Page 1

PERSONAL DATA
TO THE LAW OF PROTECTION
RELATED IMPLEMENTATION GUIDE

Page 2

PRACTICE GUIDE REGARDING THE LAW ON THE PROTECTION OF PERSONAL DATA
KVKK Publications No: 1
ISBN: 978-605-80554-7-6
December 2019, Ankara
Personal Data Protection Authority
Address: Nasuh Akar Mahallesi 1407. Sokak No: 4 Çankaya/ANKARA
Phone: 0 312 216 50 00
Web: www.kvkk.gov.tr

Page 3

“The content in this book may be partially or completely copied without permission, except for individual use.
Reproduction, reproduction, use, publication and distribution is strictly prohibited. Those who do not comply with this law
Legal action will be taken against him in accordance with the Law on Intellectual and Artistic Works No. 5846. All rights to the product
reserved.”

Page 4

CONTENTS
I. THE NEED FOR THE LAW ON THE PROTECTION OF PERSONAL DATA

10

II. LEGISLATION

15

A. INTERNATIONAL REGULATIONS

17

1. Council of Europe Regulations

17

a. Against Automatic Processing of Personal Data No. 108
Convention for the Protection of Individuals

17

b. Against Automatic Processing of Personal Data No. 181
Supervisory Authorities and Transboundary Data Supplement to the Personal Protection Convention
Flow Protocol

17

c. Relevant Provisions of the European Convention on Human Rights

18

2. European Union Regulations

19

a. Regarding the Processing and Free Movement of Personal Data No. 95/46/EC
European Parliament and Council of Europe for the Protection of Individuals
directive

19

b. EU General Data Protection Regulation (GDPR) No. 2016/679 of the European Union

19

c. Other Arrangements

20

B. NATIONAL REGULATIONS

21

1. Constitution

21

2. Law No. 6698 on the Protection of Personal Data

23

3. Turkish Penal Code No. 5237

23

International Regulations

24

National Regulations

25

III. THE RIGHT TO REQUEST THE PROTECTION OF PERSONAL DATA AS A CONSTITUTIONAL RIGHT27
IV. PERSONAL DATA PROTECTION LAW NO. 6698

33

A. IN GENERAL

35

Page 5

B. PURPOSE

35

C. SCOPE

37

1. Scope of the Law

37

2. Circumstances Not Covered by Law

39

a. Cases Totally Excluded from the Scope of the Law

40

b. Circumstances Partially Excluded from the Scope of the Law

43

3. Application of the Law in Terms of Time

45

4. Implementation of the Law in Terms of Person

45

D. FUNDAMENTAL CONCEPTS IN LAW NO. 6698

46

1. Explicit Consent

46

a. Relating to a Specific Subject

48

b. Based on Information

49

c. Free Will Disclosure

50

2. Anonymization (Anonymization)

51

3. Contact Person

51

4. Personal Data

52

5. Processing of Personal Data

53

a. Automatic Processing

54

b. Non-Automated Processing (Being Part of the Data Recording System)
on record)

55

6. Data Controller and Data Processor

56

a. Generally

56

b. Examples

59

7. Data Recording System

62

E. BASIC PRINCIPLES ON THE PROCESSING OF PERSONAL DATA

63

1. In General

63

a. Principle of Compliance with Law and Integrity Rules

64

b. The Principle of Being Accurate and Up-to-Date When Necessary

66

Page 6

c. Principle of Processing for Specific, Explicit and Legitimate Purposes

67

c. The Principle of Being Related to the Purpose for which they are Processed, Limited and Measured
68
D. Duration Envisioned in the Related Legislation or Required for the Purpose of Processing
Principle of Conservation

69

F. TERMS OF PROCESSING PERSONAL DATA

71

1. Explicit Consent

74

2. Explicitly Provided in Laws

74

3. Actual Impossibility

74

4. Necessary for the Establishment and Performance of the Contract

75

5. Obligation of the Data Controller to Fulfill His Legal Obligation 75
6. Personal Data Made Public by the Relevant Person

76

7. For Establishment, Use or Protection of a Right to Process Personal Data
Being Mandatory

77

8. Provided that Data Processing Does Not Harm the Fundamental Rights and Freedoms of the Data Subject
Obligatory for the Legitimate Interests of the Data Controller

77

G. PROCESSING CONDITIONS OF SPECIAL QUALITY PERSONAL DATA

80

H. DELETING, DESTROYING OR MAKING PERSONAL DATA

83

I. TRANSFERRING PERSONAL DATA

87

1. Domestic Transfer of Personal Data

87

2. Transfer of Personal Data Abroad

90

a. Data Transfer Abroad

90

b. In the Determination of Countries with Sufficient Protection and Outwarding by the Board
Matters to be Considered in Permissions to be Granted for Data Transfer
J. RIGHTS AND OBLIGATIONS UNDER THE LAW

93
95

1. Obligations of the Data Controller

95

a. Lighting Obligation

96

b. Obligations Regarding Data Security

97

c. Answering the Applications Made by Relevant Persons and the Board
Obligation to Fulfill Decisions

one hundred

Page 7

D. Obligation to Register with the Data Controllers Registry

101

to. Notification Obligation

102

2. Rights of the Relevant Person

103

3. Methods of Claiming Rights of the Related Person

104

a. Application to Data Controller

104

a.1. Rules Regarding Application and Response Method

105

a.2. Rules Regarding Cost of Application to Data Controller

107

b. Complaint

108

b.1. Investigation of the Personal Data Protection Board

108

b.2. Conditions for Notifications and Complaints to the Board 109
b.3. Authority and Obligations of the Board Regarding the Investigation Process 110
b.4. Finalization of the Review of the Board
4. Obligations of the Data Processor

111
112

K. DATA RESPONSIBILITIES REGISTRY

113

1. Characteristics of the Data Controllers Registry

113

2. Obligation and Exceptions to Register with the Data Controllers Registry

113

3. Notification of Registration in the Data Controllers Registry

115

L. PENALTY PROVISIONS (CRIMES AND MISUSES)

116

1. Offenses

117

2. Misdemeanors

119

M. TRANSITIONAL PROVISIONS

121

ATTACHMENTS

123

APPENDIX-1: About Deletion, Destruction or Anonymization of Personal Data
regulation

124

Annex-2: Regulation on the Data Controllers Registry

130

Annex-3: Procedures and Principles to be Followed in the Fulfillment of the Lighting Obligation
About the Communiqué

140

Annex-4: Communiqué on Application Procedures and Principles to the Data Controller

144

Page 8
8

Page 9
9

I. PERSONAL DATA
TO THE LAW OF PROTECTION
THE NEED

Page 10
11
11th

Today, both state institutions and private organizations, thousands of people every day.
access to various information regarding The information obtained is in information technologies.
With the effect of the developments, it can be easily processed and transferred. It
Increasingly, personal data is also included among the information.
raised the need for data protection.

Since the 1970s, personal data has been collected through national and international regulations.
conservation efforts are underway. The first regulation in this field was dated 1970.
It is the data protection law adopted in the German State of Hessen. This Law is
In the face of access to land registry records with the help of
It has been prepared in order to determine the procedures and principles regarding storage and storage.
Similarly, the data protection laws of Sweden 1973 and France 1978
recording a large number of data in its possession with a system similar to "identity number"
and, as a result of its integration, effective data processing becomes possible.
and in this context, there is a need for legal protection against possible risks.
made with the mindset. As an international regulation, the Council of Europe in 1973 and
In 1974, personal data kept in private and public electronic data banks.
The two resolutions adopted to set the necessary standards for data protection, personal
It has been the source of the later regulations on data protection.

The first comprehensive international agreement on the protection of personal data is the European
“Automated Data Processing of Personal Data”, dated 1981 and numbered 108, adopted by the Council of
Convention on the Protection of Persons Against Processing”.

Page 12
12

In addition, the Committee of Ministers of the Council of Europe has implemented the Convention No. 108.
It has issued a total of 20 recommendations that determine the procedures and principles for

Following these developments, national
the United Nations (UN), the Council of Europe, the Economic
Within the scope of the Organization for Cooperation and Development (OECD) and the European Union (EU), various
directives, directives and international agreements have been prepared.

To prepare our country to prepare a legal regulation for the protection of personal data.
the main driving factors; effective protection of human rights,
accession negotiations and the need to increase international cooperation and trade.
can be sorted.

Firstly; protection of personal data, privacy of private life, which is a fundamental human right
is directly related to. In order to ensure the privacy of individuals' private life, third parties
It is necessary to legally protect the data that is inconvenient for individuals to receive.

Also; In the ongoing European Union full membership process regarding our country, negotiation
Five of the chapters are related to the protection of personal data. European Union, about our country
national legislation on the protection of personal data in the country reports it prepares.
highlights the need.

Page 13
13

Finally; A legal regulation on the protection of personal data in our country
EUROPOL, which has implemented effective cooperation between police units due to the lack of
and our security units, and between EUROJUST and our judicial authorities.
There have been difficulties in electronic data sharing. In addition, foreign capital
to invest in our country and to make effective use of these investments and investments in other countries.
the data transfer needed to manage it properly, the absence of legal regulation
was carried out in difficult conditions due to the fact that foreign capital
considered as a deterrent to investment.

Page 14
14

Page 15
15

II. LEGISLATION

Page 17
16
17

A. I INTERNATIONAL ORGANIZED ELE
1. Council of Europe Regulations
a. Automatic Processing of Personal Data No. 108
Against the Convention for the Protection of Individuals
The Council of Europe has been working on the protection of personal data since the 1970s.
he did. As a result of the work done, it was signed in Strasbourg on 28 January 1981.
“Protection of Individuals Against Automatic Processing of Personal Data”
“Convention” entered into force on 1 October 1985. Turkey, 28 January 1981
became one of the first countries to sign this convention in its history; this Convention, March 17
It was published in the Official Gazette dated 2016 and numbered 29656 and included in the domestic law.
The main purpose of the Convention, also known as the Convention No. 108 today; in each member state,
fundamental rights and freedoms of natural persons, regardless of their nationality or residence, and
subject to automatic processing of personal data concerning them in particular.
to guarantee the right to private life against detention.

b. Automatic Processing of Personal Data No. 181
Supplementary Controller to the Convention for the Protection of Individuals Against
Protocol on Authorities and Transboundary Data Flow
In this protocol, the states party to the protection of personal data to be implemented in their countries
to establish a supervisory authority that will carry out its duties with full independence in the field of

Page 18
18

has committed. Turkey signed this protocol on 8 November 2001. Protocol,
It was included in domestic law by being published in the Official Gazette dated 5 May 2016 and numbered 29703.
has been done.

c. Relevant Provisions of the European Convention on Human Rights
Prepared by the Council of Europe, of which our country is one of the founding members.
and Human Rights, signed in Rome on 4 November 1950 and entered into force on 3 September 1953.
European Convention for the Protection of Freedoms and Freedoms (ECHR), personal data
Although it does not contain a direct regulation on the processing of the European Human Rights
The Court has protected personal data with its case-law.
On the other hand, Article 8 of the ECHR titled “Right to Respect for Private and Family Life” is “1.
Everyone has the right to respect for his private and family life, his home and his correspondence.
2. Intervention by a public authority in the exercise of this right only
prescribed by law and in a democratic society national security, public safety,
the economic well-being of the country, the maintenance of order, the prevention of crime, the health or
be a necessary measure for the protection of morals or the rights and freedoms of others.
situation may occur” . With this article, the protection of personal data
not directly referred to, but essentially the right to respect for private and family life
The personal data included in the scope of the law are protected by law.

Page 19
19

2. European Union Regulations
a. Processing and Free Movement of Personal Data No. 95/46/EC
The European Parliament for the Protection of Individuals and
Council of Europe Directive
Studies on the protection of personal data in the European Union that started in the 1990s
As a result of this, the European Parliament and the European Council established the "Personal Data
Directive on the Protection of Individuals with respect to the Processing and Free Movement
has accepted. The main purpose of the directive is to ensure that personal data in the member states of the European Union
harmonization of regulations. EU member states,
The legal regulations on data protection are based on this Directive. 6698
Law No. has been prepared largely on the basis of this Directive.
On the other hand, sector-based regulations based on Directive 95/46/EC in the EU are also available.
available. The most important of these regulations is the "Electronic Communications" numbered 2002/58/EC.
Regarding the Processing of Personal Data and Protection of Private Life in the Industry
Directive”.

b. EU General Data Protection Regulation No. 2016/679 of the European Union
(GDPR)
The European Union aims to meet the emerging needs in the field of personal data protection.
In 2012, a new regulation was initiated. European Parliament, Europe
The regulation, prepared by the Council of the European Commission and the European Commission, was adopted in 2016.
and entered into force on 25 May 2018 by repealing Directive 95/46/EC.

Page 20
20

c. Other Arrangements
In addition, at the international level on the protection of personal data, the OECD's “Special
Guidelines on the Protection of Life and Cross-Border Flow of Personal Data” (23
September 1980) and the UN's “Guideline on Computer Processed Personal Data Files
Principles” (14 December 1990).

Page 21
21

B. NATIONAL REGULATIONS
1. Constitution
The second part of the Constitution regulates the fundamental rights and duties of the individual. Special
The privacy of life is one of the fundamental rights of the person. This right is enshrined in Article 20 of the Constitution.
has been guaranteed. Intervention of technological developments in fundamental rights and freedoms
the fact that it has made it easier to do so and that this situation presents itself as a legal problem.
made it necessary to make legal arrangements in this regard.
With the Constitutional amendment made in 2010 with the Law No. 5982, the 20th Amendment of the Constitution.
By adding a clause to the article, personal data is defined as “the right to privacy and protection of private life”.
under constitutional guarantee. In the mentioned paragraph; “ Everyone with
has the right to request the protection of the relevant personal data. This right; about the person himself
to be informed about personal data, to access, correct or rectify such data.
requesting its deletion and learning whether it is used for its intended purpose.
also covers. Personal data can only be collected in cases stipulated by law or with the explicit consent of the person.
can be processed. The principles and procedures regarding the protection of personal data are regulated by law. ”
provision is included.

Page 22
22

With this regulation included in the Constitution;
• Everyone has the right to demand the protection of their personal data,
• This right; being informed about the personal data of the person, this
access, rectification or deletion of data, and their purpose
It also includes learning whether it is used in accordance with
• Personal data can only be collected in cases stipulated by law or with the explicit consent of the person.
can be processed
has been adjudicated.

Page 23
23

2. Law No. 6698 on the Protection of Personal Data
1989 for the first time to enact a separate law on the protection of personal data in Turkey.
A commission was established in This commission has not yet completed its work.
dispersed. A new commission was established in 2000 and this commission lasted for three years.
As a result of the study, a draft law was prepared. However, the draft prepared
reasons, it was not enacted. In 2008 and 2014, under the leadership of the Ministry of Justice
Although a new bill has been prepared and submitted to the Turkish Grand National Assembly (TBMM), the legislative
Since the end of the period, the relevant law proposals have become obsolete.
In the Constitution, detailed regulations on the protection of personal data are provided by law.
will be specified. In this context, on 26 December 2014, “Personal Data
Draft Law on the Protection of the Conservation” was submitted to the Presidency of the Turkish Grand National Assembly. Draft, 24 March 2016
Law No. 6698 on the Protection of Personal Data, which was enacted and enacted on
It was published in the Official Gazette dated 7 April 2016 and numbered 29677 and entered into force.

3. Turkish Penal Code No. 5237
Recording personal data in Article 135 of the Turkish Penal Code (TCK) No. 5237,
In Article 136, giving or obtaining data unlawfully, 138.
In the article, the acts of not destroying the data are regulated as a crime. In addition, the 140th article of the TCK.
In the article, it is stated that security measures will be applied to legal persons in relation to these crimes.
has been enacted.

Page 24
24

INTERNATIONAL REGULATIONS

Page 25
25

NATIONAL REGULATIONS

Page 26
26

Page 27
27

III. A CONSTITUTIONAL
RIGHT TO PERSONAL
DATA PROTECTION
RIGHT TO REQUEST
Page 29
28
29

The second part of the Constitution regulates the fundamental rights and duties of the individual. Special
The privacy of life is one of the fundamental rights of the person. This right is enshrined in Article 20 of the Constitution.
has been guaranteed. Intervention of technological developments in fundamental rights and freedoms
the fact that it has made it easier to do so and that this situation presents itself as a legal problem.
made it necessary to make legal arrangements in this regard.
With the Constitutional amendment made in 2010 with the Law No. 5982, the 20th Amendment of the Constitution.
By adding a clause to the article, personal data is defined as “the right to privacy and protection of private life”.
under constitutional guarantee. In the mentioned paragraph; “Everyone with
has the right to request the protection of the relevant personal data. This right; about the person himself
to be informed about personal data, to access, correct or rectify such data.
requesting its deletion and learning whether it is used for its intended purpose.
also covers. Personal data can only be collected in cases stipulated by law or with the explicit consent of the person.
can be processed. The principles and procedures regarding the protection of personal data are regulated by law.
provision is included.
According to the aforementioned Constitutional provision;
• Everyone has the right to demand the protection of their personal data. It
In this sense, individuals basically collect personal data about them from unrelated third parties.
has the right to demand that necessary measures be taken to prevent it from falling into his hands.
• This right; being informed about the personal data of the person,
access, request their correction or deletion, and
It also includes learning whether it is used or not. In this sense, individuals
has the right to learn which personal data is used, as well as the

Page 30
30

In case of any inaccuracy in the personal data, this situation will be corrected.
or to request the deletion of their data.
• Personal data can only be collected in cases stipulated by law or with the explicit consent of the person.
can be processed. The absence of a legal regulation or the individual's own personal
In the absence of a clear declaration of intent to process the data, the personal
data cannot be processed.
In the justification of the amendment proposal regarding this article; “Personal data in the Constitution
Although there are indirect provisions for protection, they are not sufficient. comparative
Protection of personal data in law and in international documents to which we are a party
is strongly emphasized. With the article, everyone's personal data related to him
The right to demand protection is guaranteed as a constitutional right. It
In this context, what rights and authorities do individuals have over the personal data that concerns them?
when deciding which personal data it has and under what circumstances it can be processed, personal data
It is foreseen that the principles and procedures regarding the protection of data will be regulated by law.”
statement is included.
The protection of personal data is foreseen in the 3rd paragraph of Article 20 of the Constitution.
In addition, unlawful processing of personal data is subject to Article 17 of the Constitution.
the inviolability of the person guaranteed, the protection of the material and spiritual existence of the person
and the right to development and the private life regulated in Articles 20 and 22 of the Constitution.
It also constitutes a violation of the right to privacy and protection.
In paragraph 3 of Article 20 of the Constitution, personal data can only be obtained with the express consent of the individual or
on how to protect personal data, where it can be processed in cases stipulated by law

Page 31
31

It is stated that the principles and procedures will be regulated by law. constitutionally, by law
Although it is stated that personal data can be processed in foreseen cases, special limitation
reasons are not given.
Pursuant to the provision stipulated in the Constitution, on 26 December 2014 “Personal Data
Draft Law on the Protection of the Conservation” was submitted to the Presidency of the Turkish Grand National Assembly. Draft, 24 March 2016
Law No. 6698 on the Protection of Personal Data, which was enacted and enacted on
It entered into force by being published in the Official Gazette dated 7 April 2016 and numbered 29677,
thus, the necessary legal infrastructure for the protection of personal data has been completed.

Page 32
32

Page 33
33

IV. PERSONAL NO. 6698
DATA PROTECTION
LAW

Page 35
34
35

A. IN GENERAL
In today's world, where technology has completely penetrated into daily life, the identity of the individual,
personal data such as communication, health and financial information, religious belief, political opinion.
Protecting your privacy is of paramount importance. Personal data, both private sector
frequently by both the public sector and automated means over information systems.
is processed. The processing of this data is in terms of individuals and providers of goods and services.
Although it provides some conveniences and advantages, the risk of exploitation of the data in question
brings with it. Therefore, between these two interests is legitimate and reasonable.
balance needs to be struck.
Creating legislation on the protection of personal data in our country since 1981
works are carried out. Personal No. 6698, which entered into force on April 7, 2016
The Data Protection Law is the most important stage of this legalization process.
has taken its place in our legal system. Law No. 6698 is the best in this field.
It has been prepared in a way that reflects the application principles and principles.

B. PURPOSE
With the paragraph added to Article 20 of the Constitution with the Law No. 5982 in 2010, everyone
The right to demand the protection of personal data relating to himself is guaranteed as a constitutional right.
been taken under. In this context, individuals' personal data concerning them
what rights and authorities it has and in which cases personal data can be processed
While the decision is made, the procedures and principles regarding the protection of personal data are enforced by law.
is anticipated to take place.
As a matter of fact, the purpose of the Law is clearly stated in Article 1 of the Law. It
Pursuant to the provision, the purpose of the processing of personal data, especially the privacy of private life, is

Page 36
36

protecting the fundamental rights and freedoms of individuals and real and legal entities that process personal data.
is to regulate the obligations of individuals and the procedures and principles that they will comply with.
As stated in the justification of the article, the purpose of the Law is to
disciplinary proceedings and the privacy of private life stipulated in the Constitution.
protection of fundamental rights and freedoms. Importance in recent years with the law
The winner is the protection of the privacy of the person, ensuring data security and personal
the obligations of natural and legal persons processing the data and the procedures and principles to be complied with.
regulation is also considered in this context.
By law, unlimited and arbitrary collection of personal data, unauthorized persons
personality as a result of being made available, disclosed, or misused or misused.
aimed at preventing the violation of their rights.
Subject to which rules and under what conditions personal data can be processed.
The Law, which aims to take control of personal data, controls the processing of personal data.
to prevent the unlawful processing of these data by introducing mechanisms
aims. In addition, obligations of natural and legal persons processing personal data
It is among the aims of the Law to regulate the principles and procedures to be followed by
takes.
Pursuant to this article, the purpose of the Law is:
• To protect the fundamental rights and freedoms of individuals in the processing of personal data,
• The obligations of natural and legal persons processing personal data and the procedures and procedures to be followed.
to regulate (discipline) the principles,
• Protecting the privacy of individuals (privacy of private life),
• Ensuring personal data security,
can be counted as

Page 37
37

C. SCOPE
1. Scope of the Law
In Article 2 of the Law, the scope of the Law is specified. According to this article, the Law
natural persons whose personal data are processed and those whose data is fully or partially automated.
or by non-automatic means, provided that they are part of any data recording system.
It will be applied to real and legal persons.
The law does not distinguish between public institutions and private institutions. of the law
As a rule, the procedures and principles determined by him are valid for all institutions and organizations.
Therefore, the provisions of this Law also apply to the personal data processed by public institutions.
will be applied.
Personal data protected under the Law No. 6698 can only be sent to real persons.
Personal data belonging to legal entities are not protected.
However, obtaining the data belonging to the legal person, one or more real persons
If it leads to the identification of your identity, such data is also protected from the Law.
may benefit. In this case, the protected, real person
are personal data.
In the law, personal data can be partially or completely automated or
processing by non-automatic means, provided that it is part of the data recording system
No difference was foreseen in terms of In this direction, access to personal data
Any system structured according to a certain criterion, in a way that facilitates
will be evaluated within the scope of

Page 38
38

Today, personal data is processed mostly by automatic means. Earlier
data processed by non-automatic means are rapidly transferred to electronic media in many places.
appears to be transmitted. Accordingly, “fully or partially automated means”
processed data” and “automatically provided that it is part of any data recording system.
data processed by illegal means” is protected under the Law No. 6698.
Therefore, the Law is completely out of the scope of the data processed by non-automatic means.
does not leave. What is important here is that the data processed by non-automatic means
whether it is part of the registration system. For example, regardless of any criteria
The cases where the names and surnames of the persons are randomly included in the paper are not covered by the Law.
recording the names in question on a piece of paper according to a certain criterion.
In this case, this data record will be evaluated within the scope of the Law. In this context:
• What does the term “processing partially or completely automatically” mean in the law?
where it came from has not been clarified. In Council of Europe Convention No. 108
on the other hand, from the expression “automatic processing”; record of data, logical and/or
or applying arithmetic operations, changing, deleting, recovering data
automatic or partially automated methods of distribution or distribution
realized is understood.
• By non-automatic means, provided that they are part of any data recording system.
The processed data is also protected under the Law No. 6698. data recording system,
Article 3 of the Law states that “personal data is structured according to certain criteria and
is defined as the “registration system in which it is processed” . Hence hand-processed (manual)
incorporation of data into a recording system structured according to any criteria
In case of such data, the Law No. 6698 will be applied.

Page 39
39

• Personal data processed by non-automated means, part of a data recording system
otherwise it will not be considered within the scope of the Law. However, this situation
Since it will not affect the quality of personal data, unlawful actions regarding this data are also included.
It will continue to constitute a crime under the TPC numbered 5237.

2. Circumstances Not Covered by Law
The law applies only to data related to natural persons. Data on legal entities
It is not covered by the law. Because in the 1st article of the Law, “personal data are processed
real persons”.
In addition, the provisions of the Law regarding the processing of personal data are physically recorded.
It also does not apply to personal data received and not part of the data recording system. Thus,
In the 1st article of the Law, “wholly or partially automatic or any data
processing by non-automatic means, provided that it is part of the registration system”
used.
On the other hand, in Article 28 of the Law, which is completely or partially out of scope.
cases are settled. Full exceptions in paragraph 1 of this article,
Partial exceptions have been made. In the case of full exception, the provisions of the Law shall not be
will not be applied. In cases of partial exception, only some provisions of the Law
will not be applied.

Page 40
40

a. Cases Totally Excluded from the Scope of the Law
In the first paragraph of Article 28 of the Law, the cases that are not within the scope of the Law are listed individually.
counted. These:
• Not to give personal data to third parties and to comply with obligations regarding data security.
by real persons completely with himself or in the same residence, provided that it is complied with.
Processing within the scope of activities related to living family members,
• Research by anonymizing personal data with official statistics,
processing for purposes such as planning and statistics,
• National defense, national security, public security, public order,
not to violate economic security, privacy or personal rights; or
for artistic, historical, literary or scientific purposes, or
processed within the scope of freedom of expression,
• Personal data protect national defense, national security, public security, public order.
mandate and authority given by law to ensure economic security.
preventive, protective and intelligence activities carried out by public institutions and organizations.
processing within the scope of activities,
• Regarding the investigation, prosecution, trial or execution of personal data
It is processed by judicial authorities or execution authorities.

Page 41
41

Activities related to the personal data itself or family members living in the same residence
Processing within the scope of:
Personal data not to be given to third parties and obligations regarding data security
by real persons completely with himself or in the same residence, provided that it is complied with.
In case of processing within the scope of activities related to family members living in
provisions do not apply.
Within the scope of this paragraph; family data of family members living in the same residence
There are exceptions for processing. For example, on special occasions such as birthdays
Photographs taken within the family are not within the scope of this Law. However, these data
if it is shared with third parties or made public, for example on a birthday
In case the photos taken are shared publicly on social media
no exception can be made.
Research by anonymizing personal data with official statistics,
processing for purposes such as planning and statistics:
Research, planning by anonymizing personal data with official statistics
If it is processed for purposes such as statistics and statistics, the provisions of the Law do not apply. This
According to the provisions of the law, in case personal data is processed within the scope of official statistics
will not be applied.
On the other hand, collecting personal data for purposes such as research, planning and statistics
Anonymization of data afterwards is also within the scope of the exception. For example,
personal data included in the survey conducted by a public opinion research institution.
subsequent anonymization.

Page 42
42

The word "like" in the regulation "such as research, planning and statistics" means that
states as an example. Therefore, similar methods are also covered by the exception.
can be said to be included. The important thing here is that this information is anonymized.
that is.
To make it anonymous; personal data, even by matching with other data
cannot be associated with an identified or identifiable natural person in any way.
means to be brought.
Personal data for art, history, literature or scientific purposes or freedom of expression
Processing within the scope of:
Personal data can be used to protect national defense, national security, public security, public order,
not to violate economic security, privacy or personal rights; or
for artistic, historical, literary or scientific purposes or for expression
The provisions of this Law do not apply if it is processed within the scope of freedom of movement.
For example, writing a biography of a publicly known artist for literary purposes,
It is not within the scope of the Law, provided that it is limited to this field of activity.
Personal data can protect national defense, national security, public security, public order.
mandate and authority given by law to ensure economic security.
preventive, protective and intelligence activities carried out by public institutions and organizations.
Processing within the scope of activities:
Personal data can be used to protect national defense, national security, public security, public order or
public authorities that have been given the duty and authority by law to ensure economic security.
preventive, protective and intelligence activities carried out by institutions and organizations

Page 43
43

In case of processing within the scope of this Law, the provisions of this Law shall not apply. According to this
national defense, public security, national security, public order
and data processed within the scope of activities aimed at ensuring economic security.
excluded from its scope. Likewise, proceeds of crime for the stated purposes
money laundering, preventing the financing of terrorism and investigating financial crimes.
Data processed within the scope of activities carried out by authorized units are also subject to this exception.
covered.
Processing of personal data by judicial and enforcement authorities:
Regarding the investigation, prosecution, trial or execution of personal data
In case of processing by judicial authorities or enforcement authorities, this Law
provisions do not apply.

b. Circumstances Partially Excluded from the Scope of the Law
In the second paragraph of Article 28 of the Law, only certain situations and conditions
The cases not covered by the articles are regulated. According to this; Purpose of the law
provided that it is in accordance with and proportional to the basic principles of the data controller,
Article 10, which regulates the liability of the person concerned, except for the right to demand compensation for the damage.
Article 11 regulating the rights of the person and the obligation to register in the Data Controllers Registry.
The provisions of Article 16 regulating the following are limited to the following fields of activity.
not applicable:

Page 44
44

• Personal data processing is necessary for the prevention of crime or criminal investigation.
to be. (For example, when a policeman processes the personal data of a suspect in a crime, this
scope can be evaluated. Because what personal data the police process
or for what purposes it has been processed, the suspect's relevant data
there will be a risk that it will be destroyed or deleted.)
• Processing of personal data made public by the person concerned. (For example,
the person's personal data in a social media account that is accessible to everyone
processing of the data in case of sharing.) In order for this provision to be implemented, the personal
revealing the will to make the data public by the person concerned and
should not be used for intended purposes.
• Personal data processing based on the authority given by the law and the authorized public
institutions and organizations and professional organizations in the nature of public institutions,
carrying out supervisory or regulatory duties and disciplinary investigation or
necessary for prosecution.
• State economics regarding the budget, tax and financial issues of personal data processing.
and necessary for the protection of its financial interests.
As stated in the law, in order not to apply the 10th, 11th and 16th articles,
One of the conditions mentioned must be fulfilled. However, it should be noted that the data
In any case, the processing is in accordance with the purpose and basic principles of the Law and is proportionate.
must be.

Page 45
45

3. Application of the Law in Terms of Time
In the 3rd paragraph of the Provisional Article 1 of the Law, the personal data already processed
status has been adjusted. Accordingly, those processed before the publication date of the Law
Personal data shall be submitted to the provisions of the Law within two years following the publication of the Law.
is made suitable. During this process, it is determined that it is contrary to the provisions of the Law.
personal data is immediately deleted, destroyed or anonymized. But the promulgation of the Law
consents obtained lawfully before the date of
In the absence of a declaration, it is deemed to be in accordance with the Law.

4. Implementation of the Law in Terms of Person
Pursuant to Article 2 of the Law, the provisions of this Law are the real persons whose personal data are processed.
with persons who completely or partially automatic or any data recording
real and legal entities operating by non-automatic means, provided that they are part of the system
applied to individuals. Accordingly, personal data belonging to legal entities are within the scope of the Law.
However, it is not possible to determine the natural person from the data of the legal person.
If so, these data will also be considered within the scope of the Law.

Page 46
46

D. FUNDAMENTALS IN LAW NO. 6698
CONCEPTS
1. Explicit Consent

After the law comes into force, personal data and the processing of this data
One of the concepts that entered our lives is the concept of “explicit consent”. Article 3 of the Law
express consent; “About a particular subject, based on information and freely expressed
defined as “consent” .
In addition, in the 3rd paragraph of Article 20 of the Constitution, personal data can only be processed in the law.
It is stipulated that it can be processed in stipulated cases or with the explicit consent of the person.
Explicit consent, in the Law, includes both special quality personal data and non-special quality personal data.
It is one of the reasons for compliance with the law in terms of data.
According to the Law, respectively;
• In paragraph 1 of Article 5, “Personal data without the express consent of the person concerned
cannot be processed”,
• In paragraph 2 of Article 6, “Explicit consent of the data subject of the personal data of special nature
processing is prohibited without

Page 47
47

• In paragraph 1 of article 8, “Personal data cannot be processed without the explicit consent of the person concerned.
cannot be transferred”,
• In paragraph 1 of Article 9, “Personal data cannot be transferred to the dormitory without the explicit consent of the person concerned.
cannot be exported.”
regulations are included.
Explicit consent is an important concept that also finds its place in international texts. With this
However, the GDPR includes both consent and express consent, but only
The definition of the concept of consent is given. consent under GDPR; a statement or affirmative action
that the person concerned has agreed to the processing of personal data relating to him.
freely given, subject-specific, informed and
defined as an expression that does not contain ambiguity. Processing of personal data in GDPR
While seeking consent for the processing of special categories of personal data, explicit consent is required.
is heard. In our law, both personal data and special quality personal data
Obtaining explicit consent for the processing of data is considered among the personal data processing conditions.
Explicit consent within the framework of the law, the processing of the data that the person has, his/her own will.
It means to give approval with or upon request from the other party. Open
Another importance of the consent declaration is that it provides guidance to the data processor about the action to be taken.
is to show. The person actually gives his/her own legal consent to the data controller with the express consent statement.
declares its decision regarding its value. Explicit consent statement of the person concerned,
the limit, scope and mode of execution of the data it allows to be processed.
will determine.
In this sense, express consent includes the "positive statement of will" of the person giving the consent.

Page 48
48

required. Without prejudice to the regulations in other legislation, express consent
is not dependent on form. Electronic media and call center etc. of express consent.
ways are also possible. Here, the burden of proof lies with the data controller.
Within the scope of the definition of explicit consent in Article 3 of the Law, 3 elements of express consent
There are:
• Relating to a specific subject,
• Consent is based on information,
• Disclosure of free will.

a. Relating to a Specific Subject
In order for the express consent given to process data to be valid, the express consent must be given to a specific subject.
should be relevant and limited to that subject. Statement of explicit consent by the data controller
It should be clearly stated on which subject is requested. This
According to the data subject, with a general statement of will, “I agree to the processing of my personal data.
open-ended and ambiguous consent as “I am willing” alone “explicit consent” in the context of the Law
as unacceptable.
If you express your consent to the processing of data for more than one category,
the processing, such as which data and for what purposes the express consent will be processed.
should also be given in terms of different points.
For secondary operations that the data controller will perform after using the data,
(such as data transfer abroad) will also need to obtain express consent. Same situation,
It also applies if the purposes of processing the data change. So for each purpose
An express consent must be obtained.

Page 49
49

b. Based on Information
Explicit consent is a declaration of will, and in order for a person to freely consent, what must be done?
He must also know that he consents. not only on the subject, but also
He must also have full knowledge of the consequences of his consent.
Informing in a clear and understandable manner on all matters related to data processing
should be carried out. The notification must be made before the data is processed.
must. The nature of the data to be processed will also determine the level of information.
Informing the relevant person also determining the future of the person's own data
constitutes a reflection of the right.
For what purposes will the personal data obtained while informing be used?
should be clearly stated, when terms that the person does not understand or when written information is given
Small fonts should not be used as it will cause difficulty in reading.

c. Free Will Disclosure
Consent, which is a person's declaration of will, means that the person is aware of his behavior and is his own decision.
case it will be valid. All kinds of acts that will injure the will of the person, personal data
will also cripple his explicit consent to be processed. such as algebra, threat, error, and deception.
It is not possible for the person to decide freely in injurious situations. Hence,
In such cases, it is not possible to talk about a free will statement. However, here every
The reason should be evaluated in itself and the degree of influence on consent should be determined.

Page 50
50

where the parties are unequal or one party has influence over the other
careful consideration of whether consent is given freely
must. Especially in the employee-employer relationship, the possibility of not giving consent to the employee is an effective
It is a possible negative situation for the worker that the employee is not presented in a way or not giving consent.
It cannot be accepted that consent is based on free will.
On the other hand, since the express consent must be expressed with free will, the
obtaining consent, the provision of a product or service, or the use of a product or service.
should not be considered as a prerequisite for its use. So any express consent
not subject to the terms of service.
For example, in places where the use of a service is a condition of membership, being a member
fingerprinting and processing of the person who wants to be subject to the membership agreement.
It would be unlawful for it to be foreseen as a necessity for its establishment. Because this way
the explicit consent obtained is contrary to the principle of giving open consent with free will and the principle of proportionality.
will be.

Page 51
51

2. Anonymization (Anonymization)
Anonymization or anonymization, even if the data is matched with other data,
cannot be associated with an identified or identifiable natural person in any way.
means to be made. In this context, a monitoring on the remaining data
after matching and supporting with other data, who the data belongs to
If it can be understood, it cannot be accepted that this data has been anonymized.
At this point, the point to be noted is the difference between anonymous data and anonymized data.
is the difference. Anonymous data that cannot be associated with a specific person from the beginning
While denoting data, anonymized data has been previously associated with a person but
data that is no longer connected.

3. Contact Person
The law provides for the protection of only natural persons' data. Therefore
In the law, the term "relevant person" is used to express the real person whose personal data is processed.
As clearly stated in the definitions section of the Law, the person to be protected is a “real person”.
person”.
According to the definition of personal data in the law, any real data of a legal person
If it identifies or makes the person identifiable, these data are protected under the Law.
below. However, the interest protected here is not the legal person, but the
shall belong to the real person determined or to be determined as a matter of priority. Because the Law
does not regulate the protection of data belonging to legal persons in any way.

Page 52
52

4. Personal Data
Personal data is any information relating to a specific or identifiable person. It
In this case, in order to distinguish personal data from non-personal data, there are basically two criteria.
can be said to have been used. Accordingly, in order to be able to talk about personal data, the data must be given to a person.
and this person must be specific or identifiable.
Personal data, showing the personal, professional and family characteristics of the individual,
It is all kinds of information that is suitable for distinguishing individuals from individuals and revealing their qualities. in law
personal data; as “any information relating to an identified or identifiable natural person”
has been defined. This information includes the identity, ethnic origin, physical characteristics,
health, education, employment status, sexual life, family life,
communications, residence address, credit card information, personal thoughts and beliefs, association,
It also covers issues such as foundation or union memberships and shopping habits.
In line with the definition of personal data in the law, a natural person is determined or
Any information that makes it identifiable must be considered as personal data.
Regarding which information will be considered as personal data in the definition made in the law,
It is seen that the limited count principle is not adopted. With emerging technologies in law
A broad definition of personal data, including the categories of data from which it can be derived
is offered.
The fact that a person is specific or identifiable means that the available data is in any way
means making that person identifiable by associating it with a real person.
is doing. In the justification of the law, such as the name, surname, date of birth and place of birth of the individual

Page 53
53

In addition to the data providing the definitive diagnosis, the person's physical, familial, economic, social and
It has been stated that data regarding other characteristics are also in the nature of personal data.

Personal data express the physical, economic, cultural, social or psychological identity of the person.
It can carry a tangible content, such as identity, tax, insurance number.
all data that enables the person to be identified as a result of associating with a record
covers.
As a matter of fact, in the justification of the Law, phone number, motor vehicle license plate, social
security number, passport number, resume, picture, image and sound recordings,
data such as fingerprints and genetic information can make the person identifiable, albeit indirectly.
It has been pointed out that due to its characteristics, it should be considered as personal data.

5. Processing of Personal Data
The concept of processing personal data refers to a chain cycle. of the law
Article 2 states that personal data is fully or partially automated or
obtained for the first time by non-automatic means, provided that it is part of a data recording system.
A process that starts with data processing and any subsequent processing is data processing.
has been defined. Deletion, destruction of personal data after collection as specified
or any kind of process carried out in the process up to anonymization
activity is considered as the processing of personal data within the scope of the Law.
In fact, when it comes to personal data, how the data is kept and used is the most important.
Few are as important as the data itself.

Page 54
54

Some of the methods of processing personal data are described below:
• Retrieval or recording: From the moment personal data are obtained for the first time
processing begins.
• Storage/Preservation: Storing personal data in digital or physical environment,
hosting or storage is considered as part of processing.
• Modification / Rearrangement: Personal data, using various methods
Changing or rearranging by means of
• Transfer / Assignment: Transmission of personal data by various methods is also processed.
covered by its activity.
Personal data may be processed by automatic or non-automatic means:

a. Automatic Processing
While there is no definition of what automatic processing is in the Directive and the Law,
The definition given by the OECD; “The need for human intervention or assistance
Interconnected and interactive electrical or electronic
data processing activity performed by a system” . however,
In the justification of the Law, while the scope of the Law was explained, “Today, these data are
by the private sector and the public sector by automatic means through information systems.
used frequently.” indirectly, automatic processing, information systems
activities carried out on it.

Page 55
55

Accordingly, automatic data processing; computer, phone, clock etc. owner of the processor
through software or hardware features that are fulfilled by devices
spontaneously without human intervention within the scope of prepared algorithms
processing activity.

b. Non-Automated Processing (Part of Data Recording System)
Being)
As stated above, although personal data is not subject to automatic processing, “data recording
They will also be subject to the provisions of the Law when they are processed through the “system”. in law
data recording system, “the record in which personal data is processed and structured according to certain criteria.
system” . These systems can be created electronically or physically.
Accordingly, for example, personal data, name, surname or identity number in the data recording system
as can be classified on the basis of the debts that will be created for those who do not pay their loan debts.
classification can also be evaluated in this context. law, automatic
does not completely exclude the processing of data by means of the Law. So, automatic
non-transfer data processing if it is part of the data logging system, then data processing
activity will be considered within the scope of the Law.
As a result;
Providing all the following conditions together for the legal processing of personal data
must:
• The processing is based on data processing conditions,
• The fact that the lighting has taken place,
• Compliance with general (basic) principles.

Page 56
56

6. Data Controller and Data Processor
a. Generally
Data controller, which determines the purposes and means of processing personal data,
natural or legal person responsible for the establishment and management of the system
means. Activities carried out by legal entities in processing personal data
Within the scope of the scope, they are themselves “data controllers” and
legal responsibility will arise in the person of the legal person. public law in this matter
No difference was observed in terms of individuals and private law legal entities.
Since the units within a company do not have separate legal entities,
It is not possible for these units to be data controllers. However, a company
Since each company forming the group of companies has a legal personality, each of these companies
It is possible for one of them to be a separate data controller.
If the data processor is the data controller, the personal data on his behalf based on the authority given by the data controller.
as natural or legal persons outside the organization of the data controller.
is defined. These persons, within the framework of the instructions given to them,
authorized by the data controller by making a personal data processing contract.
is a separate natural or legal person.
Any natural or legal person can be both a data controller and a data controller at the same time.
may be functioning. For example, an accounting firm retains data about its personnel.
data held by the companies that are its customers.
shall be considered as data processor.

Page 57
57

The activities of the data processor are mostly limited to the technical parts of the data processing. Personal
The authority to take decisions regarding the processing of data rests with the data controller. Data
The responsible person is the person who determines the purpose and method of processing personal data. So personal
within the scope of data processing, which has the authority to make decisions on its own behalf and
It is the person who will answer the questions of “why” and “how” the activity will be done.
In order to determine the data controller, it should be taken into account who decides on the following issues:
• Collection and collection method of personal data,
• Types of personal data to be collected,
• For what purposes the collected data will be used,
• Which individuals' personal data will be collected,
• Whether the collected data will be shared, and if so, with whom it will be shared,
• How long the data will be retained.
However, with the personal data processing agreement that the data controller will make,
For example, it may leave the decision-making authority to the data processor on the matters stated:
• Which information technology systems or other
methods will be used,
• The method by which personal data will be stored,
• Details of the security measures to be taken for the protection of personal data,
• The method by which personal data will be transferred,
• To be used for the correct implementation of the periods for the storage of personal data.
method,

Page 58
58

• Method of deletion, destruction and anonymization of personal data.
Some common points between the data controller and the data processor need to be specified.
First, in terms of data controller, from data processing activities within a company.
no responsible person is implied. The data controller is the legal entity itself.
Being a data controller (as well as a data processor), legal obligations of the Law
It is a status that it determines in order to designate it and it must meet the characteristics given in the definition.
case, the legal entity of the company will also be included in this status. For example, data processing
not the person who receives and records documents in a company as part of his or her activity,
The company itself has the title of “data controller”.
Secondly, both concepts apply to both natural and legal persons. For example,
both a self-employed financial advisor and a financial advisory firm,
as well as a data processor. Legal personality of units within a company
Since there is no data controller, it is possible for these units to be data controllers or data processors.
is not. However, each company forming a group of companies is a legal entity.
of these companies, if it also carries other elements in the definition of data controller.
each can take place in two separate statuses.
Finally, a legal or natural person is both a data controller and a data controller at the same time.
It is possible to say that it can work. For example, a cloud computing service provider
While the company is a “data controller” in terms of the data of its employees,
acts as a “data processor” in terms of its data.

Page 59
59

b. Examples * 1
Market Research Companies
In accordance with a contract with a pharmaceutical company, a research company
undertakes to organize an employee satisfaction survey. The company, the employee to be surveyed
list, selection of survey method and presentation of survey results.
left to the research company. In this case, the research company, although on behalf of the company
Although it conducts the survey and processes personal data, the data controller together with the pharmaceutical company
status. Because which employees will be surveyed, which data will be collected, etc.
It is a research company that has the authority to decide on the issues.
Payment Services
Agreement of a person who sells online with a payment service company
in the case of processing the data of its customers; payment service company
is not a data processor. It is in the status of data controller in terms of processing this data.
Because the payment service company; (1) In order for the payments to be made correctly, which
decides that data should be collected. (2) For what purpose the collected data
has control over its use. (3) Directly regardless of the seller
It has its own terms and conditions that apply to customers whose personal data is processed.
(4) Independent of the seller, it has its own legal obligations.
For example; deletion of credit card information.

1- What is explained in this section is about concrete examples and is a general statement for the relevant data controllers.
It is not an evaluation.

Page 60
60

lawyers
One of a company's resigning employees stole the company's client list and
In return, the owner of the company applied to a lawyer about how to get the list back.
in one example; by the owner of the firm handing over the personal data of his former employee to the lawyer,
The lawyer also has the status of data controller. In this case, the lawyer's owner of the firm
The fact that he is acting on his behalf does not change that. Because the personal data obtained from the lawyer
will determine how it will be processed. Therefore, with regard to the personal data provided,
both the owner of the company and the lawyer are in the status of data controller. In this sense, each
has its own obligations to comply with (for example, the data subject's personal data
both are individually responsible for fulfilling the access request).
Financial Advisors
Financial advisors keep records related to their clients' accounts.
are the data controllers for the processing of personal data. Because financial advisors
many professionals that require them to take responsibility for the personal data they process.
have legal obligations. For example, when reviewing a company's accounts
In case of encountering corruption, the financial advisors' judicial and administrative units or other
It is obligatory to notify the competent authorities. While making the notification
It is clear that the customer will not be acting in accordance with his instructions. Hence this
specialist service providers, such as
As long as they are in the status of data controller, they will not be data controllers.
partly or wholly to the customer by agreement
will not be possible.

Page 61
61

Cloud Service Providers
A cloud service for the storage of personal data collected by a government agency
the cloud service provider, in the case of a contract with the data processor,
status. Because, pursuant to the contract between the parties, the cloud service provider
It is not possible to use the data for its own purposes. In addition, cloud service provider,
does not process data on its behalf within the scope of the service it provides. public only activity
the personal data from the public institution in accordance with the instructions of the public institution.
is to hide.

Page 62
62

7. Data Recording System
The data recording system is the registry where personal data is processed and structured according to certain criteria.
represents the system. These systems can be created electronically or physically.
Accordingly, personal data in the data recording system; via name - surname or ID number
can be classified, for example, for those who do not pay their loan debts.
classification will also be evaluated in this context.
According to the justification of the law, personal data processed by non-automatic means is a data
If it is not part of the registration system, it will not be considered under the Law.
The law will find application in the following two cases:
• Processing of personal data partially or completely by automatic means,
• Personal data in non-automatic ways, but in a data recording system.
processing.
According to this definition, a processing activity performed on data,
1) first determining whether it is automatic,
2) If there is non-automatic processing, this time the data is processed in a data recording system.
understanding of not working
required.

Page 63
63

E. REGARDING THE PROCESSING OF PERSONAL DATA
BASIC PRINCIPLES
1. In General
accepted in international documents and reflected in the practice of many countries.
There are basic principles regarding the processing of personal data. Article 4 of the Law
The procedures and principles regarding the processing of personal data are in accordance with the Convention No. 108 and 95/46/EC.
It has been regulated in accordance with the European Union Directive No. According to this; in law
The general (basic) principles counted in the processing of personal data are as follows:
• Compliance with the law and honesty rules,
• Being accurate and up-to-date when necessary,
• Processing for specific, explicit and legitimate purposes,
• Being connected, limited and restrained with the purpose for which they are processed,
• As long as required by the relevant legislation or for the purpose for which they are processed.
preservation.
Principles regarding the processing of personal data, all personal data processing activities
must be inherent and all personal data processing activities must be carried out in accordance with these principles.
should be carried out.

Page 64
64

a. Principle of Compliance with Law and Integrity Rules
Compliance with the law and the rule of honesty, in the processing of personal data,
and to act in accordance with the principles brought by other legal regulations
expresses an obligation. Data in accordance with the principle of compliance with the rule of integrity
The controller, while trying to achieve his goals in data processing, aims to protect the interests of the persons concerned.
and reasonable expectations. In other words, the person concerned does not expect
and act in a way that prevents the consequences that one does not have to wait for.
it has to. Pursuant to the principle, the data processing for the data subject is also
transparency of the data controller's activities and compliance with the information and warning obligations of the data controller.
must act appropriately.
The principle of being in compliance with the law and the rule of honesty has an inclusive feature as well.
has. Compliance with the law, in general legal norms and universal legal principles
is suitability. The scope of legality is broad, including regulatory compliance.
For example, an illegal practice also brings about illegality.
Compliance with the rules of honesty is in our law, in Article 2 of the Civil Code.
The principle of honesty is not violated when processing personal data. It
The principle is to comply with the prohibition on abuse of right when processing personal data.
requires. The rule of honesty is in accordance with the rules of trust when using the rights of people
and to behave in the manner expected of a reasonable person. Integrity rule
boundaries are determined according to the behavior to be expected from an objective person in each concrete case,
Subjective status of individuals is not taken into account. There is a violation of the rule of honesty
the person uses his right and acts within the limits of this right,
however, it acts contrary to the purpose of the right.

Page 65
65

In terms of the protection of personal data, the honesty rule is
based on legal rules that authorize or order processing
processing the least possible amount of data in accordance with the purpose of this legal rule,
It requires behaviors such as not acting in a way that cannot be foreseen by the persons concerned.
Data controllers take into account the interests and reasonable expectations of the data subjects
It is a requirement of the honesty rule. private life of the person concerned without a justified reason.
The processing of data in a way that violates the privacy and dignity, of course, constitutes a violation of this principle.
will. For example, unreasonable data within the framework of privacy, related
requested from the person or it is against the rules of honesty by the data controller.
processing is against this principle.
The rule of integrity is embodied in other principles of data protection. to these principles
Processing data without complying with the rule of good faith and therefore lawful data processing
will be inconsistent.
For example, in case of deletion of personal data before a legal entity, the data is technically
data by persons responsible for its storage, protection and backup.
Although it is possible to access the data within the legal entity in question,
the number of persons responsible for its storage, protection and backup is required.
Providing access to personal data deleted by these persons in case of over-determination
will constitute a violation of the honesty rule.
Whether this principle is applicable or not, first of all, the fundamental rights and freedoms of the Constitution
regime should be considered. The processing of personal data, the basic
means an interference with their rights, and this interference is fair and lawful.

Page 66
66

In order to be considered appropriate, the Constitution must be limited by the restriction of fundamental rights and freedoms.
must comply with the relevant regulations. Emphasis on legality
One of the most important points to be made is that this concept refers to the entire legal system. One
data processing is permitted or even ordered by law.
presumed to be appropriate.

b. The Principle of Being Accurate and Up-to-Date When Necessary
With this principle emphasizing the importance of the accuracy and up-to-dateness of personal data,
The envisaged right of the data subject to request the correction of the data is compatible. Personal
keeping the data accurate and up-to-date is in the best interest of the data controller.
as well as it is necessary for the protection of the fundamental rights and freedoms of the person concerned.
Active in ensuring that personal data is accurate and up-to-date when necessary
duty of care; If the data controller provides a relevant information to the data subject based on this data,
valid if it yields results (for example, lending transactions). Apart from that, data
The responsible person will always ensure that the information of the person concerned is correct and up-to-date.
keep the channels open.
Due to the outdated or incorrectly kept personal data of individuals, material and moral
possible damage. For example, a person is registered in the system of the data controller.
the phone number is not correct or is no longer used by the person concerned,
erroneous results because it does not reflect real data about that person.
may cause. Again, a person whose address information is registered incorrectly belongs to himself.
In case of failure to receive notifications on time or served to a wrong person
the person concerned may suffer material and moral damage. As this principle protects the rights of the person concerned,
It is also in the interests of the data controller.

Page 67
67

In order to ensure that personal data can be kept accurate and up-to-date; personal data
The sources from which it is obtained must be certain, the accuracy of the source from which the personal data is collected
should be determined, the requests arising from the inaccuracy of personal data should be taken into account.
and reasonable precautions should be taken in this regard.

c. Principle of Processing for Specific, Explicit and Legitimate Purposes
The principle that the purposes of processing personal data are specific, legitimate and clear;
• The personal data processing activities can be clearly understood by the person concerned.
to be,
• Based on which legal processing condition of personal data processing activities
detecting that it has been done,
• The specificity of the personal data processing activity and the purpose of this activity.
to be presented in detail to
provides.
This principle requires that the data controller clearly and precisely determine the purpose of data processing and that
necessitates that the purpose be legitimate. Data controllers specify to the person concerned
in case they process data for other purposes other than those purposes,
responsibilities will arise. The purpose is legitimate, the data processed by the data controller,
being related to and necessary for the work it has done or the service it has provided
means. For example, the name and surname of the customers of a ready-made clothing store.
It is legitimate to process the mother's maiden name, while the processing of the information is legitimate.
will not be considered within the scope of the purpose.

Page 68
68

Knowing the purposes of processing personal data only for the data controller, or
being predictable is against this principle. In this respect, the purposes of personal data processing
in the legal proceedings and texts (explicit consent, clarification, application of the person concerned)
response, registration in the Data Controllers Registry) in compliance with the principle of certainty and clarity.
must be sensitive and avoid the use of obscure, technical-legal expressions.
should be avoided. Acting in accordance with this principle also complies with the principle of honesty.
also extremely important.

c. The Principle of Being Related to the Purpose for which they are Processed, Limited and Measured
The processed data is suitable for the realization of the determined purposes,
personal data that is not relevant or needed for the realization of the purpose
processing is to be avoided. likely to occur later
Data processing should not be used to meet the needs. Because
Data processing for possible needs means a new data processing activity.
will come. In this case, the personal data regulated in Article 5 of the Law
one of the processing conditions must be fulfilled. In addition, the processed data is
will be limited to the personal data necessary for the realization of the purpose. for purpose
Processing data other than necessary will be contrary to the principle of limitation.
The important thing here is to provide sufficient data to achieve the purpose,
avoiding data processing that is not necessary for other purposes. currently available
Personal data should not be collected for purposes that are not intended to be realized later.
or should not be processed.
The principle of proportionality requires a reasonable compromise between data processing and the intended purpose.
It means establishing a balance. In other words, data processing will achieve the purpose.

Page 69
69

means to a large extent. For example, from the credit card applicant
requesting information about their preferences for life and social activities
may constitute a violation of the principle of proportionality.

D. Necessary for the Purpose of Processing or Envisioned in the Relevant Legislation
Principle of Conservation for the Time That Is
Necessary for the purpose for which personal data is processed, as a requirement of the "purpose limitation principle"

must be preserved for the given time. In this regard, the data controller, administrative
and technical measures. As stated in Article 12 of the Law
data controller; to prevent the unlawful processing of personal data,
prevent unlawful access and ensure the protection of personal data
all kinds of technical and administrative procedures necessary to ensure the appropriate level of security for the purpose of
have to take measures.
In this regard, the data controller is responsible for determining the necessary technical and administrative measures and
is obliged to ensure that personal data is kept in accordance with these principles. Personal
responsible for preparing data retention and destruction policy (Registration obligation
Data controllers should also act in accordance with these principles.
In accordance with the purpose limitation principle for the storage of personal data, by the data controller
In addition to the specified retention periods, the relevant legislation to which the data controller is subject
There are also specified storage periods. According to this; data controllers,
If there is a period stipulated in the legislation for the relevant personal data, it will comply with this period; if
If such a period is not foreseen, only the data necessary for the purpose for which they are processed.

Page 70
70

can be stored for a period of time. A valid reason for further retention of data
If not, that data will be deleted, destroyed or anonymized.
Personally, for future reuse or for any other reason.
data will not be preserved.
In addition, the data controller, when applying for registration in the Registry pursuant to Article 16 of the Law.
Data Controllers Registry for the maximum time required for the purpose of processing personal data.
To determine by considering Article 9 of the Regulation on
Data Controllers must notify the period to the Registry Information System (VERBIS).
The processing purposes of the data categories notified to the Registry by the data controller and these
with the maximum retention periods necessary for their processing based on the purposes
The periods stipulated in the legislation may be different. In this case, maximum protection in the legislation
If a period of expiry is foreseen, this period, otherwise, this period is based on the longest period of them.
A notification is made to the Registry for the data category.
It should be noted here that; Compliance with these deadlines stipulated in the legislation
The storage activities for the data controller are determined by the data controller.
exceeds, these activities only fulfill the obligations specified in the relevant legislation.
should be conducted as a limited storage and processing activity. Both the data controller
the periods stipulated within the scope of the legislation to which it is subject due to its legal obligations,
and in case the storage periods determined by the data controller are exceeded, the personal
Deletion, Destruction or Anonymity of Personal Data by the data controller
Deletion, destruction or anonymization according to the Regulation on
must be brought.

Page 71
71

F. TERMS OF PROCESSING PERSONAL DATA
The processing of personal data is defined in Article 3 of the Law. According to this; personal
wholly or partially automated or any data recording system.
non-automatic means, provided that it is a part of
storage, preservation, alteration, rearrangement, disclosure,
transfer, take over, make available, classify or
Any operation performed on the data, such as preventing the use of
considered as data processing.
The conditions for the processing of personal data are listed in Article 5 of the Law and accordingly
Processing of personal data in case of at least one of the following conditions
possible.
• Existence of the explicit consent of the person concerned,
• It is clearly stipulated in the laws,
• Those who are unable to express their consent due to actual impossibility or who
the life of the person or another person whose legal validity is not recognized, or
necessary for the preservation of bodily integrity,
• Provided that it is directly related to the establishment or performance of a contract
It is necessary to process the personal data of the parties to the contract,
• It is mandatory for the data controller to fulfill its legal obligation,
• The person concerned has been made public by himself,
• Data processing is mandatory for the establishment, exercise or protection of a right,
• Provided that it does not harm the fundamental rights and freedoms of the data subject, the data controller
data processing is necessary for their legitimate interests.

Page 72
72

Processing conditions of personal data, that is, compliance with the law, by counting in the Law
determined and these terms cannot be extended.
If the personal data processing is based on one of the conditions other than express consent in the Law,
In this case, the explicit consent of the person concerned is not required. Data processing
While it is possible to carry out the activity on a basis other than express consent, express consent is required.
reliance on; deceptive due to mislead and misdirection of the person concerned
and it will be an abuse of right by the data controller. Indeed, the person concerned
In case the express consent given by the data controller is withdrawn, other personal data
Continuing the data processing activity based on one of the processing conditions is legal and
It will mean taking action against the rules of honesty.
In this context, the purpose of the personal data processing activity by the data controller
whether it is primarily based on one of the processing conditions other than express consent
should be evaluated, if this purpose is the least of the conditions other than the express consent specified in the Law.
does not meet at least one of them, in this case, the person's consent for the continuation of the data processing activity
consent should be sought.
The terms of processing personal data are based on the purpose of each personal data processing activity.
constitutes its legal basis. Personal data processing activity
There may be more than one personal data processing condition for its purpose. For example, salary
legal process of processing personal data of employees in order to issue payroll.
the basis of the personal data processing conditions, the performance of the contract and the legal status of the data controller.
fulfillment of its obligation.

Page 73
73

Table-1 shows the processing conditions of personal data other than express consent:
Processing Conditions

Scope

Provision of Law

Sample
The law on the personal information of the employee
keeping as required.

Tax Laws, Labor Law, Turkish
Commercial Law etc.

Performance of Contract

Employment Contract, Sales Contract, Transportation
For delivery, the company
Contract, Contract of Work etc.
save the address information of the person.

Actual Impossibility

Consent due to actual impossibility
unable to give or discern
powerless person.

Data Controller
Legal Responsibility

Banking, energy, capital markets
Financial Audits, Security Legislation,
information in field-specific controls such as
Compliance with Industry Oriented Regulations.
making sharing.

Location of the kidnapped or missing person
information.

Personal information of the person concerned

Making Public

to be made available to the public.

The person who wants to sell his house
include contact information in the advertisement.

Establishment of Right,
protection,
Using

Litigation, registration procedures,
IR required of an employee leaving from evil
all kinds of deed transactions etc. in the works information during the statute of limitations
mandatory data.
storage.

Legitimate Interest

Fundamental rights of the person concerned
data without prejudice
Rewards and bonuses that increase employee loyalty
for the legitimate interest of the person responsible
data processing for the purpose of implementation.
data processing if necessary

Table-1: Processing Conditions of Personal Data Except for Explicit Consent

Page 74
74

1. Explicit Consent
Explicit consent is one of the personal data processing conditions. Data processing by the data controller
whether it is primarily based on one of the other data processing conditions in the realization of the activity.
It should be considered that it cannot be tolerated, if there is none of these, the express consent of the person concerned
should be taken.

2. Explicitly Provided in Laws
One of the data processing conditions is that it is clearly stipulated in the law. personal in law
A provision regarding the processing of data will constitute the data processing condition. Personal
If there is an express provision in any law regarding data processing or if there is an express provision
If a referral has been made to the secondary legislation, in this case, the processing of personal data
possible.
For example, in accordance with Article 75 of the Labor Law No. 4857, the employer pays for each employee he employs.
the provision that a personnel file should be prepared and the identity information of this worker should be included
is located. In this context, the employer is entitled to keep the identity data of the employee he/she employs “in accordance with the law”.
expressly stipulated” will be able to process on the basis of the processing condition.

3. Actual Impossibility
Those who are unable to express their consent due to actual impossibility or
life or body of an unrecognized person, himself or another
Personal data of the person concerned, if necessary for the protection of its integrity
can be processed.

Page 75
75

In case of actual impossibility according to the law, the person concerned or
Obligation to protect the life or bodily integrity of a third person
must exist. For example, in order to save a person whose freedom is restricted,
or phone, computer, credit card, debit card or other
such as processing this data to locate it via a technical tool.

4. Necessary for Establishment or Performance of Contract
to be
Provided that it is directly related to the conclusion or performance of a contract,
In the event that the processing of personal data belonging to the parties to the contract is mandatory, the relevant
It is possible to process personal data of individuals for this purpose limited to this purpose. For example,
Obtaining the creditor's account number for payment of money under a contract
or at the time of making a loan agreement with a bank, the salary of that person
such as obtaining the payroll, title deed records, the document that there is no enforcement debt. Also,
In accordance with the contract, the seller must address the buyer's address in order to fulfill his obligation to deliver the goods.
employees to register or to pay the employer's salary.
Holding bank information can be considered in this context.

5. Fulfilling the Legal Obligation of the Data Controller
Mandatory to Bring
In order for the data controller to fulfill its legal obligation, the data processing
In cases where it is necessary, the personal data of the person concerned may be processed. To a company employee
To be able to pay salary, bank account number, whether he is married, dependents
obtaining data such as the persons with whom the spouse is working, whether the spouse is working, and the social insurance number.

Page 76
76

processing and processing can be given as an example of this situation. During the employer's tax audit
to the examination of the information of its employees or customers by the relevant public officials.
can also be evaluated in this context.

6. Personal Data Made Public by the Relevant Person
to be
in any way made public by the person concerned, in other words,
Personal data disclosed to the public may be processed. As an example of this situation
contact information of a person in order to be contacted in certain situations.
may be publicly announced. On corporate websites, employees
workplace phone numbers and corporate e-mail addresses of third parties
Publication can also be mentioned if it is shared openly for public access.
However, in order for the personal data to be publicly accepted, the public of the person to whom it belongs
should want it to be. In other words, the realization of publicization
There must be a will to make it public. Otherwise, a person's personal data
Just because it's in a place where you can see it doesn't make it public. Also, in the case of publicizing
Personal data should not be used other than for its purpose. For example, used vehicle
the contact information of the person who wants to sell his vehicle on the websites where the sale is made.
It cannot be used for marketing purposes.

Page 77
77

7. Establishment of a Right to Process Personal Data,
Mandatory for Use or Protection
If it is necessary for the establishment, exercise or protection of a right, the person concerned
It is possible to process personal data. For example, by a company's own employee
the use of some data for proof in a lawsuit or the rights of a restricted person.
such as the guardian or trustee keeping the financial information of the restricted person for the purpose of protection.
In addition, after the end of the contract, the statute of limitations against possible legal proceedings
keeping documents such as invoices, contracts, bails for these purposes until the end
will be evaluated in this context.

8. Fundamental Rights of the Data Processing Person and
Data Without Harming Their Freedoms
Obligation for the Legitimate Interests of the Responsible Person
Provided that the fundamental rights and freedoms of the data subject are not harmed, the data controller
In the event that data processing is necessary for their legitimate interests, personal data
processing is possible.
In some cases, data processing is involved in the legitimate interest of the data controller.
can happen. For example, a company owner's fundamental rights and freedoms
their promotions, salary increases or social benefits, provided that they do not harm
Role and role in the organization or restructuring of the business
The processing of personal data of the employees to be taken as a basis in the distribution of the company owner
included in its legitimate interests.

Page 78
78

In order to process data based on this condition, the legitimate interest of the data controller
and the fundamental rights and freedoms of the person concerned should not be harmed.
The legitimate interest of the data controller is obtained as a result of the processing to be carried out.
it is for the benefit and the benefit. Benefit of the data controller; legitimate,
effective, specific and already existing at a level that can compete with the fundamental rights and freedoms of the person concerned.
must be related to an existing interest. Performed by the data controller
It is a process that is related to current activities and will benefit it in the near future.
required.
A situation such as the sale, acquisition or change of ownership of a company
when it comes to purchasing the company, the person who will buy the company has a good grasp of the current situation
In order to be able to measure certain information, including personal data, and
The cases of examination by taking the necessary security measures are also within the scope of legitimate interest.
can be obtained. However, the point to be noted here is that the data controller is legitimate.
is interpreted in accordance with the purpose and spirit of the Law.
In addition to the legitimate interests of the data controller, the fundamental rights and
their freedom should not be compromised. Therefore, the legitimate interest of the data controller
the fundamental rights and obligations of the data subject whose personal data will be processed.
It is necessary to determine what freedoms are. The balance to be made next
According to the test, if the legitimate interest of the data controller is not very strong and effective,
The rights and interests of the data controller are legitimate but less important to the data controller.
may outweigh his interests. In this regard, the legitimate
The interest must be serious, substantial, and readily available.
In order to be able to process data on the basis of this condition, it will be made between competing interests.
As a result of the evaluation, personal data is processed within the scope of this provision.

Page 79
79

It must be decided whether or not to work. Therefore, the relevant provision does not apply to data processing.
cannot be considered as an unlimited power. On the contrary, specified in the article
a reasonable compromise between the interests of the data controller and the fundamental rights and freedoms of the person concerned.
requires a balance.
The implementation of this provision requires a two-stage evaluation. To do
In the first evaluation, the existence of the legitimate interest of the data controller should be determined,
secondly, that this benefit does not harm the fundamental rights and freedoms of the person concerned.
should be determined. While making this evaluation, with the legitimate interest of the data controller
The purpose of processing personal data should not be confused with each other. These two terms are related
though it means different. Purpose of processing personal data, specifically
related to processing. However, the legitimate interest of the data controller is wider.
should be interpreted. The legitimate interest of the data controller is the processing to be carried out.
to the benefit it will derive as a result. Benefit of the data controller;
legitimate, effective, specific and effective at a level that can compete with the fundamental rights and freedoms of the person concerned.
must relate to an already existing interest.
In this context, among the issues to be evaluated first; data
the legitimate interest of the person concerned, the personal rights and freedoms of the person concerned.
The effect of the processing of the data differs according to the situation and the nature of the event.
balances (evaluation of the prevailing interest and right)
exists.
It should also be noted that; legitimate interest condition, other situations in the article
is not applicable, it is not a last resort in terms of data processing.
regarding the processing of all personal data and
Nor is it a regulation that will make the activities lawful.

Page 80
80

G. SPECIAL QUALIFIED PERSONAL DATA
PROCESSING CONDITIONS
Personal data of special nature, if it is learned, may cause the person concerned to be victimized or
data that may cause discrimination. Therefore other
They need to be protected much more strictly than personal data.
The law attaches special importance to these data and a different regulation regarding these data
brings. The law considers them as sensitive personal data or sensitive data.
is doing. Personal data of special nature, with the express consent of the person concerned, or as specified in the Law.
can be processed in limited situations.
The law also makes a distinction between special categories of personal data. Accordingly, health and
processing of personal data related to sexual life and other special categories of personal data
The cases where data can be processed without express consent are regulated differently.
In the law, special categories of personal data are determined by limited counting. These; of persons
race, ethnicity, political opinion, philosophical belief, religion, sect or other belief, disguise
and clothing, association, foundation or union membership, health, sexual life, criminal conviction
and security measures, as well as biometric and genetic data. special qualification
Personal data cannot be extended by comparison.
It should be noted that as with all fundamental rights and freedoms, personal
Data protection is not absolute, as with other rights and freedoms.
can be limited. This restriction is in accordance with the principles set forth in Article 13 of the Constitution.
should be performed as Therefore, special categories of personal data
the exact conditions and conditions under which the processing can be carried out

Page 81
81

It is stipulated in the law. As a matter of fact, the right to life, freedom of expression, freedom of communication
use of many fundamental rights and freedoms such as
makes it mandatory. In this regard, the processing of sensitive personal data is an absolute
cannot be considered prohibited.
According to the law, special categories of personal data can be processed in case of explicit consent. Also, according to the law,
without the express consent of the data subject;
• Special categories of personal data other than health and sexual life, but only in accordance with the law.
where foreseen,
• Personal data on health and sexual life, but protection of public health,
preventive medicine, medical diagnosis, treatment and care services, health
secrecy for the purpose of planning and managing its services and financing
by persons or authorized institutions and organizations under the obligation
processing is possible.
In addition, in the Law, in terms of the processing of personal data of special nature, the Board
required to take adequate measures.
NOTE: Regarding this issue, “In the Processing of Special Quality Personal Data, Data Controllers
2018/10 of the Personal Data Protection Board regarding the “Adequate Measures to be Taken”
Decision No.
In addition, “Health data is subject to one of the processing conditions in Article 6 of the Law.
About the data controller who transfers it to a third party without relying on "Personal Data Protection"
The Summary of Decision No. 2018/143 of the Board of Directors can also be examined.

Page 82
82

Table-2 contains the processing conditions for special categories of personal data.
Processing Conditions

Scope

Sample

Explicit Consent of the Relevant Person
The explicit consent of the person concerned
Within
has been
the scope
obtained.
of clinical trials
to be
obtaining the consent of the persons concerned.

Provision of Law

Other than health and sexual life
personal data of the person concerned
may be processed without consent.
Tax Laws, Labor Law, Turkish
Commercial Law etc. tighter
sensitive data processing conditions.

Employee's union information
as per the legislation in the personnel file
keeping.

Protection of public health,
preventive medicine, medical
diagnosis, treatment and care
execution of services
with health services
planning, management and
financing

Protection of public health,
About the doctor's patient
preventive medicine, medical diagnosis, the health data it processes.
treatment and care services
health with the
planning services,
for the management and financing of
under the obligation of secrecy
persons or authorized bodies
and processing by organizations

Table-2: Processing Conditions of Special Quality Personal Data

Page 83
83

H. DELETING PERSONAL DATA, NO
DECLARE OR ANONYMOUSLY
In Article 7 of the Law, deletion, destruction and anonymization of personal data are also provided.
brought has been arranged. Accordingly, personal data has been processed in accordance with the law.
However, in case the reasons requiring its processing disappear,
data is deleted or destroyed by the data controller ex officio or upon the request of the data subject.
or anonymized.
According to this;
• Changing the provisions of the relevant legislation, which is the basis for processing personal data
or repeal,
• The fact that the contract between the parties has never been established means that the contract is valid.
non-existence of the contract, expiration of the contract, termination of the contract or
withdrawal from the contract,
• The disappearance of the purpose that requires the processing of personal data,
• It is determined that the processing of personal data is against the law or the rule of good faith.
to be made,
• In cases where the processing of personal data takes place only on the basis of explicit consent,
the person concerned withdraws their consent,

Page 84
84

• Rights of the person concerned in subparagraphs (e) and (f) of paragraph 1 of Article 11 of the Law
within the framework of the personal data processing activity,
accepted by the responsible
• Deletion or destruction of personal data of the data controller by the person concerned
rejecting the application made to him with the request of
or in case of not responding within the time stipulated in the Law; Complain to the board
and this request is approved by the Board,
• Although the maximum period for keeping personal data has passed,
there are no conditions to justify keeping personal data for a longer period of time.
absence,
• The conditions that require the processing of personal data in Articles 5 and 6 of the Law.
disappearance
In such cases, personal data must be deleted, destroyed or anonymized.
Deleting personal data in cases where the reasons that require processing are eliminated,
It is the responsibility of the data controller to make it anonymous or to make it anonymous. Its
The application of the person concerned is not required. However, the breach of the data controller
request the deletion or destruction of the personal data of the person concerned, in case of
has the right.
On the other hand, Deletion, Destruction or Anonymization of Personal Data
Prepared a personal data storage and destruction policy within the framework of the Regulation on
deletion, destruction or anonymization of personal data
In the first periodic destruction process following the date on which the liability arises, personal
deletes, destroys or anonymizes data.

Page 85
85

NOTE: "Personal Information" prepared by the Board and published on the Institution's website.
In the Guide for Deletion, Destruction or Anonymization of Data, personal
deletion and destruction methods, taking into account the environment in which the data is processed and located
The methods of anonymization and the deterioration of anonymity are explained separately.
explained in detail with application examples.
In addition, the "Personal data in the registry files,
not to be destroyed, due to the fact that the reasons requiring their processing do not disappear
Summary of Decision No. 2018/69” should also be taken into account.
Also; Personal data processed before the publication date of the Law
within two years from the date of this Law, it is brought into compliance with the provisions of the Law.
Personal data that are found to be in violation are immediately deleted, destroyed or anonymized.
Deletion of personal data, personal data is in no way accessible to the relevant users

and making it unusable again. Deletion, Destruction of Personal Data
or the relevant user in article 4 of the Regulation on Anonymization;
“ Responsible for technical storage, protection and backup of data ”
within the organization of the data controller, or with the exception of the person or unit.
Persons who process personal data in line with the authority and instruction received from the person responsible for
has been defined. Data controller, deleted personal data is inaccessible to relevant users
and to take all kinds of technical and administrative measures necessary to ensure that it is not reusable.
liable.
Destruction of personal data, personal data by no one in any way
It is the process of making it inaccessible, irrecoverable and unusable. Data
responsible for all necessary technical and administrative measures regarding the destruction of personal data.
liable to take.

Page 86
86

Anonymization of personal data, even if personal data is matched with other data
cannot be associated with an identified or identifiable natural person in any way.
is to be made. In order for personal data to be anonymized; personal data,
return and return of data by the data controller, recipients or groups of recipients.
appropriate in terms of the recording medium and the relevant field of activity, such as matching with other data.
with an identified or identifiable natural person, even through the use of techniques
must be made unrelated. Data controller, anonymizing personal data
responsible for taking all necessary technical and administrative measures.
It should be noted that in case the reasons requiring processing disappear
deletion, destruction or anonymization of personal data, personal data
It is a natural consequence of the general principles that govern its processing. mentioned above
Personal data can only be processed as stipulated in the relevant legislation or in Article 4 of the Law.
It is envisaged that they can be stored for as long as necessary for the purpose for which they are processed.
When there is no longer any legitimate purpose for the preservation of personal data,
deletion, destruction or anonymization is a must.
In the second paragraph of Article 7 of the Law, the deletion, destruction or
Reserving the provisions in other laws regarding anonymization
foreseen. In this context, for example, deletion of data in the Judicial Registry Law or
Provisions regulating the destruction will be applied with priority according to the Law.

Page 87
87

I. TRANSFERRING PERSONAL DATA
The transfer of personal data is handled under two headings in the Law. 8 of the Law.
Provisions regarding the transfer of personal data within the country in Article 9,
The provisions regarding the transfer of personal data abroad are included. Stated
Within the scope of the articles, there are both personal and special categories of personal data.
Pursuant to the regulations in the law, the data must be processed in accordance with the law.
In order to be transferred, the conditions in the specified articles must be fulfilled.
must.

1. Domestic Transfer of Personal Data
Personal data obtained for processing within the framework of the general principles specified in the law.
In accordance with the provisions of Article 8, the data is transferred to the dormitory by obtaining the explicit consent of the person concerned
It is stipulated that it can be transferred to third parties. law, personal data
It seeks the same conditions in terms of processing and transferring these data domestically.
In this article, personal data cannot be transferred to third parties without seeking the explicit consent of the person concerned.
conditions under which it can be transferred.
On the other hand, the processing of personal data in accordance with the law in the country
It does not mean that it can be transmitted directly. So, 5th and 6th for transfer.
The conditions in the article should also be sought.

Page 88
88

In this context, the presence of one of the following situations for the transfer of personal data
required:
• Obtaining the explicit consent of the person concerned,
• It is clearly stipulated in the laws,
• Those who are unable to express their consent due to actual impossibility or
the life of the person or another person whose legal validity is not recognized, or
necessary for the preservation of bodily integrity,
• Provided that it is directly related to the establishment or performance of a contract,
It is necessary to process the personal data of the parties to the contract,
• It is mandatory for the data controller to fulfill its legal obligation,
• The person concerned has been made public by himself,
• Data processing is mandatory for the establishment, exercise or protection of a right,
• Provided that it does not harm the fundamental rights and freedoms of the data subject, the data controller
Data processing is mandatory for legitimate interests
In order to transfer special categories of personal data within the country; of the following
one has to be found.
• In case of obtaining the explicit consent of the person concerned,
• In terms of special quality personal data other than health and sexual life, the laws
if foreseen,

Page 89
89

• In terms of personal data on health and sexual life, public health
protection, preventive medicine, medical diagnosis, treatment and care services,
secrecy for the planning and management of health services and its financing.
by persons or authorized institutions and organizations under its obligation;
It is possible to transfer it to third parties. On the other hand, special categories of personal data
In cases other than express consent, adequate measures are taken by the data controller.
must have been taken.
NOTE: About these measures, “Data in the Processing of Special Categories of Personal Data”
Protection of Personal Data regarding “Adequate Precautions to be Taken by Those Responsible”
Information can be obtained by examining the Decision of the Board of Directors dated 31/01/2018 and numbered 2018/10.
In addition, in the Law, the transfer of personal data within the country is specified in other laws.
it is stated that the provisions are reserved.
Contrary to the fact that personal data can only belong to real persons, the "data controller"
and “data processor” can be both natural and legal persons. on personal data
any natural or legal person performing the transaction, the purpose of data processing and
According to its methods, it is either a data controller or a data processor.
Some of the issues that may arise regarding data transfer in the country are as follows:
Data transfer that takes place within the body of a legal entity with the title of data controller,
It cannot be considered as a transfer within the framework of Article 8 of the Law. Legal entity
Handling of data between employees or different units operating within
change is not considered a transfer in this sense.

Page 90
90

Data transfer between different companies under a group of companies
The realization of this means data transfer within the scope of Article 8 of the Law.
is coming. Sharing data between different units within a legal entity
on the contrary, data between different legal entities within the same group of companies.
Data transfer will be considered as data transfer within the scope of Article 8.
between public institutions and organizations and/or public institutions and organizations
Data transfers between individuals and private law legal entities are also covered by the Law.
It will be evaluated within the scope of Article 8. Public institutions and organizations
within the framework of the duties and authorities given to them by both public institutions and
collects various personal data from private law persons. In this context, carried out
data transfers fall within the scope of application of Article 8 of the Law. For example,
assessing suitability for staff, carrying out appointments, or
such as retirement transactions.

2. Transfer of Personal Data Abroad
a. Data Transfer Abroad
Data transfer abroad according to Article 9 of the Law;
• Having the explicit consent of the person concerned,
• Countries with adequate protection (countries deemed safe by the Board)
the existence of the situations specified in the Law (with the 2nd paragraph of Article 5 of the Law)
Conditions referred to in paragraph 3 of article 6),

Page 91
91

• If it will be done in countries where there is no adequate protection, the situations specified in the Law
existence of the law (specified in paragraph 2 of article 5 and paragraph 3 of article 6 of the Law)
conditions) Adequate protection by data controllers in Turkey and in the relevant foreign country.
to be committed in writing and to have the permission of the Board,
cases can be performed.
NOTE: Signed by data controllers and approved by the Board for data transfer abroad.
“Legislation” at www.kvkk.gov.tr ​for the undertakings that must be submitted.
It can be accessed under the heading “Commitments” in the section.
In terms of processing personal data and transferring these data abroad, the law
seeking the same conditions. In addition, additional measures are taken in the transfer of personal data abroad.
foreseen to be taken.
Transfer of personal data abroad in case of explicit consent of the person concerned
possible. In cases other than express consent, the Law does not allow personal data to be exported abroad.
transfer, whether there is adequate protection in the country to which the transfer is to be made.
brought different provisions.
Availability of adequate protection
Personal data;
• It is clearly stipulated in the laws,
• Those who are unable to express their consent due to actual impossibility or
the life of the person or another person whose legal validity is not recognized, or
necessary for the preservation of bodily integrity,

Page 92
92

• Provided that it is directly related to the establishment or performance of a contract,
It is necessary to process the personal data of the parties to the contract,
• It is mandatory for the data controller to fulfill its legal obligation,
• The person concerned has been made public by himself,
• Data processing is mandatory for the establishment, exercise or protection of a right,
• Provided that it does not harm the fundamental rights and freedoms of the data subject, the data controller
Data processing is mandatory for legitimate interests
can be transferred abroad.
Special categories of personal data;
Except for health and sexual life, if adequate protection is available in the country of transfer.
Personal data may be transferred abroad, provided that it is stipulated by law.
Personal data on health and sexual life of individuals in countries with adequate protection
public health protection, preventive medicine, medical diagnosis, treatment and care.
planning and management of health services and financing
for the purpose of keeping secrets, persons or authorized institutions and
It can be transferred abroad by institutions without seeking the explicit consent of the person concerned.
Countries with adequate protection will be announced by the Board.
Lack of adequate protection
• For personal data, in paragraph 2 of Article 5 of the Law, for special categories of personal data
The realization of one of the conditions specified in paragraph 3 of Article 6 of the Law,

Page 93
93

• Data controllers in Turkey and in the relevant foreign country must provide an adequate protection in writing.
their commitment,
• Having the permission of the board
can be transferred abroad.

b. Determination of Countries with Sufficient Protection and by the Board
To be taken into account in the permissions to be given for data transfer abroad
considerations
Whether there is sufficient protection in the relevant country for the transfer of personal data abroad.
In case of lack of adequate protection, in Turkey and the relevant
data controllers in a foreign country undertake in writing to an adequate protection
the Board to transfer personal data abroad, provided that;
• International conventions to which Turkey is a party,
• Reciprocity regarding data transfer between the country requesting personal data and Turkey
status,
• Regarding each concrete personal data transfer, the nature of the personal data and its processing
purpose and duration,
• The relevant legislation and practice of the country to which personal data will be transferred,
• Committed by the data controller in the country to which the personal data will be transferred.
measures

Page 94
94

to evaluate and, if needed, the opinion of the relevant institutions and organizations.
takes decision. In addition, without prejudice to the provisions of international conventions,
In cases where the interests of Turkey or the person concerned would be seriously harmed,
Personal data can only be obtained with the permission of the Board by taking the opinion of the relevant public institution or organization.
transfer abroad.
Regarding the subject, "Publications" on the website of the Institution, www.kvkk.gov.tr
From the "Guides" step in the "Transferring Personal Data Abroad" guide
accessible.
Provisions in other laws regarding the transfer of personal data abroad are reserved.

Page 95
95

J. RIGHTS UNDER LAW AND
OBLIGATIONS
1. Obligations of the Data Controller

In the 3rd article of the Law, the data controller states “the purposes and means of processing personal data.
who are responsible for the establishment and management of the data recording system
or legal person” .
The data controller can process personal data personally or perform data processing.
may also authorize a third party. Based on the authority given by the data controller
such natural or legal persons who process personal data on his behalf,
It is named as "data processor" in subparagraph (ğ) of paragraph 1. Personal data in the law
Some obligations regarding the protection of data also apply to data processors together with data controllers.
has been brought.
Although the data controller has many obligations under the law,
Some of these are detailed below:

Page 96
96

a. Lighting Obligation
The legislator will inform the persons whose personal data are processed, by whom and by which
For purposes and legal reasons, it can be processed, to whom it can be transferred, for what purposes.
grants the right to obtain information about the issue and informs the data controller about these issues.
covered under the obligation. Accordingly, the data controller is subject to Article 10 of the Law.
personally or authorized by him during the acquisition of personal data within the framework of Article
It is obliged to provide the following information to the relevant person through the person concerned:
• Identity of the data controller and its representative, if any,
• For what purpose personal data will be processed,
• To whom and for what purpose personal data can be transferred,
• Method and legal reason for collecting personal data,
• Other rights listed in Article 11.
On the other hand, published in the Official Gazette dated 10.03.2018 by our Institution.
“About the Procedures and Principles to be Followed in the Fulfillment of the Illumination Obligation
With the Communiqué, data controllers must comply with the obligation to inform.
Regulations have been made on the procedures and principles, and the information is provided by the data controllers.
These issues will need to be taken into account when fulfilling the obligation.
NOTE: To the data controllers regarding the fulfillment of the disclosure obligation.
“Lighting” in order to guide and show good practice examples.
Fulfilling its Obligation Guide” has been prepared and this guide is
“Guides” in the “Publications” section of the website www.kvkk.gov.tr
available at step.

Page 97
97

The data processing activity is dependent on the express consent of the person concerned or the activity is in accordance with the Law.
in cases where it is carried out within the scope of another condition, the data controller
The obligation to inform continues. That is, the person concerned, whose personal data is processed and
It should be clarified in every case that the purpose of personal data processing changes.
Clarification in case of obligation to register in the Data Controllers Registry
The information to be given to the person concerned within the framework of the obligation is compatible with the information disclosed in the Registry.
should be. The fulfillment of the obligation to inform depends on the request of the person concerned.
is not. The obligation to inform can be fulfilled with a unilateral declaration. Lighting
The proof of fulfillment of the obligation belongs to the data controller.

b. Obligations Regarding Data Security
According to Article 12 of the Law on data security, the data controller;
• To prevent the unlawful processing of personal data,
• To prevent unlawful access to personal data,
• To ensure the protection of personal data,
responsible for.
In order to fulfill these obligations of the data controller, the appropriate security level
must take all necessary technical and administrative measures to ensure

Page 98
98

NOTE: Data on technical and administrative measures that data controllers should take
“Personal Data Security Guide” has been prepared in order to guide those responsible.
and "Publications" on the website of the Institution, www.kvkk.gov.tr
It can be accessed from the "Guides" step in the
In addition, regulatory action to determine data security obligations
is among the powers and duties of the Board. However, the Board
personal data processed on a sectoral basis, based on the minimum criteria to be determined by
Depending on the nature of the data, additional measures may be taken.
In the continuation of the article, the data controller, personal data on behalf of another fact
or legal person, taking the measures specified in the first paragraph
It is stated that he is jointly responsible with these persons in this regard. Hence
Data processors are also obliged to take measures to ensure data security.
Accordingly, for example, records relating to the company of the data controller are
the measures specified in the first paragraph regarding the processing of data.
jointly responsible with the data controller accounting company
will be.
In the law, there is also an audit obligation to the data controller regarding data security.
has been brought. Data controller, in his/her own institution or organization, in accordance with the provisions of this Law.
To make or have the necessary inspections made in order to ensure the implementation of
has to. The law states that the audit should be done by the data controller.
foresees. The data controller can perform this control himself or
It can also be done through a third party.

Page 99
99

On the other hand, data controllers and data processors can not use the personal data they learn in accordance with this Law.
They cannot disclose it to others in violation of its provisions and cannot use it for purposes other than processing.
This obligation continues even after they leave office.
Finally, the personal data being processed is obtained by others through unlawful means.
In case of a request, the data controller informs the relevant person and the Board as soon as possible.
If necessary, the Board may report this situation on its website or as it deems appropriate.
You can declare it in another way.
NOTE: Regarding the data breach notifications, the Personal Data Protection Board's 24.01.2019
in its Decision dated and numbered 2019/10; Notification to the board and to persons affected by the breach
The purpose of doing so is to determine the negative effects that may arise about these persons due to the violation.
that will allow the consequences to be prevented or minimized as soon as possible.
indicated that measures should be taken.
In addition, the European Union, which constitutes the source of the Law No. 6698, has no. 95/46/EC.
Data breach notifications are also available in the European General Data Protection Regulation, which repealed the Directive.
Considering that there are detailed regulations on the contrary to the Directive regarding the
There is no room for any inconsistency between the decisions to be taken by the Board on this issue.
In order not to be given and to ensure a standardization in practice; 12 of the Law.
The fifth paragraph of the article "Personal data processed by others by unlawful means.
If it is obtained by the data controller, the data controller shall inform the relevant person as soon as possible.
and reports to the Board…” The expression "as soon as possible" in the provision is 72 hours.
interpretation and in this context, from the date the data controller learns about this situation.
It is decided to notify the Board without delay and within 72 hours at the latest.
specified.

Page 100
one hundred

The structure, activities and activities of each data controller regarding the measures to be taken regarding data security.
and must be appropriate to the risks to which it is subject. Therefore, regarding data security
A single model cannot be predicted. The size of the company in determining appropriate measures
or financial balance sheet, as well as the work of the data controller and the protected personal data.
The quality is also important. For example, small-scale but sensitive personal data processors
The data controller should take higher standards of protection.

c. Answering the Applications Made by Relevant Persons and the Board
Obligation to Fulfill Decisions
In the Official Gazette dated 10.03.2018, pursuant to the 13th article of the Law and this article
According to the Communiqué on the Procedures and Principles of Application to the Data Controller, published
responsible persons, in writing by the relevant persons or registered in the said Communiqué.
by electronic mail (KEP) address, secure electronic signature, mobile signature or the person concerned.
previously notified to the data controller and registered in the data controller's system.
developed by using the e-mail address or for the purpose of application.
applications made through a software or application as soon as possible according to their qualifications.
and it must be concluded free of charge within thirty days at the latest.
However, if the process requires a separate cost, the data controller, determined by the Board,
may request the fees in the tariff from the applicant.
If the data controller accepts the request or rejects it by explaining its reason,
notifies the person concerned in writing or electronically. Acceptance of the request in the application
In case of a request, the data controller fulfills this request. your application
In the event that it is caused by the fault of the data controller, the fee collected is returned to the relevant person.

Page 101
101

If the application is rejected, the answer given is insufficient, or the application is not submitted on time.
in case of no response; from the date on which the data subject learns the reply of the data controller.
complaints to the Board within thirty days from the date of application and in any case within sixty days from the date of application.
can be found.
The Board, upon complaint or ex officio if it learns about the alleged violation,
If it detects the existence of a violation as a result of the examination to be made on the matters within the scope of
Deciding that the violations will be corrected by the data controller, and notifying the relevant parties of the decision.
it does. The data controller shall make this decision without delay and at the latest thirty days from the date of notification.
It has to be done within the day.

D. Obligation to Register with the Data Controllers Registry
According to Article 16 of the Law, under the supervision of the Personal Data Protection Board, the Presidency
The Data Controllers Registry is kept open to the public. According to this article, personal
natural and legal persons who process the data, to register in the Registry before starting the data processing.
has to.
However, in the second paragraph of Article 16 of the Law, the nature, number, data

by the Board, such as the processing arising from the law or transferring it to third parties.
Data Controllers by the Board, taking into account the objective criteria to be determined.
It is stated that exceptions can be made to the registration requirement.
Based on this provision, the said criteria were determined by the Board and dated 30.12.2017
These criteria are included in the Regulation on the Data Controllers Registry published in the Official Gazette.
counted. Said criteria:
a) The nature of the personal data.

Page 102
102

b) Number of personal data.
c) Purpose of processing personal data.
ç) Field of activity in which personal data is processed.
d) Transfer of personal data to third parties.
e) The fact that the personal data processing activity originates from the law.
f) The period of retention of personal data.
g) The data subject group or categories of data.
ğ) Data controller's annual number of employees or annual financial balance sheet total information.

to. Notification Obligation
Another obligation of the data controller is that the processed personal data is illegal.
in case it is obtained by others by other means, this situation is reported to the relevant person as soon as possible and
reporting to the board. If necessary, the Board may report this situation on its website or
may declare it by any other method it deems appropriate.

NOTE: In the Decision of the Personal Data Protection Board dated 24.01.2019 and numbered 2019/10;
In the fifth paragraph of Article 12 of the Law, “Personal data processed is illegal.
In the event that it is obtained by others by means of other means, the data controller shall notify this situation as soon as possible.
notifies the relevant person and the Board in due time…” 72 of the expression “as soon as possible” in the provision
be interpreted as a clock and in this context, the data controller learns about this situation.
It is decided to notify the Board without delay and within 72 hours at the latest from the date of
specified.

Page 103
103

2. Rights of the Relevant Person
Within the framework of Article 11 of the Law, the data subject can always apply to the data controller.
about himself;
• Learning whether personal data is processed or not,
• If personal data has been processed, requesting information about it,
• The purpose of processing personal data and whether they are used in accordance with their purpose
learning not to use
• Knowing the third parties to whom personal data is transferred in the country or abroad,
• Correction of personal data in case of incomplete or incorrect processing.
don't want,
• Requesting the deletion or destruction of personal data,
• Transactions regarding the correction, deletion or destruction of personal data
requesting the notification of the third parties to whom the data has been transferred,
• By analyzing the processed data exclusively through automated systems
objecting to the emergence of a result against the person himself,
• In case of loss due to unlawful processing of personal data
to demand compensation for the damage,
has rights.

Page 104
104

3. Methods of Claiming Rights of the Related Person
The Law allows the persons concerned to submit their requests regarding the implementation of the Law and to
brings a number of legal remedies to protect their rights regarding their data.
Thus, in order to exercise their rights regarding the protection of their personal data,
In addition to applying directly to the judiciary, other legal remedies brought by the Law
methods can also be used. The first of the methods of claiming rights brought by the law
It is the method of application to the data controller regulated in Article 13. The second is the 14th and 15th.
Complaint to the Personal Data Protection Board regulated in the articles.

a. Application to Data Controller
According to Article 11 of the Law, by applying to the data controller; with themselves
to learn whether the relevant personal data is processed, and if so, information about them
to request, if the content of the data is incomplete or inaccurate, to correct them,
if it is against the law, it will be deleted, destroyed and made accordingly.
informing the third parties to whom the data has been disclosed, and that the data is illegal.
have the right to demand the compensation of their damages due to the processing of
The law provides a gradual application for applications within the scope of protection of personal data.
prescribed procedure. In order for the persons concerned to exercise their rights, they must first
It is obligatory to apply to the data controller. Before this method is exhausted, a complaint will be made to the Board.
cannot go.
Depending on the nature of the request, as soon as possible and within 30 days at the latest.
must be answered by the data controller. Application rejected

Page 105
105

or who finds the answer insufficient, or whose application is not answered in due time.
individuals will be able to use their right to complain to the Board.
In the law, the compensation rights of the persons whose personal rights are violated according to the general provisions
has been reserved. It is obligatory to go to the remedy, and optional to go to the complaint.
on the one hand, of the person whose application has been rejected indirectly or explicitly because
Being able to make a complaint to the Board, on the other hand, to go directly to the judiciary
will be possible. However, at this point, it should be noted that the rights violations of the persons concerned
any obstacle preventing them from applying directly to the judicial organs for
not available. In other words, before the matter is referred to the court,
There is no obligation to apply to the data controller. directly to the data controller
It is an obligation that must be complied with before the matter is submitted to the Board.
NOTE: Prepared by the Board pursuant to Article 13 of the Law, on 10.03.2018
“Application Procedures and Principles to the Data Controller” published in the Official Gazette dated
Detailed information on the subject can be obtained by examining the “Communiqué on the subject”.

a.1. Rules Regarding Application and Response Method
There are two basic provisions in the Law on the form of applications to be made to the data controller.
exists. The first of these is the written application. Written application, in accordance with general provisions
means an application made with a document containing a wet signature. In addition
Documents signed with a secure electronic signature will also meet the written form requirement.
Regarding the determination of other application methods other than written application
The law authorizes the Personal Data Protection Board. Accordingly, the Board
Application Procedure to the Data Controller published in the Official Gazette dated 10.03.2018

Page 106
106

With the Communiqué on its Principles and Principles, the method of applications to be made to the data controller
determined. Accordingly, data controllers may be informed in writing or by the relevant persons.
The registered electronic mail (KEP) address included in the subject Notification, secure electronic signature,
previously notified to the data controller by the mobile signature or the data subject and the data
by using the e-mail address registered in the system of the responsible person.
or by means of a software or application developed for application purposes.
according to their qualifications, as soon as possible and within thirty days at the latest, free of charge.
should finalize.
As a rule, the data controller is responsible for responding to the requests addressed to him as soon as possible.
has to. However, this period is limited to a maximum of 30 days.
The data controller can accept the requests made to him or give the reason.
may refuse to explain. By requiring the refusal to be justified,
It is aimed to protect the rights of the persons concerned more effectively. reasoned refusal decision
must be written, there must be a legal document regarding the rejection decisions of data controllers.
requires justification.
If the data controller accepts the request addressed to him, he shall fulfill the requirements of the request.
directly and promptly. Despite the request being granted,
If the requirements are not fulfilled, the data controller rejects the request.
must assume. Because the Law only requires the data controller to apply to the data subject.
refusal, insufficient response, or failure to respond in a timely manner.
gives the person the right to apply to the Board in cases of In this case, the person concerned
It is an important issue in terms of enabling the board to file a complaint.
The law allows the data controller to notify his decision regarding the applications made to him.
Written notification or electronic notification about the method to be followed

Page 107
107

included its provisions. Therefore, by the person concerned, the data controller is required in writing.
as a data controller or when applied by other methods determined by the Board.
gives the answer through the method applied by the person concerned.
In case the data controller to whom the application is made is a public institution or organization
should be given special attention. Because public institutions and organizations will
notifications are regulated by the Notification Law No. 7201. Notification Law
Considering that it allows electronic notification, public institutions and organizations
in both written and electronic environment, by complying with the relevant legislation.
notification will be possible.

a.2. Rules Regarding Cost of Application to Data Controller
Pursuant to Article 13 of the Law, the requests of the data controllers by the data subjects
Although it is determined that it must be met free of charge, the process to be done will also be
determining the fee that can be charged by data controllers if it requires a cost
Personal Data Protection Board has been authorized in this regard.
Based on this, prepared by the Board and published in the Official Gazette dated 10.03.2018
With the Communiqué on the Procedures and Principles of Application to the Data Controller; to the application of the person concerned
If a written answer is given, up to 10 pages will not be charged.
1 Turkish Lira transaction fee may be charged for each page on the page, the answer to the application is CD,
If it is given in a recording medium such as flash memory, it is requested by the data controller.
It has been determined that the fee to be charged cannot exceed the cost of the recording medium in question.
The request of the relevant person regarding the implementation of the Law on the Protection of Personal Data
If the data controller is at fault on the subject matter, the fee will be returned to the relevant person.
required.

Page 108
108

b. Complaint
If the application to the data controller is rejected, the answer given is insufficient or
Persons whose applications are not answered will be able to use their right to complain to the Board.

b.1. Investigation of the Personal Data Protection Board
According to Article 15 of the Law, the Board's authority to make an examination in case of violation
exists. The Board may exercise this authority upon complaint or ex officio.
Ex officio Investigation: The Board is authorized ex officio to initiate an investigation,
Acting spontaneously in the event of a violation of which the Board is aware
means you can initiate an investigation. In other words, the Board's review
There is no need to make a complaint to him in order to initiate it. This situation is related
the fact that people do not complain and even do not know about the relevant violation.
However, it ensures that the Board can prevent violations of rights. Therefore, relevant
rights of individuals can be protected more effectively. Board to initiate an investigation
Another consequence of being authorized ex officio is to evaluate the notices received and
has the authority to initiate an investigation, if necessary.
Investigation on Complaint: First of all, the data for the relevant persons to exercise their rights
It is obligatory for them to contact their supervisor. If the data controller rejects this application,
If the answer given is insufficient or does not respond in time, the person concerned
The right to file a complaint with the Board on the issue arises. with a complaint
The issue is brought to the Board and a decision is made as a result of the Board's examination.

Page 109
109

b.2. Requirements for Notifications and Complaints to the Board
Conditions
In order for the notices and complaints to be made to the Board to be processed, Petition No. 3071
In accordance with the provisions specified in Article 6 of the Law on the Use of the Right
should be presented as The first of the conditions specified within the scope of the aforementioned article,
The petition to be submitted contains a specific subject.
The second condition is that the petition is not related to the matters falling within the jurisdiction of the judicial authorities.
For example, requesting the data controller to rectify the damage suffered by the data subject.
right, as per subparagraph (ğ) of paragraph 1 of Article 11 of the Law,
If the person in charge does not fulfill this request, the person concerned shall file a complaint with the Board.
may also be present. In addition, for the compensation of the damages of the person concerned,
It is also possible to apply to the judicial authorities within the framework of general provisions. According to this,
Petitions containing requests concerning the Turkish Penal Code, jurisdiction of judicial authorities
Therefore, it will not be evaluated by the Authority within the scope of this article.
The last condition to be complied with in complaint or notice petitions is that these petitions
the owner's name-surname, signature and work or residence addresses. Hence
It will not be possible to report or complain anonymously to the Board .
Without applying to the data controller to exercise the rights of the persons concerned
It is not possible to make a complaint. Therefore, it is a prerequisite to make a complaint to the Board.
One of the conditions is accepted as making an application to the data controller.

Page 110
110

In order to make a complaint after applying to the data controller, the data subject has a certain period of time.
must comply with its limitations. Accordingly, the person concerned shall reply to the data controller.
may file a complaint with the Board within thirty days from the date of learning. Each
In this case, within sixty days from the date of application to the data controller, the data subject
It is possible to file a complaint with the Board.

b.3. Authority and Obligations of the Board Regarding the Review Process
While examining the requests received by the Board, all necessary information and information from the data controllers
has the power to request documents. The board also conducts on-site inspections.
also has authority. In this context, on-site inspection of data controllers
and to enable the requested information and documents to be made within fifteen days.
They have obligations to submit to the Board.
An exception in the law regarding the obligation of data controllers to submit information and documents
has been brought. Accordingly, the data controller of the information and documents qualified as state secrets
It is not allowed to be submitted by the Board.
Another authority granted to the Board by the Law is that before the review process is concluded.
the occurrence of irreparable or impossible damages beforehand and clearly unlawful
In the event of a decision to stop the data processing or the transfer of data abroad,
is to be given. Thanks to this authority, which is similar to the interim injunction institution in the judicial organs,
It will be possible to prevent possible damages and violations of rights quickly.
It is foreseen that the Board will give a reply to the person concerned within sixty days. if
If the Board does not respond to the applicant during that period, the request is denied.

Page 111
111

will be counted. The mentioned sixty-day time limit is limited to the information received from the relevant persons to the Board.
applied to requests. Any period in the investigations initiated by the Board ex officio
No limitation is foreseen.

b.4. Finalization of the Review of the Board
The Board may make a decision upon a complaint or as a result of the investigation initiated ex officio.
However, if no response is received within sixty days from the date of the complaint, the claim
is deemed rejected. As a result of its examination, the Board decided to protect personal data.
if he concludes that his right has been violated,
will decide to have it removed by the responsible person and will notify the parties of this decision.
The requirements of such a decision shall be fulfilled without delay and at the latest from the date of notification of the decision.
must be fulfilled within thirty days.
As a result of the examination to be made by the Board, it also has the authority to make a policy decision
exists. Policy decisions are made if it is determined that the violation under investigation is widespread.
received and published. The principle decisions reflect the Board's approach to the event subject to the decision.
and for all concerned, as it will demonstrate its stance on subsequent investigations and complaints.
They are extremely important legal texts to comply with. In addition, policy decisions
In terms of the uniformization of the implementation of the legislation on the protection of
is of utmost importance. Because different interpretations of the legislation thanks to the principle decisions
and different applications arising from them will be prevented.

Page 112
112

4. Obligations of the Data Processor
Data processor; personal data on behalf of the data controller based on the authority given by him.
means the real or legal person who operates. These persons are the data controller's service
is a separate natural or legal person determined by purchasing. any fact
or the legal entity can be both a data controller and a data processor at the same time.
Processing personal data based on the authority of the data controller and on behalf of him.
to prevent the unlawful processing of personal data,
to prevent unlawful access to personal data and to protect personal data
all necessary measures to ensure the appropriate level of security in order to ensure
together with the data controller, who processes the data, in order to take technical and administrative measures.
jointly responsible.
In addition, data processors may not use the personal data they learn in violation of the provisions of the Law.
is under the obligation not to disclose it to anyone else and not to use it for purposes other than processing.
This obligation continues even after the data processor leaves his/her job.

Page 113
113

K. DATA RESPONSIBILITIES REGISTRY
According to Article 16 of the Law, it is open to the public by the Presidency under the supervision of the Board.
Data Controllers Registry must be kept. The law that processes personal data
to the Data Controllers Registry of natural and legal persons before starting data processing.
requires registration. Therefore, who are the data controllers?
the right to be disclosed to the public and the protection of personal data by this method is more effective.
intended to be used.
The procedures and principles regarding the registry are in the Regulation on the Registry of Data Controllers.
determined.

1. Characteristics of the Data Controllers Registry
The Data Controllers Registry must be kept open to the public within the scope of the Law.
The concept of publicity means that the person who wishes can examine the Registry.
is coming. The principle of publicity is important for the protection of personal data. For
the fact that data controllers are known to the public, against the rights violations of the data subjects
will allow it to be dealt with more effectively.

2. Obligation to Register in the Data Controllers Registry
and Exceptions
As a rule, all data controllers are required to register with the Data Controllers Registry.
Completion of the said registration process before starting data processing activities
must.

Page 114
114

However, in cases listed in paragraphs 1 and 2 of Article 28 of the Law,
Provisions of Article 16 regulating the obligation to register in the Data Controllers Registry
will not be applied.
In addition, making an exception to the Board and the Registry obligation in Article 16 of the Law.
authority has been given and the said criteria have been determined by the Board.
and About the Data Controllers Registry published in the Official Gazette dated 30.12.2017
These criteria are listed in the regulation.
Said criteria:
a) The nature of the personal data.
b) Number of personal data.
c) Purpose of processing personal data.
ç) Field of activity in which personal data is processed.
d) Transfer of personal data to third parties.
e) The fact that the personal data processing activity originates from the law.
f) The period of retention of personal data.
g) The data subject group or categories of data.
ğ) Data controller's annual number of employees or annual financial balance sheet total information.
In line with this provision, the Board is obliged to register to the Registry for some data controllers.
exception has been made.
NOTE: Based on the authority given by paragraph 2 of Article 16 of the Law, Personal Data
An exception has been made to the Registry obligation for some data controllers by the Protection Board.
and the Board decisions that brought the said exception Officially dated 15.05.2018 and 18.08.2018
Published in newspapers.

Page 115
115
According to Article 16 of the Law by the Personal Data Protection Board
Data controllers who are exempted from the obligation to register with the Data Controllers Registry
Board Decision
Data Controllers
Historical

Formal
in the newspaper
Release Date

Number

Part of any data logging system
one

2nd

only non-automatic
those who process personal data by means of
Operating in accordance with the Notary Law No. 1512
notaries showing

02.04.2018

2018/32

15.05.2018

02.04.2018

2018/32

15.05.2018

2018/32

15.05.2018

According to the Associations Law No. 5253
Foundations numbered 5737, one of the established associations
Foundations established according to the law and 6356
Unions and Collective Bargaining Agreement No.
unions established under the law.
02.04.2018
only in accordance with the relevant legislation and purposes,
limited to its fields of activity and only
its employees, members, members and

3

those who process personal data for their donors
4

According to the Political Parties Law No. 2820
established political parties

02.04.2018

2018/32

15.05.2018

5

In accordance with the Attorneyship Law No. 1136
lawyers operating

02.04.2018

2018/32

15.05.2018

02.04.2018

2018/32

15.05.2018

7

In accordance with the Customs Law No. 4458
Customs Brokers and
Authorized Customs Brokers

28.06.2018

2018/68

18.08.2018

8

Mediators

05.07.2018

2018/75

18.08.2018

19.07.2018

2018/87

18.08.2018

Certified Public Accountant No. 3568
Consultancy and Certified Public Accountant
Freelance operating under the law

6

Accountants and Certified Public Accountants
Financial Advisors

Annual number of employees less than 50 and annual financial
balance sheet total of less than 25 million TL
9

natural or legal person data controllers
main field of activity is personal data of special nature
non-processing

Being exempt from the obligation to register with the Data Controllers Registry, Protection of Personal Data No. 6698
NOTE It does not mean that it is an exception from the law. Data controllers who are exempt from the registration obligation
like other data controllers, must comply with the provisions of the Law No. 6698.

Page 116
116

3. Notification of Registration in the Data Controllers Registry
In the Provisional Article 1 of the Law, after the Law comes into force, data controllers
issues to be fulfilled.
In the second paragraph of the aforementioned article, “ Data controllers are the ones determined and announced by the Board.
must register with the Data Controllers Registry within the period. ” clause is included.
In this context, the starting dates for the registration obligation by the Personal Data Protection Board
and the said dates were determined by the Board on 19/07/2018 and 2018/88.
Obligation to register in the Data Controllers Registry, determined and announced by Decision No.
started
According to the Provisional Article 1 of the Law No. 6698, determined by the Personal Data Protection Board.
Dates of obligation to register in the Data Controllers Registry
Registration obligation
Data Controllers

Deadline for registration Deadline for registration
Starting date

Annual number of employees more than 50 or
annual balance sheet total of 25 million
one

01.10.2018

15 months

31.12.2019

01.10.2018

15 months

31.12.2019

01.01.2019

15 months

31.03.2020

01.04.2019

15 months

30.06.2020

Real and legal person with more than TL
data controllers
Natural and legal person residing abroad
2nd
data controllers
Annual number of employees less than 50 and annual
financial balance sheet total is 25 million TL
3

is low and its main activity is special quality.
real and legal entities that process personal data
personal data controllers
Public institutions and organizations data

4
those responsible

Page 117
117

Application to register with the Data Controllers Registry, a notification containing the following information
will be done with The information in question is:
• Identity and address information of the data controller and its representative, if any,
• For what purpose personal data will be processed,
• About the data subject group and groups and the data categories of these persons.
descriptions,
• Recipient or recipient groups to whom personal data can be transferred,
• Personal data intended to be transferred to foreign countries,
• Measures taken regarding personal data security,
• The maximum period required for the purpose for which personal data is processed.
If there is any change in the information listed above,
VERBIS within 7 days at the latest from the date of changes
must be reported to the Authority. Thus, the up-to-dateness of the Registry
targeted to be provided.
NOTE: According to the 13th article of the Regulation on the Data Controllers Registry, the data
in case of a change in the information registered in the Registry,
VERBIS changes the changes within seven days from the date of the change.
must notify the Authority.

L. PENALTY PROVISIONS
(Crimes and Misdemeanors)

Turkish Law No. 5237 in terms of crimes related to personal data in Article 17 of the Law.
While referring to the relevant articles of the Penal Code, misdemeanor in article 18
acts having the characteristic of being regulated.

Page 118
118

Accordingly, crimes and misdemeanors regarding the processing of personal data are illegal.
It can be analyzed under two headings.

1. Offenses
According to Article 17 of the Law; “(1) In terms of crimes related to personal data, 26.9.2004
The provisions of articles 135 to 140 of the Turkish Penal Code dated and 5237 are applied. (2nd)
Contrary to the provisions of Article 7 of this Law; does not delete personal data or is anonymous
Those who do not comply will be punished according to Article 138 of the Turkish Penal Code.” .
Offenses related to personal data, "Crimes Regarding Private Life and Confidential Area of ​Life" of the TCK
discussed in the section.
According to paragraph 1 of Article 135 of the TCK: “Anyone who unlawfully records personal data
anyone is sentenced to imprisonment from six months to three years” . The relevant article of the law and the TCK
any information relating to an identified or identifiable natural person
unlawful recording of personal data defined in
enough. Here, the precondition for the formation of the crime is determined as illegality.
need attention. According to the second paragraph of Article 135 of the TCK: “Personal data,
their political, philosophical or religious views, racial origins; unlawfully moral
their sexual orientation, health, or union affiliation.
the penalty to be imposed pursuant to the first paragraph shall be increased by half”.
According to Article 136 of the TCK: “ Giving personal data to another person unlawfully,
The person who spreads it or seizes it is punished with imprisonment from two to four years”.
Similar to the regulation in Article 135 of the TCK, personal data can be sent to a third party.
the precondition of illegality of the crimes of giving, spreading or seizing to a person
appears to be connected.

Page 119
119

According to Article 137 of the TCK, which regulates qualified cases: “In the above articles,
identified crimes;
a) By a public official and by misuse of his/her duty,
b) By taking advantage of the convenience provided by a certain profession and art,
If committed, the penalty to be imposed is increased by half.”
According to Article 138 of the TCK: “(1) Even though the periods determined by the laws have passed,
However, those who are responsible for destroying the data within the system fulfill their duties.
Failure to do so is punished with imprisonment from one year to two years. (2) Punishment of the subject of the crime
which must be eliminated or destroyed in accordance with the provisions of the Code of Procedure.
In case of data, the penalty to be imposed is increased by one fold.”
Complaint procedure is regulated in Article 139 of the TCK. Accordingly, personal data
recording, illegally giving or capturing data, and destroying data
The investigation and prosecution of the offenses covered in this section, with the exception of non-compliance, is subject to complaint.
it depends.
In Article 140 of the TCK, committing the crimes defined in the above articles
therefore, security measures specific to them will be imposed on legal persons.
is indicated.

Page 120
120

2. Misdemeanors
In Article 18 of the Law; “ (1) This Law;
a) Those who do not fulfill the obligation of enlightenment stipulated in Article 10
from 5,000 Turkish Liras to 100,000 Turkish Liras,
b) To fulfill the obligations regarding data security stipulated in Article 12
from 15,000 Turkish Liras to 1,000,000 Turkish Liras for those who do not bring,
c) Those who do not fulfill the decisions given by the Board in accordance with Article 15
from 25,000 Turkish Liras to 1,000,000 Turkish Liras,
ç) Obligation to register and notify in the Data Controllers Registry stipulated in Article 16
from 20,000 Turkish Liras to 1,000,000 Turkish Liras for those who act in violation,
administrative fine is imposed.
(2) Administrative fines stipulated in this article are imposed on real persons who are data controllers and private
law applies to legal persons.
(3) Public institutions and organizations and public institutions of the actions listed in the first paragraph
In case it is processed within the body of professional organizations, the Board will
Upon notification, civil servants and other public officials working in the relevant public institution and organization
about those who work in public institutions and professional organizations
Action is taken in accordance with the disciplinary provisions and the result is reported to the Board.”
provision is included. Administrative fines in paragraph 1 of the article
The figures are calculated every year in accordance with the seventh paragraph of Article 17 of the Misdemeanors Law No. 5326.

Page 121
121

increased by the revaluation rate.
Clarification in the article, ensuring data security, fulfilling the Board decisions, Data
Failure to register and notify the Responsible Persons Registry is a misdemeanor.
regulated and subject to an administrative fine to be determined by the Board.
Administrative fines, natural persons who are data controllers and legal entities of private law
about will apply. Actions regulated as misdemeanor in the article
institutions and organizations and professional organizations in the nature of public institutions
the relevant public institution and organization, upon the notification of the Board.
civil servants and other public officials and professions in the nature of a public institution
Actions will be taken against those who work in their organizations in accordance with disciplinary provisions.
To inform the Board about the results of the investigations of the relevant institutions.
has to.

Page 122
122

M. TRANSITIONAL PROVISIONS
Personal data processed before the date of publication of the law, two years from the date of publication.
shall be brought into compliance with the provisions of this Law within the year. contrary to the provisions of this Law.
The personal data detected are immediately deleted, destroyed or anonymized.
However, the consents obtained in accordance with the law before the publication date of this Law shall be valid for one year.
Unless there is a declaration of intent to the contrary, it is deemed to be in accordance with this Law.
Another issue related to compliance with the law; processed within the scope of current sectoral legislation.
is the status of the data after the entry into force of the Law. especially electronic
to the processing of personal data in force, such as the communication and finance sector.
Although there is legislation regulating the issues related to
Since it is a framework regulation for processing, sectoral regulations
It needs to be harmonized with the law.

Page 124
123

ATTACHMENTS
Page 125
125

APPENDIX-1: DELETING PERSONAL DATA,
DESTRUCTION OR ANONYMOUS
REGULATION ON IMPLEMENTATION

Page 126
126
FIRST PART
Purpose, Scope, Basis and Definitions
Goal
ARTICLE 1 – (1) The purpose of this Regulation is wholly or partially automatic or any
personal data processed by non-automatic means, provided that it is part of a data recording system.
to determine the procedures and principles regarding the deletion, destruction or anonymization.
Scope
ARTICLE 2 - (1) The provisions of this Regulation; Personal Data dated 24/3/2016 and numbered 6698
It is applied to data controllers in accordance with Article 7 of the Law on the Protection of Data.
Rest
ARTICLE 3 - (1) This Regulation is governed by the third paragraph of the 7th article of the Law No. 6698 and the 22nd
It has been prepared on the basis of subparagraph (e) of the first paragraph of the article.
Definitions
ARTICLE 4 – (1) In the implementation of this Regulation;
a) Recipient group: The natural or legal person category to which personal data is transferred by the data controller,
b) Relevant user: Responsible for technical storage, protection and backup of data
within the organization of the data controller or with the exception of the person or unit
Persons who process personal data in line with the authority and instruction received from the person responsible,
c) Destruction: Deletion, destruction or anonymization of personal data,
ç) Law: Law on Protection of Personal Data No. 6698, dated 24/3/2016,
d) Recording medium: Fully or partially automatic or any data recording system
All kinds of personal data that are processed by non-automatic means, provided that they are part of
environment,
e) Personal data processing inventory: It is carried out depending on the business processes of the data controllers.
their personal data processing activities; personal data processing purposes and legal reason, data category,
and personal data created by associating with the transferred recipient group and the data subject group.
the maximum storage period necessary for the purposes for which they are processed, their transfer to foreign countries
explaining the personal data envisaged and the measures taken regarding data security,
inventory,
f) Personal data retention and destruction policy: For the purpose for which personal data is processed, data controllers
for the deletion, destruction and anonymization process with the process of determining the maximum time required
the policy on which they are based,

Page 127
127
g) Board: Personal Data Protection Board,
ğ) Periodic destruction: Elimination of all the conditions for the processing of personal data in the law
ex officio at repetitive intervals specified in the personal data retention and destruction policy.
deletion, destruction or anonymization to be carried out,
h) Registry: The registry of data controllers kept by the Personal Data Protection Authority,
ı) Data recording system: The recording system in which personal data is processed and structured according to certain criteria,
i) Data controller: The data recording system, which determines the purposes and means of processing personal data.
means the natural or legal person responsible for its establishment and management.
(2) For definitions not included in this Regulation, the definitions in the Law are valid.
SECOND PART
Personal Data Retention and Disposal Policy
Principles of personal data retention and destruction policy
ARTICLE 5 – (1) By registering with the Data Controllers Registry in accordance with Article 16 of the Law
Data controllers responsible for personal data storage and processing in accordance with the personal data processing inventory.
Responsible for preparing a disposal policy.
(2) A personal data retention and destruction policy has been prepared; Personal data to the Law and Regulation
does not mean that it has been properly stored, deleted, destroyed or anonymized.
(3) Data that is not under the obligation to prepare a personal data retention and destruction policy
to store, delete, destroy or destroy personal data in accordance with the Law and this Regulation.
Anonymization obligations remain.
Scope of personal data retention and destruction policy
ARTICLE 6 – (1) Personal data retention and destruction policy, as a minimum;
a) The purpose of preparing the personal data storage and destruction policy,
b) Recording media regulated by the personal data retention and destruction policy,
c) Definitions of legal and technical terms included in the personal data retention and destruction policy,
ç) Regarding legal, technical or other reasons that require the storage and destruction of personal data
to explain,
d) Safe storage, unlawful processing and access of personal data
technical and administrative measures taken to prevent
e) Technical and administrative measures taken for the legal destruction of personal data,
f) The titles, units and duties of those involved in the storage and destruction processes of personal data.
their definitions,

Page 128
128
g) The table showing the storage and destruction periods,
ğ) Periodic destruction times,
h) If the current personal data retention and destruction policy has been updated, the said change,
includes information about
THIRD PART
Deletion, Destruction or Anonymization of Personal Data
Principles
ARTICLE 7 – (1) The conditions for processing personal data in Articles 5 and 6 of the Law
In case of disappearance of all personal data, by the data controller ex officio or related
It must be deleted, destroyed or anonymized at the request of the person.
(2) In the deletion, destruction or anonymization of personal data, Article 4 of the Law
the general principles in the article and the technical and administrative
measures, relevant legislation provisions, Board decisions and personal data retention and destruction policy.
appropriate action is required.
(3) All transactions regarding the deletion, destruction and anonymization of personal data
are recorded and such records are kept for at least three years, excluding other legal obligations.
is stored for a period of time.
(4) The data controller is responsible for the deletion, destruction or anonymization of personal data.
is obliged to explain the methods applied in the relevant policies and procedures.
(5) Unless the Board decides otherwise, the data controller ex officio deletes personal data, does not
chooses the appropriate method of anonymization or anonymization. At the request of the person concerned
chooses the appropriate method by explaining the reason.
Deletion of personal data
ARTICLE 8 – (1) Deletion of personal data is in no way for the relevant users.
is the process of making it inaccessible and unusable.
(2) Data controller, deleted personal data cannot be accessed and reused for relevant users.
It is obliged to take all kinds of technical and administrative measures necessary to ensure
Destruction of personal data
ARTICLE 9 – (1) Destruction of personal data, personal data by no one in any way
It is the process of making it inaccessible, irrecoverable and unusable.
(2) The data controller takes all necessary technical and administrative measures regarding the destruction of personal data.
liable to take.

Page 129
129
Anonymization of personal data
ARTICLE 10 – (1) Anonymization of personal data, even if personal data is matched with other data
Even if it cannot be associated with an identified or identifiable natural person under any circumstances.
is to be brought.
(2) In order for personal data to be anonymized; personal data, data controller, recipient or recipient
recording media and related data, such as returning by groups of data and matching of data with other data.
can be identified or determined even through the use of appropriate techniques for the field of activity.
must be rendered unrelated to a natural person.
(3) The data controller is responsible for all necessary technical and administrative matters regarding the anonymization of personal data.
responsible for taking measures.
Periods for ex officio deletion, destruction or anonymization of personal data
ARTICLE 11 – (1) The data controller, who has prepared a personal data retention and destruction policy,
following the date on which the obligation to delete, destroy or anonymize data arose
In the first periodic destruction process, it deletes, destroys or anonymizes personal data.
(2) The time period in which the periodic destruction will be carried out, personal data by the data controller.
determined in the storage and disposal policy. This period cannot exceed six months in any case.
(3) The data controller, who is not obliged to prepare a personal data retention and destruction policy,
following the date on which the obligation to delete, destroy or anonymize data arose
within three months, deletes, destroys or anonymizes personal data.
(4) In the event that irreparable or impossible damages arise and there is a clear violation of the law, the Board
may shorten the periods specified in this article.
Periods of deletion and destruction of personal data if requested by the person concerned
ARTICLE 12 – (1) The data subject is assigned to the data controller pursuant to Articles 11 and 13 of the Law.
when he/she requests the deletion or destruction of his/her personal data by applying;
a) If all the conditions for processing personal data have disappeared; personal data subject to the request
deletes, destroys or anonymizes data. The data controller shall respond to the request of the data subject within thirty days at the latest.
and informs the relevant person.
b) All the conditions for processing personal data have been removed and the personal data subject to the request
if it has been transferred to third parties, the data controller notifies the third party; in third party
ensures that the necessary procedures are carried out within the scope of this Regulation.
c) If all the conditions for processing personal data have not disappeared, this request is made by the data controller.
In accordance with the third paragraph of Article 13 of the Law, it can be rejected by explaining the reason and the rejection
The answer is notified to the relevant person in writing or electronically within thirty days at the latest.

Page 130
130
CHAPTER FOUR
Miscellaneous and Final Provisions
Elimination of doubts
ARTICLE 13 – (1) Hesitations that may arise during the implementation of this Regulation and
to eliminate the problems related to the problem, to direct the implementation, to determine the principles and standards, and to
to make the necessary arrangements to ensure the unity of application, to provide all necessary information and
to request the document, within the framework of the provisions of the relevant legislation on matters not included in this Regulation.
The Board is authorized to decide.
Force
ARTICLE 14 – (1) This Regulation enters into force on 1/1/2018.
Executive
ARTICLE 15 – (1) The President executes the provisions of this Regulation.

Page 131
131

APPENDIX-2: REGISTRY OF DATA RESPONSIBILITIES
REGULATION ABOUT

Page 132
132
FIRST PART
Purpose, Scope, Basis and Definitions
but
ARTICLE 1 – (1) The purpose of this Regulation is the Protection of Personal Data dated 24/3/2016 and numbered 6698
to be kept open to the public by the Presidency under the supervision of the Board in accordance with the Law.
Establishment and administration of the Data Controllers Registry and envisaged making to the Data Controllers Registry
To determine the procedures and principles regarding the records and to ensure their implementation.
Scope
ARTICLE 2 – (1) This Regulation is a data recording policy that determines the processing purposes and means of personal data.
It covers the natural and legal persons responsible for the establishment and management of the system.
Rest
ARTICLE 3 - (1) This Regulation is governed by the fifth paragraph of the 16th article of the Law No. 6698 and the 22nd
It has been prepared based on subparagraphs (d) and (e) of the first paragraph of the article.
Definitions
ARTICLE 4 – (1) In this Regulation;
a) Recipient group: The natural or legal person category to which personal data is transferred by the data controller,
b) Chairman: President of the Personal Data Protection Authority,
c) Presidency: Presidency of the Personal Data Protection Authority,
ç) Contact person: By the data controller for real and legal persons residing in Turkey,
By the representative of the data controller for natural and legal persons not resident in Turkey,
with its obligations under the Law and secondary regulations to be issued based on this Law.
regarding the real person notified during registration to the Registry in order to ensure communication with the Institution,
d) Law: Law on Protection of Personal Data No. 6698,
e) Registration: The procedures and procedures determined by the Regulation of the data controllers under the registration obligation.
the statement made in accordance with the principles,
f) Registration obligation: The obligation regarding registration to be carried out in accordance with the Regulation,
g) Registered e-mail (REM) address: Including the sending and delivery of electronic messages
The qualified form of e-mail, which provides legal evidence for its use,
ğ) Personal data: Any information relating to an identified or identifiable natural person,
h) Personal data processing inventory: It is carried out depending on the business processes of the data controllers.
their personal data processing activities; personal data processing purposes and legal reason, data

Page 133
133
category, the transferred recipient group and the data subject group, and the personal data they create.
the maximum period necessary for the purposes for which the data is processed, the transfer of which to foreign countries is foreseen.
the inventory they detail by explaining their personal data and the measures taken regarding data security,
ı) Personal data retention and destruction policy: For the purpose for which personal data is processed, data controllers
for the deletion, destruction and anonymization process with the process of determining the maximum time required
the policy on which they are based,
i) Processing of personal data: Fully or partially automatic or any processing of personal data.
to be obtained, recorded by non-automatic means, provided that it is a part of the data recording system,
storage, preservation, modification, rearrangement, disclosure, transfer,
to be acquired, made available, classified or prevented from being used
all kinds of operations performed on data such as
j) Board: Personal Data Protection Board,
k) Institution: Personal Data Protection Authority consisting of the Board and the Presidency,
l) Registry: The Registry of Data Controllers kept by the Presidency,
m) Data category: The data subject group in which personal data are grouped according to their common characteristics
personal data class of or groups,
n) Data subject person group: The category of the person whose personal data data controllers process,
o) Data controllers registry information system (VERBIS): Data controllers must apply to the Registry and
by the Presidency, which can be accessed via the internet, which they will use in other related transactions.
created and managed information system,
ö) Data controller: Data recording system that determines the purposes and means of processing personal data.
the natural or legal person responsible for the establishment and management of
p) Data controller representative: Data controllers who are not resident in Turkey, in Article 11 of this Regulation.
Legal entities residing in Turkey authorized to represent the minimum in the matters specified in the third paragraph of the article
person or natural person who is a citizen of the Republic of Turkey,
means.
(2) For definitions not included in this Regulation, the definitions in the Law are applied.

Page 134
134
SECOND PART
Establishment, Administration, Oversight and Access to the Registry
Principles, procedures and principles
ARTICLE 5 – (1) The following principles, procedures and principles regarding the establishment, administration and supervision of the registry
obeyed:
a) Data controllers must register with the Registry before starting to process personal data.
b) Data controllers who are not resident in Turkey, before starting data processing,
must be registered in the Registry through its representative.
c) The registry is kept open to the public. Provided that the principle of publicity is ensured, the Board may
has the authority to determine the scope and exceptions.
ç) Data controllers who are obliged to register in the Registry, prepare Personal Data Processing Inventory.
liable. The information to be disclosed to the registry in the registry applications is based on the Personal Data Processing Inventory.
as prepared.
d) In the disclosure obligation specified for data controllers in Article 10 of the Law,
Responding to the related person applications specified in Article 13 of the Law and
to the personal data processing inventory in determining the scope of the express consent to be disclosed by
based on the information submitted to the Registry and published in the Registry.
e) Data controllers must ensure that the information submitted to and published in the Registry is complete, accurate, up-to-date and legal.
responsible for its compliance. Registration of data controllers in the Registry
does not relieve its obligations.
f) Without prejudice to the situations specified in Article 28 of the Law, Article 16 of the Regulation
Data controllers who meet certain conditions based on the objective criteria specified in the article
Not being held liable for registration in the Registry by the Board; of these data controllers within the scope of the Law.
does not relieve its obligations.
g) Registry-related transactions are carried out by data controllers over VERBIS.
ğ) Processing of personal data submitted to the Registry by data controllers and published in the Registry
the maximum storage period necessary for the purpose; Data specified in Article 7 of the Law
in the fulfillment of the obligations of those responsible for deletion, destruction or anonymisation.
is based.
Establishment, administration and oversight of the registry
ARTICLE 6 – (1) The registry is created by the Presidency. Presidency, Creation, administration of the Registry,
in order to keep and maintain it up to date; For the establishment and operation of VERBIS
takes the necessary technical and administrative measures.

Page 135
135
(2) The service unit responsible for the creation and administration of the Registry, Data Management Department
It is the presidency.
(3) The registry is supervised by the Board. by the Data Management Department
The annual report, which is prepared in monthly periods and whose scope will be determined by the Board
It is submitted to the board.
Access to the registry
ARTICLE 7 – (1) The Presidency shall determine the current information in the Registry in accordance with the Board decisions.
publicly disclosed by appropriate means.
(2) Of the information contained in the data controllers registry, the following are disclosed to the public:
a) Data controller, if any, data controller representative, address and KEP address if received,
b) The purposes for which personal data can be processed,
c) The data subject group and groups and the data categories of these persons,
ç) Recipient and recipient groups to whom personal data can be transferred,
d) Personal data intended to be transferred to foreign countries,
e) The date of registration in the registry and the date the registration ends,
f) Measures taken regarding personal data security,
g) The maximum period required for the purpose for which personal data is processed.
THIRD PART
Beginning of Registration Obligation, Information to be Entered in VERBIS, Registration Application,
Renewal and Deletion of Registration
Beginning of registration obligation
ARTICLE 8 – (1) Data controllers fulfill their registration obligations to the Registry before starting to process personal data.
has to fulfill.
(2) Data controllers who are not under the registration obligation and later become registration obligations,
They are registered in the Registry within thirty days following their obligation.
(3) Data controllers, who are under the registration obligation, are responsible for any de facto, technical or legal
If registration obligations cannot be fulfilled due to impossibility, this impossibility
to apply in writing to the Authority within 7 working days at the latest from the date of its occurrence, and
requesting additional time from the Institution to fulfill the registration obligations, provided that the reason is stated.
they can. The institution may grant an additional period of time, for once and not exceeding thirty days in any case.
can give.

Page 136
136
Information to be transmitted within the scope of registration obligation
ARTICLE 9 – (1) The registration application made to the Registry contains the following information:
a) Identity and address information of the data controller, the representative of the data controller and the contact person, if any.
information in the application form to be determined by the Board,
b) For what purpose the personal data will be processed,
c) Explanations about the data subject group and groups and the data categories of these persons,
ç) Recipient or recipient groups to whom personal data can be transferred,
d) Personal data intended to be transferred to foreign countries,
e) According to the criteria stipulated in Article 12 of the Law and determined by the Board,
measures,
f) Maximum retention of personal data required by the legislation or for the purpose for which they are processed.
duration of time.
(2) To be disclosed to the Registry by data controllers in accordance with subparagraphs (b), (c), (ç) and (d) of the first paragraph.
informations; Based on the Personal Data Processing Inventory, using the titles specified in VERBIS
It is transmitted to the Registry via VERBIS.
(3) Information to be disclosed to the Registry by data controllers in accordance with subparagraph (e) of the first paragraph;
Titles specified in VERBIS to cover the issues specified in Article 12 of the Law
and transmitted to the Registry via VERBIS.
(4) Personal data to be disclosed to the Registry by data controllers in accordance with subparagraph (f) of the first paragraph
the maximum storage period stipulated in the legislation or required for the purpose for which they are processed.
The relevant information is matched with the data categories and reported to the Registry. Sicily by the data controller
necessary for the processing purposes of the declared categories of data and for their processing based on those purposes.
The maximum storage periods and the periods stipulated in the legislation may be different. In this case
If the maximum storage period is stipulated in the legislation, this period is not foreseen, if not, the most
A notification is made to the Registry for this data category based on a long period of time. Personal data are processed
while determining the maximum storage period required for the purpose;
a) In the sector in which the data controller operates within the scope of the purpose of processing the relevant data category
the period accepted by general custom,
b) Established with the data subject and requiring the processing of personal data in the relevant data category.
the duration of the legal relationship,
c) Depending on the purpose of processing the relevant data category, the data controller will obtain legitimate
the period during which the benefit will be valid in accordance with the law and honesty rules,
ç) The risk, cost and cost of storing the relevant data category depending on the purpose of processing.
the period during which the responsibilities will continue legally,
d) Keeping the relevant data category of the maximum period to be determined accurate and up-to-date when necessary.
whether it is convenient,

Page 137
137
e) Personal data in the relevant data category as required by the legal obligation of the data controller
the time it has to keep,
f) Further right of a personal data-related right in the relevant data category by the data controller.
the statute of limitations for expulsion,
are taken into account.
(5) Data controllers, determining the maximum period required for the purpose for which personal data is processed,
compliance of these periods with the information specified in the personal data processing inventory and whether the maximum period has been exceeded.
By preparing a personal data retention and destruction policy to monitor that it is not exceeded,
ensure their implementation.
(6) The titles and contents specified in VERBIS are carried out by the data controller.
if it does not fully cover the activities and the information required to be transmitted to the Registry; data controller
You can also enter this information in the "Other" section in VERBIS reserved for this purpose.
Completes the Sicile statement.
Registration application
ARTICLE 10 – (1) Data controllers, by uploading the information specified in Article 9 to VERBIS.
shall be deemed to have fulfilled its registration obligation.
(2) As stated in the third paragraph of Article 8 by the Institution, additional time is given to them.
Data controllers who have been given a license must complete the registration application before this period expires.
Obligations of data controller, data controller representative and contact person
ARTICLE 11 – (1) In legal persons, the data controller is the legal entity itself. Legal entity residing in Turkey
Data controller obligations of persons within the scope of the Law, in accordance with the provisions of the relevant legislation,
by the body authorized to represent and bind the personality or by the person or persons specified in the relevant legislation.
is brought. The body authorized to represent the legal entity shall be fulfilled in terms of the implementation of the Law.
may appoint one or more persons regarding the obligations. This assignment law
does not remove the liability of the legal entity in accordance with its provisions.
(2) Regarding the appointment of a data controller representative who is not resident in Turkey,
Certified copy of the decision to be taken by the authorized body or person,
submitted to the Authority by the representative of the responsible person.
(3) The decision to appoint a data controller representative shall at least cover the following issues.
arranged as follows:
a) Notification or acceptance of the notification or correspondence made by the Authority on behalf of the data controller.
don't,
b) To forward the requests directed to the data controller by the Authority to the data controller,
forwarding the reply from the responsible person to the Institution,

Page 138
138
c) If no other basis has been determined by the Board; 13 of the Law of the persons concerned
In accordance with the first paragraph of the third article, the data controller can apply to the data controller.
receiving on behalf of and transmitting to the data controller,
ç) If no other basis has been determined by the Board; 13 of the Law to the persons concerned.
To transmit the reply of the data controller in accordance with the third paragraph of Article 3,
d) Performing the Registry-related works and transactions on behalf of the data controller.
(4) On behalf of data controllers residing in Turkey and data controllers not residing in Turkey
data controller representatives process the contact person information in the Registry during registration. Contact person data
is not authorized to represent the responsible person in accordance with the provisions of the Law and Regulation.
(5) Contact person in public institutions and organizations, senior manager who will provide coordination
Head of department determined and registered in the Registry by the Authority in order to ensure communication with the Institution.
or higher manager.
Ensuring communication
ARTICLE 12 – (1) With regard to the implementation of the Law, the Authority is contacted by the data controller.
any communication to be established;
a) For legal entities residing in Turkey, the identity, address or KEP address information reported to the Registry
the relevant legal person,
b) For real persons residing in Turkey, the identity, address or KEP address information reported to the Registry
the real person concerned,
c) For data controllers not residing in Turkey, the representative of the data controller notified to the Registry,
carried out by means of
Changes to registration information
ARTICLE 13 – (1) Data controllers are responsible for the changes in the information registered in the registry.
changes are made via VERBIS within seven days from the date of the change.
Notifies the institution.
Deletion of the registry record
ARTICLE 14 – (1) The data controller, regarding the deletion of the registry record, is sent to the Authority via VERBIS.
applies.
(2) If the activity requiring the registration obligation ends or disappears, the registration record is deleted. It
Records are accessible when requested, but no changes can be made to them.
is kept.
(3) The deletion of the registry records the obligations of the data controller during the period when it was registered in the Registry.
does not eliminate.

Page 139
139
CHAPTER FOUR
Exceptions to the Registration Obligation
Circumstances to be exempted
ARTICLE 15 – (1) In terms of the personal data processing activities stated below, this
There is no obligation to register and notify the activities in the Registry:
a) The processing of personal data is necessary for the prevention of crime or for criminal investigation.
b) Processing of personal data made public by the person concerned.
c) Authorized and authorized public institutions and organizations based on the authority given by the law for personal data processing.
supervision or regulation by professional organizations and public institutions
necessary for the performance of their duties and for disciplinary investigation or prosecution.
ç) Regarding the budget, tax and financial issues of personal data processing, the State's economic and financial
necessary for the protection of their interests.
Exception criteria
ARTICLE 16 – (1) The Board, taking into account the following criteria, exempts from the registration obligation.
can bring:
a) The nature of the personal data.
b) Number of personal data.
c) Purpose of processing personal data.
ç) Field of activity in which personal data is processed.
d) Transfer of personal data to third parties.
e) The fact that the personal data processing activity originates from the law.
f) The period of retention of personal data.
g) The data subject group or categories of data.
h) Data controller's annual number of employees or annual financial balance sheet total information.
(2) The Board shall determine the scope of the exceptions determined within the framework of the criteria listed in the first paragraph and the implementation.
has the authority to make decisions in order to determine the procedures and principles. The Board complies with these decisions.
publicly by publishing it.

Page 140
140
CHAPTER FIVE
Miscellaneous and Final Provisions
Administrative sanction
ARTICLE 17 – (1) Those who violate the obligation to register and notify the data controllers registry
Administrative fine specified in subparagraph (ç) of the first paragraph of Article 18 of the Law.
is applied.
(2) The act of violating the obligation to register and notify with the data controllers registry,
Processing within the body of public institutions and organizations and professional organizations in the nature of public institution
In the event of a notification by the Board, those working in the relevant public institution and organization
civil servants and other public officials and professional organizations in the nature of public institutions
Action is taken against those who do so in accordance with the disciplinary provisions and the result is reported to the Board.
Elimination of doubts
ARTICLE 18 – (1) Hesitations that may arise during the implementation of this Regulation and
to eliminate the problems related to the problem, to direct the implementation, to determine the principles and standards, and to
to make the necessary arrangements to ensure the unity of application, to provide all necessary information and
to request the document, within the framework of the provisions of the relevant legislation on matters not included in this Regulation.
The Board is authorized to decide.
Force
ARTICLE 19 – (1) This Regulation enters into force on 1/1/2018.
Executive
ARTICLE 20 – (1) The President executes the provisions of this Regulation.

Page 141
141

ANNEX-3: LIGHTING OBLIGATION
IN IMPLEMENTATION
PROCEDURES AND PRINCIPLES TO BE COMPLIED
NOTIFICATION ABOUT

Page 142
142
Purpose and scope
ARTICLE 1 – (1) The purpose of this Communiqué is Protection of Personal Data dated 24/3/2016 and numbered 6698
performed by data controllers or authorized persons pursuant to Article 10 of the Law.
It is to determine the procedures and principles to be complied with within the scope of the lighting obligation to be brought.
Rest
ARTICLE 2 – (1) This Communiqué is based on Article 22 of the Law on Protection of Personal Data No. 6698.
It has been prepared based on subparagraphs (e) and (g) of the first paragraph.
Definitions
ARTICLE 3 – (1) In this Communiqué;
a) Recipient group: The natural or legal person category to which personal data is transferred by the data controller,
b) Relevant person: The real person whose personal data is processed,
c) Law: Law on Protection of Personal Data dated 24/3/2016 and numbered 6698,
ç) Board: Personal Data Protection Board,
d) Institution: Personal Data Protection Authority,
e) Registry: The Data Controllers Registry kept by the Presidency,
f) Data registration system: The registration system in which personal data is processed and structured according to certain criteria,
g) Data controller: The data recording system, which determines the purposes and means of processing personal data.
the natural or legal person responsible for the establishment and management of
ğ) Data controller representative: Data controllers who are not resident in Turkey, dated 30/12/2017 and
11 of the Regulation on the Registry of Data Controllers published in the Official Gazette No. 30286
Legal entities residing in Turkey authorized to represent the minimum in the matters specified in the third paragraph of the article
person or natural person who is a citizen of the Republic of Turkey,
means.
(2) For definitions not included in this Communiqué, the definitions in the Law will be valid.
Scope of the obligation to inform
ARTICLE 4 – (1) According to Article 10 of the Law; data at the time of obtaining personal data
responsible persons or authorized persons, the relevant persons must be informed. This obligation
The minimum amount of information to be provided by data controllers or authorized persons
It should include the following topics:
a) Identity of the data controller and its representative, if any,

Page 143
143
b) For what purpose the personal data will be processed,
c) To whom and for what purpose personal data can be transferred,
ç) Method and legal reason for collecting personal data,
d) Other rights of the person concerned as listed in Article 11 of the Law.
Procedures and principles
ARTICLE 5 – (1) Verbal, written, audio recording, call by the data controller or the person authorized by him.
fulfilling the lighting obligation by using physical or electronic media such as
The following procedures and principles must be complied with:
a) Personal data is processed depending on the explicit consent of the data subject or other processing conditions in the Law.
In any case, the obligation to illuminate must be fulfilled.
b) When the purpose of personal data processing changes, clarification for this purpose before the data processing activity
obligation must also be fulfilled.
c)(Repealed:RG-28/4/2019-30758)
ç) In case there is an obligation to register in the registry, within the framework of the obligation to inform
The information to be given to the person concerned must be compatible with the information disclosed in the Registry.
d) The fulfillment of the obligation to inform is not dependent on the request of the person concerned.
e) The proof of fulfillment of the obligation to inform belongs to the data controller.
f) In case the personal data processing activity is carried out based on the condition of explicit consent, the clarification
Obligation and obtaining explicit consent must be fulfilled separately.
g) The purpose of processing personal data to be disclosed within the scope of the disclosure obligation is specific, clear
And it must be legitimate. While fulfilling the obligation to inform, general and ambiguous
statements should not be included. Personal data for other purposes that may be on the agenda
Expressions suggesting that it can be processed should not be used.
ğ) A clear, clear and simple statement of the notification to be made to the person concerned within the scope of the obligation to inform
language must be used.
h) What is meant by “legal reason” in subparagraph (ç) of the first paragraph of Article 10 of the Law,
Within the scope of disclosure obligation, personal data specified in Articles 5 and 6 of the Law
It is processed on the basis of which of the processing conditions. fulfilling the obligation to inform
The legal reason must be clearly stated at the time of submission.
ı) Within the scope of the disclosure obligation, the purpose of transferring personal data and the recipient to be transferred
groups must be specified.
i) Within the scope of the disclosure obligation, the personal data shall be fully or partially automated.
or by non-automatic methods, provided that it is a part of the data recording system.
should be clearly stated.
j) While fulfilling the obligation to inform, it contains incomplete, misleading and incorrect information to the relevant persons.
should not be given.

Page 144
144
Obligation to inform if personal data is not obtained from the person concerned
ARTICLE 6 – (1) In case the personal data is not obtained from the person concerned;
a) Within a reasonable time from the acquisition of personal data,
b) In case the personal data will be used for communication with the person concerned, the first contact should be made.
during,
c) In case personal data is to be transferred, at the latest, the first transfer of personal data will be made.
In the meantime, the obligation to inform the person concerned must be fulfilled.
Force
ARTICLE 7 – (1) This Communiqué enters into force on the date of its publication.
Executive
ARTICLE 8 – (1) The provisions of this Communiqué are executed by the President of the Personal Data Protection Authority.

Page 145
145

APPENDIX-4: APPLICATION TO THE DATA SPEAKER
COMMUNIQUÉ ON AND PRINCIPLES

Page 146
146
Purpose and scope
ARTICLE 1 – (1) This Communiqué states that the application to the data controller and the transaction require a separate cost.
It has been prepared to determine the procedures and principles regarding the fee to be collected in case of
Rest
ARTICLE 2 – (1) This Communiqué is based on the Law on Protection of Personal Data dated 24/3/2016 and numbered 6698.
Based on subparagraphs (e) and (g) of the first paragraph of article 13 and article 22
has been prepared.
Definitions
ARTICLE 3 – (1) In this Communiqué;
a) Application: The application made within the scope of Article 13 of the Law,
b) Secure Electronic Signature: It is solely dependent on the signatory, only the signatory
qualified electronic signature created with the secure electronic signature creation tool at your disposal.
in signed electronic data that enables the identification of the signatory based on the certificate
The electronic signature that enables the determination of whether any changes have been made afterwards,
c) Relevant person: The real person whose personal data is processed,
ç) Law: Law on Protection of Personal Data dated 24/3/2016 and numbered 6698,
d) Recording medium: Fully or partially automatic or any data recording system
All kinds of personal data that are processed by non-automatic means, provided that they are part of
environment,
e) Registered e-mail (REM) address: Including the sending and delivery of electronic messages
The qualified form of e-mail, which provides legal evidence for its use,
f) Board: Personal Data Protection Board,
g) Institution: Personal Data Protection Authority,
ğ) Mobile signature: An electronic signature created using a mobile device.
means.
(2) For definitions not included in this Communiqué, the definitions in the Law will be valid.
Right to apply
ARTICLE 4 – (1) Real persons whose personal data are processed have the right to apply to the data controller.
(2) Relevant persons may benefit from this right provided that they make their application in Turkish.

Page 147
147
Application procedure
ARTICLE 5 – (1) The person concerned, within the scope of his rights specified in Article 11 of the Law,
in writing or by registered electronic mail (KEP) address, secure electronic signature, mobile signature or
previously notified to the data controller by the data subject and registered in the data controller's system.
developed by using the e-mail address available or for the purpose of application.
transmits it to the data controller by means of a software or application.
(2) In the application;
a) Name, surname and signature if the application is written,
b) TR identity number for citizens of the Republic of Turkey, nationality for foreigners, passport
number or identification number, if any,
c) Domicile or workplace address for notification,
ç) If available, the e-mail address, telephone and fax number for notification,
d) Subject of the request,
must be present.
(3) Information and documents related to the subject are attached to the application.
(4) In written applications, the date of notification of the document to the data controller or his representative, the application
is historical.
(5) In applications made by other methods; the date on which the application is received by the data controller, the application
is historical.
Reply to application
ARTICLE 6 – (1) The data controller is responsible for the applications to be made by the data subject within the scope of this Communiqué.
All kinds of administrative and administrative and legal actions necessary to conclude effectively, in accordance with the law and the rule of good faith.
responsible for taking technical measures.
(2) The data controller accepts the application or rejects it by explaining its reason.
(3) The data controller notifies the relevant person in writing or electronically.
(4) Reply letter;
a) Information about the data controller or its representative,
b) The applicant; name and surname, Turkish identity number for citizens of the Republic of Turkey,
For foreigners, their nationality, passport number or identification number, if any, are the basis for notification.
domicile or workplace address, if any, e-mail address for notification, telephone and fax
number,
c) The subject of the request,
ç) The explanations of the data controller regarding the application,
must contain.

Page 148
148
(5) The data controller shall submit the requests included in the application as soon as possible and at the latest within thirty days, depending on the nature of the request.
concludes free of charge within a day. However, if the transaction requires an additional cost,
The fee specified in the article may be charged. The application is caused by the fault of the data controller
In such case, the fee will be refunded to the person concerned.
(6) In case the request of the data subject is accepted, the data controller will act as soon as possible as required by the request.
carried out and the relevant person is informed.
Fee
ARTICLE 7 – (1) If the application of the person concerned is to be answered in writing, the fee up to ten pages
not taken. A transaction fee of 1 Turkish Lira may be charged for each page over ten pages.
(2) If the response to the application is given in a recording medium such as CD or flash memory, the data controller
The fee may not exceed the cost of the recording medium.
Force
ARTICLE 8 – (1) This Communiqué enters into force on the date of its publication.
Executive
ARTICLE 9 – (1) The provisions of this Communiqué are executed by the President of the Personal Data Protection Authority.

Page 149

