at acerca

Personal Data Protection Law

Law No: 6698

PERSONAL DATA PROTECTION LAW

March 24, 2016

Publication and Announcement in the Official Gazette: 7 April 2016 - Issue: 29677

FIRST PART

Purpose, Scope and Definitions

Aim

ARTICLE 1 - (1) The purpose of this Law is to protect the fundamental rights and freedoms of individuals, particularly the privacy of private life, in the processing of personal data, and to regulate the obligations of natural and legal persons who process personal data and the procedures and principles to be followed.

Scope

ARTICLE 2 - (1) The provisions of this Law shall apply to natural persons whose personal data are processed and to natural and legal persons who process this data fully or partially automatically or non-automatically provided that they are part of any data recording system.

Definitions

ARTICLE 3 - (1) In the implementation of this Law;

a)    Explicit consent: Consent about a specific subject, based on information and expressed with free will,
b)    Anonymization: Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching with other data,
c)    President: President of the Personal Data Protection Authority,
ç) Relevant person: The real person whose personal data is processed,
d)    Personal data: Any information relating to an identified or identifiable natural person,
e)    Processing of personal data: Obtaining, recording, storing personal data fully or partially automatically or non-automatically provided that it is a part of any data recording system, all kinds of operations performed on data such as keeping, changing, rearranging, disclosing, transferring, taking over, making it available, classifying or preventing its use,
i) Board: Personal Data Protection Board,
g)    Institution: Personal Data Protection Authority,
ğ) Data processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller,
h)    Data recording system: The recording system in which personal data are processed and structured according to certain criteria,
ı) Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system,
means.

SECOND PART

Processing of Personal Data

General principles

ARTICLE 4 - (1) Personal data can only be processed in accordance with the procedures and principles stipulated in this Law and other laws.
(2)    The following principles must be complied with in the processing of personal data:
a)    Compliance with the law and good faith.
b)    Being accurate and up to date when needed.
c)    Processing for specific, explicit and legitimate purposes.
ç) Being connected, limited and restrained with the purpose for which they are processed.
d)    Preservation for as long as required by the relevant legislation or for the purpose for which they are processed.

Terms of processing personal data

ARTICLE 5 - (1) Personal data cannot be processed without the explicit consent of the person concerned.
(2)    In the presence of one of the following conditions, it is possible to process personal data without seeking the explicit consent of the data subject:
a)    expressly stipulated in laws.
b)    Being obligatory for the protection of life or bodily integrity of himself or another person who is unable to express his consent due to actual impossibility or whose consent is not given legal validity.
c)    It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
ç) It is mandatory for the data controller to fulfill its legal obligations.
d)    It has been made public by the person concerned.
e)    Data processing is mandatory for the establishment, exercise or protection of a right.
f)    Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.

Conditions for the processing of special categories of personal data

ARTICLE 6 - (1) Data of individuals regarding their race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, disguise and clothing, membership in associations, foundations or unions, health, sexual life, criminal convictions and security measures. biometric and genetic data are special quality personal data.
(2)    It is forbidden to process sensitive personal data without the explicit consent of the person concerned.
(3)    Personal data other than health and sexual life listed in the first paragraph may be processed without seeking the explicit consent of the person concerned, in cases stipulated by the laws. Personal data related to health and sexual life can only be used for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, by persons or authorized institutions and organizations under the obligation of secrecy without seeking the explicit consent of the person concerned. can be processed.
(4)    In the processing of personal data of special nature, adequate measures determined by the Board must also be taken.

Deletion, destruction or anonymization of personal data

ARTICLE 7 - (1) Personal data is deleted, destroyed or anonymized by the data controller ex officio or upon the request of the data subject, in the event that the reasons requiring processing are eliminated, although it has been processed in accordance with the provisions of this Law and other relevant laws.
(2)    Provisions in other laws regarding the deletion, destruction or anonymization of personal data are reserved.
(3)    The procedures and principles regarding the deletion, destruction or anonymization of personal data are regulated by a regulation.

Transfer of personal data

ARTICLE 8 - (1) Personal data cannot be transferred without the explicit consent of the person concerned.
(2)    Personal data;
a)    in the second paragraph of Article 5,
b)    In the third paragraph of Article 6, provided that adequate precautions are taken,
In case of existence of one of the conditions specified, it can be transferred without seeking the explicit consent of the person concerned.
(3)    Provisions in other laws regarding the transfer of personal data are reserved.

Transfer of personal data abroad

ARTICLE 9 - (1) Personal data cannot be transferred abroad without the explicit consent of the person concerned.
(2)    Personal data, the existence of one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 and in the foreign country to which the personal data will be transferred;
a)    Availability of adequate protection,
b)    In the absence of adequate protection, data controllers in Turkey and the relevant foreign country undertake in writing to provide adequate protection and the Board has permission,
may be transferred abroad without seeking the explicit consent of the person concerned, provided that the
(3)    Countries with adequate protection are determined and announced by the Board.
(4)    The Board determines whether there is adequate protection in the foreign country and whether permission will be granted in accordance with paragraph (b) of the second paragraph;
a)    International agreements to which Turkey is a party,
b)    The reciprocity of data transfer between the country requesting personal data and Turkey,
c)    The nature of personal data, the purpose and duration of its processing in relation to each concrete personal data transfer,
ç) The relevant legislation and practice of the country to which the personal data will be transferred,
d)    Measures committed by the data controller in the country to which personal data will be transferred,
and, if needed, by taking the opinion of the relevant institutions and organizations.
(5)    Personal data, without prejudice to the provisions of international conventions, in cases where the interests of Turkey or the person concerned would be seriously damaged, but only if the relevant public institution or organization may be transferred abroad with the permission of the Board.
(6)    The provisions in other laws regarding the transfer of personal data abroad are reserved.

THIRD PART

Rights and Obligations

The obligation to inform the data controller

ARTICLE 10 - (1) During the acquisition of personal data, the data controller or the person authorized by him/her;
a)    Identity of the data controller and its representative, if any,
b)    The purpose for which personal data will be processed,
c)    To whom and for what purpose the processed personal data can be transferred,
ç) Method and legal reason for collecting personal data,
d)    other rights listed in Article 11,
responsible for providing information.

Rights of the person concerned

ARTICLE 11 - (1) Everyone, by applying to the data controller;
a)    Learning whether personal data is processed,
b)    Requesting information about this if personal data has been processed,
c)    Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
ç) To know the third parties to whom personal data is transferred in the country or abroad,
d)    Requesting correction of personal data in case of incomplete or incorrect processing,
e)    requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7,
i) Requesting notification of the transactions made pursuant to subparagraphs (d) and (e) to third parties to whom personal data has been transferred,
g)    Objecting to the emergence of a result against the person by analyzing the processed data exclusively through automated systems,
ğ) To request the compensation of the damage in case of loss due to unlawful processing of personal data,
has rights.

Obligations regarding data security

ARTICLE 12 - (1) Data controller;
a)    To prevent the unlawful processing of personal data,
b)    To prevent unlawful access to personal data,
c)    To ensure the preservation of personal data,
must take all necessary technical and administrative measures to ensure the appropriate level of security for the purpose of
(2)    In case personal data is processed by another natural or legal person on his behalf, the data controller is jointly responsible with these persons for taking the measures specified in the first paragraph.
(3)    The data controller is obliged to carry out or have the necessary audits carried out in his own institution or organization in order to ensure the implementation of the provisions of this Law.
(4)    Data controllers and data processors cannot disclose the personal data they have learned to others in violation of the provisions of this Law and cannot use them for purposes other than processing, This obligation continues even after their dismissal. it does.
(5)    In case the processed personal data is obtained by others illegally, the data controller notifies the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its own website or by any other method it deems appropriate.

CHAPTER FOUR

Application, Complaint and Data Controllers Registry

Application to data controller

ARTICLE 13 - (1) The person concerned submits his requests regarding the implementation of this Law to the data controller in writing or by other methods to be determined by the Board.
(2)    The data controller concludes the requests included in the application as soon as possible and within thirty days at the latest, free of charge, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board may be charged.
(3)    The data controller accepts the request or rejects it by explaining the reason and notifies the relevant person in writing or electronically. In case the request in the application is accepted, the data controller fulfills its requirements. In case the application is caused by the fault of the data controller, the fee is returned to the relevant person.

complaint to the board

ARTICLE 14 - (1) In cases where the application is rejected, the answer given is insufficient or the application is not answered in due time; The person concerned may file a complaint with the Board within thirty days from the date of learning the reply of the data controller and in any case within sixty days from the date of application.
(2)    Complaints cannot be filed without exhausting the remedy in accordance with Article 13.
(3)    The right of compensation according to general provisions is reserved for those whose personal rights are violated.

Procedures and principles of examination upon complaint or ex officio

ARTICLE 15 - (1) The Board, upon complaint or ex officio if it learns about the alleged violation, makes the necessary examination on the matters falling under its jurisdiction.
(2)    Notices or complaints that do not meet the conditions specified in Article 6 of the Law on the Exercise of the Right to Petition dated 1/11/1984 and numbered 3071 will not be examined.
(3)    Except for information and documents qualified as state secrets; The data controller is obliged to send the information and documents requested by the Board regarding the subject of examination within fifteen days and to enable on-site examination when necessary.
(4)    Upon the complaint, the Board examines the request and gives a reply to the concerned. If no response is received within sixty days from the date of the complaint, the request is deemed to have been rejected.
(5)    In case the existence of a violation is understood as a result of the examination made ex officio, the Board decides that the illegal violations that it detects will be eliminated by the data controller and notifies the relevant parties. This decision shall be fulfilled without delay and within thirty days at the latest, following the notification.
(6)    In case it is determined that the violation is widespread upon the complaint or as a result of the examination made ex officio, the Board takes a principle decision on this issue and publishes this decision. The Board may also take the opinions of relevant institutions and organizations, if it needs it, before taking a decision in principle.
(7)    The Board may decide to suspend the processing of data or the transfer of data abroad, in case irreparable or impossible damages arise and there is a clear violation of the law.

Data Controllers Registry

ARTICLE 16 - (1) Under the supervision of the Board, the Data Controllers Registry is kept open to the public by the Presidency.
(2)    Natural and legal persons who process personal data must register with the Data Controllers Registry before starting data processing. However, the Board may make an exception to the obligation to register in the Data Controllers Registry, taking into account the objective criteria to be determined by the Board, such as the nature and number of the processed personal data, the legal origin of the data processing or the transfer to third parties.
(3)    The application for registration with the Data Controllers Registry is made with a notification containing the following:
a)    Identity and address information of the data controller and its representative, if any.
b)    The purpose for which personal data will be processed.
c)    Explanations about the data subject group and groups and their data categories.
ç) Recipient or recipient groups to whom personal data can be transferred.
d)    Personal data intended to be transferred to foreign countries.
e)    Measures taken regarding personal data security.
i) The maximum period required for the purpose for which personal data is processed.
(4)    Any changes in the information given in accordance with the third paragraph shall be immediately notified to the Presidency.
(5)    Other procedures and principles regarding the Data Controllers Registry are regulated by a regulation.

CHAPTER FIVE

Offenses and Misdemeanors

Crimes

ARTICLE 17 - (1) The provisions of Articles 135 to 140 of the Turkish Penal Code dated 26/9/2004 and numbered 5237 are applied for crimes related to personal data.
(2)    Contrary to the provision of Article 7 of this Law; Those who do not delete or anonymize personal data are punished according to Article 138 of the Law No. 5237.

misdemeanors

ARTICLE 18 - (1) This Law;
a) 5,000 Turkish liras to 100,000 Turkish liras for those who do not fulfill the lighting obligation stipulated in Article 10 of   ,
b) From 15,000 Turkish liras to 1,000,000 Turkish liras for those who do not fulfill their obligations regarding data security stipulated in article 12 of   ,
c) From 25,000 Turkish liras to 1,000,000 Turkish liras for those who fail to fulfill the decisions given by the Board in accordance with Article 15 of   ,
ç) From 20,000 Turkish liras to 1,000,000 Turkish liras for those who violate the obligation to register and notify in the Data Controllers Registry stipulated in Article 16,
administrative fine is imposed.
(2)    Administrative fines stipulated in this article are applied to natural persons who are data controllers and legal entities of private law.
(3)    In case the actions listed in the first paragraph are committed within the body of public institutions and organizations and professional organizations in the nature of public institution, upon the notification to be made by the Board, Civil servants and other public officials and those who work in professional organizations in the nature of public institutions are dealt with in accordance with disciplinary provisions and the result is reported to the Board.

CHAPTER SIX

Personal Data Protection Authority and Organization

Personal Data Protection Authority

ARTICLE 19 - (1) In order to fulfill the duties assigned by this Law, the Personal Data Protection Authority, which has administrative and financial autonomy and has a public legal personality, has been established.
(2)    Institution (Amended Statement: Decree Law/703.163-02.07.2018) It is related to the minister to be appointed by the President.
(3)    The headquarters of the institution is in Ankara.
(4)    The Institution consists of the Board and the Presidency. The decision body of the institution is the Board.

Duties of the institution

ARTICLE 20 - (1) The duties of the Institution are as follows;
a)    To follow the practices and developments in the legislation, to make evaluations and suggestions, to carry out research and examinations or to have them done.
b)    Collaborating with public institutions and organizations, non-governmental organizations, professional organizations or universities, if needed, on matters falling within its field of duty.
c)    To monitor and evaluate international developments regarding personal data, to cooperate with international organizations on matters within its scope of duty, to attend meetings.
ç) To submit the annual activity report to the Presidency, to the Human Rights Investigation Commission of the Turkish Grand National Assembly (...) (Repealed Statement: Decree Law/703.163-02.07.2018).
d)    To perform other duties assigned by law.

Personal Data Protection Board

ARTICLE 21 - (1) The Board carries out and uses its duties and powers given by this Law and other legislation independently, under its own responsibility. No organ, authority, authority or person can give orders, instructions, recommendations or suggestions to the Board regarding the subjects falling within its scope of duty.
(2)    The Board consists of nine members. The five members of the Board are elected by the President of the Turkish Grand National Assembly (Amended  Phrase:KHK/703.163- 02.07.2018 ).
(3)    The following conditions are required to become a member of the Board:
a)    To have knowledge and experience in the field of duty of the institution.
b)    Subparagraph (A) of the first paragraph of article 48 of the Civil Servants Law No. 657 dated 14/7/1965 (1), (4), (5 ), (6) and (7) to have the qualifications specified in sub-paragraphs.
c)    Not being a member of any political party.
d) To have completed at least four years of higher education at the undergraduate level.
d)    (...)(Repealed Clause: Decree Law/703.163- 02.07.2018 )
(4)   (...)(Repealed Paragraph: Decree Law/703.163- 02.07.2018 )
(5)    The Turkish Grand National Assembly elects members to the Board by the following procedure:
a)    For the election, two times the number of members to be determined in proportion to the number of members of the political party groups are nominated, and the members of the Board are based on the number of members per political party group among these candidates. elected by the General Assembly of the Turkish Grand National Assembly. However, political party groups cannot negotiate and decide on whom to vote in the elections to be held in the Turkish Grand National Assembly.
b)    The election of the members of the Board is made within ten days after the candidates are determined and announced. For the candidates nominated by political party groups, a combined ballot paper is drawn up as separate lists. Votes are cast by marking the special place opposite the names of the candidates. Votes given more than the number of members to be elected to the Board from the quotas of political party groups determined according to the second paragraph shall be deemed invalid.
c)    The candidate who receives the most votes in the election is elected as many as the number of vacant seats, provided that there is a quorum for the decision.
ç) Two months before the end of the term of office of the members; In case of a vacancy in the membership for any reason, elections are held with the same procedure within one month from the date of vacancy or if the Turkish Grand National Assembly is in recess, after the end of the recess. In these elections, the distribution of vacant memberships to political party groups is made by considering the number of members selected from the quota of political party groups in the first election and the current ratio of political party groups.
(6)    Forty-five days before the end of the term of one of the members elected by the President (...)(Repealed Statement: Decree Law/703.163- 02.07.2018 ) or for any reason, the situation is notified to the Presidency (...) by the Institution within fifteen days (Repealed Statement: KHK/703.163- 02.07.2018 ) . One month before the expiry of the term of office of the members, a new member is elected. If there is a vacancy in these memberships for any reason before the expiry of the term of office.
. In this case, the election is held within fifteen days as of the notification.
(7)    The Board elects the President and the Vice President from among its members. The Chairman of the Board is also the Chairman of the Institution.
(8)    The term of office of the members of the Board is four years. A member whose term has expired can be re-elected. The person elected to replace the member whose term of office expires for any reason, completes the remaining term of the member for which he was elected.
(9)    The elected members said in the presence of the First Presidency of the Supreme Court of Appeals: “I am honored to fulfill my duty in accordance with the Constitution and the laws, with full impartiality, honesty, fairness and justice. And I swear on my honor." they take an oath. An application for an oath to the Supreme Court is considered a hasty job.
(10)    Unless based on a special law, the members of the Board cannot take any official or private duties other than the execution of their official duties in the Board, cannot be a manager in associations, foundations, cooperatives and similar places, They cannot engage in trade, engage in self-employment activities, act as arbitrators or experts. However, the members of the Board may publish for scientific purposes, give lectures and conferences, and receive the royalties arising from these, and the fees for lectures and conferences, without hindering their primary duties.
(11)    Investigations regarding the crimes alleged to have been committed by the members due to their duties are carried out in accordance with the Law No. 4483 dated 2/12/1999 on the Trial of Civil Servants and Other Public Officials and these Permission to investigate (Amended Statement: Decree Law/703.163- 02.07.2018) is given by the President.
(12)    The provisions of Law No. 657 are applied in the disciplinary investigation and prosecution to be made against the members of the Board.
(13)    Board members cannot be dismissed for any reason before their term expires. Board members;
a)    It is later understood that they do not meet the requirements for being selected,
b)    Finalization of the conviction of them due to the crimes they have committed in relation to their duties,
c)    It is definitively determined by the medical board report that they cannot fulfill their duties,
ç) It is determined that they did not continue their duties without permission, excuse and uninterrupted for fifteen days or for a total of thirty days in a year,
d)    It is determined that they did not attend three Board meetings in a month without permission and excuse, and a total of ten Board meetings in one year,
In such cases, their membership ends with the decision of the Board.
(14)    Those elected as members of the Board are dismissed from their previous duties as long as they serve in the Board. Those who are elected to membership while they are public officials, provided that they do not lose the conditions for entering the civil service, are appointed to a suitable staff within one month by the competent authority, in case their term of office expires or they request to leave the office and apply to their former institutions within thirty days. Until the appointment is made, all kinds of payments they receive are continued to be paid by the Institution. All kinds of payments they receive are continued to be paid by the Institution until they start any duty or job, and the payment to be made by the Institution to those whose membership is terminated in this way cannot exceed three months. The time they spent in the Institution is deemed to have been spent in their previous institution or organization in terms of their personal and other rights.

Duties and powers of the board

ARTICLE 22 - (1) The duties and powers of the Board are as follows:
a)    To ensure that personal data are processed in accordance with fundamental rights and freedoms.
b)    To decide the complaints of those who claim that their rights regarding personal data have been violated.
c)    Upon complaint or ex officio, upon learning of the alleged violation, to examine whether personal data are processed in accordance with the law and to take temporary measures when necessary.
ç) To determine the adequate measures sought for the processing of sensitive personal data.
d) To maintain the    Data Controllers Registry.
e)    To carry out the necessary regulatory actions regarding the duties of the Board and the functioning of the Agency.
f)    To take regulatory action to determine obligations regarding data security.
g)    To take regulatory action regarding the duties, powers and responsibilities of the data controller and its representative.
ğ) To decide on the administrative sanctions stipulated in this Law.
h)    To give an opinion on draft legislation prepared by other institutions and organizations and containing provisions regarding personal data.
i) The Institution; to decide on the strategic plan, to determine its goals and objectives, service quality standards and performance criteria.
i)    To discuss and decide on the budget proposal prepared in accordance with the strategic plan and goals and objectives of the institution.
j) To approve and publish the draft reports prepared on the performance, financial situation, annual activities and needed issues of the institution.
k) To discuss and decide on the proposals regarding the purchase, sale and lease of immovable property.
1) To perform other duties assigned by law.

Working principles of the board

ARTICLE 23 - (1) The Chairman determines the meeting days and agenda of the Board. The President may call the Board for an extraordinary meeting when necessary.
(2)    The Board convenes with at least six members, including the chairman, and takes decisions with the absolute majority of the total number of members. Board members cannot vote abstaining.
(3)    Board members; They cannot participate in meetings and voting on matters concerning themselves, their relatives by blood up to the third degree and in-laws up to the second degree, their adopted children and their spouses even if the marriage ties between them have been terminated.
(4)    The members of the Board cannot disclose the secrets they learn about related parties and third parties during their work to anyone other than the authorities authorized by law, and cannot use them for their own benefit. This obligation continues even after they leave office.
(5)    The matters discussed in the committee are recorded in the minutes. Decisions and grounds for dissenting votes, if any, are written within fifteen days at the latest from the date of the decision. The Board announces to the public the decisions it deems necessary.
(6)    Unless otherwise agreed, discussions at Board meetings are confidential.
(7)    Working procedures and principles of the Board, writing decisions and other issues are regulated by a regulation.

Minister

ARTICLE 24 - (1) The President, in the capacity of the Board and the head of the Institution, is the highest supervisor of the Institution and organizes and executes the services of the Institution in accordance with the legislation, objectives and policies of the Institution, strategic plan, performance criteria and service quality standards, and ensures coordination between service units.
(2)    The President is responsible for the general management and representation of the Corporation. This responsibility covers the duties and authorities of arranging, executing, supervising, evaluating the works of the Institution and making it known to the public when necessary.
(3)    The duties of the President are:
a)    Conducting Board meetings.
b)    To ensure that the Board decisions are communicated and those deemed necessary by the Board to be announced to the public and to monitor their implementation.
c)    To appoint the Vice President, heads of departments and Agency personnel.
ç) To present the suggestions coming from the service units to the Board by giving their final shape.
d)    To ensure the implementation of the strategic plan, to establish human resources and work policies in line with service quality standards.
e)    To prepare the annual budget and financial statements of the Institution in accordance with the determined strategies, annual goals and targets.
f)    To ensure coordination in order for the Board and service units to work in a harmonious, efficient, disciplined and orderly manner.
g)    To carry out the relations of the Institution with other organizations.
ğ) To determine the area of duty and authority of the personnel authorized to sign on behalf of the President of the Institution.
h)    To perform other duties related to the management and operation of the Institution.
(4)    In the absence of the President of the Institution, the Vice President shall act for the President.

Composition and duties of the Presidency

ARTICLE 25 - (1) Presidency; It consists of the Vice President and service units. The Presidency fulfills the duties listed in the fourth paragraph through service units organized as departments. The number of heads of departments cannot exceed seven.
(2)    A Vice President is appointed by the President to assist in his duties relating to the Corporation.
(3)    Vice President and heads of departments; are appointed by the President from among those who have graduated from at least four years of higher education and have served in public service for ten years.
(4)    The duties of the Presidency are as follows:
a) Maintaining the    Data Controllers Registry.
b)    To carry out the bureau and secretariat operations of the Institution and the Board.
c)    Representing the Institution through lawyers in the lawsuits and enforcement proceedings to which the Institution is a party, to follow up the cases or to carry out legal services.
ç) To carry out the personnel procedures of the members of the Board and those working in the Institution.
d)    To perform the duties assigned to financial services and strategy development units by law.
e)    To ensure the establishment and use of the information system in order to carry out the business and transactions of the institution.
f)    To prepare draft reports on the annual activities of the Board or on the matters needed and present it to the Board.
g)    To draft the strategic plan of the institution.
ğ) To determine the personnel policy of the institution, to prepare and implement the career and training plans of the personnel.
h)    To carry out the appointment, transfer, discipline, performance, promotion, retirement and similar procedures of personnel.
ı) To determine the ethical rules to be followed by the personnel and to provide the necessary training.
i)    All kinds of purchasing, leasing, maintenance, repair, construction required by the Institution within the framework of the Public Financial Management and Control Law No. 5018 dated 10/12/2003 To carry out archive, health, social and similar services.
j) To keep the records of the movable and immovable properties of the Institution.
k) To perform other duties assigned by the Board or the President.
(5)    Service units and the working principles and procedures of these units, upon the proposal of the Authority in accordance with the field of activity, duties and authorities specified in this Law 703.163- 02.07.2018 ) It is determined by the regulation put into effect by the President.

Personal Data Protection Specialist and assistant specialists

ARTICLE 26 - (1) Personal Data Protection Specialist and Assistant Personal Data Protection Specialist can be employed in the Institution. Among these, those who are appointed to the Personal Data Protection Specialist staff within the framework of additional article 41 of the Law No. 657 are subject to a one-time promotion.

Provisions regarding personnel and personal rights

ARTICLE 27 - (1) The personnel of the Institution are subject to the Law No. 657, except for the issues regulated by this Law.
(2)    To the Chairman and members of the Board and the personnel of the Institution, financial and social benefits to the precedent personnel determined in accordance with the additional article 11 of the Decree Law No. 375 dated 27/6/1989 Payments made within the scope of rights are paid within the framework of the same procedures and principles. Those who are not subject to tax and other legal deductions from payments made to peer personnel are also not subject to tax and other deductions according to this Law.
(3)    The Chairman and members of the Board and the personnel of the Institution are in accordance with the first paragraph of Article 4 of the Social Insurance and General Health Insurance Law No. 5510 of 31/5/2006 (c ) clause
subject to its provisions. The Chairman and members of the Board and the personnel of the Institution are considered equivalent to the personnel determined as a precedent in terms of retirement rights. Among those appointed to the Chairman and membership of the Board while insured under item (c) of the first paragraph of Article 4 of the Law No. 5510, the terms of service spent in these duties of those whose duties have ended or who wish to leave these duties are taken into account in the determination of their earned rights, salaries, degrees and levels. Among these, the periods spent in these duties of those who fall under the scope of the temporary article 4 of the Law No. 5510 are considered as the period for which office compensation and representation compensation must be paid. In public institutions and organizations, those who are insured within the scope of subparagraph (a) of the first paragraph of Article 4 of the Law No. 5510 and who are appointed as the Chairman and members of the Board, dismissing their relations with the previous institutions and organizations do not require the payment of severance pay or termination indemnity. The service periods for which severance pay or termination indemnity must be paid for those in this situation are combined with the term of service as the Chairman of the Board and the Board membership, and the retirement bonus is considered as the period to be paid.
(4)    In public administrations within the scope of central government, social security institutions, local administrations, administrations affiliated to local administrations, local administration unions, organizations with revolving funds, funds established by law, Consent of civil servants working in institutions with public legal personality, institutions with more than fifty percent of the capital owned by the public, state-owned enterprises and state-owned enterprises and their subsidiaries and institutions, and other public servants institutions (Additional phrase: 7061 sa.ka.119-28.11.2017) “On the other hand, judges and prosecutors may be temporarily appointed to the Institution with their consent”, provided that their pensions, allowances, all kinds of raises and compensations and other financial and social rights and benefits are paid by their institutions. The requests of the institution in this regard are primarily finalized by the relevant institutions and organizations. Personnel assigned in this way are deemed to be on paid leave from their institutions. As long as these personnel are on leave, their civil service and personal rights continue, these periods are also taken into account in their promotion and retirement, and their promotions are made on time without the need for any further action. The time spent in the Institution by those assigned under this article shall be deemed to have been spent in their own institutions. The number of those appointed in this way cannot exceed ten percent of the total number of Personal Data Protection Specialist and Personal Data Protection Assistant Specialist, and the duration of the assignment cannot exceed two years. However, in case of need, this period can be extended in one-year periods.
(5)    Staff titles and numbers of the personnel to be employed in the institution are shown in the attached table (I). Not to exceed the total number of staff, but limited to the staff titles included in the tables attached to the Decree-Law on General Staff and Procedure No. 190 and dated 13/12/1983, making changes in titles and degrees, adding new titles and canceling vacant positions are made by the decision of the Board.

CHAPTER SEVEN

Miscellaneous Provisions

Exceptions

ARTICLE 28 - (1) The provisions of this Law shall not be applied in the following cases:
a)    Processing of personal data by real persons within the scope of activities related to themselves or family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with.
b)    Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
c)    Provided that personal data does not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime processed for artistic, historical, literary or scientific purposes or within the scope of freedom of expression,
ç) Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations that have been authorized by law to ensure national defense, national security, public safety, public order or economic security.
d)    Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, trial or execution proceedings.
(2)    10, which regulates the obligation of the data controller to inform, in accordance with the purpose and basic principles of this Law and proportionally, regulating the rights of the person concerned, excluding the right to demand the compensation of the damage Articles 11 and 16 regulating the obligation to register in the Data Controllers Registry are not applicable in the following cases:
a)    If personal data processing is necessary for the prevention of crime or for criminal investigation.
b)    Processing of personal data made public by the person concerned.
c)    Personal data processing based on the authority given by the law, by public institutions and organizations and professional organizations in the nature of public institution, conducting inspection or regulation duties and disciplinary investigation or prosecution to be necessary.
ç) The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budget, tax and financial matters.

Institution's budget and revenues

ARTICLE 29 - (1) The budget of the Institution is prepared and accepted in accordance with the procedures and principles determined in the Law No. 5018.
(2)    The revenues of the institution are as follows:
a)    Treasury grants from the general budget.
b)    Revenues from movable and immovable properties belonging to the Institution.
c)    Donations and donations received.
ç) Incomes from the evaluation of their income.
d)    Other income.

Changed and added bends

ARTICLE 30 - (1) The following order has been added to the Schedule (III) of the Law No. 5018.

“10) Personal Data Protection Authority”

(2)    The phrase "Persons" in the second paragraph of Article 135 of Law No. 5237 is "personal data, persons"; The phrase "the person who records the information as personal data will be punished according to the provisions of the above paragraph" has been amended as "the penalty to be imposed in accordance with the first paragraph is increased by half".

(3) The phrase "children" in the third paragraph of Article 226 of the Law No.

(4)    The phrase "and" in the first paragraph of Article 243 of Law No. 5237 was changed to "or" and the following paragraph was added to the article.

“(4) A person who unlawfully monitors data transmissions within an information system or between information systems, without entering the system, by technical means, is sentenced to imprisonment from one year to three years.

(5)    The following article 245/A has been added to the Law No. 5237 following article 245.

“Forbidden devices or programs
ARTICLE 245/A- (1) A device, computer program, password or other security code; In the event that it is made or constituted exclusively for the commission of crimes in this Section and other crimes that can be committed through the use of information systems as a tool, it manufactures, imports, forwards, transports, stores, accepts, sells, offers for sale, purchases, The person who gives or keeps it is punished with imprisonment from one year to three years and a judicial fine up to five thousand days.”

(6)    The first paragraph (f) of Article 3 of the Health Services Basic Law dated 7/5/1987 and numbered 3359 has been amended as follows.

“f) In order to monitor everyone's health status and to provide health services more effectively and quickly, the necessary registration and notification system is established by the Ministry of Health and its affiliates. This system can also be created electronically in accordance with e-Government applications. For this purpose, a nationwide information system can be established by the Ministry of Health, including its affiliates.

(7)    Article 47 of the Decree-Law on the Organization and Duties of the Ministry of Health and its Affiliates, dated 11/10/2011 and numbered 663, has been amended as follows.
 

“ARTICLE 47- (1) The personal data of those who apply to public or private health institutions and health professionals to receive health services, which they have to provide as a requirement of health care or the service provided to them, may be processed.
(2)    For the purpose of providing health services, protecting public health, conducting preventive medicine, medical diagnosis, treatment and care services, planning health services and calculating costs, the Ministry can process the data obtained within the scope of the paragraph. These data cannot be transferred except for the conditions stipulated in the Personal Data Protection Law.
(3)    The Ministry establishes a system that will provide access to the personal data collected and processed in accordance with the second paragraph, by the data subjects themselves or by third parties authorized by them.
(4)    The standards regarding the security and reliability of the systems established according to the third paragraph are determined by the Ministry in accordance with the principles set by the Personal Data Protection Committee. The Ministry takes the necessary measures to ensure the security of personal health data obtained in accordance with this Law. For this purpose, it establishes a security system that allows control of which officer uses the information registered in the system and for what purpose.
(5)    Public institutions and organizations employing health personnel, private law legal entities and real persons are obliged to inform the Ministry of the personnel and personnel movements they employ,
(6)    Other matters related to the processing and security of personal health data and the implementation of this article are regulated by the regulation put into effect by the Ministry.”

regulation

ARTICLE 31 - (1) Regulations regarding the implementation of this Law shall be put into effect by the Theory.

Transitional provisions

PROVISIONAL ARTICLE 1 - (1) Within six months from the date of publication of this Law, Board members are elected according to the procedure stipulated in Article 21 and the Presidency is formed.
(2)    Data controllers must register with the Data Controllers Registry within the period determined and announced by the Board.
(3)    Personal data processed prior to the publication of this Law are brought into compliance with the provisions of this Law within two years from the date of publication. personal data is immediately deleted, destroyed or anonymized. However, consents obtained in accordance with the law before the publication date of this Law shall be deemed to be in accordance with this Law, unless a declaration of intent is made to the contrary within one year.
(4)    The regulations stipulated in this Law shall be put into effect within one year following the publication of this Law.
(5)    Within one year following the publication of this Law, a senior manager is determined and notified to the Presidency in order to ensure coordination regarding the implementation of this Law in public institutions and organizations.
(6)    First elected President, Second President and two members determined by lot for six years; the other five members serve for four years.
(7)    Until a budget is allocated to the Agency;
a)    The expenses of the institution are covered from the Prime Ministry budget.
b)    All necessary support services such as buildings, tools, equipment, furnishings and hardware are provided by the Prime Ministry in order for the Institution to perform its services.
(8)    Secretariat services are performed by the Prime Ministry until the service units of the institution become operational.

PROVISIONAL ARTICLE 2 - (Added: 7061 sa.ka.120-28.11.2017) (1) Faculties of electronics, electrical-electronics, faculties of engineering, faculties of political sciences, economics and administrative sciences, economics, law and business administration, which provide at least four years of undergraduate education. Graduates from departments of electronics and communication, computer, information systems engineering or from higher education institutions in Turkey or abroad whose equivalence is accepted by the Council of Higher Education; He was appointed to the cadres of the central organizations of the institutions related to the titles specified in the subparagraph (11) of the paragraph (A) of the section titled "Common Provisions" of the article 36 of the Law No. 657, after a certain period of in-service training and a special proficiency exam, entered with a special competitive exam for the profession. Those who have been in the positions for at least two years excluding unpaid leave periods and those who have been in the positions of faculty members, provided that they have received at least seventy points from the Foreign Language Proficiency Exam and have not attained the age of forty as of the date of appointment, within one year from the date of entry into force of this article. They can be appointed as Data Protection Specialists. The number of those to be appointed in this way cannot exceed fifteen.

Force

ARTICLE 32 - (1) This Law;
a)    Articles 8, 9, 11, 13, 14, 15, 16, 17 and 18 six months from the date of publication Then,
b)    Other articles on the date of publication,
enters into force.

Executive

ARTICLE 33 - (1) The provisions of this Law are executed by the Council of Ministers.
 

SCHEDULE NO (I) PERSONAL DATA PROTECTION INSTITUTION STAFF LIST