IN FULFILLMENT OF THE DISCLOSURE OBLIGATION
COMMUNIQUÉ ON THE PROCEDURES AND PRINCIPLES TO BE FOLLOWED
Purpose and scope
ARTICLE 1 – (1) The purpose of this Communiqué is to determine the procedures and principles to be followed within the scope of the disclosure obligation to be fulfilled by the data controllers or the persons authorized by them in accordance with Article 10 of the Personal Data Protection Law No. 6698 dated 24/3/2016.
Underlying
ARTICLE 2 – (1) This Communiqué has been prepared on the basis of subparagraphs (e) and (g) of the first paragraph of Article 22 of the Law on the Protection of Personal Data No. 6698.
Definitions
ARTICLE 3 – (1) In this Communiqué;
a) Recipient group: The category of natural or legal person to whom the personal data are transferred by the data controller,
b) Relevant person: The natural person whose personal data is processed,
c) Law: The Law on the Protection of Personal Data dated 24/3/2016 and numbered 6698,
ç) Board: Personal Data Protection Board,
d) Authority: Personal Data Protection Authority,
e) Registry: The Registry of Data Controllers maintained by the Presidency,
f) Data recording system: Any medium in which personal data is processed by fully or partially automated means or by non-automatic means provided that it is part of any data recording system,
g) Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system,
ğ) Data controller representative: The legal entity resident in Turkey or the natural person who is a citizen of the Republic of Turkey authorized to represent the data controllers who are not resident in Turkey in the matters specified in the second paragraph of Article 11 of the Regulation on the Registry of Data Controllers published in the Official Gazette dated 30/12/2017 and numbered 30286
expresses.
(2) The definitions in the Law shall be valid for the definitions not included in this Communiqué.
Scope of the disclosure obligation
ARTICLE 4 – (1) According to Article 10 of the Law; During the acquisition of personal data, the data controllers or the persons authorized by them must inform the relevant persons. While fulfilling this obligation, the information to be made by the data controllers or the persons authorized by them should include at least the following issues:
a) The identity of the data controller and, if applicable, his representative,
b) The purpose for which the personal data will be processed,
c) To whom and for what purpose the personal data may be transferred,
ç) The method and legal reason for collecting personal data,
d) Other rights of the data subject listed in Article 11 of the Law.
Procedures and principles
ARTICLE 5 – (1) The following procedures and principles must be followed during the fulfillment of the disclosure obligation by the data controller or the person authorized by him by using physical or electronic media such as verbal, written, voice recording, call center:
a) The obligation to inform must be fulfilled in all cases where personal data is processed subject to the explicit consent of the person concerned or other processing conditions in the Law.
b) When the purpose of personal data processing changes, the obligation to inform for this purpose must be fulfilled separately before the data processing activity.
c) If personal data is processed for different purposes in different units of the data controller, the obligation to inform must be fulfilled separately in each unit.
ç) In the event that there is an obligation to register in the Register, the information to be provided to the person concerned within the framework of the disclosure obligation must be compatible with the information disclosed in the Register.
d) The fulfillment of the disclosure obligation does not depend on the request of the person concerned.
e) The proof that the disclosure obligation has been fulfilled belongs to the data controller.
f) If the personal data processing activity is carried out on the basis of explicit consent, the disclosure obligation and the procedures of obtaining explicit consent must be fulfilled separately.
g) The purpose of personal data processing to be disclosed within the scope of the disclosure obligation must be specific, clear and legitimate. While fulfilling the obligation to clarify, general and ambiguous statements should not be included. Expressions that give rise to the opinion that personal data can be processed for other purposes that are likely to come up should not be used.
ğ) The notification to be made to the relevant person within the scope of the disclosure obligation must be carried out using a clear, clear and simple language.
h) What is meant by the "legal reason" in the first paragraph (ç) of Article 10 of the Law is on which basis the personal data are processed within the scope of the disclosure obligation on the basis of the processing conditions specified in Articles 5 and 6 of the Law. During the fulfillment of the disclosure obligation, the legal reason must be clearly stated.
i) Within the scope of the disclosure obligation, the purpose of the transfer of personal data and the recipient groups to be transferred should be specified.
i) Within the scope of the disclosure obligation, it must be clearly stated whether the personal data is obtained by fully or partially automatic means or by non-automatic methods, provided that it is part of the data recording system.
j) While fulfilling the obligation to disclose, incomplete, misleading and false information should not be included.
Obligation to clarify if personal data is not obtained from the data subject
ARTICLE 6 – (1) In the event that personal data is not obtained from the relevant person;
a) Within a reasonable period of time from the acquisition of the personal data,
b) If the personal data will be used for the purpose of communication with the person concerned, during the first contact,
c) If personal data is to be transferred, at the latest at the time of the first transfer of personal data
the obligation to inform the person concerned must be fulfilled.
Effective
ARTICLE 7 – (1) This Communiqué shall enter into force on the date of its publication.
Execution
ARTICLE 8 – (1) The provisions of this Communiqué are executed by the President of the Personal Data Protection Authority.