a contract,
It is necessary to process the personal data of the parties to the contract,
• It is mandatory for the data controller to fulfill its legal obligation,
• The person concerned has been made public by himself,
• Data processing is mandatory for the establishment, exercise or protection of a right,
• Provided that it does not harm the fundamental rights and freedoms of the data subject, the data controller
data processing is necessary for their legitimate interests.
Data processing is one of the data processing conditions other than the express consent of the data subject in the Law.
if it is based on at least one of them, in this case the express consent of the data subject from the data controller.
should not be taken.

Page 52
51

9. Legal Conditions of Personal Data Processing Activities
Is it Limited Edition?

Personal data processing conditions are specified in a limited number in the law, except for these conditions, personal data processing conditions are limited.
data processing is not possible.

10. Damage to the Fundamental Rights and Freedoms of the Related Person
Legitimate Data Responsible
Obligatory Data Processing for Their Interests
What does it mean?
According to the law, provided that it does not harm the fundamental rights and freedoms of the data subject,
If data processing is necessary for the legitimate interests of the controller
It is regulated that personal data can be processed. Legitimate interest of the data controller,
the interest to be obtained as a result of the personal data processing activity to be carried out, and
is for the benefit.
Benefit of the data controller; legitimate, with the fundamental rights and freedoms of the person concerned
It must be competitively effective, specific and relevant to an existing interest. for example
a company owner, provided that it does not harm the fundamental rights and freedoms of its employees,
their promotions, salary increases or regulation of their social benefits or
to be taken as basis in the distribution of duties and roles in the restructuring process.
will be able to process personal data of employees. Here is the restructuring of the business
or the promotion of qualified and qualified employees, the company in the status of data controller
in the legitimate interest of the owner.

Page 53
52

11. Determining the Legitimate Interest of the Data Controller
To Consider
What are the Considerations?
In case the data controller relies on the legitimate interest condition, the existence of this condition
In order to determine the following points should be evaluated:
a) The interest belongs to the data controller: The existence of which must be sought in the law
It is regulated that the legitimate interest should belong to the data controller. data controller
the legitimate interest of a third party outside the scope of this data processing requirement.
remains.
b) Legitimacy of interest: In order to be able to talk about the existence of the data processing condition
not only that the interest of the data controller exists,
It must also be legitimate. Upon the possibility that the interest may arise in the future, the person concerned
It is not possible to obtain personal data. accepted under Article
The concept of legitimate interest refers to an interest that already exists.
c) Fundamental rights and freedoms of the person concerned with the legitimate interest of the data controller
existence of a balance between: The existence of the legitimate interest of the data controller, the existence of the data controller
should not harm their fundamental rights and freedoms. To determine this situation, two-stage
A balance test should be applied. In the first evaluation to be made in this context,
It should be determined whether the data controller has a legitimate interest,
fundamental rights and freedoms of the data subject whose personal data will be processed in the evaluation.

Page 54
53

It should be determined what is going on and the rights and benefits mentioned should be evaluated.
should be judged to be superior. However, when making this evaluation, the data controller
legitimate interests and the purpose of processing personal data should not be confused. These two terms
Although related, they mean different things. Purpose of processing personal data
It is about why the data is processed.
It should also be noted that the data controller is based on the condition of legitimate interest.
situation, the last resort to be resorted to if the other conditions in the article cannot be applied.
as it is not, it can include everything in its scope and to the processing of all personal data.
Nor is it an element that renders its activities in accordance with the law.

12. Private Personal Data Limited in Law
Is it in number?
If personal data of special nature is learned by others, the relevant persons
data that carries the risk of causing victimization or discrimination.
In the law, it is stated individually which personal data are special quality personal data,
Other than those listed, they cannot be considered as sensitive personal data. From this perspective,
Special categories of personal data are considered to be limited.

Page 55
54

13. In Which Circumstances Special Personal Data
Can it be processed?
Special categories of personal data may be processed based on the explicit consent of the person concerned. However, the Law
in some exceptional cases, to the processing of special categories of personal data without seeking explicit consent.
has allowed. According to this; Special categories of personal data other than health and sexual life
if it is expressly provided for by law; personal data on health and sexual life
public health protection, preventive medicine, medical diagnosis, treatment and care.
Confidentiality obligation for planning and management of services and financing
The express consent of the person concerned by the persons or authorized institutions and organizations under
can be processed without a call. In the processing of special categories of personal data,
Adequate measures should be taken as determined by the Data Protection Board.

14. Reason for Processing Private Personal Data
Bound to More Strict Conditions?
Personal data of special nature, if it is learned by others, about the data subjects
data that carries the risk of causing discrimination and victimization. Therefore, other personal
data need to be protected much more strictly. On the other hand, all basic
As with rights and freedoms, this protection is not absolute and other rights and freedoms
may be limited in favor of This limitation is in line with the requirements of the democratic state of law and
Article 13 of the Constitution titled "Restriction of fundamental rights and freedoms"
must be carried out in accordance with the principles.

Page 56
55

In which cases and under which conditions special categories of personal data can be processed
It is clearly regulated in the law, thus legal certainty, which is a requirement of the rule of law.
provided. As a matter of fact, many issues such as the right to life, freedom of expression, freedom of communication
The exercise of fundamental rights and freedoms requires the processing of special categories of personal data.
makes it.

15. In Which Circumstances Can Personal Health Data Be Processed?
Personal health data:
• Explicit consent of the person concerned
• Persons or authorized institutions and organizations under the obligation to keep secrets
by; protection of public health, preventive medicine, medical diagnosis, treatment and
execution of care services, planning of health services and financing
determined by the Board without the explicit consent of the person concerned for the purpose of
taking adequate precautions
provided that it can be processed.

Page 57
56

16. Transfer of Personal Data with Processing Reason
Are they subject to the same conditions?
The processing of personal data in the law, personal data fully or partially automatic
or by non-automatic means, provided that they are part of any data recording system.
acquisition, recording, storage, preservation, modification, reuse
regulated, disclosed, transferred, taken over, made available,
carried out on data such as classification or prevention of use
refers to any transaction. In this context, the transfer of personal data is a data in the Law.
It is defined as a type of processing, and it is the same processing method for all processing formats.
conditions are stipulated.

17. What are the Exact Exceptions Arranged in the Law?
The provisions of the Law do not apply in the following cases, which are called full exceptions:
a) Not to give personal data to third parties and regarding data security
provided that the obligations are complied with, by real persons completely with himself or with the same
processing within the scope of activities related to family members living in the residence,
b) Research by anonymizing personal data with official statistics,
processing for purposes such as planning and statistics,
c) Personal data can be used to protect national defense, national security, public security, public
not to violate public order, economic security, privacy or personal rights
or for artistic, historical, literary or scientific purposes, provided that it does not constitute a crime; or
processed within the scope of freedom of expression,

Page 58
57

ç) Personal data can be used to protect national defense, national security, public security, public
duties and powers by law to ensure order or economic security.
preventive, protective and intelligence activities carried out by public institutions and organizations
processing within the scope of activities,
d) Personal data to investigation, prosecution, trial or execution proceedings
processing by the judicial authorities or enforcement authorities in relation to it.

18. What are the Partial Exceptions Arranged in the Law?
Provided that it is in accordance with the purpose and basic principles of the law and proportionally, the data controller
Article 10, which regulates the obligation to inform
Article 11 regulating the rights of the data subject and the data controllers registry, except for the right of
Article 16, which regulates the registration obligation, is limited to the following fields of activity.
not applicable. These cases, called partial exceptions, are listed below:
a) Processing personal data for the prevention of crime or for criminal investigation
be necessary,
b) Processing of personal data made public by the person concerned,
c) Personal data processing is authorized and authorized by law.
by public institutions and organizations and professional organizations in the nature of public institutions,
carrying out supervisory or regulatory duties and disciplinary investigation or
necessary for the prosecution,
ç) Regarding the budget, tax and financial issues of personal data processing,
necessary for the protection of their economic and financial interests.

Page 59
58

Page 60
59

D. RIGHTS OF THE RELATED PERSON
Page 62
61
61

1. Forward Against the Data Controller of the Data Subject
What Rights Can It Execute?
In accordance with Article 20 of the Constitution, everyone has the right to respect for his private and family life.
reserves the right to be displayed. In this respect, everyone has a personal
has the right to demand data protection. This right includes personal data relating to the person himself.
information about, access, correction or deletion of this data.
It also includes requesting and learning whether it is used for its purposes.
What are the rights of the persons concerned in Article 11 of the Law in accordance with the Constitution?
are held. Accordingly, the relevant persons apply to the data controller;
a) Learning whether personal data is processed or not,
b) If personal data has been processed, requesting information about it,
c) The purpose of processing personal data and whether they are used in accordance with their purpose
learning not to use
ç) To know the third parties to whom personal data is transferred in the country or abroad,
d) If personal data is incomplete or incorrectly processed, correcting them
request and transactions made within this scope, to third parties to whom personal data are transferred.
request notification,
e) In accordance with the provisions of the Personal Data Protection Law and other relevant laws
Although it has been processed as a processed, the disappearance of the reasons that require it to be processed

Page 63
62

request the deletion or destruction of personal data in case of
requesting the notification of transactions to third parties to whom personal data has been transferred,
f) Analyzing the processed data exclusively through automated systems
Objecting to the emergence of a result against the person himself,
g) Damage due to unlawful processing of personal data
requesting compensation for damage
they have rights.

2. Considered among the Rights of the Relevant Person “Personal
If the Data has been Processed, Information Request Regarding Them
How will the “Concept of Doing” be applied?
To act in accordance with the principle of honesty when exercising the rights of the person concerned as defined in the Law.
provided that it will be given to the person concerned in relation to the applications to be made to the data controller.
The answers are categorical and within the framework of the information to be disclosed to the Data Controllers Registry.
way it should be. The information disclosed to the Data Controllers Registry will be given to the person concerned.
information must be compatible.
The information to be given in this context is basically about which data of individuals is processed.
information.

Page 64
63

3. Regarding Personal Data by Relevant Persons
How Can Rights Be Invoked?
Pursuant to Article 13 of the Law, the requests of the persons concerned are primarily addressed to the data controller.
are required to be forwarded. Accordingly, the applications to be made by the relevant persons to the data controller
There are two basic provisions in the Law regarding the form. The first is written
is a reference.
Written application, application made with a wet signature document in accordance with the general provisions
means. In addition, documents signed with a secure electronic signature are also available.
will meet the written form requirement. Application methods other than written application
The Law authorizes the Personal Data Protection Board.
Based on this, the Board is appointed to the Data Controller published in the Official Gazette dated 10.03.2018.
With the Communiqué on Application Procedures and Principles, the applications to be made to the data controller
determined the method.
Accordingly, data controllers may be notified in writing or by the persons concerned.
Registered e-mail (KEP) address, secure electronic signature included in the Communiqué,
previously notified to the data controller by the mobile signature or the data subject and the data
by using the e-mail address registered in the system of the responsible person.
or by means of a software or application developed for application purposes.
according to their qualifications, as soon as possible and within thirty days at the latest, free of charge.
should finalize.

Page 65
64

4. Requests of Relevant Persons Regarding Personal Data
Is it Free of Charge?
Pursuant to Article 13 of the Law, the requests of the data controllers by the data subjects
Although it is determined that it must be met free of charge, the process to be done will also be
determining the fee that can be charged by data controllers if it requires a cost
Personal Data Protection Board has been authorized in this regard.
Based on this, prepared by the Board and published in the Official Gazette dated 10.03.2018
With the Communiqué on the Procedures and Principles of Application to the Data Controller; to the application of the person concerned
If a written answer is given, up to 10 pages will not be charged.
1 Turkish Lira transaction fee may be charged for each page on the page, the answer to the application is CD,
If it is given in a recording medium such as flash memory, it is requested by the data controller.
It has been determined that the fee to be charged cannot exceed the cost of the recording medium in question.
The request of the relevant person regarding the implementation of the Law on the Protection of Personal Data
If the data controller is at fault on the subject matter, the fee will be returned to the relevant person.
required.

5. Requests of Related Persons Regarding Their Rights
How Long By The Data Controller
Should it be answered?
Pursuant to Article 13 of the Law, data controllers will promptly respond to the requests of the persons concerned.
and within thirty days at the latest. According to the result of the review, the request should be accepted.
or reject it by explaining the reason, and also notify the relevant person of his/her answer.

Page 66
65

6. Requests of Related Persons Regarding Their Rights
to the Personal Data Protection Board
Is There a Right to Complain?
Rejection of the application regarding the rights of the person concerned, pursuant to Article 14 of the Law,
Inadequate response or failure to respond to the application on time
in cases; thirty years from the date of learning the answer given by the data controller and
probably within sixty days from the date of application to the Personal Data Protection Board.
can make a complaint.

7. Which Conditions of Complaints to be Made to the Board
Should you carry?
As stated in Article 6 of the Law No. 3071 on the Use of the Right to Petition
Notifications or complaints that do not meet the conditions will not be examined.
In addition, the issues in the regulations to be made by the Board in this context should be taken into account.
should be taken.

Page 67
66

8. Personal Data Protection Board, Relevant Person
How Long Should He Respond to His Complaint?
Pursuant to Article 15 of the Law; Upon the complaint, the Personal Data Protection Board
examines and gives an answer to the interested parties. Response within sixty days from the date of complaint
If not, the request will be deemed denied.

9. Acceptance of the Complaint of the Related Person
What are the results?
Upon the complaint or as a result of the examination made ex officio, the existence of the violation is understood
Personal Data Protection Board, in case of violation of the law determined by the data controller.
decides to remove it, and notifies the relevant parties of this decision. This decision is from the notification
must be carried out without delay and within thirty days at the latest.
Personal Data Protection Board, in case of irreparable or impossible damage and clearly
in case of illegality, data processing or transfer of data abroad
may decide to stop.
In addition, if the violation is determined to be widespread, the Personal Data Protection Board,
takes a policy decision on this matter.

Page 68
67

10. Your Personal Data Unlawfully
Personal Data of the Related Person in case of Processing
Except for Complaints to the Protection Board, Data
Another Demand From His Supervisor
Is there a right?
The person concerned suffers damage due to the unlawful processing of his personal data.
has the right to demand the compensation of the damage from the data controller.
In addition, the right to compensation according to the general provisions of the persons whose personal rights have been violated.
exists.

Page 69
68

Page 70
69

E. PERSONAL DATA
DELETING, DESTROYING
or RECOGNIZE
BRING
Page 72
71
71

1. What Does Deletion of Personal Data Mean?
Deletion of personal data; any of the personal data in question is provided by the relevant users.
It is the process of making it inaccessible and unusable again. data controller,
The deleted personal data cannot be accessed and reused by the relevant users.
takes all necessary technical and administrative measures to ensure

2. Who is the Relevant User?
“Deletion, Destruction of Personal Data” published in the Official Gazette dated 28.10.2017
or in article 4 of the Regulation on Anonymization, the relevant user;
“Responsible for technical storage, protection and backup of data
within the organization of the data controller, or with the exception of the person or unit.
Persons who process personal data in line with the authority and instruction received from the person responsible
has been defined as.
Accordingly, the relevant user is under the responsibility of the data controller, but technically the data
such as the database administrator, who is responsible for the storage, protection and backup of
within the data controller organization, except for a person or unit.
in this area, with the authority and instruction of all employees and units or from the data controller.
defines data processors such as third parties providing services.
For example, a data controller and information processing infrastructure work and transactions, his authority and instructions
a company that has made an agreement to fulfill it within the framework of
The company will be considered a data processor. In this case, this data controller is technically responsible for the data.

Page 73
72

the personnel or unit responsible for the storage, protection and backup of
If not, all employees will be related users. In addition, the data processing company
responsible for technical storage, protection and backup of data
All other employees, except for the personnel or unit, are also included in the relevant user concept.
will take place.
The difference between deletion and destruction of personal data is also related to the concept of user.
shaped accordingly.

3. What Does Personal Data Destruction Mean?
Destruction of personal data, personal data by no one in any way
It is the process of making it inaccessible, irrecoverable and unusable. Data
responsible for taking all necessary technical and administrative measures regarding the destruction of personal data.
gets. In order to destroy personal data, all copies of the data are detected
and de-magnetizing, physical destruction, depending on the type of systems in which the data is located.
One or more of the methods such as overwriting are used.

4. What is the Anonymization of Personal Data
Does it mean?
Anonymization of personal data, even if personal data is matched with other data
cannot be associated with an identified or identifiable natural person in any way.
is to be made. In other words, anonymization means all data in a dataset.
identification of the person concerned by removing or replacing direct and indirect identifiers.

Page 74
73

be undetectable or distinguishable in a group or crowd
It is the loss of its property of being in a way that cannot be associated with a real person. It
In this context, matching and supporting with other data by making a monitoring over the data
If it can be understood who the data belongs to, then this data is anonymized.
unacceptable.
Since the anonymized data will no longer have the characteristics of personal data, the Law
will not be considered within the scope of its provisions. Anonymizing datasets
Since they have the characteristics of personal data until the moment they are processed, this
Any operation to be performed on the data shall be considered as the processing of personal data.
is being done.

5. Under Which Conditions Should Personal Data Be Deleted?
Should it be made or made anonymous?
Personal data, ex officio or
It is deleted, destroyed or anonymized by the data controller at the request of the data subject.
is brought. In other words, the conditions regarding the processing of personal data in the Law
personal data ex officio or at the request of the person concerned, in case of disappearance of all
are deleted, destroyed or anonymized by the data controller.

Page 75
74

Page 76
75

F. PERSONAL DATA
TRANSFERRING
Page 78
77
77

1. Domestic Transfer of Personal Data in Law
How is it Organized?
According to the law, personal data can be transferred to third parties with the express consent of the person concerned.
foreseen. However, with Article 5 of the Law and adequate measures
Provided that the conditions in Article 6 are met, personal data is open
It is also possible to transfer it within the country without seeking consent.

2. Personal Data Pursuant to Article 8 of the Law
Who Can Be Transferred To Domestically?
While personal data only belongs to real persons, data controller and data processor
can be both natural and legal persons. Anyone who performs operations on data
any natural or legal person, according to the purposes and methods of data processing, or
controller or data processor. In this context, the domestic transfer of personal data
will be carried out between the data controller, or between the data controller and the data processor,
the regulations in Article 8 of the Law for all kinds of data transfer within the country.
needs to be implemented.

Page 79
78

The most important implementation of the regulation on the transfer of personal data in the country
The two results are:
• Data that takes place within the body of a legal entity with the title of data controller
transfers cannot be considered as transfers to third parties. contacts, personal
when they share their data with a legal entity, the said legal entity is the data controller.
has the title. Employees operating within the legal entity or
exchange of data between different units, in this sense, transfer to third parties
cannot be considered.
• Data transfer between different companies under a group of companies
means transferring data to a third party. One
Unlike data sharing between different units within the legal entity, the same
8 of the data transfer between different legal entities within the group of companies.
must be made in accordance with the provisions of the article.

Page 80
79

3. How to Transfer Personal Data Abroad
Is it organized?
In the first paragraph of Article 9 of the Law, provided that the personal data has the explicit consent of the person concerned.
regulated that it can be transferred abroad. However, in paragraph 2 of the article
Personal data within the scope of paragraph 2 of Article 5 and Article 3 of Article 6 of the Law.
Without the express consent of the person concerned, the sensitive personal data specified in the paragraph
The conditions that allow the processing are taken as basis and in case of existence of one of these conditions,
provided that there is adequate protection in the foreign country to which the personal data will be transferred,
It is possible to transfer personal data abroad without seeking the explicit consent of the person.
is indicated.
If there is not sufficient protection in the relevant foreign country,
data controllers in the country undertake in writing to an adequate protection and the Board
without seeking the explicit consent of the person concerned, provided that the personal data
possible to export.
Countries with adequate protection will be determined and announced by the Board. in foreign country
whether there is sufficient protection and permission to transfer personal data abroad
It will be decided by the Board which criteria will be taken into consideration while giving the award.
In addition, without prejudice to the provisions of the international convention, the country or the person concerned
In cases where his interests will be seriously damaged, personal data will only be
Transfer abroad with the permission of the Board by taking the opinion of a public institution or organization
foreseen.
On the other hand, in other laws regarding the transfer of personal data abroad,
provisions are reserved.

Page 81
80

4. Board, Data in the Transfer of Personal Data Abroad
Adequate Protection of the Transfer Country
Decision Based on Which Principles It Provides
Will you give?
Whether there is sufficient protection in the relevant country for the transfer of personal data abroad.
Since there is no such thing, it is necessary to make a binary distinction:
• If there is sufficient protection, then data transfer to the relevant country is possible.
• In the absence of adequate protection, in Turkey and in the relevant foreign country
provided that data controllers undertake in writing an adequate protection.
Board to transfer the data abroad;
a) International conventions to which Turkey is a party,
b) Regarding data transfer between the country requesting personal data and Turkey
reciprocity status,
c) Regarding each concrete personal data transfer, the nature of the personal data and
purpose and duration of processing,
ç) The relevant legislation and practice of the country to which the personal data will be transferred,

Page 82
81

d) Commitment by the data controller in the country to which the personal data will be transferred.
the measures taken
to evaluate and, if needed, the opinion of the relevant institutions and organizations.
takes decision.

Page 83
82

Page 84
83

G. DATA RESPONSIBILITIES
EXPLANATIONS ON
Page 86
85
85

1. Group of Companies and Data Controller
Who is Data Controller in Affiliates?
Each group company in a group of companies, if personal data processing purposes
If he determines himself and is responsible for keeping the data recording system, the Law
shall have the title of data controller accordingly. In this context, in the group of companies
status of the controlling shareholder and other group companies in personal data processing activities
will be defined by the role they play.
The situation is the same for the affiliates of the data controller. If the company concerned
determines the purposes for the processing of personal data and is responsible for keeping the data recording system.
If he is responsible, this company must be a company within the group of companies.
or if it is an affiliate of the data controller, it has the title of data controller.
will not affect it.
On the other hand, the data recording system, which determines the processing purposes of personal data and
All public institutions and organizations with legal personality that are responsible for keeping the data
shall be in charge of it.

Page 87
86

2. What are the Obligations of the Data Controller?
The obligations of data controllers are specified in the Law. According to this;
1) Everyone who is engaged in personal data processing, must comply with the law and
to comply with the rules of honesty, to be accurate and up-to-date when necessary, to be specific, clear and
being processed for legitimate purposes, being connected, limited and proportionate to the purpose for which they are processed,
storage for the period required by the legislation or for the purpose for which they are processed.
should act in accordance with the general principles of
2) Personal data by data controllers are subject to the regulations in the Law.
In accordance with this, special categories of personal data are determined by the Personal Data Protection Board.
in accordance with the regulations in the Law, provided that adequate measures to be determined are taken.
should be processed.
3) Although it has been processed in accordance with the law and other relevant legislation,
personal data ex officio or
It should be deleted, destroyed or anonymized by the data controller at the request of the data subject.
should be made.
4) In the transfer of personal data to third parties, Articles 8 and 9 of the Law
must be complied with in accordance with the regulations.
5) In accordance with Article 10 of the Law, relevant persons should be informed.
6) To ensure data security in accordance with Article 12 of the Law.
All necessary technical and administrative measures should be taken.
7) Applications made by data subjects to data controllers are subject to Article 13 of the Law.
must be answered appropriately.
8) In accordance with Article 16 of the Law, it must be registered in the Data Controllers Registry.

Page 88
87

3. Disclosure of Data Controller
What is the Scope of its Obligation?
The obligation to inform the data controller is regulated in Article 10 of the Law.
Accordingly, the data controller or the authorized person during the acquisition of personal data
person, to the persons concerned;
1) Identity of the data controller and its representative, if any,
2) For what purpose personal data will be processed,
3) To whom and for what purpose the processed personal data can be transferred,

4) Method and legal reason for collecting personal data,
5) Regarding other rights listed in Article 11 of the Law
responsible for providing information.
The fulfillment of the obligation to inform is not subject to the approval of the person concerned.
On the other hand, personal data processing is not dependent on the explicit consent of the person concerned and
In cases where the activity is carried out under other conditions in the Law, the data
The obligation of the responsible person and the person authorized by him to inform the relevant person continues.
is doing.

Page 89
88

4. While Fulfilling the Lighting Obligation
What are the Matters to Consider?
During the acquisition of personal data within the scope of personal data processing activity, the data
The responsible persons must be informed by the responsible person. Accordingly, personal
As the purpose and conditions of processing the data change, the lighting text should change accordingly.
However, the information to be given to the person concerned while fulfilling the obligation to inform,
If there is an obligation to register with the Data Controllers Registry,
must match the information. If there is no registration obligation, Articles 10 and 11 of the Law
The obligation to illuminate must be fulfilled.
On the other hand, prepared by the Board and published in the Official Gazette dated 10.03.2018
About the Procedures and Principles to be Followed in the Fulfillment of the Lighting Obligation
According to the Communiqué, fulfillment of the disclosure obligation by the data controller
The following procedures and principles must be followed:
a) Subject to the express consent of the person concerned or other processing conditions in the Law, personal
In all cases where data is processed, the obligation of disclosure must be fulfilled.
b) When the purpose of processing personal data changes, for this purpose before the data processing activity
The lighting obligation must also be fulfilled.
c) If personal data is processed for different purposes in different units of the data controller,
The obligation to illuminate must be fulfilled separately for each unit.
ç) In case there is an obligation to register in the registry, the obligation to inform
The information to be given to the person concerned must be compatible with the information disclosed in the Registry.

Page 90
89

d) The fulfillment of the obligation to inform is not dependent on the request of the person concerned.
e) The proof of fulfillment of the obligation to inform belongs to the data controller.
f) In case the personal data processing activity is carried out based on the condition of explicit consent,
fulfillment of the obligation to inform and obtaining explicit consent separately
required.
g) The specific purpose of personal data processing to be disclosed within the scope of the disclosure obligation,
It must be clear and legitimate. While fulfilling the obligation to inform,
and ambiguous expressions should not be included. Other possible goals
Expressions that lead to the opinion that personal data can be processed should not be used.
ğ) The notification to be made to the relevant person within the scope of the obligation to inform is understandable, clear and
It should be done using simple language.
h) The “legal law” in subparagraph (ç) of the first paragraph of Article 10 of the Law
What is meant by "reason" means that personal data within the scope of the obligation to inform
It is based on which of the processing conditions specified in Article 6 is processed.
During the fulfillment of the obligation to inform, the legal reason clearly
must be specified.
ı) Within the scope of the disclosure obligation, the purpose of transferring personal data and the
recipient groups must be specified.
i) Within the scope of disclosure obligation, personal data, wholly or partially
by automated means or non-automatically provided that they are part of a data recording system
It should be clearly stated which method was obtained.
j) While fulfilling the obligation to inform, incomplete, misleading and inaccurate information is provided to the relevant persons.
should not be included.

Page 91
90

5. In lieu of the Lighting Obligation
There Is Any Form Requirement To Bring
is it?
Any form requirement regarding the fulfillment of the obligation to inform
not available. Fulfillment of the obligation to inform is subject to the approval of the person concerned.
The obligation to inform can be fulfilled with a unilateral declaration.
The proof of fulfillment of the obligation to inform belongs to the data controller.

6. What is Layered Information, Lighting
Within the Scope of its Obligation
Informing” How is it done?
The scope of the obligation to inform and what information will be provided are specified in the Law.
explained. Despite this, all of this information is fulfilling its obligation to enlighten.
Disclosure to the person concerned during the acquisition of personal data, which is at the time of receipt
may not be possible. In this case, the data controller with the layered notification method
fulfill its lighting obligation.
Layered information provides personal information to the person concerned during the acquisition of personal data.
It is also possible to use a short, understandable, clear and simple method about the data obtained.
informing the person concerned, the scope of illumination in Article 10 of the Law.
means directing him to a medium where he can access and read after this information.
is coming.

Page 92
91

For example, in a workplace where a camera is recorded, the contact person records the camera with a camera icon.
can be informed that their personal data has been obtained by means of the method. camera recordings
such as for which purpose, with which legal reason and method it was obtained, the rights of the person concerned.
details are in a document (personal
policy on data protection and processing, lighting on camera recordings
text) can be detailed.

7. Personal Within the Scope of Disclosure Obligation
Name or Name of Third Parties to whom Data will be Transferred
Is It Necessary to Specify Their Titles?
Transfer of personal data processed by the data controller to third parties
the information regarding this transfer is notified to the relevant persons within the scope of the disclosure obligation.
However, in the clarification text in question, the third parties to whom personal data will be transferred
It will not be stated who they are one by one, the activities and activities of these people on a categorical basis.
disclosure in the form of supergroups such as sector groups (for example, “processing personal
your data to the cargo companies with which we have a contractual relationship, virtual
With the relevant banks, e-commerce sites, our suppliers, and legally, for the purpose of payment via POS
may be transferred to authorized public institutions and organizations.)
place will suffice.
In the clarification texts, to whom the personal data will be transferred to the relevant person.
While information can be given categorically, in accordance with Article 11 of the Law, the data controller
the response to the application made in detail by specifying each transferred recipient.
will have to be given.

Page 93
92

8. To Ensure Data Security of Data Controllers
What are its Obligations?
Obligations of the data controller to ensure data security
It is listed in article 12 of the law. Accordingly, the data controller;
a) To prevent the unlawful processing of personal data,
b) To prevent unlawful access to personal data,
c) To ensure the protection of personal data,
all kinds of techniques and techniques necessary to ensure the appropriate level of security for the purpose of
have to take administrative measures. The data controller, on his behalf,
in case it is committed by a natural or legal person, the measures specified in the first paragraph
shall be jointly responsible with these persons for the purchase.
Also; data controllers, in their own institutions or organizations,
To make or have the necessary inspections made in order to ensure the implementation of
has to. Data controllers are aware of the personal data they have learned against the provisions of this Law.
They cannot disclose it to anyone else and use it for purposes other than processing. This obligation
continues even after their dismissal.
Obtaining the processed personal data by others illegally
In the event of this, the data controllers notify the relevant person and the Board as soon as possible. Board,
where necessary, this situation on its own website or in another form that it deems appropriate.
method can be declared.

Page 94
93

9. Data under Article 12 of the Law
Appropriate Security Level by Those Responsible
How will it be supplied?
According to Article 12 of the Law, the data controller is responsible for ensuring the security of personal data.
It is obliged to take all necessary technical and administrative measures for the purpose. to data security
To take regulatory action in order to determine the obligations regarding the
among its duties.
However, based on the minimum criteria to be determined by the Board, the sector
It is also possible to take additional measures according to the nature of the personal data processed on the basis of
can be.

Page 95
94

10. Applications to the Data Controller
What are the procedures and principles to be followed?
Procedures and principles to be followed in applications to be made to the data controller
Article 13 and prepared by the Board pursuant to this article and dated 10.03.2018
About the Procedures and Principles of Application to the Data Controller published in the Official Gazette
With the Communiqué, the method of applications to be made to the data controller has been determined.
Accordingly, the relevant person's requests regarding the implementation of the Law shall be submitted in writing or
registered electronic mail (KEP) address, secure electronic signature, mobile signature or related
previously notified to the data controller by the person and in the system of the data controller
by using the registered e-mail address or for the purpose of application.
to the data controller by means of a software or application developed for
Upon the request, the data controller shall submit the requests in the application as soon as possible according to the nature of the request.
in a timely manner and within thirty days at the latest, free of charge.
However, if the transaction in question requires an additional cost,
If the application will be answered in writing, no fee will be charged for up to 10 pages.
A transaction fee of 1 Turkish Lira may be charged for each page on the page.
If it is given in a recording medium such as CD, flash memory, it will be provided by the data controller.
The fee that may be requested shall not exceed the cost of the recording medium in question.
The request of the relevant person regarding the implementation of the Law on the Protection of Personal Data
If the data controller is at fault on the subject matter, the fee will be returned to the relevant person.
required.

Page 96
95

11. Which Procedure is the Right of the Related Person to Complain to the Board
and Fundamentals?
Rejection of the application made to the data controller, insufficient response
or in case of not responding to the application in due time; the person concerned, the data controller
thirty days from the date of learning the answer and in any case from the date of application
complaints to the Board within sixty days.
Before exhausting the way of application to the data controller by the person concerned, the complaint can be made.
cannot be applied. Because; Application to the data controller for the right to complain to the Board
It is a prerequisite that must be met. Therefore, to apply
It is compulsory, and it is optional to go to the complaint procedure.
In addition, the right to compensation according to the general provisions of those whose personal rights are violated is reserved.

12. Retention Periods of Personal Data Who
Determined by?
The maximum period for which personal data will be stored for the purpose for which they are processed is determined by the legislator.
may be specified in the relevant legislation. If any maximum retention
responsibility for determining the storage period in which they are processed, the relevant
belongs to the data controller who processes personal data.

Page 97
96

13. Retention Periods of Personal Data
What Considerations Are Taken When Determining?
For personal data to be processed by data controllers,
the durations; data controllers, if not specified in the relevant legislation
the purpose for which they are processed.
The processing purposes of the data categories notified to the Registry by the data controller and these
regarding the maximum storage times necessary for their processing based on the purposes
The periods stipulated in the legislation may be different. In this case, the longest for this data category
A notification is made to the Registry based on the period.
While determining the maximum period required for the purpose for which personal data is processed, the following
criteria are taken into account:
a) The activity of the data controller within the scope of the processing purpose of the relevant data category
the period accepted as per the general custom in the sector indicated,
b) Requires the processing of personal data in the relevant data category and
the period during which the legal relationship established with the person will continue,
c) Depending on the purpose of processing the relevant data category, the data controller
legitimate interest to be obtained in accordance with the law and honesty rules.
period of validity,

Page 98
97

ç) The consequences of storing the relevant data category depending on the purpose of processing.
the period during which risks, costs and responsibilities will continue legally,
d) The relevant data category of the maximum period to be determined is correct and when necessary.
whether it is convenient to keep up to date,
e) In accordance with the legal obligation of the data controller, it is included in the relevant data category.
the period during which the recipient has to keep the personal data,
f) By the data controller, depending on the personal data in the relevant data category.
the statute of limitations for asserting a right.
Data controllers are responsible for the maximum period required for the purpose for which personal data is processed.
determination, compliance of these periods with the information specified in the personal data processing inventory.
and personal data retention and destruction policy to monitor whether the maximum period has been exceeded
and ensure the implementation of this policy.

Page 99
98

Page 100
99

I. DATA RESPONSIBILITIES
REGISTER
Page 102
101
101

1. What is Data Controllers Registry?
Data Controllers Registry, where data controllers have to register and data processing
It is a registration system where they declare information about their activities.
Natural and legal persons processing personal data, before starting data processing.
Those responsible must be registered in the Registry. However, with Article 16 of the Law, Data
The Authority has been given the authority to make exceptions to the obligation to register with the Register of Responsible Persons.
Based on this, it was prepared by the Board and published in the Official Gazette dated 30.12.2017.
In order to make an exception in Article 16 of the Regulation on the Data Controllers Registry,
Objective criteria were determined as follows.
a) The nature of the personal data.
b) Number of personal data.
c) Purpose of processing personal data.
ç) Field of activity in which personal data is processed.
d) Transfer of personal data to third parties.
e) The fact that the personal data processing activity originates from the law.
f) The period of retention of personal data.
g) The data subject group or categories of data.
Natural and legal persons processing personal data, before starting data processing.
Those responsible must be registered in the Registry. However, the nature and number of the personal data processed,
such as data processing arising from law or being transferred to third parties.
Considering the objective criteria to be determined by the Board, by the Board,
An exception may be made to the obligation to register with the Data Controllers Registry.

Page 103
102

2. How to Apply for Registration in the Data Controllers Registry
Makes?
The application for registration in the Data Controllers Registry is made with a notification containing the following:
a) Identity and address information of the data controller and its representative, if any,
b) For what purpose the personal data will be processed,
c) The data subject group and groups and the data categories of these persons
statements about
ç) Recipient or recipient groups to whom personal data can be transferred,
d) Personal data intended to be transferred to foreign countries,
e) Measures taken regarding personal data security,
f) The maximum period required for the purpose for which personal data is processed.

Page 104
103

3. Who Registers in the Data Controllers Registry
Should it be?
Natural and legal persons processing personal data, before starting data processing.
Those responsible must be registered in the Registry. However, the nature and number of the personal data processed,
such as data processing arising from law or being transferred to third parties.
Considering the objective criteria to be determined by the Board, by the Board,
An exception may be made to the obligation to register with the Data Controllers Registry. Also, the Law
Obligation of data controllers to register in the cases covered by Article 28
not available.

Page 105
104

Page 106
105

H. PERSONAL DATA
PROTECTION BOARD
Page 108
107
107

1. Main Duties of the Personal Data Protection Board
and What are its Powers?
The main duties of the Personal Data Protection Board are as follows:
a) To ensure that personal data are processed in accordance with fundamental rights and freedoms,
b) To take necessary and sufficient measures in the processing of personal data of special nature,
c) In the transfer of personal data abroad, the countries where there is sufficient protection
identify and announce
ç) Lack of adequate protection in the foreign country to which personal data will be transferred
in case of a sufficient level of data controllers in Turkey and in the relevant foreign country.
In addition to the requirement that they undertake in writing to protect
allow data transfer,
d) To determine the procedures and principles to be followed in the transfer of personal data abroad,
e) If deemed necessary, by the data controllers.
that personal data is obtained by others through unlawful means
to announce notifications about
f) Refusal of applications made to data controllers, insufficient response
in case of absence or failure to respond to the application in due time.
examining complaints,
g) To act ex officio upon learning of the complaint or alleged violation

Page 109
108

by the data controller of the unlawful
decide to remove
h) If it is determined that similar violations are common, the principle
make decisions,
i) Occurrence of irreparable or impossible damage and clearly unlawful
in case of suspension of data processing or transfer of data abroad.
to decide,
j) The Registry of Data Controllers kept open to the public by the Presidency
to oversee,
k) Exceptions to the obligation to register with the Data Controllers Registry, if necessary
to bring,
l) Those who violate the stipulated obligations regarding the protection of personal data
to the relevant institutions for disciplinary investigations against civil servants.
to notify,
m) To determine the obligations related to the functioning of the Authority, data security and to determine the data
regulatory authority regarding the duties, powers and responsibilities of the responsible person and his/her representative.
make transactions and
n) Provisions regarding personal data prepared by other institutions and organizations
To give an opinion on draft legislation containing
o) Regulation on the Working Procedures and Principles of the Personal Data Protection Board
Other duties and powers given to the Board within the scope of

Page 110
109

2. Review to the Board, Upon Complaint or Ex officio
Is the Opportunity Recognized?
The Board, upon complaint or ex officio if it learns about the alleged violation,
Makes the necessary investigations on the subject matters. This review is based on the complaint or ex officio
shall be exclusive to the alleged infringement.
If the Board does not respond within sixty days from the date of the complaint,
the request is deemed denied. Therefore, the sixty-day period from the date of the complaint
The period of filing a lawsuit in the administrative court will begin.
As a result of the examination to be carried out by the Board, upon a complaint or ex officio, the violation
If its existence is understood, the Board shall inform the relevant data controller of the illegalities it has determined.
decides to rectify it and notifies the relevant parties of the decision. This decision is from the notification
must be carried out without delay and within thirty days at the latest.

Page 111
110

3. Investigations Under the Law
In the event that a crime element is encountered as a result
What Way Will Be Followed?
Although there is no special regulation in this regard in the law, any crime
If an element is found, it is reported to the competent authorities in accordance with the Turkish Penal Code.
notification will be made.

4. Board of Data Processing or Dormitory of Data
Decision to Stop its Export
Can you give?
The Board, in the event of irreparable or impossible damage and clearly unlawful
In the event of a decision to suspend the processing of data or the transfer of data abroad.
can give.

Page 113
112
112

Page 114
113

J. ENFORCEMENT OF LAW
AFTER ENTERING
WORK TO BE DONE and
TRANSACTIONS
Page 116
115
115

1. Obligation of Data Controllers to Register
When does it start?
In Article 16 of the Law No. 6698; to the Data Controllers Registry by the Board.
It is possible to make an exception to the registration obligation and the Data Controllers Registry
shall be made publicly available. In this context, the Board
Decision on the exceptions to the registration obligation will be announced by the
Our Agency also prepared the Data Controllers Registry Information System (VERBIS) and put it into service.
it will open.
In addition, in the second paragraph of the Provisional Article 1 of the Law, “Data controllers, Board
To register with the Data Controllers Registry within the period determined and announced by
has to.” provision is included.
The effective date of the Regulation on the Registry of Data Controllers is 01.01.2018.
is determined, it means that the obligation to register in the Registry begins on this date.
is not coming. Accordingly, the announcement of the Decision on the exceptions by the Board,
For the commissioning of VERBIS and registration with the Data Controllers Registry by the Board, a
After determining the starting date and sharing it with the public, it is registered in the Data Controllers Registry.
registration will begin.

Page 117
116

2. Data Following the Enforcement of the Law
What should be done by those responsible?
For data controllers, in the Law No. 6698 and the Regulation on the Data Controllers Registry
certain obligations.
Obligations imposed on data controllers within the scope of Law No. 6698;
• According to the second paragraph of the Provisional Article 1 of the Law, data controllers are determined by the Board.
to register with the Data Controllers Registry within the specified and announced period
has to. In this context, first of all, registration by the Personal Data Protection Board.
A start date must be set for the obligation. Aforementioned
Registration in the Data Controllers Registry with the date determined and announced by the Board.
obligation will begin.
• Data Controllers by the Board in paragraph 2 of Article 16 of the Law.
There is a provision that exceptions can be made to the registration obligation to the Registry (Registry).
In this context, the Board has taken a Decision on the exception to the registration obligation.
must be announced. With the announcement of the decision, the registration
responsibilities will be determined.
• In paragraph 1 of Article 16 of the Law, the Data Controllers Registry
shall be made publicly available. In this context, Data
Following the preparation of the Responsible Persons Registry Information System (VERBIS) and putting it into service,
Registration obligation will begin for data controllers.

Page 118
117

• Pursuant to the third paragraph of the Provisional Article 1 of the Law, previously processed
Personal data must be brought into compliance with the provisions of the Law. Accordingly, the Law
Processing in violation of the principles in Article 4 or listed in Articles 5 and 6
Personal data processed without conditions should be brought into compliance with these principles and conditions,
cannot be retrieved, it should be immediately deleted, destroyed or anonymized.
• Pursuant to the 5th paragraph of the Provisional Article 1 of the Law, public institutions and
institutions in order to ensure coordination regarding the implementation of this Law.
A senior manager should be determined and reported to the Personal Data Protection Authority.
Obligations imposed on data controllers by the regulation;
• Data controllers, who are obliged to register in the Data Controllers Registry,
data processing inventory” and “personal data retention and destruction policy”
required.
• In case the public institution is not within the scope of the exemption and registration by the Board
Putting VERBIS into service by determining the obligation start date
subsequently by public institutions and organizations pursuant to the Provisional Article 1 of the Law.
Article 11 of the Regulation by the senior manager notified to our Presidency
As required, it is necessary to register with VERBIS as a contact person.

Page 119

