| # | Obligation | Explanation | Documentation | Is Documentation Required or Recommended? | Risk [1] |
|---|---|---|---|---|---|
| 1 | Obligation to Ensure Personal Data Security | Data controllers should take all necessary technical and administrative measures to ensure data security. There are specific measures announced by the Turkish Data Protection Authority ("DPA") with regard to the special categories of personal data. [2] Any incident resulting in the acquisition of processed personal data by third parties through unlawful means is considered a data breach. Data controllers should notify the DPA within 72 hours after becoming aware of a breach and notify the data subjects whose data have been affected within a reasonable time. [3] | Data Breach Response Plan; Employee Confidentiality Agreement | Required | Administrative fine up to 1.802.640 TRY (approx. US$233.000) |
| 2 | Obligation to Comply with the General Principles | Data processing activities should be carried out in accordance with the following general principles: (1) lawfulness and fairness; (2) being accurate and kept up to date where necessary; (3) being processed for specified, explicit and legitimate purposes; (4) being relevant, limited and proportionate to the purposes for which they are processed; (5) being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed. | DPIA [4] | Recommended | Administrative fine up to 1.802.640 TRY (approx. US$233.000) |
| 3 | Obligation to Process Personal Data Based on the Legal Grounds | Personal data processing activities should be carried out based on the legal grounds stated under Articles 5 and 6 of the LPPD. [5] | DPIA [6] | Recommended | Administrative fine up to 1.802.640 TRY (approx. US$233.000) |
| 4 | Obligation to Fulfill Data Subject Applications | The data controller should fulfill data subject applications (DSAs) and respond to the data subject within 30 days. | Data Subject Application Form | Recommended | Administrative fine up to 1.802.640 TRY (approx. US$233.000) |
| 5 | Obligation to Conduct Audits | The data controller is obliged to carry out the necessary audits, or have them carried out, within its own institution or organization, to ensure its compliance. | Internal Governance and Audit Policy | Recommended | Administrative fine up to 1.802.640 TRY (approx. US$233.000) |
| 6 | Obligation to Lawfully Transfer Personal Data | Transfer within Turkey: based on the legal grounds stated under the LPPD, personal data may be transferred within Turkey. Cross-border data transfer: since the DPA has not yet announced the list of countries with adequate protection, in order to transfer personal data from Turkey abroad, (a) the explicit consent of the data subjects should be obtained, or (b) (i) a data protection undertaking agreement should be executed between the transferor and transferee parties and (ii) submitted for the Board's approval. Option (b) can be fulfilled by executing either a bilateral data transfer agreement or local binding corporate rules. | Cross-border Data Transfer Agreement / Local BCR | Recommended (Required if option (b) is chosen for cross-border data transfer) | Administrative fine up to 1.802.640 TRY (approx. US$233.000) |
| 7 | Obligation to Prepare Personal Data Processing Inventory | Data controllers are required to prepare a personal data processing inventory similar to the Records of Processing Activities required under Article 30 of the GDPR. | Personal Data Processing Inventory | Required | Administrative fine up to 1.802.640 TRY (approx. US$233.000) |
| 8 | Obligation to Inform | Data controllers must inform data subjects about the personal data processing activity when obtaining personal data. Article 10/1 of the LPPD stipulates the minimum content of the obligation to inform; privacy notices should therefore include the elements stated under that Article. | Privacy Notice | Required | Administrative fine up to 180.263 TRY (approx. US$23.300) |
| 9 | Obligation to Register before the Data Controllers' Registry | Data controllers residing in Turkey that (i) have an annual turnover of 25M TRY or more or (ii) employ more than 50 employees should register with the Registry. Each non-resident data controller processing personal data of data subjects in Turkey as a data controller should register with the Data Controllers' Registry. | N/A | N/A | Administrative fine up to 1.802.640 TRY (approx. US$233.000) |
| 10 | Obligation to Ensure Erasure, Destruction, Anonymization of Personal Data | Personal data should be erased, destroyed or anonymized by the data controller, ex officio or upon the request of the data subject, when the purposes for processing no longer exist. The data controller should keep records of all operations relating to the erasure, destruction and anonymization of personal data for at least 3 years. | Personal Data Storage and Disposal Policy | Required | Administrative fine up to 1.802.640 TRY (approx. US$233.000). In case of failure to destroy the data within a defined system despite the expiration of the legally prescribed period, the persons responsible for this failure are sentenced to imprisonment from 6 months to 1 year. |
[1] Administrative fines are increased each year on the basis of the legal yearly revaluation ratio.
[2] DPA Decision No. 2018/10.
[3] Please see our FAQ on Making Data Breach Notifications in Turkey: https://www.mondaq.com/turkey/data-protection/887546/faq-on-making-data-breach-notifications-in-turkey
[4] Please see our article on the Privacy by Design and by Default Approach under Turkish Data Protection Law: https://www.mondaq.com/turkey/privacy-protection/712466/privacy-by-design-and-by-default-approach-under-turkish-dataprotection-law
[5] Conditions for processing personal data (Article 5 of Law No. 6698): personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met: (a) it is expressly provided for by the laws; (b) it is necessary for the protection of life or physical integrity of the person himself/herself or of any other person who is unable to explain his/her consent due to physical disability or whose consent is not deemed legally valid; (c) processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract; (d) it is necessary for compliance with a legal obligation to which the data controller is subject; (f) personal data have been made public by the data subject himself/herself; (g) data processing is necessary for the establishment, exercise or protection of any right; (h) processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject. Conditions for processing special categories of personal data (Article 6/3 of Law No. 6698): (i) personal data listed in the first paragraph, except for data concerning health and sexual life, may be processed without seeking the explicit consent of the data subject in the cases provided for by laws; (ii) personal data concerning health and sexual life may only be processed, without seeking the explicit consent of the data subject, by persons subject to a secrecy obligation or by competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, and planning and management of health-care services as well as their financing.
[6] Please see our article on the Privacy by Design and by Default Approach under Turkish Data Protection Law: https://www.mondaq.com/turkey/privacy-protection/712466/privacy-by-design-and-by-default-approach-under-turkish-dataprotection-law