Subject 16 – Personal Data Protection

  • Personal data

Article 3/d of the Personal Data Protection Law No. 6698 (“KVKK”) defines personal data as follows: “Personal data” means any information relating to an identified or identifiable natural person.

Two criteria therefore distinguish personal data from non-personal data. For data to qualify as personal data:

  • the data must relate to a natural person, and
  • that person must be identified or identifiable.

A person is “identified or identifiable” when the data at hand can be associated with a natural person by any means, directly or in combination with other data.

Personal data covers any data that allows a person to be identified once it is linked to a record, including but not limited to an identity, tax or insurance number.

It therefore includes an individual’s name, surname, date and place of birth, and details of the person’s physical, family, economic and other characteristics: a name, phone number, vehicle licence plate, social security number or passport number are all personal data. Data is personal either because it concretely expresses an individual’s physical, economic, cultural, social or psychological identity, or because it enables the person to be identified when linked to a record such as an identity, tax or insurance number.

(KVKK Guide: https://www.kvkk.gov.tr/Icerik/4187/6698-Sayili-Kanun’da-Yer-Alan-Temel-Kavramlar)

  • History of Personal Data

Date | Legal Regulation

September 3, 1953 | European Convention on Human Rights (entry into force)
September 23, 1980 | OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
January 28, 1981 | Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention No. 108)
December 14, 1990 | United Nations Guidelines for the Regulation of Computerized Personal Data Files
October 24, 1995 | Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data
April 7, 2016 | Personal Data Protection Law No. 6698 (KVKK)
April 14, 2016 | Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR)

  • Definitions in the KVKK (Personal Data Protection Law)
  • Explicit consent: means freely given, specific and informed consent,
  • Anonymization: means rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data,
  • Personal data: means any information relating to an identified or identifiable natural person,
  • Processing of personal data: means any operation performed on personal data, wholly or partially by automated means, or by non-automated means provided that the data form part of a data filing system, such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or preventing the use thereof,
  • Data processor: means the natural or legal person who processes personal data on behalf of the data controller upon its authorization,
  • Data filing system: means the system in which personal data are processed by being structured according to specific criteria,
  • Data controller: means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.

  • The Principles Applicable to the Processing of Personal Data

According to Article 4 of the KVKK (Personal Data Protection Law),

(1) Personal data shall only be processed in compliance with procedures and principles laid down in this Law or other laws.

(2) The following principles shall be complied within the processing of personal data:

a) Lawfulness and fairness,
b) Being accurate and, where necessary, kept up to date,
c) Being processed for specified, explicit and legitimate purposes,
ç) Being relevant, limited and proportionate to the purposes for which they are processed,
d) Being stored only for the period laid down by the relevant legislation or required for the purpose for which the personal data are processed.

The summary of the Personal Data Protection Board’s Decision No. 2019/81 dated 25/03/2019 and Decision No. 2019/165 dated 31/05/2019 regarding the processing of biometric data for access control by data controllers providing gym services:

Article 4 of the Law (KVKK), titled “General Principles”, states that personal data may only be processed in accordance with the procedures and principles laid down in this Law and other laws. It then requires that personal data be processed lawfully and fairly, for specified, explicit and legitimate purposes; that they be accurate and, where necessary, kept up to date; that they be relevant, limited and proportionate to the purpose of processing; and that they be retained only for the period required by the relevant legislation or by the purpose of processing.

From these principles, it is inferred that the principle of being related, limited, and proportionate to the purpose of processing requires that the processed data should be suitable for the realization of the specified purposes, and processing of personal data that is irrelevant or unnecessary for the purpose should be avoided. It is emphasized that data processing should not be carried out for the purpose of meeting potential future needs.

The principle of proportionality requires a reasonable balance between the processing activity and its purpose; in other words, data should be processed only to the extent necessary to achieve the purpose. Personal data that are not necessary for the processing activity should therefore not be collected or processed, and the data controller should request from the data subject only the minimum information its purpose requires; any processing beyond this should be avoided. The Board also points out that, even where processing rests on the data subject’s consent and is tied to a specific purpose, explicit consent does not legitimize the excessive collection of data. Personal data should accordingly be collected only to the extent necessary for the specific purpose, used only where that purpose requires, and not retained for longer than necessary.

Indeed, in its decision in case No. 2017/816 (Main), the Council of State reviewed an Administrative Court judgment that had dismissed an action for the annulment of a facial recognition system introduced to monitor the working hours of staff in the wholesale unit of the defendant administration. The Administrative Court had held the practice lawful on the grounds that the method was not used for monitoring working hours in all units of the administration, that it had been introduced because the unit’s location and shift system made controlling and supervising staff difficult, and that, since the system worked by converting staff facial images into numerical codes for comparison, it could not be classified as data recording. The Council of State found that this judgment dismissing the annulment action did not comply with the law.

In its decisions No. 2014/2242 (Main) and 2014/4562 (Main), the Council of State likewise held that biometric methods such as fingerprint or facial scanning systems fall within the scope of the right to privacy of private life even in public spaces, and treated them as unlawful, taking into account the absence of any assurance that the collected data would not be used in another way in the future.

Similarly, the European Court of Human Rights in its decision on December 4, 2008, in the case of S. and Marper v. the United Kingdom, emphasized that the storage of individuals’ fingerprints, cell samples, and DNA profiles constituted a disproportionate and excessive interference with the applicants’ right to the privacy of private life, and could not be considered a necessary intervention in a democratic society, thus ruling that the practice violated Article 8 of the European Convention on Human Rights.

Furthermore, in Document WP193 titled “Opinion 3/2012 on Developments in Biometric Technologies” prepared by the Article 29 Working Party, an example was given where the storage and processing of the fingerprints of all customers and staff, solely for facilitating access to a fitness club or gym and managing memberships, was considered disproportionate to the need and was discouraged. It was suggested that instead of such an application, different measures, such as a simple checklist or the use of RFID tags, or methods that do not require the processing of biometric data, such as magnetic stripe cards, could meet the same needs. Considering these points, it is decided that the “hand and fingerprint scanning” system implemented by data controllers for access to a gym, presented as the mandatory and sole method for benefiting from the service, does not comply with the principle of proportionality in the processing of personal data and is not in line with the principle of requesting the minimum amount of data from individuals.

  • Conditions For Processing Personal Data (Lawful Basis)

Processing of personal data is defined in Article 3 of the KVKK as any operation performed on personal data, wholly or partially by automated means, or by non-automated means provided that the data form part of a data filing system, such as collection, recording, storage, preservation, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization or preventing the use thereof.

The conditions for processing personal data are listed in Article 5 of the Law. Personal data may be processed only if at least one of them is met:

(1) Personal data shall not be processed without the explicit consent of the data subject.

(2) Personal data may be processed without seeking the explicit consent of the data subject only where one of the following conditions is met:

a) It is expressly provided for by the laws.
b) It is necessary for the protection of the life or physical integrity of the person himself/herself or of any other person who is unable to give consent due to physical incapacity, or whose consent is not deemed legally valid.
c) Processing of the personal data of the parties to a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
ç) It is necessary for compliance with a legal obligation to which the data controller is subject.
d) The personal data have been made public by the data subject himself/herself.
e) Data processing is necessary for the establishment, exercise or protection of a right.
f) Processing is necessary for the legitimate interests pursued by the data controller, provided that it does not violate the fundamental rights and freedoms of the data subject.

The conditions for processing personal data, i.e. the grounds for lawfulness, are exhaustively listed in the Law and cannot be expanded.

If personal data processing is based on one of the conditions other than explicit consent specified in the Law, it is not necessary to obtain the explicit consent of the data subject.

Where the data processing activity is possible on a legal ground other than explicit consent, resorting to explicit consent is misleading and constitutes an abuse of rights. Indeed, if explicit consent given by the data subject is withdrawn and the data controller continues the processing on the basis of one of the other processing conditions, this would be contrary to the law and the principle of fairness. The data controller should therefore first assess whether the primary purpose of the processing activity rests on one of the conditions other than explicit consent set out in the Law. Only if the purpose meets none of those conditions is the individual’s explicit consent required for the processing to continue. (https://www.kvkk.gov.tr/Icerik/2050/Kisisel-Veriler)

The conditions for processing personal data constitute the legal basis of each processing activity. A single processing activity may rest on several legal grounds at once. For instance, where employees’ personal data are processed to prepare payroll, the legal basis may be both the performance of a contract and the fulfilment of the data controller’s legal obligations.

(KVKK Guide)

  • Special Categories of Personal Data

Special categories of personal data are exhaustively listed in Article 6 of the KVKK:

  • Race, ethnic origin,
  • Political opinion,
  • Philosophical belief, religion, religious sect or other belief,
  • Appearance,
  • Membership of associations, foundations or trade unions,
  • Data concerning health or sexual life,
  • Criminal convictions and security measures,
  • Biometric and genetic data.

  • Conditions for Processing of Special Categories of Personal Data (Lawful Basis)

The conditions for processing special categories of personal data are specified in Article 6 of the Law. Accordingly, the processing of special categories of personal data is permitted if at least one of the following conditions is met:

(1) Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data

(2) It is prohibited to process special categories of personal data without explicit consent of the data subject.

(3) Personal data, except for data concerning health and sexual life, listed in the first paragraph may be processed without seeking explicit consent of the data subject, in the cases provided for by laws. Personal data concerning health and sexual life may only be processed, without seeking explicit consent of the data subject, by the persons subject to secrecy obligation or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.

(4) Adequate measures determined by the Board shall also be taken when processing special categories of personal data.

  • Personal Data Protection Board Decision on “Taking Adequate Measures for the Processing of Special Categories of Personal Data”

Under Article 6(4) of Law No. 6698 on Personal Data Protection, adequate measures determined by the Board must additionally be taken when processing special categories of personal data.

In this context, and pursuant to sub-paragraphs (ç) and (e) of Article 22(1) of the Law, the Personal Data Protection Board has set out the adequate measures that data controllers processing special categories of personal data must take, as follows:

1- Establishing a systematic, clear, manageable, and sustainable separate policy and procedure for the security of special categories of personal data.

2- For employees involved in processes where special categories of personal data are processed:

a) Providing regular training on the Law and related regulations and on the security of special categories of personal data,
b) Concluding confidentiality agreements,
c) Clearly defining the scope and duration of the access rights of users authorized to access the data,
ç) Performing periodic authorization checks,
d) Immediately revoking the privileges of employees who change role or leave their position in this area, and in this context recovering any equipment (inventory) issued to them.

3- Where special categories of personal data are processed, stored and/or accessed in electronic environments:

a) Preserving the data using cryptographic methods,
b) Keeping the cryptographic keys securely in separate environments,
c) Securely logging all transactions performed on the data,
ç) Continuously monitoring security updates for the environments where the data are kept, and regularly performing security tests and recording their results,
d) Where the data are accessed through software, defining user authorizations for that software, and regularly performing security tests of the software and recording their results,
e) Where remote access to the data is required, using at least two-factor authentication.

4- Where special categories of personal data are processed, stored and/or accessed in physical environments:

a) Ensuring that adequate security measures (against electrical leakage, fire, flooding, theft, etc.) are in place according to the nature of the environment in which the data are kept,
b) Ensuring the physical security of these environments so as to prevent unauthorized entry and exit.

5- Where special categories of personal data need to be transferred:

a) If the data are transferred by e-mail, sending them encrypted, from a corporate e-mail address or through a Registered Electronic Mail (KEP) account,
b) If the data are transferred on physical media such as portable memory, CD or DVD, encrypting them with cryptographic methods and keeping the cryptographic key in a separate environment,
c) If the data are transferred between servers in different physical locations, transferring them over a VPN established between the servers or by SFTP,
ç) If the data are transferred on paper, taking the necessary precautions against risks such as theft, loss or viewing by unauthorized persons, and sending the documents in “classified document” format.

6- In addition to the measures mentioned above, technical and administrative measures to ensure the appropriate level of security, as specified in the Personal Data Security Guide published on the Personal Data Protection Authority’s website, should also be taken into consideration.

  • Erasure, Destruction or Anonymization of Personal Data

The erasure, destruction, or anonymization of personal data is regulated in Article 7 of the KVKK and in the Regulation on the Erasure, Destruction, or Anonymization of Personal Data, enacted based on the KVKK. According to this regulation,

“Erasure of personal data” is the process of rendering personal data inaccessible and unusable for the relevant users. (Example: revoking access permissions from a database)

“Destruction of personal data” is the process of making personal data inaccessible, irretrievable, and unusable by anyone in any way. (Example: burning or shredding disks)

“Anonymization of personal data” is the process of making personal data in such a way that, even when matched with other data, it cannot be associated with the identity of a specific or determinable natural person in any manner.
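The qualifier “even when matched with other data” is the part of this definition that is most often misread in practice: replacing names with hashed tokens (pseudonymisation) is not anonymisation, because the remaining attributes can still be matched against another record of the same person. The following is an added example, not part of the KVKK or the Regulation, that demonstrates this. It hashes the direct identifier, shows that an attacker holding one outside record can still single out a member by birth year and postcode, and then generalises those quasi-identifiers until every combination is shared by at least k records (k-anonymity), which removes the unique match. All records, names, postcodes and the salt are constructed sample data, and the threshold of two shared records is an assumption chosen for the illustration.

```python
"""Added example (not from the KVKK text): pseudonymisation versus anonymisation.

A salted hash of the name hides the direct identifier, but the quasi-identifiers
(birth year, postcode) survive and can be matched against other data; coarsening
them until each combination occurs at least k times breaks that linkage.
All records below are constructed sample data."""

import hashlib
from collections import Counter

# Constructed gym-membership records: name is a direct identifier,
# birth_year and postcode are quasi-identifiers, plan is the sensitive payload.
MEMBERS = [
    {"name": "Ayse Demir",  "birth_year": 1984, "postcode": "34710", "plan": "premium"},
    {"name": "Mehmet Kaya", "birth_year": 1991, "postcode": "34720", "plan": "basic"},
    {"name": "Elif Sahin",  "birth_year": 1984, "postcode": "34715", "plan": "basic"},
    {"name": "Can Yilmaz",  "birth_year": 1990, "postcode": "34722", "plan": "premium"},
]

# Constructed outside record (e.g. a club newsletter) that an attacker already holds.
PUBLIC = [{"name": "Ayse Demir", "birth_year": 1984, "postcode": "34710"}]

SALT = b"example-salt"  # assumption: a secret salt held only by the controller


def pseudonymise(rows):
    """Replace the direct identifier with a salted hash; quasi-identifiers stay intact."""
    out = []
    for r in rows:
        token = hashlib.sha256(SALT + r["name"].encode()).hexdigest()[:16]
        out.append({"token": token, "birth_year": r["birth_year"],
                    "postcode": r["postcode"], "plan": r["plan"]})
    return out


def generalise(rows, year_bucket=10, postcode_digits=3):
    """Coarsen quasi-identifiers (birth decade, postcode prefix) and drop the identifier."""
    out = []
    for r in rows:
        decade = r["birth_year"] - r["birth_year"] % year_bucket
        masked = r["postcode"][:postcode_digits] + "*" * (len(r["postcode"]) - postcode_digits)
        out.append({"birth_year": f"{decade}-{decade + year_bucket - 1}",
                    "postcode": masked, "plan": r["plan"]})
    return out


def consistent(value, released):
    """True if a released value (exact, year range or postcode prefix) could describe value."""
    if isinstance(released, int):
        return value == released
    s = str(released)
    if "-" in s:                      # generalised year range such as "1980-1989"
        lo, hi = s.split("-")
        return int(lo) <= int(value) <= int(hi)
    prefix = s.rstrip("*")            # exact postcode or masked prefix such as "347**"
    return str(value).startswith(prefix)


def link(released, public):
    """Linkage attack: match quasi-identifiers and return {name: plan} for unique matches."""
    found = {}
    for p in public:
        hits = [r for r in released
                if consistent(p["birth_year"], r["birth_year"])
                and consistent(p["postcode"], r["postcode"])]
        if len(hits) == 1:            # exactly one candidate: the person is singled out
            found[p["name"]] = hits[0]["plan"]
    return found


def min_group_size(rows):
    """Smallest equivalence class over the quasi-identifiers (the k of k-anonymity)."""
    counts = Counter((r["birth_year"], r["postcode"]) for r in rows)
    return min(counts.values())


def demo():
    """Run the attack against the pseudonymised and the generalised release."""
    pseudo = pseudonymise(MEMBERS)
    anon = generalise(MEMBERS)
    return {
        "pseudonymised_relinked": link(pseudo, PUBLIC),   # Ayse's plan is recovered
        "pseudonymised_k": min_group_size(pseudo),        # every row is unique: k = 1
        "generalised_relinked": link(anon, PUBLIC),       # no unique match remains
        "generalised_k": min_group_size(anon),            # each combination shared by 2
    }


if __name__ == "__main__":
    print(demo())
```

The point for a data controller is that the hashed release still meets the KVKK definition of personal data, because matching it with other data re-identifies a member; only the generalised release, where no combination of attributes points at a single person, approaches the definition of anonymization. A threshold of two records is used here only to keep the sample small; in practice the appropriate k depends on the dataset and the attacker model.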

Article 7 of the KVKK (Personal Data Protection Law) regulates the erasure, destruction or anonymization of personal data as follows:

‘‘(1) Despite having been processed in compliance with the provisions of this Law and other relevant laws, personal data shall be erased, destroyed or anonymized by the data controller, ex officio or on the request of the data subject, where the reasons for the processing no longer exist.

(2) The Provisions of other laws relating to the erasure, destruction or anonymization of personal data are reserved.

(3) Procedures and principles for the erasure, destruction or anonymization of personal data shall be laid down through by-law.’’

  • Transfer of Personal Data
  • Transferring Personal Data Within the Country

According to Article 8 of the KVKK (Data Protection Law):

(1) Personal data shall not be transferred without explicit consent of the data subject.

(2) Personal data may be transferred without seeking explicit consent of data subject upon the existence of one of the conditions provided for in:

a) the second paragraph of Article 5,
b) the third paragraph of Article 6, provided that adequate measures are taken.

(3) The Provisions of other laws relating to transfer of personal data are reserved.

  • Transfer of Personal Data Abroad

According to Article 9 of the KVKK (Data Protection Law):

(1) Personal data shall not be transferred abroad without explicit consent of the data subject.

(2) Personal data may be transferred abroad without explicit consent of data subject upon the existence of one of the conditions referred to in Article 5(2) and Article 6(3) of the Law and if in the country where personal data are to be transferred;

(a) Adequate protection is provided.

(b) Adequate protection is not provided, upon the existence of commitment for adequate protection in writing by the data controllers in Türkiye and in the relevant foreign country and authorisation of the Board.

(3) The Board determines and announces the countries with adequate protection.

  • Obligation of Data Controller to Inform

According to Article 10 of the KVKK (Data Protection Law):

(1) At the time the personal data are obtained, the data controller or the person it authorizes is obliged to inform the data subjects about:

a) the identity of the data controller and of its representative, if any,
b) the purpose of processing the personal data,
c) to whom and for which purposes the processed personal data may be transferred,
ç) the method and legal basis of collecting the personal data,
d) the other rights referred to in Article 11.

  • Obligations Concerning Data Security

According to Article 12 of the KVKK (Data Protection Law):

(1) The data controller is obliged to take all necessary technical and organizational measures to ensure an appropriate level of security in order to:

a) prevent unlawful processing of personal data,
b) prevent unlawful access to personal data,
c) ensure the protection of personal data.

(2) In case the processing of personal data is carried out by another natural or legal person on behalf of the data controller, the data controller shall jointly be responsible with these persons for taking the measures laid down in the first paragraph.

(3) The data controller is obliged to carry out the necessary audits, or have them made, in its own institution or organization, in order to ensure the implementation of the provisions of this Law.

(4) The data controllers and data processors shall not disclose the personal data that they have learned to anyone contrary to the provisions of this Law, neither shall they use such data for purposes other than that for which the personal data have been processed. This obligation shall continue even after the end of their term of office.

(5) Where the processed data are obtained by others through unlawful means, the data controller shall notify the data subject and the Board within the shortest time. Where necessary, the Board may announce the breach on its official website or in any other way it deems appropriate.

  • Registration in the Data Controllers Registry

According to Article 16 of the KVKK (Data Protection Law):

(1) Under the supervision of the Board, the Data Controllers’ Registry shall be kept by the Presidency and be made publicly available.

(2) Natural or legal persons who process personal data shall register with the Data Controllers’ Registry prior to the start of data processing. However, by taking into account the objective criteria set by the Board such as the nature and quantity of the data processed, that data processing is laid down in a law, or transferring the data to third parties, the Board may provide derogation from the obligation of registration with the Data Controllers’ Registry.

(3) Application for registration with the Data Controllers’ Registry shall be made with a notification including:

a) The identity and address of the data controller and of its representative, if any,
b) The purposes for which the personal data will be processed,
c) Explanations relating to the group(s) of persons whose data are processed and the data categories of these persons,
ç) The recipients or groups of recipients to whom the personal data may be transferred,
d) The personal data envisaged to be transferred abroad,
e) The measures taken concerning the security of the personal data,
f) The maximum storage period necessary for the purposes for which the personal data are processed.

(4) Any changes in the information given pursuant to the third paragraph shall be immediately notified to the Presidency

(5) Other procedures and principles relating to the Data Controllers’ Registry shall be laid down through a by-law.

  • Rights of The Data Subject

According to Article 3/ç of the KVKK, “Data subject” means the natural person, whose personal data are processed.

According to Article 11 of the KVKK (Data Protection Law):

(1) Each person has the right, by applying to the data controller, to:

a) learn whether his/her personal data are being processed,
b) request information if his/her personal data have been processed,
c) learn the purpose of the processing and whether the data are used in compliance with that purpose,
ç) know the third parties to whom his/her personal data are transferred, in the country or abroad,
d) request the rectification of incomplete or inaccurate data, if any,
e) request the erasure or destruction of his/her personal data under the conditions referred to in Article 7,
f) request that the operations carried out under sub-paragraphs (d) and (e) be notified to the third parties to whom his/her personal data have been transferred,
g) object to a result that arises against the person through the analysis of the processed data exclusively by automated systems,
ğ) claim compensation for damage arising from the unlawful processing of his/her personal data.

  • Request and Complaint
  • Request to the Data Controller

According to Article 13 of the KVKK (Data Protection Law):

(1) The data subject shall make the requests relating to the implementation of this Law to the data controller in writing or by other means to be determined by the Board.

(2) The data controller shall conclude the requests in the application free of charge and as soon as possible, taking into account the nature of the request, and at the latest within thirty days. However, if the action requires an extra cost, a fee may be charged according to the tariff determined by the Board.

(3) The data controller shall act on the request or refuse it together with justified grounds and communicate its response to the data subject in writing or by electronic means. In case the demand in the request is accepted, it shall be fulfilled by the data controller. If the request is made due to the fault of the data controller, the fee is refunded to the data subject.

  • Complaint to the Board

(‘‘Board’’: Personal Data Protection Board)

https://sikayet.kvkk.gov.tr/ 

According to Article 14 of the KVKK (Data Protection Law):

(1) If the request is refused, the response is found insufficient or the request is not responded within the specified time period, the data subject may lodge a complaint with the Board within thirty days as of he or she learns about the response of the data controller, or within sixty days as of the request date, in any case.

(2) A complaint shall not be lodged before exhausting the remedy of the request to the data controller pursuant to Article 13.

(3) The right to compensation, under the general provisions, of those whose personal rights are violated, is reserved.

  • Penalties and Misdemeanours
  • Misdemeanours

Action | Legal basis | Administrative fine (2023, after revaluation)

Failing to fulfil the obligation to inform | KVKK Article 18/1-a | 26.852 ₺ – 597.191 ₺
Failing to fulfil the obligations regarding data security | KVKK Article 18/1-b | 89.571 ₺ – 5.971.989 ₺
Failing to comply with decisions of the Board | KVKK Article 18/1-c | 149.285 ₺ – 5.971.989 ₺
Violating the obligation to register with and notify the Data Controllers Registry | KVKK Article 18/1-ç | 119.478 ₺ – 5.971.989 ₺

  • Penalties Under the Turkish Criminal Code

Action | Legal basis | Penalty

Unlawfully recording personal data | TCK Article 135/1 | Imprisonment for a term of one to three years
Unlawfully recording personal data relating to individuals’ political, philosophical or religious beliefs, racial or ethnic origin, moral tendencies, sexual life, health conditions or union membership | TCK Article 135/2 | The penalty under Article 135/1 is increased by one half
Unlawfully giving, disseminating or obtaining personal data | TCK Article 136 | Imprisonment for a term of two to four years
The above offences committed by a public official through abuse of the powers of office, or by taking advantage of the facilities of a specific profession or trade | TCK Article 137 | The above penalties are increased by one half
Failing to erase data within the period laid down by law, despite that period having expired | TCK Article 138/1 | Imprisonment for a term of one to two years
Where the data in question should have been erased or destroyed under the provisions of the Criminal Procedure Code | TCK Article 138/2 | The above penalty is doubled (increased by one fold)

  • In the decision of the 12th Criminal Division of the Supreme Court with the file number 2019/532 E. and 2019/10827 K., it is stated that:

“…The profile picture on the victim’s own Facebook account cannot be considered as an image related to their private life area, which they would not want others to see or know; however, when the victim’s personal data in the form of an image is unlawfully published by the defendant on the Ktü 2nd Hand Goods, Mutual Assistance, Communication, and Announcement Platform with a method that leaves no doubt, the action described in the indictment and proven in the trial constitutes the crime of unlawfully providing or obtaining data as defined in Article 136/1 of the Turkish Penal Code (TCK)…”

  • In the decision of the 12th Criminal Division of the Supreme Court with the file number 2017/12054 E. and 2018/7023 K., it was ruled that:

“…without considering that the defendant’s actions, which were established as creating a fake Facebook account on behalf of the injured party by using the victim’s picture, constitute the crime of unlawfully providing or obtaining data as regulated in Article 136/1 of the Turkish Penal Code (TCK), and by making an error in the assessment of evidence, the judgment of conviction was rendered for the crime of recording personal data as defined in Article 135/1 of the TCK, which is not applicable within the scope of the case file…”

  • General Data Protection Regulation (GDPR)

Directive 95/46/EC, known as the EU Data Protection Directive, was not implemented effectively, both because it was inadequate on data security and because it was transposed inconsistently into the domestic law of the member states. A new data protection regulation was therefore needed.

The General Data Protection Regulation (GDPR) is a regulation aimed at protecting the personal data and privacy of individuals across the entire European Union. It was adopted on May 24, 2016 and, much as with the entry into force of the KVKK, the GDPR set May 25, 2018 as the date on which its enforcement would begin, following a two-year transition period.

  • Application Scope and Long-Arm Principle

The GDPR applies not only to data controllers and processors established within the European Union, but also to the processing of personal data of data subjects who are in the European Union, regardless of where the controller or processor is located. The absence of an establishment within the European Union therefore does not prevent the regulation from applying. In the Weltimmo C-230/14 case, the European Court of Justice held that the concept of “establishment” should be interpreted broadly when determining the territorial scope of national data protection laws.

In this context, an organization that processes the data of citizens of European Union member states is treated as if it were established within the European Union, and assessed accordingly, even if it was set up under the laws of a different country.

  • Data Protection Officer (DPO)

Data protection officers are regulated in Article 37 of the GDPR. Data controllers may, and in certain cases must, appoint a person to provide them with information, advice, and guidance on operating in compliance with data protection rules. These persons are referred to as “Data Protection Officers.”

Under the GDPR, a Data Protection Officer (DPO) must be appointed in the following circumstances:

  • The processing is carried out by a public authority;
  • The core activities of the data controller or data processor consist of large-scale, regular, and systematic monitoring of individuals;
  • The core activities of the data controller or data processor consist of large-scale processing of special categories of personal data or of data relating to criminal convictions and offences.

Data Protection Officers’ (DPO) Responsibilities:

  • Informing and advising data controllers about their responsibilities;
  • Ensuring compliance with the GDPR, other data protection provisions of the Union, or of the Member States, and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising, and training of staff involved in processing operations, and the related audits;
  • Providing advice where requested as regards the data protection impact assessment and monitoring its performance;
  • Cooperating with the supervisory authority.

  • The Principles in GDPR

The principles for processing personal data under GDPR, as stated in Article 5, are as follows:

  a) Lawfulness and fairness.
  b) Equity: the legal norms underlying the processing activity must be organized in accordance with justice.
  c) Processing for specified, explicit, and legitimate purposes (principle of purpose limitation).
  ç) Being relevant, limited, and proportionate to the purposes for which the data are processed (principle of data minimization).
  d) Storage for the period specified by the relevant legislation, or for the time necessary for the purposes for which the data are processed.
  e) Principle of data security.
  f) Accountability requirement.
  g) Accuracy and, where necessary, keeping the data up to date.

These principles parallel those of the KVKK.

KVKK | GDPR
The KVKK is a law that covers all natural and legal persons carrying out data processing in Turkey. | The GDPR is a regulation that sets out the obligations and sanctions relating to the processing of the personal data of individuals living in the European Union and its member states.
Personal data must be retained for the period specified in the relevant legislation, or for the period necessary for the purposes for which they were processed. | Personal data must not be retained for longer than is necessary for the purpose of the processing.
In Turkey, certain data controllers are obliged to register with the publicly accessible registry system known as VERBIS. | There is no equivalent registry obligation in the GDPR.
The KVKK obliges data controllers to appoint a contact person; there is no obligation to appoint a Data Protection Officer (DPO). | Under Article 37 of the GDPR, certain data controllers are obliged to appoint a Data Protection Officer (DPO).
Under the KVKK, the maximum fine envisaged for non-compliance with the obligations of data controllers is 5,971,989 Turkish Liras. | Under the GDPR, administrative fines can be imposed of up to 2-4% of annual global turnover or up to 20 million Euros. There is no specific cap.
There is no specific regulation on children’s data in the KVKK. | Under the GDPR, the processing of the personal data of children under the age of 16 requires the consent or authorization of the holder of parental responsibility over the child in order to be lawful.

————————————————————————————————————

The copyrights pertaining to these lecture notes and all of their content, including the rights to reproduce, distribute, duplicate, represent, transmit via signals, and publicly communicate through any means of text, sound, and/or visual presentation, are protected by the Turkish Intellectual and Artistic Works Law and related legislation. All of these intellectual and moral rights belong to Attorney and Lecturer Ozge EVCI ERALP. These lecture notes may not be duplicated, published, or used without permission, and may not be published on internet websites without obtaining the necessary permissions. Ozge Evci ERALP 2023-2024