2020 KVKK & GDPR September Newsletter Headings


For Information About the Important Decision Summaries of the Month

Click Here


For Information About the Information Guide of the Month

Click Here


For Information About the Legislation Analysis of the Month

Click Here

Have You Completed Your VERBIS Registration?

What is VERBIS?

For Further Information About Data Controllers' Registry Information System

Click Here

2020 KVKK & GDPR September Newsletter Decision Summaries of The Month and News

  • Appointment of the Same Natural Person as Contact Person for More Than One Data Controller Residing Abroad
  • The Personal Data Protection Authority Published the Decision Summary on Personal Data Transfer to Abroad Pursuant to the Convention no. 108
  • Board Decision Concerning Housing Estate Managements in Line with the KVKK No. 6698 and the Condominium Law no. 634
  • The Decision in a Case Where the Father of an Data Subject Who Is A Minor Applies to the Data Controller for the Destruction of the Medical Report of that Data Subject
  • Board Decision for the Use of Biometric Signature Data
  • Public Announcement on VERBIS Registration Obligation
  • Yalova Municipality Data Breach Notification
  • PSL Elektronik San. ve Tic. A.Ş. Data Breach Notification
  • Polish Data Protection Authority imposed a fine of 100,000PLN on Polish General Surveyor
  • Polish Data Protection Authority imposed a sanction on a School for Processing of Students’ Data Through Survey
  • Hungarian Data Protection Authority penalized the publisher of the Hungarian edition of the Forbes in the amount of 4,5 Million Forint
  • Polish DPA Fines Warsaw University of Life Sciences
  • Norwegian Data Protection Authority Imposed a Fine of 37.400 EUR on the Norwegian Public Roads Administration
  • Finnish DPA imposed a Financial Sanction on a Company for Carrying Out Electronic Marketing Without Obtaining Prior Consent and by Violating Rights of Data Subjects

2020 KVKK & GDPR September Newsletter Information Guide

Administrative Measure: Information Obligation and Transparency Principle under the GDPR and the KVKK

Within the personal data processing activities, a data controller should be transparent in its relations with the data subject. Data subject should be given a clear, understandable and honest information about the aspects of the data processing operation. This principle applies to all rights and obligations under the applicable laws as it affects all processing operations by the data processor. This concept, referred as "transparency" in international literature, manifests itself in the privacy (information) notice obligation of the data controller in national literature.

Article 5 of the GDPR introduces 7 basic principles in data processing. These principles, including transparency, are the principles that encompass the processing of personal data within legal limits and shape up the data protection regime. These principles may only be restricted by those laws to be enacted by Member States of European Union provided that they are necessary and proportionate in the democratic social order without interfering with fundamental rights and freedoms.

Pursuant to Article 5 of the GDPR, personal data should be processed lawfully, fairly and transparently. Lawful and fair processing was already addressed in international regulations prior to GDPR and regulations concerning transparency completed the last leg of these three principles. In other words, these three principles are inseparable. According to the general acceptance in the European Union Law, if data controller processes data unlawfully or unfairly, it will be deemed to have violated all these principles.

Technical Measure: Usage Updated Antivirus Systems

According to Article 12/1 of KVKK, data controllers have to take all necessary technical and administrative measures in order to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to ensure that personal data are stored in accordance with the law.

These measures are set out in the Personal Data Security Guide published by the Authority and specified during the notification stage on VERBIS.

One of these measures is the usage of up-to-date anti-virus systems.

The Data Security Guideline published by the Authority prescribes that in order to protect one’s systems against malware, certain anti-virus and anti-spam products should be used to regularly scan the information system network and identify risks; that it would not suffice to merely set up these products as they need to be constantly updated to make sure that necessary files are regularly scanned.

Anti-virus programs should be installed and to be ensured to have it kept up to date to identify malware within the organization to ensure cyber-security.

2020 KVKK & GDPR September Newsletter Legislation Analysis

The Processing of Sensitive Personal Data for a Valid Legal Reason and Adoption of Protective Measures at Adequate Level

As it is known, sensitive personal data are subject to special protective measures and data processing conditions as per the Law. According to the Third Paragraph of Article 6 of the Law, sensitive personal data other than personal data related to health and sexual life may be processed only if the data subject gives his explicit consent and it is expressly prescribed in the law, meaning that unlike other ordinary personal data, it is not possible to process such data for the purposes of entering into or performing a contract, actual impossibility, performance of legal obligations, legitimate interest of data controller, assertion, use or protection of a right.

Sensitive personal data may be processed without the explicit consent of the data subject only if the processing is expressly prescribed in the applicable laws and it is understood from the applicable regulation that the processing of such sensitive personal data is necessary. For instance, this requirement is evident in the regulation in Article 67 of the Social Security and General Health Insurance Law no. 5510 as it stipulates that biometric data should be obtained in order to benefit from health services.

Another condition set out in Paragraph 4 of Article 6 of the Law in order to process sensitive personal data is the adoption of an adequate level of measures. Methods of taking these measures are described in the decision taken by the Authority on 31.01.2018 under no. 2018/10 as follows:

According to the relevant resolution, it is necessary to;

  • Determine a separate manageable and sustainable policy and procedure for the security of sensitive personal data, which is systematic, and which features clear rules,
  • With regards to employees who are involved in the processing of sensitive personal data;
  • Provide regular trainings relating to the Law and the relevant regulations as well as security of the sensitive personal data,
  • Execute confidentiality agreements,
  • Define the scope of powers and terms in a clear manner for the users who are authorized to access the data,
  • Carry out periodical...