2019 KVKK & GDPR October Newsletters Headings
2019 KVKK & GDPR October Newsletter Decision Summaries of the Month
- Facebook was fined 1.600.000 ₺ by the Personal Data Protection Authority
- A tourism agency was fined 500.000 ₺ due to a lack of technical & administrative measures
- S Şans Oyunları was fined 180.000 ₺ by the Personal Data Protection Authority
- Board's decision on the VERBIS obligation for branches & liaison offices
- The key points on data breach notification have been announced
- A 400.000 Euro fine was imposed for a personal data breach in Greece
- EDS Enjeksiyon Dök. San. Tic. A.Ş. – Data Breach Notification
- Premierdc Veri Merkezi A.Ş. – Data Breach Notification
- Changes made in penal legislation
2019 KVKK & GDPR October Newsletters Information Guide
The Term "Residency"
With decision no. 2018/88, the Board announced certain criteria regarding the declaration of companies to the Data Controllers' Registry (VERBIS obligation). Accordingly, to determine whether a VERBIS obligation exists and, if so, on which date the obligation starts, it must be established which of these criteria is met.
The topic of "being resident" is important for defining the scope of the Personal Data Protection Law ("KVKK") and the EU General Data Protection Regulation ("GDPR"). Article 3 of the GDPR refers to "...the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the Union...", which emphasizes that persons within the Union are included among those protected under the regulation.
2019 KVKK & GDPR October Newsletters Legislation Analysis
Article – 12 Obligations Concerning Data Security
Obligations of data controller, DCR and contact person Article: 11
Article 12 of the Law No. 6698 on the Protection of Personal Data ("Law") regulates the framework of the technical and administrative measures to be taken by the data controller regarding data security. In accordance with paragraph 1 of the relevant article, the data controller is obliged to prevent unlawful processing of personal data, to prevent unlawful access to personal data and to protect the personal data. To ensure this, the data controller should take the required technical and administrative measures and keep the systems, documents, software and applications used within the scope of these measures up to date. Where third parties also play a role in taking the measures, the data controller is obliged to inform them as well. This is addressed in paragraph 2 of the relevant article, which provides: "If the personal data is processed by another natural or legal person on his or her behalf, the data controller is jointly responsible for taking the measures mentioned in the first paragraph." Accordingly, the data processor and the persons who process data on the basis of the authority given by the data controller are jointly responsible. At this point, the data controller has an obligation to audit whether the data processor has taken the necessary measures.