PERSONAL DATA PROTECTION LAW - III

CONCEPTS OF DATA CONTROLLER AND RELEVANT PERSON

DATA CONTROLLER

A data controller is defined under Law No. 6698 on the Protection of Personal Data as "the natural or legal person responsible for determining the purposes and means of processing personal data and for establishing and managing the data recording system." Therefore, the data controller is responsible for all decisions regarding how personal data will be processed, which personal data will be processed, and how the data will be transferred domestically or internationally. The data controller is obligated to take all necessary technical and administrative measures to prevent the unlawful processing of personal data and unlawful access to this data, and to ensure the appropriate level of security to ensure the safeguarding of personal data. Furthermore, the data controller is authorized to conduct the necessary audits within its own institution and organization regarding the implementation of these measures. The data controller may not disclose personal data it learns about the relevant person in violation of Law No. 6698 on the Protection of Personal Data and is obligated to notify the relevant person and the institution as soon as it learns that this data has been accessed or processed by someone else. The responsibility placed on data controllers is significant.

The duties of data controllers are listed in the Personal Data Protection Law No. 6698. Accordingly, data controllers;

a) To inform people about the identity of the data controller and its representative, if any.

b) To inform the relevant persons about the purposes for which personal data will be processed.

c) To inform the data owner about to whom, how and for what purpose the processed personal data can be transferred.

d) To inform the relevant persons about the methods and legal reasons for collecting personal data.

d) It is obliged to inform the relevant persons about the other rights of the relevant persons listed in Article 11 of the Law on the Protection of Personal Data No. 6698.

Data controllers are subject to audits to determine whether they fulfill these burdensome duties. Before processing data, data controllers must register with the Data Controllers Registry, stating the purposes for which personal data will be processed and the conditions under which the data may be transferred. However, the Personal Data Protection Board may grant exceptions to the requirement to register with the Data Controllers Registry based on objective criteria determined by the Board, such as the nature and quantity of personal data processed, the legal basis for processing, or the transfer to third parties.

CONTACT PERSON

Individuals whose personal data is processed are considered data subjects under Law No. 6698 on the Protection of Personal Data. We've already discussed the importance of personal data and the stringent requirements it faces for processing and transfer. Therefore, the legislature has implemented measures to protect data subjects. Data subjects have the opportunity to learn how their data will be processed and where it will be transferred by contacting the data controller.

The person concerned;

a) To learn whether or not your personal data is being processed,

b) To request information regarding the processing of personal data, if such data has been processed,

c) To learn the purpose of processing personal data and whether they are used in accordance with their purpose,

d) To learn the third parties to whom personal data is transferred, either domestically or abroad,

d) To request correction of personal data in case it is processed incompletely or incorrectly,

e) Request the deletion or destruction of personal data within the framework of the conditions stipulated under the title “Deletion, Destruction or Anonymization of Personal Data” in Article 7 of the Law on the Protection of Personal Data No. 6698,

f) To request that the actions taken in accordance with the provisions regarding the correction, deletion or destruction of personal data be notified to third parties to whom personal data has been transferred,

g) To object to the emergence of a result to the detriment of the person himself/herself, by means of analysis of the processed data exclusively through automated systems,

g) In case of any damage caused by the unlawful processing of personal data, the person has the right to demand compensation for the damage.

APPLICATION TO THE DATA CONTROLLER AND COMPLAINT TO THE PERSONAL DATA PROTECTION AGENCY

The data subject whose data is processed has the right to submit their requests to the data controller, within the framework of their rights stipulated in Law No. 6698 on the Protection of Personal Data, through a method (written, verbal, etc.) determined by the Personal Data Protection Authority. The data controller is obligated to resolve these requests within the most reasonable timeframe and within the latest 30-day period stipulated by the legislature as a regulatory requirement. As a rule, resolving data subject requests is free of charge, but in some cases, an additional cost may be required for the processing. In such cases, a fee specified in the tariff may be charged by the Personal Data Protection Authority. The data controller may accept or reject the data subject's request, but in the event of a rejection, the data controller must explain the reason and notify the data subject. If the request was caused by the data controller's error and additional costs were incurred for the processing and collected from the data subject, this fee will be refunded to the data subject.

If a data subject requests a data controller pursuant to their rights stipulated in Law No. 6698 on the Protection of Personal Data, and if their request is rejected, the response is deemed inadequate, or the application is not responded to within the timeframe, they may file a complaint with the Personal Data Protection Board, the next higher authority, within sixty days. After sixty days, this right to complain lapses. However, the fundamental requirement for filing a complaint is to first apply to the data controller. Applications cannot be made to the Personal Data Protection Board without first applying to the data controller. If, based on the decision of the Personal Data Protection Board, a violation of a personal right occurs, the right to seek compensation arises in accordance with general provisions.