2020 KVKK & GDPR June Newsletter Headings


For Information About the Important Decision Summaries of the Month

Click Here


For Information About the Information Guide of the Month

Click Here


For Information About the Legislation Analysis of the Month

Click Here

Your Time is Running Out

What is VERBIS?

For Further Information About Data Controllers' Registry Information System

Click Here

2020 KVKK & GDPR June Newsletter Decision Summaries of The Month and News

  • Summaries of Various Decisions of the Turkish Personal Data Protection Board on the Data Breach in the Risk Center by Various Factoring Companies
  • Summary of the Decision of the Turkish Personal Data Protection Board on a Gaming Company's Data Breach Notification
  • Summary of the Decision of the Turkish Personal Data Protection Board on a Bank's Data Breach Notification
  • Deadlines for VERBIS Registration Have Been Extended
  • Public Announcement Regarding Fulfillment of the Disclosure Obligation dated 26.06.2020
  • Halk Sigorta – Data Breach Notification
  • Sezgi Dental Ağız ve Diş Sağlığı Polikliniği – Data Breach Notification
  • AvivaSA Emeklilik ve Hayat A.Ş. – Data Breach Notification
  • Avon Türkiye – Data Breach Notification
  • Finnish Data Protection Board Imposed Administrative Fine to Taxi Helsinki Oy
  • Penalty for Local Election Candidate in Belgium
  • Penalty Fine from the Spanish Data Protection Authority to a Company Named Iberdrola
  • An Administrative Fine Was Issued on an Association in Belgium
  • Belgian Data Protection Authority Fines 10,000 Euros to a Data Controller
  • In Belgium, An Administrative Fine Has Been Imposed to the Data Controller Who Failed to Respond to the Data Subject's Request for Information
  • Covid-19 Contact Tracking Application Suspended in Norway
  • Fines were imposed to a Residential Cooperative Housing Association in Sweden

2020 KVKK & GDPR June Newsletters Information Guide

Administrative Measures – Compliance on Fundamental Principles of the Law

There are fundamental principles relating to the processing of personal data which have been recognized in international regulations, in particular regulations of the European Union including the European Convention on Human Rights and which are reflected in the national law of many countries. Although these general principles have been regulated within the constitutional framework in our national law, the process and procedures concerning the processing of personal data are regulated in the Article 4 of the Law under “General Principles” and clear legislations have been introduced in line with the European Treaty Series - No. 108. Convention for the Protection of Individuals regarding Automatic Processing of Personal Data and GDPR. The principles listed below relating to the processing of personal data should be at the core of all personal data processing activities and all personal data processing activities should be carried out in accordance with these principles. Basically, the core of all measures to be taken for the protection and processing of personal data consists of these general principles. All administrative or technical measures to be taken are either measures to ensure these general principles or are based on these principles.

Technical Measures – Performing Back Up

According to the Article 12 and Paragraph 1 of KVKK, data controllers must take all necessary technical and administrative measures in order to prevent unlawful processing of personal data, prevent unlawful access to personal data and to protect personal data in accordance with the law. These measures are elaborated in the Personal Data Security Guideline published by the Authority and specified in the notification phase to VERBIS.

One of the measures is to perform back up and provide the security of backed up personal data.

Back-up of Personal Data is required to prevent the probability of damage, disappearance, theft or loss of personal data for any reason whatsoever. In this way, data controllers can act as soon as possible by making use of the data which have been backed-up.

2020 KVKK & GDPR June Newsletters Legislation Analysis

Article 10 – Disclosure Obligation of the Data Controller

Law No. 6698 on the Protection of Personal Data ("KVKK") stipulates that with Article 10, data subjects will be informed regarding data processing activities about themselves. This institution takes places in the Law as an obligation for data controllers, and as a right for data subjects. This obligation is one of the mandatory requirements for the processing of personal data.

The Authority touched upon the importance of the disclosure obligation in both their decisions and other opinions they have reported and published several publications to correct the mistakes made in the application.

In addition, the provision of administrative fines on the failure to fulfill the disclosure obligation in item (a) of the Article 18 of the Law shows the importance of the issue.