03May2019

NEW REGULATIONS HAVE BEEN ANNOUNCED BY THE PROTECTION OF PERSONAL DATA INSTITUTION

NEW REGULATIONS HAVE BEEN ANNOUNCED BY THE PROTECTION OF PERSONAL DATA INSTITUTION

In the 28 April 2019 dated and 30758 numbered Official Gazette, certain amendment texts directly related with the law on protection of personal data legislation, have been published. These amendments have been done in legislations of purge/destruction/anonymization of personal data, VERBİS and the obligation to inform, are respectively as follows:

  • Regulation on Purging, Destruction and Anonymization of Personal Data
  • Regulation on the Data Controllers’ Registry System
  • Communiqué on Procedures and Principles to Be Followed in Fulfilling Obligation to Inform

Our comments along with the amendments regarding the abovementioned legislations are as follows:

1. Regulation on Purging, Destruction and Anonymization of Personal Data

Article No.

Previous Text

Updated Text

Art. 4/1

e) Personal data processing inventory: refers to the inventory where data controllers conduct their data processing activities which are dependent on their business processes and defines the maximum necessary duration by linking with data processing goals, data category, recipient group and elaborates by explaining the precautions regarding data security.

e) Personal data processing inventory: refers to the inventory where data controllers conduct their data processing activities which are dependent on their business processes and defines the maximum necessary retention period by linking with data processing goals and legal cause, data category, recipient group and elaborates by explaining the precautions regarding data security.

Art. 7/4

Data controller is required to explain the methods applied when conducting transactions of purge, destruction, anonymization of personal data in the related policies and procedures.

Data controller is required to explain the methods applied when conducting transactions of purge, destruction or anonymization of personal data in the related policies and procedures.

Art. 12

When relevant individual requests purge or deletion of his/her own personal data as per the 13th clauses of the Law.

When relevant individual requests purge or deletion of his/her own personal data as per the 11th and 13th clauses of the Law.

In the above table, amendments and additions are indicated in the column “Updated Text” as underlined. Amendment on the 4th clause of the Regulation draws an inference regarding the necessity of including legal cause and maximum retention period in the data inventory. On the same day of regulation change, 28 April 2019, “Personal Data Inventory Preparation Guide” and “Personal Data Inventory Processing Sample” are published on Personal Data Protections Agency’s website. As known, Sample Inventory and the Guide containing details regarding personal data inventory which is required to be prepared by data controllers in the compliance process of the Law on Protection of Personal Data (“Law”) could be reached in Turkish from here.

Another amendment made in the Regulation consists of inclusion of the 11th clause with the title “relevant person’s rights” into 12th clause to establish a conjunction between the legislations, because former also regulates relevant person’s rights to request deletion or destruction of the personal data by making an application to data controller.

2. The Regulation on the Data Controllers’ Registry System

Art No.

Previous Text

Updated Text

Art. 4/1 (ç)

Contact person: In relation with the obligations of legal entities reside in Turkey and the data controller representative of the non-resident legal entities under the Law and secondary regulations linked with this Law, the contact person refers to the individual notified while registering the System by the data controller for the contact to be made with the Institution.

Contact person: In relation with the obligations of data controller for the natural persons and legal entities reside in Turkey, and the data controller’s representative for the natural persons and legal entities that are non-resident in Turkey under the Law and secondary regulations linked with this Law, the contact person refers to the individual notified while registering the System in order to make contact.

Art. 4/1 (h)

Personal data processing inventory: refers to the inventory where data controllers conduct their data processing activities which are dependent on their business processes and defines the maximum necessary duration by linking with data processing goals, data category, recipient group and elaborates by explaining the precautions regarding data security.

Personal data processing inventory: refers to the inventory where data controllers conduct their data processing activities which are dependent on their business processes and defines the maximum necessary retention period by linking with data processing goals and legal cause, data category, recipient group and elaborates by explaining the precautions regarding data security.

Art. 4/1 (p)

Data controller’s representative: refers the natural person citizen of the Turkish Republic or Turkey resident legal entity that is authorized to represent non-resident data controllers for the issues mentioned in the clause two of Art. 11 of this Regulation.

Data controller’s representative: refers the natural person citizen of the Turkish Republic or Turkey resident legal entity that is authorized to represent non-resident data controllers for the issues mentioned in the third clause of Art. 11 of this Regulation.

Art. 5/1 (ç)

The information to be disclosed to the Registry System while making an application, shall be prepared based on the Personal Data Processing Inventory.

The data controllers who are obliged to register the Registry System, are obliged to prepare a Personal Data Processing Inventory. The information to be disclosed to the Registry System while making an application, shall be prepared based on the Personal Data Processing Inventory.

Art. 5/1 (ğ)

The necessary minimum period for the personal data processing purpose to be published and submitted to the Registry by the data controllers; shall be based upon while fulfilling the data controllers’ obligations of purging, destruction and anonymization mentioned in the Art 7 of the Law.

The necessary minimum retention period for the personal data processing purpose to be published and submitted to the Registry by the data controllers; shall be based upon while fulfilling the data controllers’ obligations of purging, destruction and anonymization mentioned in the Art 7 of the Law.

Art. 7/2 (a)

Data controller, data controller’s representative if any and full name of the contact person, address and REM (registered e-mail) address if provided,

Data controller, data controller’s representative if any, address and REM (registered e-mail) address if provided,

Art. 11/4

The legal entities resident in Turkey, shall process the information of contact person into the Registry while registering the system. The contact person is not authorized to represent the data controller according to provisions of the Law and the Regulation. The contact person shall provide contact as regards answering the demands that data subjects may direct to the data controller.

The data controllers resident in Turkey and the data controller’s representatives on behalf of the non-resident data controllers, shall process the information of contact person into the Registry while registering the system. The contact person is not authorized to represent the data controller according to provisions of the Law and the Regulation.

Art. 11/5

The contact person in the public institutions and organizations, is the head of departments or the top manager that is registered to the Registry determined by the senior executive to make contact with the Institution.

The contact person in the public institutions and organizations, is the head of departments or the top manager that is registered to the Registry determined by the senior executive who shall ensure coordination, to make contact with the Institution.

Art. 13/1

The data controllers shall notify the Institution of the any change in the registered information, within seven days on VERBIS.

The data controllers shall notify the Institution of the any change in the registered information, within seven days as of the occurrence date of the alteration through VERBIS.

Art. 16 (ğ)

-

Total employee number or total annual financial statement information of the data controller.

The art. 5/1(ç) alteration is important beyond the above alterations of which states that it is obligatory to prepare a personal data processing inventory for the data controllers who are also obliged to register into the registry. You may reach our previous article on the registration deadline of the data controllers for the Registry (VERBIS) here.

With the “ğ” clause added to the Art. 16 of the Regulation is regulated that the Institution may exempt some data controllers from registering the Registry with considering “the data controllers’ total annual employee number or annual financial statement info”. This regulation has secured uniformity between the Regulation and the registration exemptions published by the Institution. You may reach the Turkish announcement of the Institution about the data controllers who are exempted from registering the Registry, here.

3. Communiqué on Procedures and Principles to Be Followed in Fulfilling Obligation to Inform

Art No.

Previous Text

Updated Text

Art. 3/1 (f)

The Data registration system: any kind of environment that the personal data are found of which are processed non-automatic ways with the provision of being a part of any data registry system or processed fully or partially automatic ways.

Veri kayıt sistemi: refers to the registry system in which personal data are processed into according to certain criteria.

Art. 3/1 (ğ)

The data controller’s representative: refers to Turkish Republic citizen natural person or Turkey resident legal entity who is authorized to represent non-resident data controllers in the issues mentioned in the second clause of Art. 11 of the Regulation on the Data Controller’s Registry published on 30/12/2017 dated and 30286 numbered Official Gazette.

The data controller’s representative: refers to Turkish Republic citizen natural person or Turkey resident legal entity who is authorized to represent non-resident data controllers in the issues mentioned in the third clause of Art. 11 of the Regulation on the Data Controller’s Registry published on 30/12/2017 dated and 30286 numbered Official Gazette.

Art. 5/1 (c)

The obligation to inform shall be fulfilled for each unit separately if the personal data are processing with different purposes by different units of the data responsible.

Abrogated

The amendment in the 3/1 (f) clause of the Regulation secured uniformity in the definition of “data registry system” found in related regulations. The abrogation of the 5/1(c) clause makes it easy for the data controllers in practice, so that it is not necessary for each department of the data controller which are processing personal data, to fulfill obligation to inform separately.

Posted in Personal Data Protection Law

  • Notification !

    Contents provided on this article serve to informative purpose only. The article is confidential and property of CottGroup® and all of its affiliated legal entities. Quoting any of the contents of this notification without credit being given to the source is strictly prohibited. Regardless of having all the precautions and importance is put in the preparation of this article, CottGroup® and member companies cannot be held liable of the application or interpretation of the information provided. It is strictly advised to consult a professional for the application of the above-mentioned subject. Prior to taking any action in regards the above, please consult your client representative if you are a customer of CottGroup® or consult to a relevant party.

This website is using cookies.
In this website, we use cookies to develop your user experience, obtain efficient work and track statistical data. You are agreeing to our use of cookies by browsing our website. Please review Çerezler (Cookies) page for detailed information of how we manage the cookies. This choice is valid for 30 days until you delete the cookies in your web browser.
x