Pursuant to Article 16 of the Data Protection Law, an obligation to register in the Data Controllers Registry has been introduced for data controllers.
In 2018, the Board issued decisions granting exemptions from registration obligation to certain professional groups, associations and political parties. The Board also granted a general exemption to local data controllers that have less than 50 employees, and actively less than TRY 25 million on their balance sheets.
Data…
»
The Data Protection Law requires data controllers to notify the relevant data subject and the Board as soon as possible when being made aware of such data breach. In its decision dated January 24, 2019 and numbered 2019/9, the Board clarified the rules and procedures to be applied in data breach incidents.
The Board takes the GDPR approach in terms of timing of breach notifications, and clarified that the term of “as soon as possible” must be interpreted as 72 hours of…
»
Sensitive and non-sensitive personal data can be transferred abroad if the explicit consent of the data subject is obtained.
Furthermore, other legal grounds will also apply to the transfer of personal data to the foreign country. However, the destination country must have “sufficient protection” in order to conclude the transfer abroad based on legal grounds (except for having obtained explicit consent). A list of jurisdictions that provide sufficient protection is to be…
»
Sensitive and non-sensitive personal data can be transferred to third parties if the explicit consent of the data subject is obtained, or if one of the additional legal grounds is applicable for such transfer.
The Data Protection Law does not provide a definition for a third party; therefore, any individual or entity (other than the data controller and the data subject) may be considered a third party. This creates a problem, especially in relation to transfers between data…
»
Processing Personal Data
In principle, personal data can be processed with the explicit consent of the data subject. On the other hand, personal data can be processed without explicit consent in the following circumstances:
If processing is clearly proposed under the laws;
If processing is mandatory for the protection of life, or to prevent the physical injury of a person, in cases where that person cannot express consent, or whose consent is legally invalid due to physical…
»
The Data Protection Law applies to data controllers who process and transfer personal data under their control. Furthermore, in the situation where data controllers utilise the services of third party data processors for these processes, the law holds them jointly liable for taking all of the technical and administrative measures required to ensure the safeguarding of personal data and to prevent any unlawful access or processing.
The Data Protection Law does not envisage the…
»
