- Who are the "Data Subject" and the "Data Controller"?
Under Turkish Personal Data Protection Law no. 6698 ("KVKK" or "Law") "Data Subject" is referred to as a natural person whose personal data are being processed.1 Taking into consideration that this definition, KVKK protects only natural persons as stated in the bright-line.
KVKK regulates a set of provisions that are meant to help data subjects and to enforce their rights against unlawfully personal data processing.
"Data Controller" can be defined as a natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for the establishment and management of the filing system.2
- What are the rights of Data Subject?
Privacy and protection of private life is a constitutional right under Turkish law and is regulated in Article 20 of the Constitution of The Republic of Turkey. According to the provision, everyone has the right to request the protection of his/her personal data. This right includes being informed of, having access to and requesting the correction and deletion of his/her personal data, and to be informed whether these are used in consistency with envisaged objectives.3 Besides, later on, article stated that the principles and procedures regarding the protection of personal data shall be regulated in law.
In this respect, pursuant to the Article 11 of the KVKK, the rights of the data subject as follows;
a) to learn whether his/her personal data are processed or not,
b) to demand for information as to his/her personal data have been processed,
c) to learn the purpose processing of his/her data and whether these personal data are used in compliance with the purpose,
d) to know the third parties to whom his personal data are transferred in country or abroad,
e) to request the rectification of the incomplete or inaccurate data, if any,
f) to request the erasure or destruction of his/her personal data under the conditions referred to in Article 7,
g) to request reporting of the operations carried out in compliance with sub-paragraphs (e) and f) to third parties to whom his personal data have been transferred,
h) to object to the occurrence of a result against the person himself/herself by analyzing the processed data solely through automated systems,
i) to claim compensation for the damage arising from the unlawful processing of his/her personal data.4
Every Data Subject, has right to apply with regard to above-mentioned matters and it is stated with the title of "Right to Make a Request to Data Controller" under Turkish legislation. The Data Subject may apply to the Data Controller in accordance with the Article 13 of the KVKK. In European practice, the similar rights are regulated under the Article 15 of General Data Protection Regulation ("GDPR") with the title of "Right of Access by The Data Subject". Accordingly, the Data Subject shall have the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the other information regulated under GDPR, Article 15.5
In case the application to Data Controller is rejected, replied insufficiently, or not replied in due time; the data subject may file a complaint with the Personal Data Protection Board ("Board") within 30 days following the date he/she learns the reply of the data controller and in any event, within 60 days following the date of application.6 This right is referred as "Right To Lodge a Complaint To Personal Data Protection Authority". Please note that this complaint remedy cannot be applied before making a request to Data Controller set forth under Article 13, KVKK. 7
- What are the obligations of Data Controller against Data Subjects's requests?
The Data Controller shall conclude the requests included in the application of the Data Subject free of charge, except the case of operation require a separate cost, and as soon as possible considering the nature of the request and within 30 days at the latest.8 Additionally, the Data Controller is required to act in accordance with the principles set out by the Communique On The Principles And Procedures For The Request To Data Controller ("Communique") published by the Personal Data Protection Authority.
The Data controller is obliged to take necessary organizational and technical measures to conclude the requests to be made by Data Subject within the scope of the Communique, effectively and in accordance with norms of lawfulness and fairness.9
Board ordered significant decisions regarding this matter with regard to the subject. For instance; according to The Decision of Board numbered 2019/277 dated 18/09/2019, Bank's response to the fact that Data Subject can receive information by calling the Bank Service Line is not explanatory response on the issues requested by the Data Subject.
In another decision, numbered 2019/296 dated 01/10/2019, the Data Controller has been informed that the Data Subject can only apply with a notary channel or e-signature in order to provide identity confirmation. This practice has been accepted as an undue hardship which is not regulated under KVKK or the Communique, and it has been decided that it is incompatible with the lawfulness and fairness rules under Article 6 of the Communique.
- What Are the Procedures of Data Subject's Request?
Data Subjects may make requests to Data Controllers within the context of their rights mentioned above, in writing or by registered electronic mail (KEP) address, secured electronic signature, mobile signature or by the e-mail address which has been previously recorded in the Data Controller's system or by means of a software or application designed for purposes of this request.10 As can be seen, Law provides various ways of application to the Data Controller for "Right to Request Protection of Personal Data" which is a constitutional right.
Also, all kind of requests must include the following information;11
a) Name, surname, and signature, if the request is made in writing,
b) For Turkish Citizens, TC identity number; for foreigners, nationality, passport number or identity number if available,
c) Residential and business address subject to the notification,
d) Electronic mail address, telephone, fax number subject to notification if available,
e) Subject of demand.
However, in my view, the above-stated information that the request must include in order to provide identity confirmation could be incompatible with the purpose of the KVKK and general principles. The above-mentioned requirements force persons to give more personal data, which perhaps they have never shared before with the Data Controller. In other words, you must submit more personal data, even your I.D number and address, to a person you have requested to delete your personal data.
As a solution, it would be more consistent to arrange an obligation for Data Subject in the way that share information contained making himself / herself identity and his / her application determinable, instead of requesting such information from all applications.
Unlike GDPR12, the fact that the application to the Data Controller is a precondition for the way of the complaint makes the request process more important. With this rule, it is aimed to resolve some of the disputes at the Data Controller stage.13
- What are the conditions for a duly application?
To lodge a complaint to the Board duly, the following 3 basic conditions must be provided;
- Making an application to the Data Controller
- Being comply with the durations
- Submitting the complaint to the Board/Authority in accordance with the, Article 6 under the Law on the Exercise of the Petition numbered 3071, except for the complaints lodged from the website of the Board
If the Data Controller responds to Data Subject's application within 30 days, he/she can lodge a complaint within 30 days of the person's data officer's response. However, if the Data Controller does not respond the Data Sbject's application, he/she can lodge complaint to the Board within 60 days from the date the he/she applied to the Data Controller.14
Please remember that, Board do not need the complaint of the Data Subject for the conduct an examination.
If Board determines the violation or breach claim in any way, it is authorized to conduct necessary investigation and take action ex officio.15 However, the question is, will the Board conduct investigation and take action ex officio in case of Data Subject's undue complaint? In other saying, if the 60-day complaint duration has passed or a complaint is lodged to the Board without the request to Data Controller, will the Board still make an ex officio review or might give a decision to stop data processing?
Considering the purpose and spirit of KVKK, in my opinion, Board should investigate ex officio in any way when it determined the violation, and should take further actions particularly in cases where uncompensable or substantial damages arise and clearly unlawful conditions occur together.
- Kişisel Verileri Koruma Kurulu, "100 Soruda Kişisel Verilerin Korunması Kanunu"
- Kişisel Verileri Koruma Kurulu, "Kişisel Verilerin Korunmasına İlişkin Başvuru ve Şikayet Hakkı"
- Kişisel Verileri Koruma Kurulu, "10.03.2018 tarih ve 30356 sayılı Veri Sorumlusuna Başvuru Usul Ve Esaslari Hakkında Tebliğ"
- T.C Kalkınma Bakanlığı, Ayşe Nur Akıncı "Avrupa Birliği Genel Veri Koruma Tüzüğü'nün Getirdiği Yenilikler ve Türk Hukuku Bakımından Değerlendirilmesi"
- International Association of Privacy Professionals, GDPR Complaint-Process Map
- 6. Comminuque On The Principles And Procedures For The Request To Data Controller
- An official EU website, "What should I do if I think that my personal data protection right haven't been respected?
1 Article 3/1(ç), Turkish Personal Data Protection Law No:6698
2 Article 3/1(ı), Turkish Personal Data Protection Law No:6698
3 Article 20/3, Constitution Of The Republic Of Turkey Law No:2709
4 Article 11, Turkish Personal Data Protection Law No:6698
5 Article 15/1, General Data Protection Regulation
6 Article 14/1, Turkish Personal Data Protection Law No:6698
7 Article 14/2, Turkish Personal Data Protection Law No:6698
8 Article 13/2, Turkish Personal Data Protection Law No:6698
9 Article 6, Comminuque On The Principles And Procedures For The Request To Data Controller
10 Article 5/1, Comminuque On The Principles And Procedures For The Request To Data Controller
11 Article 5/2, Comminuque On The Principles And Procedures For The Request To Data Controller
12 Article 77, General Data Protection Regulation
13 Question 60, 100 Soruda Kişisel Verilerin Korunması Kanunu, The Board
14 The Decision of Board No 2019/9 of 24.01.22019
15 Article 15/1, Turkish Personal Data Protection Law No:6698
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.