2020 KVKK & GDPR November Newsletter Decision Summaries of The Month and News

  • Board Decision About an Association for Sending Short Messages to the Data Subject for Advertising Purposes Without Obtaining Explicit Consent
  • UPİ Trans Dış Ticaret A.Ş. - Data Breach Notification
  • Kale Holding A.Ş. and Group Companies - Data Breach Notification
  • Çizgi Telekomünikasyon A.Ş. - Data Breach Notification
  • EDPB Has Made Its Initial Decision Regarding Dispute Resolution Between Supervisory Authorities of Member Countries within the Scope of Article 65 of GDPR
  • Italian Data Protection Authority Fines Vodafone
  • Spanish Data Protection Authority Fines Telefónica Móviles España
  • Norwegian Data Protection Authority Fines Østfold HF Hospital

2020 KVKK & GDPR November Newsletter Legislation Analysis

The Principle of Purpose Limitation in the Scope of Article 4 of KVKK and Article 5 of GDPR

Article 4 of KVKK – General Principles

...

(2) The following principles shall be complied with in the processing of personal data:

...

c) Being processed for specific, explicit and legitimate purposes.

***

Article 5 of GDPR - Principles relating to processing of personal data

1. Personal data shall be:

...

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; … (‘purpose limitation’);

***

A set of principles has been determined on the basis of the rules regarding the protection of personal data. These principles constitute the framework that surrounds all rules on the protection of personal data and affects every activity of those to whom the rules are addressed. Acting in accordance with the principles is a general obligation, and violating them is subject to penalties under the relevant rules. Purpose limitation is one of these principles, included in Article 4 of KVKK and Article 5 of GDPR.

According to the principle of purpose limitation, data controllers are required to process data only for specific, legitimate and explicit purposes. Data controllers should be clear about their data processing activities and their operations on data should be in line with the expectations of the data subject. In this respect, data controllers should clearly state their purposes for data processing both in their internal records and when providing information to the data subject.

The principle of purpose limitation is closely related to the principles of fairness, lawfulness and accountability. Being specific and clear about the purposes for which the data is processed ensures that the conditions of these other principles are also met; conversely, not limiting the use of the data to a defined purpose creates incompatibility with these principles.

Accordingly, data controllers shall:

  • Be clear about why and for what purposes they collect the personal data in question,
  • Prepare and keep the necessary documentation in which the objectives are explicitly stated,
  • Be transparent to the data subjects regarding the purposes,
  • If a purpose other than the one for which the data was obtained emerges, ensure that this second purpose is lawful.