Law on Protection of Personal Data
Frequently Asked Questions
What is Sensitive Personal Data?
It is data that carries the risk of causing the data subject to be victimized or discriminated against if it is learned by others. The Law specifies one by one which personal data are sensitive personal data, and data other than those listed cannot be considered sensitive personal data. In this regard, sensitive personal data is considered to be limited to those listed.
Sensitive personal data include data related to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and clothing, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, biometric data and genetic data.
What is Personal Health Data?
It is all kinds of data related to the physical and mental health of the person and information about the health service provided to the person. For example, data such as the results of any kind of analysis, the diseases the person has had, and the drugs used are personal health data. Personal health data is sensitive personal data. Therefore, it is subject to the processing conditions for sensitive personal data regulated in the Law, and the adequate measures determined by the Board should also be taken in the processing of sensitive personal data.
What Does Data Recording System Mean?
It refers to the recording system in which personal data is processed and structured according to certain criteria. The data recording system, which can be described as a filing system, can be created electronically or physically. Accordingly, personal data in the data recording system can be classified by name, surname or identity number, and a classification created, for example, for those who do not pay their loan debts is also considered within this scope.
Is Express Consent Subject to Any Form Conditions?
Express consent is not subject to any form requirement. The important thing is that the express consent contains the elements required by the Law and is provable. Therefore, express consent can be given verbally, in writing, through electronic media, etc. However, in cases where express consent is given in writing, the express consent texts should be written in a clear, understandable and plain manner. In addition, express consent must include a positive statement of will. In other words, express consent should not leave any room for doubt, and the procedures for requesting and obtaining consent should clearly reveal the intention of the data subject in this matter. The burden of proof that express consent has been obtained rests with the data controller.
Can Express Consent Be Withdrawn?
Express consent can be withdrawn because this is a right that is strictly attached to the person. In addition, the right to determine the future of personal data belongs to the data subject. In this context, the person can withdraw the express consent given to the data controller at any time. However, the withdrawal has consequences only for the future. From the moment the declaration reaches the data controller, all activities carried out by the data controller based on express consent should be stopped. Withdrawal takes effect from the moment the declaration reaches the data controller.
Who is Mainly Responsible for Fulfilling Obligations Regarding Data Processing Enumerated in the Law?
The Law takes the data controller as the basis for the fulfillment of legal obligations regarding personal data processing activities. The data controller is the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. The data processor is the natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller. Accordingly, it is clear that the data processor fulfills the instructions of the data controller.
What Does Legitimate Purpose Mean?
The purpose being legitimate means that the data processed by the data controller is related to and necessary for the work he/she has done or the service he/she has provided. For example, while the processing of the identity and contact information of its customers by a ready-made clothing store is within the scope of the legitimate purpose, the processing of the mother's maiden name cannot be considered within the scope of the legitimate purpose.
What is the Difference Between Anonymous Data and Anonymized Data?
Anonymous data refers to data that cannot be associated with a specific person from the beginning, while anonymized data is data that was previously associated with a person but is no longer linked.
Under Which Conditions Should Personal Data Be Deleted, Destroyed or Anonymized?
In the event that all the conditions for the processing of personal data in the Law cease to exist, the personal data is deleted, destroyed or anonymized by the data controller ex officio or upon the request of the data subject.
What is the Data Controllers Registry?
It is a registration system where natural and legal persons processing personal data must register before starting personal data processing and enter information on a categorical basis regarding the personal data they are processing. The Data Controllers Registry is the registry kept open to the public by the Presidency under the supervision of the Personal Data Protection Board.
With the constitutional amendment made in 2010, the right to demand the protection of personal data was regulated as a fundamental right in Article 20 of the Constitution, which regulates the privacy of private life, and was included in the section of the Constitution on the rights and duties of the individual. Subsequently, after the relevant studies, the Personal Data Protection Law (“KVKK”) was published in the Official Gazette dated 7 April 2016 and numbered 29677 and entered into force.
KVKK applies to natural persons whose personal data are processed and to natural and legal persons who process this data fully or partially automatically or non-automatically provided that they are part of any data recording system.
According to the law, personal data is any information relating to an identified or identifiable natural person.
The phrase “any information” covers not only information that definitively identifies the individual, such as name, surname, date of birth and place of birth, but also information about the person’s physical, familial, economic, social and similar characteristics. In this context, opinions about the real person, IP addresses and MAC addresses of electronic devices, voice recordings, location information, criminal record, fingerprint, Turkish identity number, photograph, blood group information, health report and similar data are also personal data.
The processing of personal data refers to any operation performed on the data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data in whole or in part by automatic or non-automatic means provided that it is a part of any data recording system.
Article 4 of the Personal Data Protection Law sets out the general principles to be followed in the processing of personal data. These principles are being in compliance with the law and honesty rules, being accurate and up-to-date when necessary, being processed for specific, clear and legitimate purposes, being limited and proportional to the purpose for which they are processed, being kept for the period required by the relevant legislation or for the purpose for which they are processed.
The data controller is obliged to comply with the general principles, regardless of which legal reason the data processing activity is based on, including express consent.
Demir Law Firm aims to provide effective, fast, economical and solution-oriented services by protecting the interests of its clients in the field of Personal Data Protection Law.
Demir Law Firm provides legal services to its clients on the following matters regarding the Protection of Personal Data Law:
- Determination and analysis of the obligations of our clients within the scope of KVKK,
- Creating the Personal Data Inventory and data flow chart of the legal entity,
- Within the scope of administrative measures, creating contracts, express consent and clarification texts for all groups of persons whose data is processed, especially employees,
- Establishing all policies (destruction policy, camera monitoring policy, privacy policy, etc.) regarding the protection of personal data of the client company, which is the data controller,
- Preparation of framework agreements and approval texts to be signed in case personal data is transferred domestically or abroad,
- Providing the necessary support to ensure cooperation with the IT departments and to harmonize the data recording systems currently in use with the obligations, at the stage of establishing the data recording systems that the clients should use in order to fulfill the relevant obligations,
- Carrying out the registration process of the data controller with VERBIS.