2020 KVKK & GDPR October Newsletter Headings


For Information About the Important Decision Summaries of the Month

Click Here


For Information About the Information Guide of the Month

Click Here


For Information About the Legislation Analysis of the Month

Click Here

Have You Completed Your VERBIS Registration?

What is VERBIS?

For Further Information About Data Controllers' Registry Information System

Click Here

2020 KVKK & GDPR October Newsletter Decision Summaries of The Month and News

  • Public Announcement on the Transfer of Data Abroad
  • Decision of the Constitutional Court on Corporate E-mail Address Dated 14.10.2020
  • Vatan Bilgisayar Sanayi ve Ticaret A.Ş. – Data Breach Notification
  • Hanon Automotive Climate Sys. Manufacturing Industrial and Commercial Co. – Data Breach Notification
  • Hamburg Data Protection and Freedom of Information Commissioner Imposed a fine of 35.3 Million EUR on H&M for Data Breach
  • The Belgian Data Protection Authority Has Issued a Warning and Reprimand Penalty to a Regional Public Environmental Institution
  • The Norwegian Data Protection Authority Fines Bergen Municipality
  • The Lithuanian DPA Imposes Fine for Unlawfully Processed Personal Data of the Parents of an Adopted Child
  • The Norwegian DPA Fines Odin Flissenter for Performing a Credit Check of a Sole Proprietorship Without Having a Legal Basis for the Processing

2020 KVKK & GDPR October Newsletter Information Guide

Administrative Measures - Ensuring Physical Environment Security

In accordance with the Law on the Protection of Personal Data No.6698 (“KVKK”), natural and legal persons engaged in data processing activities are obliged to take administrative and technical measures regarding data processing activities. One of these administrative measures is to ensure the security of environments containing personal data. In addition to the technical measures to be taken to ensure the security of the digital environments where personal data are kept, it is essential to provide the security of physical environment in order to protect the data stored in devices or on paper. Certain monitoring methods can be used to ensure the security of physical environment, and various data recording systems can be set up. While taking this protection measure, the party engaged in data processing activity should not neglect other administrative and technical measures. Although not limited in number, some examples that can be taken to ensure physical environment security are listed as follows:
  • Security Cameras
  • Registering Visitors
  • Providing Additional Security Measures Inside or Outside the Organization
  • Providing Environments Resistant to Disasters Such as Fire/Flood
  • Other Aspects to Consider When Working Remotely During Pandemic

Technical Measures - Transferring Sensitive Personal Data Transferred to Removable Memory, CD, DVD with Encryption

According to the Article 12/1 of KVKK, data controllers have to take all necessary technical and administrative measures in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure that personal data are stored in accordance with the law.

These measures are elaborated in the Personal Data Security Guide published by the Authority and specified at the notification stage to VERBIS.

One of these measures is to transfer of sensitive personal data transferred to portable memory, CD, DVD media with encryption.

Organizations are most likely to use removable memories and store their backups on DVDs in terms of tracking their daily operations and ease of access.

In addition to being protected against attacks that may come from outside, organizations should also be prepared against any data breach that may occur internally.

The most important step in preventing data breaches that may occur internally is to prevent the data of the organization from leaking out.

2020 KVKK & GDPR October Newsletter Legislation Analysis

Processing Data Based on Legitimate Interest Within the Scope of Article 5 of KVKK and Article 6 of GDPR

Article 5 of KVKK - Conditions for processing personal data


(2) Personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:


f) it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.


Article 6 of GDPR - Lawfulness of processing

(1)Processing shall be lawful only if and to the extent that at least one of the following applies.


f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.


The fact that data processing is mandatory for the legitimate interests of data controllers is a legal reason for such data processing activity, provided that it does not harm the fundamental rights and freedoms of the data subject in KVKK and GDPR. On the other hand, both KVKK and GDPR do not include the definition of legitimate interest, this concept has been clarified with the decisions and guidelines of the Data Protection Authorities. Data controllers should evaluate the concrete situation regarding any data processing activity and determine the appropriateness of the legitimate interest as a legal reason.

Legitimate interest generally constitutes an appropriate legal reason for data processing activities that fall within the reasonable expectation of the data subjects and have minimal impact on privacy. The issues regarding the legitimate interest assessment in the light of the decision of the Turkish Personal Data Protection Board dated 25/03/2019 and numbered 2019/78, the opinions of the Working Group 29 and the reasons of the GDPR article are as follows: