The Law on the Protection of Personal Data entered into force by being published in the Official Gazette dated 24.03.2016. The law clarifies many issues such as the acquisition/storage of data, permissioned information, information sharing and limits. Complaint processes, sanctions and exceptions are of course still within the scope of the law.

However, not only as personal data; It is also necessary to look at them as legal entities, that is, institutions. The law also includes legal entities within the scope and becomes determinant in the collection, processing and sharing of data of institutions.

We would like to share with you the relevant sections of the law, which closely concerns all persons and legal entities whose scope is curious.

PERSONAL DATA PROTECTION LAW (12301)

Law Number : 6698

Accepted Date: 24/3/2016

Published in the R. Newspaper: Date: 7/4/2016 Issue: 29677

Published Code: Arrangement: 5 Volume: 57

FIRST PART

Purpose, Scope and Definitions

Aim

ARTICLE 1- (1) The purpose of this Law is to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data, and to regulate the obligations of natural and legal persons who process personal data and the procedures and principles to be followed.

Scope

ARTICLE 2- (1) The provisions of this Law shall apply to natural persons whose personal data are processed and to natural and legal persons who process this data fully or partially automatically or non-automatically provided that they are part of any data recording system.

Definitions

ARTICLE 3- (1) In the implementation of this Law;

a) Explicit consent: Consent on a specific subject, based on information and expressed with free will,

b) Anonymization: Making personal data incapable of being associated with an identified or identifiable natural person in any way, even by matching with other data,

c) Chairman: Chairman of the Personal Data Protection Authority,

ç) Relevant person: The real person whose personal data is processed,

d) Personal data: Any information relating to an identified or identifiable natural person,

e) Processing of personal data: Fully or partially automatic or any data recording

All kinds of operations performed on data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making it available, classifying or preventing its use, provided that it is a part of the system,

f) Board: Personal Data Protection Board,

g) Institution: Personal Data Protection Authority,

ğ) Data processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller, 12302

h) Data registration system: The registration system in which personal data is processed and structured according to certain criteria,

ı) Data controller: means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

SECOND PART

Processing of Personal Data

General principles

ARTICLE 4- (1) Personal data can only be processed in accordance with the procedures and principles stipulated in this Law and other laws.

(2) The following principles must be complied with in the processing of personal data:

a) Compliance with the law and honesty rules.

b) Being accurate and up-to-date when necessary.

c) Processing for specific, explicit and legitimate purposes.

ç) Being connected, limited and restrained with the purpose for which they are processed.

d) To be kept for the period required by the relevant legislation or for the purpose for which they are processed.

Terms of processing personal data

ARTICLE 5- (1) Personal data cannot be processed without the explicit consent of the person concerned.

(2) In the presence of one of the following conditions, it is possible to process personal data without seeking the explicit consent of the data subject:

a) It is clearly stipulated in the laws.

b) It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally valid.

c) It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.

ç) It is mandatory for the data controller to fulfill its legal obligation.

d) The person concerned has been made public by himself.

e) Data processing is mandatory for the establishment, exercise or protection of a right.

f) Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

Conditions for the processing of special categories of personal data

ARTICLE 6- (1) Data regarding the race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, disguise and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures. biometric and genetic data are special quality personal data.

(2) Processing of sensitive personal data without the explicit consent of the person concerned is prohibited. 12303

(3) Personal data other than health and sexual life listed in the first paragraph may be processed without seeking the explicit consent of the person concerned, in cases stipulated by the laws. Personal data related to health and sexual life can only be used for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, by persons or authorized institutions and organizations under the obligation of secrecy without seeking the explicit consent of the person concerned. can be processed.

(4) In the processing of personal data of special nature, it is also obligatory to take adequate measures determined by the Board.

Deletion, destruction or anonymization of personal data

ARTICLE 7- (1) Personal data is deleted, destroyed or anonymized by the data controller ex officio or upon the request of the data subject, in the event that the reasons requiring processing are eliminated, although it has been processed in accordance with the provisions of this Law and other relevant laws.

(2) The provisions in other laws regarding the deletion, destruction or anonymization of personal data are reserved.

(3) The procedures and principles regarding the deletion, destruction or anonymization of personal data are regulated by a regulation.

Transfer of personal data

ARTICLE 8- (1) Personal data cannot be transferred without the explicit consent of the person concerned.

(2) Personal data;

a) In the second paragraph of Article 5,

b) Provided that adequate measures are taken, it can be transferred without seeking the explicit consent of the person concerned, provided that one of the conditions specified in the third paragraph of Article 6 is met.

(3) Provisions in other laws regarding the transfer of personal data are reserved.

Transfer of personal data abroad

ARTICLE 9- (1) Personal data cannot be transferred abroad without the explicit consent of the person concerned.

(2) Personal data, the existence of one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6, and in the foreign country to which the personal data will be transferred;

a) The availability of adequate protection,

b) In the absence of sufficient protection, it can be transferred abroad without the explicit consent of the data subject, provided that the data controllers in Turkey and in the relevant foreign country undertake to provide adequate protection in writing and that the Board has permission.

(3) Countries with adequate protection are determined and announced by the Board. 12304

(4) The Board shall determine whether there is sufficient protection in the foreign country and whether a permit will be granted pursuant to subparagraph (b) of the second paragraph;

a) International conventions to which Turkey is a party,

b) The reciprocity of data transfer between the country requesting personal data and Turkey,

c) Regarding each concrete personal data transfer, the nature of the personal data, the purpose and duration of its processing,

ç) The relevant legislation and practice of the country to which the personal data will be transferred,

d) It decides by evaluating the measures undertaken by the data controller in the country where the personal data will be transferred, and by taking the opinion of the relevant institutions and organizations if needed.

(5) Personal data may be transferred abroad with the permission of the Board, only after obtaining the opinion of the relevant public institution or organization, in cases where the interests of Turkey or the relevant person would be seriously harmed, without prejudice to the provisions of international conventions.

(6) Provisions in other laws regarding the transfer of personal data abroad are reserved.

THIRD PART

Rights and Obligations

The obligation to inform the data controller

ARTICLE 10- (1) During the acquisition of personal data, the data controller or the person authorized by him/her;

a) Identity of the data controller and its representative, if any,

b) For what purpose the personal data will be processed,

c) To whom and for what purpose the processed personal data can be transferred,

ç) Method and legal reason for collecting personal data,

d) He is obliged to inform about his other rights listed in Article 11.

Rights of the person concerned

ARTICLE 11- (1) Everyone, by applying to the data controller;

a) Learning whether personal data is processed or not,

b) If personal data has been processed, requesting information about it,

c) Learning the purpose of processing personal data and whether they are used in accordance with its purpose,

ç) To know the third parties to whom personal data is transferred in the country or abroad,

d) Requesting correction of personal data in case of incomplete or incorrect processing, 12305

e) Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7,

f) Requesting notification of the transactions made pursuant to subparagraphs (d) and (e) to third parties to whom personal data has been transferred,

g) Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,

ğ) In case of loss due to unlawful processing of personal data, it has the right to demand the compensation of the damage.

Obligations regarding data security

ARTICLE 12- (1) Data controller;

a) To prevent the unlawful processing of personal data,

b) To prevent unlawful access to personal data,

c) It is obliged to take all kinds of technical and administrative measures to ensure the protection of personal data and to ensure the appropriate level of security.

(2) In case the personal data is processed by another real or legal person on his behalf, the data controller is jointly responsible with these persons for taking the measures specified in the first paragraph.

(3) The data controller is obliged to carry out or have the necessary inspections carried out in his own institution or organization in order to ensure the implementation of the provisions of this Law.

(4) Data controllers and data processors cannot disclose the personal data they have learned to others in violation of the provisions of this Law and cannot use them for purposes other than processing. This obligation continues even after they leave office.

(5) In case the processed personal data is obtained by others unlawfully, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its own website or by any other method it deems appropriate.

CHAPTER FOUR

Application, Complaint and Data Controllers Registry

Application to data controller

ARTICLE 13- (1) The person concerned submits his requests regarding the implementation of this Law to the data controller in writing or by other methods to be determined by the Board.

(2) The data controller concludes the requests in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board may be charged.

(3) The data controller accepts the request or rejects it by explaining its reason and notifies the relevant person in writing or electronically. In case the request in the application is accepted, the data controller fulfills its requirements.

In case the application is caused by the fault of the data controller, the fee collected is returned to the relevant person.

12306

complaint to the board

ARTICLE 14- (1) In cases where the application is rejected, the answer given is insufficient or the application is not answered in due time; The person concerned may file a complaint with the Board within thirty days from the date of learning the reply of the data controller and in any case within sixty days from the date of application.

(2) Pursuant to Article 13, no appeal can be made before the remedy has been exhausted.

(3) The right to compensation according to the general provisions of those whose personal rights are violated is reserved.

Procedures and principles of examination upon complaint or ex officio

ARTICLE 15- (1) The Board, upon complaint or ex officio if it learns about the alleged violation, makes the necessary examination on the matters falling under its jurisdiction.

(2) Notifications or complaints that do not meet the conditions specified in Article 6 of the Law on the Use of the Right to Petition dated 1/11/1984 and numbered 3071 shall not be examined.

(3) Except for information and documents that are in the nature of state secrets; The data controller is obliged to send the information and documents requested by the Board regarding the subject of examination within fifteen days and to enable on-site examination when necessary.

(4) Upon the complaint, the Board examines the request and gives an answer to the relevant parties. If no response is received within sixty days from the date of the complaint, the request is deemed to have been rejected.

(5) In the event that the existence of a violation is understood as a result of the examination made upon the complaint or ex officio, the Board decides that the illegal violations it detects will be eliminated by the data controller and notifies the relevant parties. This decision shall be fulfilled without delay and within thirty days at the latest, following the notification.

(6) If it is determined that the violation is widespread as a result of the examination made upon the complaint or ex officio, the Board takes a principle decision on this issue and publishes this decision. The Board may also take the opinions of relevant institutions and organizations, if it needs it, before taking a decision in principle.

(7) The Board may decide to suspend the processing of data or the transfer of data abroad, in the event that irreparable or impossible damages arise and there is a clear violation of the law.

Data Controllers Registry

ARTICLE 16- (1) Under the supervision of the Board, the Data Controllers Registry is kept open to the public by the Presidency.

(2) Natural and legal persons who process personal data must register with the Data Controllers Registry before starting data processing. However, the Board may make an exception to the obligation to register in the Data Controllers Registry, by taking into account the objective criteria to be determined by the Board, such as the nature and number of the processed personal data, the legal origin of the data processing or the transfer to third parties.

(3) The application for registration in the Data Controllers Registry is made with a notification containing the following:

a) Identity and address information of the data controller and its representative, if any.

b) The purpose for which personal data will be processed.

12307

c) Explanations about the data subject group and groups and the data categories of these persons.

ç) Recipient or recipient groups to whom personal data can be transferred.

d) Personal data intended to be transferred to foreign countries.

e) Measures taken regarding personal data security.

f) The maximum period required for the purpose for which personal data is processed.

(4) Changes in the information given pursuant to the third paragraph shall be immediately notified to the Presidency.

(5) Other procedures and principles regarding the Data Controllers Registry shall be regulated by regulation.

CHAPTER FIVE

Offenses and Misdemeanors

Crimes

ARTICLE 17- (1) The provisions of Articles 135 to 140 of the Turkish Penal Code dated 26/9/2004 and numbered 5237 are applied for crimes related to personal data.

(2) Contrary to the provision of Article 7 of this Law; Those who do not delete or anonymize personal data are punished according to Article 138 of the Law No. 5237.

misdemeanors

ARTICLE 18- (1) This Law;

a) From 5,000 Turkish Liras to 100,000 Turkish Liras for those who do not fulfill the obligation to inform as stipulated in Article 10,

b) From 15,000 Turkish liras to 1,000,000 Turkish liras for those who do not fulfill their obligations regarding data security stipulated in Article 12,

c) From 25,000 Turkish liras to 1,000,000 Turkish liras for those who do not fulfill the decisions given by the Board in accordance with Article 15,

ç) An administrative fine from 20,000 Turkish lira to 1,000,000 Turkish lira is imposed on those who violate the obligation to register and notify in the Data Controllers Registry stipulated in Article 16.

(2) Administrative fines stipulated in this article are applied to natural persons who are data controllers and legal entities of private law.

(3) In the event that the actions listed in the first paragraph are committed within the body of public institutions and organizations and professional organizations in the nature of public institutions, upon the notification to be made by the Board, in accordance with the disciplinary provisions regarding the civil servants and other public officials working in the relevant public institutions and organizations and those working in professional organizations with the nature of public institutions. action is taken and the result is reported to the Board.

CHAPTER SEVEN

Miscellaneous Provisions

Exceptions

ARTICLE 28- (1) The provisions of this Law shall not be applied in the following cases:

a) Processing of personal data by real persons within the scope of activities related to themselves or family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with.

_________________

(1) With the 119th article of the Law No. 7061 dated 28/11/2017, the phrase “consent of the judges and prosecutors themselves” has been added after the phrase “consent of other public officials institutions”.

12315

b) Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics.

c) Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.

ç) Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security.

d) Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.

(2) In accordance with the purpose and basic principles of this Law, Article 10, which regulates the obligation of disclosure of the data controller, Article 11, which regulates the rights of the data subject, with the exception of the right to demand the compensation of the damage, and Article 16, which regulates the obligation to register in the Data Controllers Registry, shall not be applied in the following cases:

a) The processing of personal data is necessary for the prevention of crime or for criminal investigation.

b) Processing of personal data made public by the person concerned.

c) If personal data processing is required by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions, for the execution of supervisory or regulation duties and for disciplinary investigation or prosecution, based on the authority given by the law.

ç) The processing of personal data is necessary for the protection of the economic and financial interests of the State regarding budget, tax and financial matters.

CPM Software Inc. As we will take all measures to protect your personal data and to protect them, you should rest assured that protecting your rights is our important priority and principle. Both the storage and use of data within the scope of the law, as well as the protection of all information and data belonging to your company are matters that we observe meticulously and are our priority.