05 Ekim 2023
Obligation to Inform and Scope
"The purpose of this Law is to protect fundamental rights and freedoms of persons, particularly the right to privacy, with respect to processing of personal data and to set forth obligations, principles and procedures which shall be binding upon natural or legal persons who process personal data."
The Right to Privacy is an increasingly important issue and the rapid development of technology and the widespread use of smart systems have been very effective in this regard. People are becoming more and more aware of this issue and want to protect their private lives and privacy. The Personal Data Protection Law, which is a young law entered into force in 2016, includes the requirements of our age at this point and protects this right with the provisions inside.
The KVKK imposes certain rules and obligations in order to protect the privacy of the individual and to ensure data security. One of these is the obligation to inform.
Persons whose personal data are processed have the right to obtain information about the processing of their data. This right is protected as the data controller's obligation to inform. This obligation is regulated in Article 10 of the KVKK as follows:
"At the time when personal data are obtained, the data controller or the person authorised by it is obliged to inform the data subjects about the following:
- the identity of the data controller and of its representative, if any,
- the purpose of processing of personal data,
- to whom and for which purposes the processed personal data may be transferred,
- the method and legal basis of collection of personal data,
- other rights referred to in Article 11."
As specified above, there is a lot of information of which the person whose personal data is processed has the right to obtain. The name and surname or trade name of the controller, the explicit consent of the data subject, legal reasons such as the protection of a right or explicitly stipulated by law are among the information that can be obtained by the data subject.
The other rights enumerated in Article 11 also extend the right granted to the data subject. Accordingly, everyone may be able to learn many things about themselves by contacting the data controller. Some of these are;
- "to learn whether his/her personal data are processed or not,
- to demand for information as to if his/her personal data have been processed,
- to learn the purpose of the processing of his/her personal data and whether these personal data are used in compliance with the purpose,
- to know the third parties to whom his personal data are transferred in country or abroad,
- to request the rectification of the incomplete or inaccurate data, if any,
- to request the erasure or destruction of his/her personal data under the conditions referred to in Article 7,
- to request reporting of the operations carried out pursuant to sub-paragraphs (d) and (e) to third parties
- to object to the occurrence of a result against the person himself/herself by analyzing the data processed solely through automated systems,"
In addition, persons have the right to claim compensation for the damage arising from the unlawful processing of his/her personal data in accordance with Article 11.
As specified, the obligation to inform has a wide scope. This is of great importance and benefit for persons to protect their rights and privacy.
Procedures and Principles to be Followed in Inform
The Personal Data Protection Authority prepared a Communique On Principles And Procedures To Be Followed In Fullfillment Of The Obligation To Inform (In Turkish) and published it on 10th of March, 2018. The procedures and principles are clearly listed in the communiqué. The following procedures and principles shall be followed at the time of the fulfilment of the obligation to inform by the data controller or the person authorized by him/her by using physical or electronic media such as oral or written statement, voice recording, call centre:
- "The obligation to inform shall be fulfilled in any case of processing depending on the explicit consent of data subject or other conditions for processing in the Law.
- In case the purpose of personal data processing changes, the obligation to inform shall be fulfilled for this purpose prior to data processing operation, as well.
- (Repealed: OG-28/4/2019-30758)
- If the data controller is obliged to register with the Registry, information to be given to data subject within the scope of the obligation to inform shall conform to those given in the Registry.
- Fulfilment of the obligation to inform does not depend on the request of data subject.
- Proof of fulfilment of the obligation to inform shall be under responsibility of the data controller.
- In the event that processing personal data is on the basis of explicit consent, procedures of the obligation to inform and obtaining explicit consent shall be performed separately.
- The purpose of processing personal data to be explained within the scope of the obligation to inform shall be specified, explicit and legitimate. While the obligation to inform is being fulfilled, general and ambiguous statements should be avoided. Statements which may raise opinions on processing of personal data for other possible purposes shall not be used.
- The notification to be given within the scope of the obligation to inform shall be performed by using intelligible, clear and plain language
- "Legal basis" mentioned in sub-paragraph (ç) of Article 10(1) of the Law means that personal data are processed on the basis of which processing conditions determined in the Article 5 and 6 of the Law within the scope of the obligation to inform. Legal basis shall be explicitly provided at the time of fulfilment of the obligation to inform.
- Within the scope of the obligation to inform, the purpose of processing of personal data and recipient group to which personal data will be transferred shall be stated.
- Within the scope of the obligation to inform, it shall be clearly stated by which method personal data are obtained from wholly or partially by automated means or by non-automated means which provided that form part of a data filing system.
- At the time of fulfilment of the obligation to inform; information that is incomplete, incorrect and misleading the data subjects shall not be used."
If the personal data is not obtained from the data subject himself/herself and If, within a reasonable period of time after the personal data is obtained, the personal data will be used for the purpose of communication with the data subject, the obligation to inform the data subject during the first contact must be fulfilled. If the personal data is to be transferred, the disclosure obligation must be fulfilled at the latest, the first transfer of the personal data.
Similarities and Differences of Inform within the Scope of KVKK and GDPR
GDPR, General Data Protection Regulation, is translated into Turkish as Genel Veri Koruma Tüzüğü. KVKK is a law covering natural and legal persons in Turkey. The GDPR is a regulation in European Union law on data protection and privacy for individuals throughout the European Union and the European Economic Area. The purpose of the GDPR is for individuals to take control of their personal information and for companies within the EU to be harmonized with this regulation. Although the GDPR applies to members of the European Union, companies that work with companies in European Union member states, i.e. companies that process the data of European Union citizens, must also comply with this regulation.
The obligation to inform is one of the important rights of the persons also for GDPR.
The GDPR regulates the retention period, which is not regulated in the KVKK to be included in the disclosure text.
As in the KVKK and GDPR, the data subject may make some requests from the data controller or controller. However, in the GDPR, the data subject may request the restriction of the relevant processing activity.
According to Article 14 of the KVKK, the data subject may file a complaint to the Personal Data Protection Board in cases where the application is rejected, the response is found inadequate or the application is not responded to in due time. In the GDPR, "filing a complaint to a supervisory authority" is a right that must be included in the obligation to inform.
The KVKK does not regulate the DPO, "data protection officer". The GDPR, on the other hand, regulates both mandatory and discretionary appointment of this officer.
Exceptions to the Obligation to Inform
Article 28 of the KVKK is regulated under the title "Exemptions". According to this article, in some cases, the articles of the law do not apply. These situations are listed in the article. For the obligation to inform, a special regulation is made in paragraph 2.
Provided that it is in compliance with and proportionate to the purpose and fundamental principles of this Law, Article 10 regarding the data controller's obligation to inform, shall not be applied in the following cases:
- "It is necessary for the prevention of committing a crime or for crime investigation.
- It is carried out on the data which are made public by the data subject himself/herself.
- It is necessary for performance of supervision or regulatory duties and disciplinary investigation and prosecution to be carried out by the assigned and authorised public institutions and organizations and by public professional organizations, in accordance with the power conferred on them by the law.
- It is necessary for protection economic and financial interests of State related to budget, tax and financial matters."
The Law has made the same provision for Article 11, which regulates the rights of the person concerned, but excludes the right to claim compensation for damages.
Conclusion
This article provides information about the obligation to inform, which has become increasingly important with the development of technology, and tries to evaluate it in terms of KVVK and GDPR. Privacy will become more and more important day by day and concepts related to personal data, such as the obligation to inform, will continue to evolve.
Should you have any queries or need further details, please contact us.
Notification!