This information note is about explanation of the determination of persons and entities encumbered with liabilities within the scope of Protection of Personal Data Law Nr. 6698 (“PPDL”) and liabilities of the same.
In accordance with PPDL, personal data is any data that define the owner of such data and contain any private and general information about its owner. In this context, not only the information that provides identification of an individual such as name, surname, date of birth, place of birth etc. but also the information regarding physical, family, economic, social and other properties of an individual are personal data as well. Name, telephone number, motor vehicle plate number, social security number, IP address, passport number, resume, photographs, health report, criminal record, image and audio records, finger prints, genetic information etc. are personal data due to being identifiable for an individual. Such data consist of data of the customers, personnel, visitors, suppliers, contracted third parties and employees thereof.
The customers receive and process identity, address and contact information of their customers, employees and other persons. Although it is not forbidden to process personal data; any person processing such data in contravention of protection of personal data law may be sentenced to imprisonment up to 6 years, imposed to millions of TRY administrative fines and exposed to below mentioned indemnities.
Upper and lower limits of the penalties that may be imposed by the Board are as follows.
It is required for companies, the employee number of which is equal to or more than 50 annually and the total financial statement of which is equal to or more than 25 Million TRY, to register to Registry Information System of Data Controllers through VERBIS. Registration to VERBIS can be made through VERBIS interface in the website of the Board. The Data Controllers that have liability of registering to Registry Information System of Data Controllers should prepare Personal Data Processing Inventory first.
It is required to obtain express consent of the data subject regarding processing of personal data of the data subject as of the first addressing moment.
It is required for the data controllers to prepare information notices during collection of personal data with due diligence in terms of purpose, principle, procedure and method for each data category by determining legal frame.
The procedure of making personal data impossible to access or to reuse for the users of the personal data. The data controller shall be liable to take any and all measures in order for deleted personal data not to be accessible or reusable for the related users. The Guideline for Deletion, Destroying or Anonymization of Personal Data is prepared by the Board in order to draw attention several subjects to clarify methods for such procedures and to constitute good practice examples.
It is regulated in the Law that the personal data obtained to be processed according to common principles set forth in the Law may be transferred to third parties by getting express consent of related data subject.
The data controller shall take any and all technical and administrative measures to ensure suitable security level in order to prevent illegal processing of personal data; to prevent illegal access to personal data; and to provide secured storage of personal data.
The data controller shall be liable to create personal data storage and destroying policy and principles; to determine storage periods as well as technical and administrative measures to be taken; and to provide storage of personal data according to such procedures.
By applying to the data controller; data subjects have the right to learn whether their personal data are processed or not; to request information if their personal data are processed; to request the rectification of the incomplete or inaccurate data, if any; to request deletion or destroying of any illegal data; to request such procedure to be informed to the third parties to whom their personal data were transferred; to request compensation for the damage arising from the unlawful processing of their personal data.
Even if legal grounds for processing of personal data differ, general principles set forth in article 4 of Law apply for all personal data processing activities.
You can reach the draft texts regarding this matter by making request by calling telephone no.02124650848 or by sending an e-mail to info@gulelhukuk.com.
Atty. Abide Birsen
Yazar : GülelHukuk