Main Obligations Of The Data Controllers Under The Law On The Protection Of Personal Data

Obligation

Explanation

Documentation

Is Documentation

Required or

Recommended?

Risk1

 

1

Obligation to Ensure

Personal                    Data

Security

Data controllers should take all necessary technical and administrative measures to ensure the data security. There are specific measures announced by the Turkish Data Protection Authority ("DPA") with regards to the special categories of personal data.2

Any incident resulting in the acquisition of processed personal data by third parties through unlawful means is considered as a data breach. Data controllers should notify the DPA within 72 hours after becoming aware of a breach and notify the data subjects whose data have been affected within a reasonable time.3

Data            Breach

Response Plan

Employee

Confidentiality

Agreement

Required

Administrative fine up to 1.802.640 TRY (approx. US$233.000)

2

Obligation to Comply with the General

Principles

Data processing activities should be carried out in accordance with the general principles stated below: 

(1)    Lawfulness and fairness,

(2)    Being accurate and kept up to date where necessary,

(3)    Being processed for specified, explicit and legitimate purposes,

(4)    Being relevant, limited and proportionate to the purposes for which they are processed,

DPIA4

Recommended 

Administrative fine up to 1.802.640 TRY. (approx. US$233.000)

   

(5) Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed.

       

3

Obligation to Process Personal Data Based on the Legal Grounds 

Personal data processing activities should be carried out based on the legal grounds stated under Articles 5 and 6 of the LPPD.5

DPIA6

Recommended 

Administrative fine up to 1.802.640 TRY. (approx. US$233.000)

4

Obligation to Fulfill

Data                       Subject

Applications

The data controller should fulfill the DSAs and respond to the data subject within 30 day.

Data            Subject

Application

Form 

Recommended 

Administrative fine up to 1.802.640 TRY. (approx. US$233.000)

5

Obligation                      to

Conduct Audits 

The data controller is obliged to carry out the necessary audits, or have them carried out, in its own institution or organization, to ensure its compliance.

Internal

Governance and

Audit Policy

Recommended 

Administrative fine up to 1.802.640 TRY. (approx. US$233.000)

6

Obligation                      to

Lawfully            Transfer

Personal Data 

Transfer Within Turkey: Based on the legal grounds stated under the LPPD, personal data could be transferred within Turkey.

Cross-Border Data Transfer: Since the DPA has not yet announced the list of  the countries with adequate protection; in order to transfer personal data from Turkey to abroad (a) the explicit consent of the data subjects should be obtained or (b) (i) executing a data protection undertaking agreement between the transferor and transferee parties and (ii) submitting it to the Board's approval. This option could be

Cross-border

Data          Transfer

Agreement / 

Local BCR

Recommended

[Required if option (b) is chosen for cross-border data

transfer]

Administrative fine up to 1.802.640 TRY. (approx. US$233.000)

   

fulfilled by either executing a bilateral data transfer agreement or local binding corporate rules.

   

7

Obligation to Prepare

Personal                    Data

Processing Inventory

Data controllers are required to prepare a personal data processing inventory similar to Records of Processing Activities required under the Article 30 of the GDPR.

Personal         Data

Processing

Inventory

Required

Administrative fine up to 1.802.640 TRY. (approx. US$233.000)

8

Obligation to Inform

Data controllers must inform data subjects about the personal data processing activity while obtaining personal data. In this regard, Article 10/1 of the LPPD stipulates the minimum content requirement of the obligation to inform and therefore, the privacy notices should involve the elements stated under the mentioned Article. 

Privacy Notice

Required

Administrative fine up to 180.263 TRY (approx. US$23.300)

9

Obligation to Register before the Data

Controllers' Registry 

Data controllers residing in Turkey that (i) have an annual turnover more than or equal to 25M TRY or (ii) employ more than 50 employees should register to the Registry.

Each non-resident data controller processing personal data of the data subjects in Turkey as a data controller should register before the Data Controllers Registry. 

N/A

N/A

Administrative fine up to 1.802.640 TRY. (approx. US$233.000)

10

Obligation to Ensure Erasure, Destruction, Anonymization of

Personal Data

Personal data should be erased, destructed, or anonymized by the data controller, ex officio or upon the request of the data subject, in the event that the purposes for the processing no longer exist. 

The data controller should keep the records of all operations relating to erasure, destruction and anonymization of personal data at least for 3 years.

Personal         Data

Storage             and

Disposal Policy

Required

Administrative fine up to 1.802.640 TRY. (approx. US$233.000)

In case of failure to destroy the data within a defined system despite the expiration of legally prescribed period, persons responsible from this failure are sentenced to imprisonment from 6 months to 1 year.

Footnotes

1 Administrative fines are increased each year on the basis of legal yearly revaluation ratio.

2 DPA Decision No 2018/10.

3 Please see our FAQ On Making Data Breach Notifications in Turkey. https://www.mondaq.com/turkey/data-protection/887546/faq-on-making-data-breach-notifications-in-turkey

4 Please see our Article on Privacy by Design And By Default Approach Under Turkish Data Protection Law. https://www.mondaq.com/turkey/privacy-protection/712466/privacy-by-design-and-by-default-approach-under-turkish-dataprotection-law

5 Conditions for processing personal data - Article 5 of Law No. 6698: Personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met (a) It is expressly provided for by the laws. (b) It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.(c) Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.(d) It is necessary for compliance with a legal obligation to which the data controller is subject. (f) Personal data have been made public by the data subject himself/herself. (g) Data processing is necessary for the establishment, exercise, or protection of any right. (h) Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject. Conditions for processing special categories of personal data - Article 6/3 of Law No.6698 : (i) personal data, except for data concerning health and sexual life, listed in the first paragraph may be processed without seeking explicit consent of the data subject, in the cases provided for by laws (ii) personal data concerning health and sexual life may only be processed, without seeking explicit consent of the data subject, by the persons subject to secrecy obligation or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.

6 Please see our Article on Privacy by Design And By Default Approach Under Turkish Data Protection Law. https://www.mondaq.com/turkey/privacy-protection/712466/privacy-by-design-and-by-default-approach-under-turkish-dataprotection-law

Changing the legal landscape by technology
Changing the legal landscape by technology
Explore BTS&Partners