From the Personal Data Protection Authority:

NOTIFICATION ON THE PROCEDURES AND PRINCIPLES TO BE FOLLOWED IN FULFILLING THE OBLIGATION TO INFORM

Purpose and scope

ARTICLE 1 – (1) The purpose of this Communiqué is to determine the procedures and principles to be followed within the scope of the obligation to inform that must be fulfilled by data controllers or authorized persons pursuant to Article 10 of the Law on the Protection of Personal Data No. 6698 dated 24/3/2016.

Base

ARTICLE 2 – (1) This Communiqué has been prepared based on subparagraphs (e) and (g) of the first paragraph of Article 22 of the Law on the Protection of Personal Data No. 6698.

Definitions

ARTICLE 3 – (1) The terms used in this Communiqué;

a) Recipient group: The category of natural or legal persons to whom personal data is transferred by the data controller,

b) Relevant person: The natural person whose personal data is processed,

c) Law: The Law on the Protection of Personal Data No. 6698 dated 24/3/2016,

ç) Board: The Personal Data Protection Board,

d) Institution: The Personal Data Protection Institution,

e) Registry: The Data Controllers Registry kept by the Presidency,

f) Data recording system: Any environment where personal data is processed by fully or partially automatic means or non-automatic means provided that it is part of any data recording system,

g) Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system,

ğ) Data controller representative: Data controllers not resident in Turkey Data Controllers published in the Official Gazette No. 30286 dated 30/12/2017 It refers to a legal entity resident in Turkey or a natural person who is a citizen of the Republic of Turkey and is authorized to represent the subjects specified in the second paragraph of Article 11 of the Regulation on the Registry.

(2) The definitions in the Law shall apply for the definitions not included in this Communiqué.

Scope of the obligation to inform

ARTICLE 4 – (1) According to Article 10 of the Law; during the collection of personal data, the data controllers or the persons authorized by them must inform the relevant persons. In fulfilling this obligation, the information to be provided by the data controllers or the persons authorized by them must include at least the following subjects:

a) The identity of the data controller and, if any, their representative,

b) The purpose for which the personal data will be processed,

c) To whom and for what purpose the personal data may be transferred,

ç) The method and legal reason for collecting personal data,

d) Other rights of the relevant person listed in Article 11 of the Law.

Procedures and principles

ARTICLE 5 – (1) The following procedures and principles must be followed when fulfilling the obligation to inform by the data controller or the person authorized by him/her using physical or electronic media such as verbal, written, voice recording, call center:

a) The obligation to inform must be fulfilled in every case where personal data is processed based on the explicit consent of the relevant person or other processing conditions in the Law.

b) When the purpose of processing personal data changes, the obligation to inform must be fulfilled separately for this purpose before the data processing activity.

c) If personal data is processed for different purposes in different units of the data controller, the obligation to inform must be fulfilled separately in each unit.

ç) In the event of a registration obligation in the registry, the information to be given to the relevant person within the framework of the obligation to inform must be consistent with the information disclosed to the Registry.

d) Fulfillment of the obligation to inform is not dependent on the request of the relevant person.

e) The burden of proof that the obligation to inform has been fulfilled belongs to the data controller.

f) If the personal data processing activity is carried out based on the explicit consent requirement, the obligation to inform and the procedures for obtaining explicit consent must be fulfilled separately.

g) The purpose of processing personal data to be explained within the scope of the obligation to inform must be specific, clear and legitimate. While fulfilling the obligation to inform, general and ambiguous expressions must not be used. Expressions that give the impression that personal data may be processed for other purposes that may come to the agenda must not be used.

ğ) The notification to be made to the relevant person within the scope of the obligation to inform must be made using understandable, clear and plain language.

h) The “legal reason” in subparagraph (ç) of the first paragraph of Article 10 of the Law refers to the processing conditions specified in Articles 5 and 6 of the Law based on which personal data is processed within the scope of the obligation to inform. The legal reason must be clearly stated during the fulfillment of the obligation to inform.

ı) Within the scope of the obligation to inform, the purpose of transferring personal data and the recipient groups to be transferred must be specified.

i) Within the scope of the obligation to inform, personal data may be collected entirely or partially by automatic means or by non-automatic means provided that it is part of the data recording system.

​

It must be clearly stated that it was obtained by whom.

j) While fulfilling the obligation to inform, incomplete, misleading and incorrect information must not be included.

Information obligation in case personal data is not obtained from the relevant person

ARTICLE 6 – (1) In case personal data is not obtained from the relevant person;

a) Within a reasonable period of time after the personal data is obtained,

b) In case the personal data will be used for communication purposes with the relevant person, during the first communication,

c) In case the personal data will be transferred, at the latest during the first transfer of the personal data,

the obligation to inform the relevant person must be fulfilled.

Enforcement

ARTICLE 7 – (1) This Communiqué shall enter into force on the date of its publication.

Enforcement

ARTICLE 8 – (1) The President of the Personal Data Protection Authority shall execute the provisions of this Communiqué.