The following were published in the Official Gazette dated April 28, 2019:
· Communiqué Amending the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Disclosure Obligation,
· Regulation Amending the Regulation on the Deletion, Destruction or Anonymization of Personal Data,
· Regulation Amending the Regulation on the Registry of Data Controllers.
The changes in the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Disclosure Obligation, the Regulation on the Deletion, Destruction or Anonymization of Personal Data, and the Regulation on the Data Controllers Registry are shown in the tables below.
AMENDMENTS MADE IN THE REGULATION ON THE DATA CONTROLLERS REGISTRY:
Previous State of the Legislation | New Situation After 28.04.2019 Change |
Definitions ARTICLE 4/1 – ç) Contact person: The real person notified by the data controller at the time of registration in the Registry, for the communication to be established with the Authority regarding the obligations, within the scope of the Law and secondary regulations to be issued based on this Law, of legal persons residing in Turkey and of the data controller representative of legal persons not residing in Turkey,
h) Personal data processing inventory: Personal data processing activities carried out by data controllers depending on their business processes; The inventory they have created by associating with the personal data processing purposes, the data category, the transferred recipient group and the data subject group, explaining the maximum time required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security,
p) Representative of data controller: Legal person residing in Turkey or real person who is a citizen of the Republic of Turkey, who is authorized to represent non-resident data controllers in the matters specified in the second paragraph of Article 11 of this Regulation, |
Definitions ARTICLE 4/1 – d) Contact person: The real person notified during registration to the Registry, by the data controller for real and legal persons residing in Turkey and by the representative of the data controller for real and legal persons not residing in Turkey, in order to ensure communication with the Institution regarding their obligations under the Law and secondary regulations to be issued based on this Law,
h) Personal data processing inventory: Personal data processing activities carried out by data controllers depending on their business processes; The inventory they have created by associating the personal data processing purposes and legal reason, the data category, the transferred recipient group and the data subject group by explaining the maximum storage period required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security,
p) Data controller representative: Legal person residing in Turkey or a natural person who is a citizen of the Republic of Turkey, who is authorized to represent data controllers not residing in Turkey in the matters specified in the third paragraph of Article 11 of this Regulation,
|
Principles, procedures and principles ARTICLE 5/1 – ç) Information to be disclosed to the Registry in registration applications is prepared based on the Personal Data Processing Inventory.
ğ) The maximum period required for the purpose of processing the personal data submitted and published in the Registry by the data controllers is taken as a basis in fulfilling the obligations of data controllers to delete, destroy or anonymize as specified in Article 7 of the Law.
|
Principles, procedures and principles ARTICLE 5/1 – ç) Data controllers who are obliged to register in the Registry are obliged to prepare a Personal Data Processing Inventory. The information to be disclosed to the Registry in applications to the Registry is prepared based on the Personal Data Processing Inventory.
ğ) The maximum retention period required for the purpose for which the personal data submitted and published in the Registry by the data controllers are processed is taken as a basis in fulfilling the obligations of data controllers to delete, destroy or anonymize as specified in Article 7 of the Law.
|
Access to the Registry ARTICLE 7/2 – a) Name and address of the data controller, if any, the representative of the data controller and the contact person, and the KEP address if received,
|
Access to the Registry ARTICLE 7/2 – a) Data controller, representative of data controller, if any, address and KEP address if received, |
Obligations of data controller, data controller representative and contact person
ARTICLE 11 – (4) Legal entities residing in Turkey record their contact person information in the Registry during registration. The contact person is not authorized to represent the data controller in accordance with the provisions of the Law and Regulation. The contact person provides the communication regarding the response of the requests made by the relevant persons to the data controller.
(5) In public institutions and organizations, the contact person is the head of department or higher manager, who is registered in the Registry by the senior manager in order to ensure communication with the Agency.
|
Obligations of data controller, data controller representative and contact person
ARTICLE 11 – (4) Data controllers residing in Turkey and representatives of data controllers on behalf of data controllers not residing in Turkey record the contact person information in the Registry during registration. The contact person is not authorized to represent the data controller in accordance with the provisions of the Law and Regulation.
(5) In public institutions and organizations, the contact person is the head of department or higher manager who is registered in the Registry by the senior manager who will ensure the coordination, in order to ensure communication with the Agency.
|
Changes in registration information ARTICLE 13 – (1) In case of a change in the information registered in the registry, data controllers notify the Authority within seven days via VERBIS. | Changes in registration information ARTICLE 13 – (1) In case of a change in the information registered in the Registry, data controllers notify the Authority via VERBIS within seven days from the date of the change. |
Exception criteria
ARTICLE 16 – (1) The Board may make an exception to the registration obligation by considering the following criteria: a) The nature of the personal data. b) Number of personal data. c) Purpose of processing personal data. ç) Field of activity in which personal data is processed. d) Transfer of personal data to third parties. e) The fact that the personal data processing activity originates from the law. f) The period of retention of personal data. g) The data subject group or categories of data.
|
Clause ğ has been added to Article 16, titled "Exception criteria":
“ğ) The annual number of employees of the data controller or the annual financial balance sheet total information.” |
AMENDMENTS MADE IN THE COMMUNIQUÉ ON THE PROCEDURES AND PRINCIPLES TO BE FOLLOWED IN FULFILLING THE DISCLOSURE OBLIGATION:
Previous State of the Legislation | New Situation After 28.04.2019 Change |
Definitions ARTICLE 3/1 – f) Data recording system: Any environment where personal data is fully or partially automated or processed by non-automatic means provided that it is a part of any data recording system,
ğ) Representative of data controller: Legal person residing in Turkey or natural person who is a citizen of the Republic of Turkey, authorized to represent data controllers not residing in Turkey in the matters specified in the second paragraph of Article 11 of the Regulation on Data Controllers Registry published in the Official Gazette dated 30/12/2017 and numbered 30286. |
Definitions ARTICLE 3 – f) Data registration system: The registration system in which personal data are processed and structured according to certain criteria,
ğ) Representative of data controller: Legal person residing in Turkey or natural person who is a citizen of the Republic of Turkey, authorized to represent data controllers not residing in Turkey in the matters specified in the third paragraph of Article 11 of the Regulation on Data Controllers Registry published in the Official Gazette dated 30/12/2017 and numbered 30286,
|
Procedures and Principles Article 5/1- c) If personal data is processed for different purposes in different units of the data controller, the obligation to inform must be fulfilled separately at each unit. | It has been repealed. |
AMENDMENTS MADE IN THE REGULATION ON THE DELETION, DESTRUCTION OR ANONYMIZATION OF PERSONAL DATA:
Previous State of the Legislation | New Situation After 28.04.2019 Change |
Definitions ARTICLE 4/1-e) Personal data processing inventory: Personal data processing activities carried out by data controllers depending on their business processes; The inventory they have created by associating the personal data with the purposes of processing, the data category, the transferred recipient group and the data subject group, explaining the maximum time required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security, | Definitions ARTICLE 4/1-e) Personal data processing inventory: Personal data processing activities carried out by data controllers depending on their business processes; The inventory they have created by associating the personal data processing purposes and legal reason, the data category, the transferred recipient group and the data subject group by explaining the maximum storage period required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security,
|
Principles ARTICLE 7/4- The data controller is obliged to explain in the relevant policies and procedures the methods applied for the deletion, destruction and anonymization of personal data. | Principles ARTICLE 7/4 – The data controller is obliged to explain in the relevant policies and procedures the methods applied for the deletion, destruction or anonymization of personal data. |
Periods of deletion and destruction of personal data if requested by the person concerned
ARTICLE 12 – (1) When the data subject requests the deletion or destruction of his/her personal data by applying to the data controller pursuant to Article 13 of the Law;
a) If all the conditions for processing personal data have disappeared, the data controller deletes, destroys or anonymizes the personal data subject to the request. The data controller finalizes the request of the data subject within thirty days at the latest and informs the data subject.
b) If all the conditions for processing personal data have disappeared and the personal data subject to the request has been transferred to third parties, the data controller notifies the third party of this and ensures that the necessary actions are taken by the third party within the scope of this Regulation.
c) If all the conditions for processing personal data have not been eliminated, this request may be rejected by the data controller by explaining the reason in accordance with the third paragraph of Article 13 of the Law, and the refusal is notified to the relevant person in writing or electronically within thirty days at the latest. |
Periods of deletion and destruction of personal data if requested by the person concerned
ARTICLE 12 – (1) When the data subject requests the deletion or destruction of his/her personal data by applying to the data controller pursuant to Articles 11 and 13 of the Law;
a) If all the conditions for processing personal data have disappeared, the data controller deletes, destroys or anonymizes the personal data subject to the request. The data controller finalizes the request of the data subject within thirty days at the latest and informs the data subject.
b) If all the conditions for processing personal data have disappeared and the personal data subject to the request has been transferred to third parties, the data controller notifies the third party of this and ensures that the necessary actions are taken by the third party within the scope of this Regulation.
c) If all the conditions for processing personal data have not been eliminated, this request may be rejected by the data controller by explaining the reason in accordance with the third paragraph of Article 13 of the Law, and the refusal is notified to the relevant person in writing or electronically within thirty days at the latest. |