Q&A and booklets providing context on implementation of the Personal Data Protection Law (Privacy Act) no.6698 have been published on the website of the Board for Personal Data Protection in July and the factors to be taken into account by the Board for commenting on the Law are indicated. Essential parts from the aforementioned context are provided below: Certain concepts referred within the Law are clarified through the release titled as “Basic Concepts Existing in the Law no.6698”. One of those concepts are the matters related to CRM (customer relations management) activities provoking high interest throughout the sector. The Board, provided that it’s a part of a data registry system, considers the non-automatic data entries within the scope of the Law as well and indicates that in this context, every non - automatic transaction cannot be considered as out of the scope of Law. Since, it would be appropriate to say that the Law will have execution area in terms of CRM matters also and data entry will be performed pursuant to the required basic principles. Another significant issue explained within the same text is related to the situations paving the way for exception of express consent. The Board exemplifies the award and bonus implementation increasing employee loyalty for legitimate interest. Within that context, making a list for peoples’ hobbies would be accepted through commentary. In terms of publicity, which is another exceptional situation regarding the Law, the Board exemplifies the person’s obviously sharing his/her own contact information for emergency cases and in that context and this led to discussion regarding the social media channels such as LinkedIn etc…An intention of expropriation is sought from the viewpoint of the European Union approach to publicity and the assessment is performed limited to that. To the extent that the concepts of data controller and data processor are examined, within the scope of activities performed concerning personal data processing, legal entities will be the “data controllers” themselves and the legal liability indicated in the concerning regulations will be arising over the legal entity. Any divergence in terms of the legal entities of public law and private law was not pursued. An explanation has been issued as “Both for the penal and legal liability terms, general terms within the public law and private law will be applicable over the liabilities of legal entities”. Concepts of data controller and data processor are highlighted and defined within the same text as well. It’s indicated that the activities of the data processor are mostly limited with the technical parts of data processing. The authority of making decisions concerning personal data processing is assigned to the data controller. Data controller identifies the aim and method in personal data processing. In that context, so as to clarify the matter, the Board points out that the market research companies should be specified as data controllers since they decide on themselves for the data to be included and clients to be carried out surveys even though they are handling them for others. In line with that, couriers may also be considered as data controllers since they demand the personal identity number of people even if they are in charge of delivering others’ mails. Within the manual titled as “Corporate Terms in the Law no.6698”, it’s indicated that personal data containing privacy are in limited amount and cannot be copied. Another significant issue remarked in the manual is about the legal liability. On legal entity data controller’s side, the legal liability will be arising over the legal entity itself and any responsibility occurring on a real person in the company will not be possible. Through the manual titled as “Purpose and Scope of the Personal Data Protection Law no.6698”, purpose of the Law and individuals that would be existing in the scope of the Law are defined. The Law will not be applicable on the personal data that are not digital and contained within a data registry system. It’s indicated that the penal sanctions proposed through the Law would be commented within the context of Turkish Penal Code no.5237. In other words, the liability in terms of penal sanctions will be going on as stated through the Turkish Penal Code. Another significant point contained in the manual is about the anonymization and usage of personal data for certain purposes. Pertaining to the Article 28 of the concerning Law, in the circumstance that the personal data are anonymized through official statistics and processed in research, planning and statistical purposes, the Law terms will not be applied. The Board provides two separate commentaries to the act of anonymization in its published manual. As per the commentaries, in the circumstance that personal data are processed on the purpose of producing statistics, the Law terms will not have execution area. Another essential matter to attract attention is about publicity as mentioned above. The Board accepts sharing personal data through social media accounts as “making public” without indicating purpose. Again in accordance with our aforementioned comment, we are of the opinion that the matter should be assessed in compliance with the European Union approach. Our explanations provided above include general information on the issue. No responsibility can be claimed against EY and/or Kuzey YMM ve Bağımsız Denetim A.Ş. due to the implications arising from the context of this document or emerging with respect to its context.
Best Regards,
Kuzey YMM ve Bağımsız Denetim A.Ş. | 
Print 
Go to Top 
