Number: 3

Date: 14/03/2018

Title:

Decision of principle of the Personal Data Protection Board (measures required to be taken by data controllers).


A brief summary of the Personal Data Protection Board's decision of principle dated 31.01.2018, titled "Adequate measures to be taken by data controllers in the processing of special categories of personal data", is provided below:

Paragraph 4 of Article 6 of the Law on the Protection of Personal Data No. 6698 (the "Law") provides that the adequate measures determined by the Board must be taken when processing special categories of personal data.

Pursuant to sub-paragraphs (ç) and (e) of the first paragraph of Article 22 of the Law, the Board has determined the adequate measures that data controllers must take when processing special categories of personal data. They are summarised below:

1. Establishing a systematic, clearly defined, manageable and sustainable policy and procedure for the security of special categories of personal data;

2. For employees involved in the processing of special categories of personal data: (i) providing regular training on the security of such data and on the relevant legislation, (ii) executing confidentiality agreements, (iii) clearly defining the scope and duration of the access authorisations of users who have access to the data, (iv) performing periodic authorisation checks, and (v) immediately revoking the authorisations of employees whose duties change or who leave the organisation;

3. Where special categories of personal data are processed, accessed or stored in an electronic environment: (i) protecting the data with cryptographic methods, (ii) keeping the cryptographic keys in a secure and separate environment, (iii) securely logging all transactions performed on the data, (iv) continuously monitoring security updates for the environment in which the data are held, regularly performing the necessary security tests and recording the results, (v) where the data are accessed through software, managing user authorisations within that software, regularly performing security tests on the software and recording the results, and (vi) using an authentication mechanism with at least two factors where remote access to the data is required;

4. Where special categories of personal data are processed, accessed or stored in a physical environment: (i) taking adequate security measures appropriate to the characteristics of the environment in which the data are held (against theft, fire, flood, etc.), and (ii) preventing unauthorised entry to and exit from that environment;

5. Where special categories of personal data are to be transferred: (i) where transfer is by e-mail, sending the data through a corporate e-mail account or a registered electronic mail account, (ii) where transfer is by portable media such as a memory stick, CD or DVD, encrypting the data with a cryptographic method and keeping the key in a separate environment, (iii) where transfer is between servers in different physical environments, establishing a VPN connection between the servers or transferring the data via SFTP, and (iv) where transfer is in hard copy, sending the document in the form of a "classified document" and taking the necessary measures against theft, loss or viewing by unauthorised persons.

 

The explanations above provide general information on the subject. No liability can be claimed against EY and/or Kuzey YMM ve Bağımsız Denetim A.Ş. for consequences arising from the content of this document or in connection with it.


Best Regards,
Kuzey YMM ve Bağımsız Denetim  A.Ş.
