2020 KVKK & GDPR July Newsletter Headings


For Information About the Important Decision Summaries of the Month

Click Here


For Information About the Information Guide of the Month

Click Here


For Information About the Legislation Analysis of the Month

Click Here

Your Time is Running Out

What is VERBIS?

For Further Information About Data Controllers' Registry Information System

Click Here

2020 KVKK & GDPR July Newsletter Decision Summaries of The Month and News

  • Decision Regarding Applications with Incomplete Procedures Submitted by Proxy by a Person
  • Decision Regarding the Use of Printouts of Medula Eczane by the Spouse of the Pharmacist Which Belong To Data Subject
  • Summary of the Decision on the "Complaint regarding the illegal processing and disclosure of the personal data of the data subject by the lawyer who carries out enforcement proceedings"
  • Summary of the Decision on the "Request for an opinion on whether a foreign bank having a representation office in our country will be regarded as data controller under the Law No. 6698 and whether obligated to be registered with the Data Controllers' Registry"
  • Delisting the Results of Search Engines in Searches Made Through Search Engines with Names and Surnames of the Data Subjects "Exercising the Right to be Forgotten"
  • Doctor Ataman Egemen Koyuncu – Data Breach Notification
  • Fluke Corporation and Fluke Electronics Corporation - Data Breach Notification
  • Mert Grup Sigorta Aracılık Hizmetleri Ltd. Şti. Data Breach Notification
  • Belgian Data Protection Authority Imposed a Fine on Google Belgium
  • Spanish Data Protection Authority Fines 25.000 EUR to Spanish Company Glovo
  • The Dutch Data Protection Authority Fined the Netherlands Credit Bureau with 830.000 EUR.
  • A Fine of 16.700.000 EUR Imposed on the Italian Telecommunications Operator Wind Tre S.P.A (WINDTRE)
  • Polish Data Protection Authority (UODO) Fines 15.000 PLN to Polish Company East Power
  • Personal Data Protection Authority (UODO) Fined the Polish General Inspector (Główny Geodeta) For a Sum of 100.000 PLN.
  • The Polish Data Protection Authority Imposed 5.000 PLN Penal Sanctions on Kindergarten And Preschool Education Institutions
  • Frequently Asked Questions on the Judgement of the Court of Justice of the European Union in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems
  • Baden-Württemberg State Commissioner for Data Protection and Freedom of Information Imposes Fine on AOK Baden-Württemberg

2020 KVKK & GDPR July Newsletter Information Guide

Administrative Measures – Obligation to Prepare Personal Data Processing Inventory and Register with VERBIS

As it is known, with the decision of the Board dated 23/06/2020 and numbered 2020/482, the deadlines of VERBIS registration have been extended and the deadline for natural and legal person data controllers with an annual number of employees more than 50 or with an annual financial balance exceeding 25 million TL, and the natural and legal person data controllers resident abroad to fulfill the obligation to register at the Registry has been determined as 30.09.2020. One of the obligations that depend on the registration obligation to VERBIS is to prepare a personal data processing inventory, and the fulfillment of this obligation requires a long-lasting determination study within the Organization. In other words, registration with VERBIS requires a detailed study and compliance with the Law No. 6698. In order to be ready for registration with VERBIS until 30.09.2020, it is recommended by the experts of the subject to start working within the Organization as soon as possible. You may access further information about preparing Personal Data Processing Inventory and registration with VERBIS via this link.

Technical Measure - Encryption and Key Management

According to the Article 12/1 of KVKK, data controllers have to take all necessary technical and administrative measures in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure that personal data are stored in accordance with the law.

These measures are elaborated in the Personal Data Security Guide published by the Authority and specified at the notification stage to VERBIS.

One of these measures is encryption.

The use of access control authorization and/or encryption methods will help ensure personal data security against the loss or theft of devices containing personal data.

In terms of protecting data integrity, appropriate cryptographic methods should be applied in order to prevent an unauthorized alteration on the personal data.

2020 KVKK & GDPR July Newsletter Legislation Analysis

GDPR - Article 17 – Right to be Forgotten

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

The right to be forgotten can be defined as the right of individuals to request the deletion of their personal data from the data controller. According to the Article 17 of the GDPR, the data subject has the right to request the deletion of his/her personal data from the data controller without any delay, and if one of the conditions set forth in the relevant article is valid, the data controller has the obligation to delete the personal data immediately. According to the Article 17;

Right To Be Forgotten In Türkiye

About the implementation of the Right To Be Forgotten, the Law No. 6698 (KVKK), the decision of the Personal Data Protection Board dated 23.06.2020 and numbered 2020/481, the Article 20 of the Constitution, the Law No. 5651 and the Decision of the Constitutional Court (AYM) about N.B.B. should be considered and handled together. In general, the Law No. 6698 and the decision of the Board adopt a GDPR-based view; however, in accordance with the Constitution and the general legal norms, the decision of the Constitutional Court given in regards is important in the exercise and implementation of the Right to be Forgotten.