2020 KVKK & GDPR May Newsletter Headings

Decision
Summaries

For Information About the Important Decision Summaries of the Month

Click Here

Information
Guide

For Information About the Information Guide of the Month

Click Here

Legislation
Analysis

For Information About the Legislation Analysis of the Month

Click Here

Your Time is
Running Out

What is VERBIS?

For Further Information About Data Controllers' Registry Information System

Click Here

2020 KVKK & GDPR May Newsletter Decision Summaries of The Month and News

  • Board Decision on the data controller, who provides gym services, making the control of entrance and exit of its members by processing biometric data
  • Data Controllers to Be Exempted From The Registration Obligation to the Data Controllers' Registry
  • Review of Board Decision
  • Decision on Data Breach Notification by an Internet Service Provider
  • Announcement Regarding The Points To Be Considered In The Letters Of Undertaking To Be Prepared In Personal Data Transfer Abroad
  • A Guide to “False Facts” Published by the Turkish Personal Data Protection Authority
  • EasyJet Plc (EasyJet) – Data Breach Notification
  • Making HES Code Mandatory in Domestic Flights
  • Swedish Data Protection Authority Imposes Administrative Fine on The Health Committee at Örebro District
  • Danish Data Protection Authority Imposed an Administrative Fine of 50.000 DKK to a Recruitment Company Named JobTeam
  • Information on Remote Education and Examinations by the French Data Protection Board (CNIL)
  • The Belgian Data Protection Authority Imposed a Fine of 50,000 Euros to One of the Social Networks
  • The Dutch Data Protection Authority Published a Second Opinion on Measuring Temperature at the Workplace
  • The Amendment of Application in EDPB For the Evaluation of Data Breaches
  • The Topic of Protection of Personal Data Has Also Taken Place in the Guidelines on the Restart of Tourism Services Gradually and Health Protocols Published by the European Union Commission (EC)
  • French Council of State Suspended the Use of Drone Within the Scope of Covid-19 Measures
  • Administrative Fines from Finnish Data Protection Board to 3 Companies

2020 KVKK & GDPR May Newsletters Information Guide

Application To The Data Controller And Complaint To The Board

The rights of the data subject are counted in the 11th article of the Law No. 6698. These rights are those that are strictly bound to the person whose personal data regarding the implementation of this Law will be used against the data controller of the data subject. In other words, the relevant rights can only be used by the data subject on his behalf; it cannot be used on behalf of someone else (if there is no representation relationship between the data controller and the data subject).

Application To The Data Controller

The rights of the data subject are counted in the 11th article of the Law No. 6698. These rights are those that are strictly bound to the person whose personal data regarding the implementation of this Law will be used against the data controller of the data subject. In other words, the relevant rights can only be used by the data subject on his behalf; it cannot be used on behalf of someone else (if there is no representation relationship between the data controller and the data subject). The data controller should respond to these requests submitted to him as soon as possible or within 30 days as stated in the Law; otherwise the right of the person to complain to the Board will arise. The point to be considered in terms of the data subject is that the application ways to the data controller should all be used, and the complaint should not be made directly to the Board.

Complaint To The Board

If the data subject finds the reply of the data controller inadequate within the aforementioned timeframe, the application is not answered by the data controller or the application is rejected; the data subject has the right to make a complaint to the Board within 30 days. This right is also strictly bound to the data subject such as the application to the data controller and can only be used by the data subject.

Technical Measure: Application Security

According to the Article 12 and Paragraph 1 of KVKK, data controllers must take all necessary technical and administrative measures in order to prevent unlawful processing of personal data, prevent unlawful access to personal data and to protect personal data in accordance with the law. These measures are elaborated in the Personal Data Security Guideline published by the Authority and specified in the notification phase to VERBIS.

2020 KVKK & GDPR May Newsletters Legislation Analysis

ARTICLE 9/4 Of By-Law On Data Controllers’ Registry

In the Article 4 of the Law No. 6698, the principle of keeping personal data as long as required by the legislation or necessary for the purpose for which they are processed is set out. In accordance with this principle, in case the reasons requiring the processing of personal data disappear, the necessity of being destructed ex officio or at the request of the data subject is regulated in the article 7 of the Law. As can be seen, there are two criteria for determining the retention periods of personal data: one of them is the time prescribed in the legislation; and if a period is not prescribed in the legislation, it is the period of time required for the purpose for which they are processed. In this regard, the Authority does not make a direct orientation to the data controllers or assign this period for how long they can store personal data. If no period is prescribed in the relevant law, then the data controllers should specify this period themselves and when determining the retention period, the criteria specified in the article 9 of the By-Law on the Data Controllers' Registry should be taken into consideration.