2020 KVKK & GDPR August Newsletter Headings


For Information About the Important Decision Summaries of the Month

Click Here


For Information About the Information Guide of the Month

Click Here


For Information About the Legislation Analysis of the Month

Click Here

Your Time is Running Out

What is VERBIS?

For Further Information About Data Controllers' Registry Information System

Click Here

2020 KVKK & GDPR August Newsletter Decision Summaries of The Month and News

  • Penti Clothing Industry and Trade Co. and Its Subsidiaries Data Breach Notification
  • Barilla Gıda A.Ş. Data Breach Notification
  • Turkish Personal Data Protection Authority Published A Public Announcement Regarding The Introduction Form For Data Controllers
  • Kariyer.net Data Breach Notification
  • Dap Rotana Dalga ve Vazo Rezidans Toplu Yapı Yöneticiliği Data Breach Notification
  • Rezzan Günday (Şimşek Pharmacy) Data Breach Notification
  • What Is Brought with the Identity Sharing System Regulation?
  • The Danish Data Protection Authority Fined Privatbo 150.000 DKK for the Unintentional Disclosure of Personal Information
  • Administrative Fine for Rælingen Municipality by the Norwegian Data Protection Authority
  • About the Infringement
  • The Spanish Data Protection Authority (AEPD) Imposed a fine of 70.000 EUR to XFERA MOVILES for Disclosing a Customer's Personal Data to a Third Party
  • Spanish Data Protection Authority (AEPD) Imposed A Fine to Vodafone Spain of 75,000 EUR
  • Spanish Data Protection Authority (AEPD) Imposed a Fine of 1200 EUR for the Company for Ad Search to Data Subject Without Consent
  • Belgian Data Protection Authority Fined Proximus 20.000 EUR For Several Various Data Protection Breaches During The Processing Of Personal Data For The Purpose Of Publishing Public Phone Directories
  • Illegal And Discriminatory Methods Used By Dutch Tax And Customs Administration
  • CNIL Fined the Spartoo Which Recorded the Phone Calls Made with Customers for Employees’ Training
  • The Pilot Project of the South Wales Police Service ("SWP") Was Challenged Regarding the Lawfulness of the Use of Automatic Facial Recognition Technology ("AFR")
  • Data Breach by the Danish Data Protection Authority ('Datatilsynet') Itself on 20th August 2020

2020 KVKK & GDPR August Newsletter Information Guide

The Relation Between Electronic Messages and KVKK

As per the scope of the Law No. 6563 on the Regulation of Electronic Commerce (“Law”) and the Regulation on Commercial Communication and Electronic Commercial Messages ("Regulation"), the procedures and principles for commercial communication with recipients in electronic environment are set out. The legislation also includes essential regulations in terms of personal data.

In accordance with the Article 10 of the Law titled "Protection of Personal Data", the service provider or intermediary service provider is responsible for the security of the data obtained due to the transactions covered by the Law. Personal data cannot be transferred to third parties or used for other purposes without the consent of the data subject.

  • Personal Data Processing Conditions for Commercial Messages for Merchants-Tradesmen
  • Personal Data Processing Conditions for Commercial Messages for Individual Recipients
  • What Are the Methods to Obtain Explicit Consent for e-Messages within the Framework of KVKK?
  • Processing for Purposes Other than the Activity of Sending E-Message and Explicit Consent

Technical Measure: Labeling and Classification

According to the Article 12/1 of KVKK, data controllers have to take all necessary technical and administrative measures in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure that personal data are stored in accordance with the law.

These measures are elaborated in the Personal Data Security Guide published by the Authority and specified at the notification stage to VERBIS.

2020 KVKK & GDPR August Newsletter Legislation Analysis

KVKK Art. 11 – Rights of the Data Subject

The rights of the data subject are counted in the Article 11 of the Law No. 6698. These rights can only be used by the data subject; that is, except for the power of attorney, third parties other than the data subject cannot use these rights.

  1. Learn whether or not their personal data are being processed
  2. Request information in this respect, if personal data have been processed
  3. Obtain information with regards to the purpose of processing the personal data and find out whether personal data is being used in line with such purpose
  4. Obtain information about the third parties with whom personal data were shared domestically or abroad
  5. Request the correction of personal data that may be incompletely or inaccurately processed
  6. Request the deletion or destruction of personal data within the scope of the provisions set forth in the Article 7
  7. Request that the third parties to whom personal data are disclosed are informed about the transaction carried out pursuant to items (d) and (e)
  8. Object to the occurrence of a result which is to the detriment of the data subjects, by means of analyzing the personal data exclusively through automated systems
  9. Request compensation in the event that losses are sustained as a result of unlawful processing of personal data