Wednesday, 12 July 2017

Are you familiar with the new Law on Protection of Personal Data?


After the publication of the Law on Protection of Personal Data (“Law”) numbered 6698 on 07.04.2016, the draft Directive on Register of Data Controllers (“Directive”) has been prepared and will be finalized soon.
The Law is already in force and, according to its articles, all personal information processed so far (before the adoption of the Law) shall be brought into compliance with the Law within two years. Otherwise, violation of the Law may result in administrative fines and/or imprisonment and/or pecuniary and non-pecuniary damages. It is therefore important to take the necessary steps and prepare your organization for the Law as soon as possible.
This memorandum aims to give brief information relating to the Directive.
What are Controller and Register of Data Controllers?
According to the Law, Controller shall mean the natural or legal person which determines the purposes and means of the processing of personal data and which is responsible for the establishment and management of the data recording system. For instance, an accounting firm shall be considered a controller in relation to the collected personal data of its employees, and call centers shall be considered controllers in relation to the collected personal data of their clients.
The Register of Data Controllers (“Register”) is a register system with which Controllers have to sign up and in which they announce their activities relevant to the processing of personal data.
Who will be the Controller in legal entities?
For legal entities, the Controller is the legal entity itself. The body authorized to represent and bind the company will be responsible with regard to the Law, the Directive and the other related directives.
If the Controller is not located in Turkey, a natural person or a legal entity should be appointed to represent and bind the Controller with, at a minimum, the authorities stated by the Directive.
Do you need to sign up for the Registry?

As a rule, every organization that processes personal information has to sign up unless it is exempted.
What are the exemptions?
Article 28 of the Law defines some circumstances which exclude application of the Law entirely. These include cases where personal data processing is related to one’s own data or to that of a family member cohabiting with the processor; where personal data processing is necessary for national defense, national security, public safety, public order or economic safety, or for the purposes of art, history, science or freedom of expression, provided that the right of privacy or the personal rights of the data subject are not violated; and where personal data processing is carried out by investigation, prosecution, judgment or enforcement authorities.
However, apart from the circumstances defined in Article 28, the Committee (the Committee of Protection of Personal Data, which is established to enforce the Law) is also entitled to designate new exceptional conditions by taking into account the qualification, number and retention period of the personal data, the purpose of processing, etc.
Is there a deadline to sign up for the Registry?
Controllers shall sign up for the Registry before processing any personal data or within 30 days after such an obligation arises. Failure to do so is subject to an administrative fine from 20.000 TL to 1.000.000 TL.
Is there a fee to sign up for the Registry?
There will be an initial signup fee for the Registry and a fee for each and every registered year. The amounts of these fees have not been determined yet.
Which information do you need to share with the Committee?
Controllers are obliged to submit the following information to the Committee to sign up for the Registry:
- ID and address information of the Controller and of the representative of the Controller, if any,
- Information asked for in the application form, which will be determined by the Committee later on,
- Reasons/purposes for processing information,
- Types/classes of information processed,
- Possible recipients of the personal data,
- Personal data which may be transferred to foreign countries,
- Precautions which are considered to be taken for data security in compliance with the criteria of the Committee.
Do you have a Personal Data Inventory Map?
Controllers who are obliged to sign up for the Registry are also obliged to maintain a Personal Data Inventory. Classifying personal data helps organizations to identify the personal data that they have collected and are processing (what personal data is collected and why, who collects it, where it is stored, and to whom it is disclosed).
Do you have a Personal Data Retention and Disposal Policy?
Controllers who are obliged to sign up for the Registry are also obliged to have a Personal Data Retention and Disposal Policy showing the retention periods of the related personal information as required by the reasons/purposes for processing this information.
This brief memorandum is prepared based on the draft Directive; accordingly, it may be revised in compliance with the final version of the Directive.
Av. Vedia Nihal Koyuncu, LL.M
