2020 KVKK & GDPR January Newsletters Headings

2020 KVKK & GDPR January Newsletter Decision Summaries of the Month

• A Penalty Fine of TL 100.000 Imposed by the Board on The Data Breach Realized In a Bank
• Decision Regarding Publishing News on the Sensitive Personal Data of the Relevant Person by a Newspaper
• Decision Regarding the Request for Opinion About Sharing the Candidate Points on the Website Without Obtaining Consent
• Republic of Türkiye Ministry of Health Published an Announcement about Verbis
• Online Complaint Module Has Been Put into Service for Data Subjects
• Change of Application in Notification of Personal Data Breach to the Board
• Penalty Fine Imposed to Archiving of Former Employee Personal Mails by the Hungarian DPA
• A Fine of EUR 11.5 in Italy for Promotional Telemarketing Activities
• Exeltis İlaç Sanayi ve Ticaret A.Ş. – Data Breach Notification
• Penalty Fine Imposed to a Pharmacy in London Due to Careless Storage of Patient Data
• Yahoo – Data Breach Notification

2020 KVKK & GDPR January Newsletters Information Guide

Administrative Measures: Disclosure Obligation and Explicit Consent

Disclosure is to inform data subjects by the data controller, or the person authorized, during the acquisition of the data as a rule, by using the data in a physical or electronic environment such as verbal, written, voice recording, call center. Explicit consent is a declaration of positive will about a particular subject, based on information and announced with free will.

Technical Measure: Keeping a log

According to the Article 12/1 of the Law on the Protection of Personal Data ("KVKK"), data controllers are obliged to take all necessary technical and administrative measures to prevent personal data from being processed unlawfully, to prevent personal data from being illegally accessed and to ensure that personal data are kept in accordance with the law. These measures are elaborated in the Personal Data Security Guide published by the Authority and specified during the notification to VERBIS.

2020 KVKK & GDPR January Newsletters Legislation Analysis

Article 5 of KVKK: Conditions for Processing of Personal Data

1. Personal data cannot be processed without the explicit consent of the data subject.
2. Personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:
• it is clearly provided for by the laws.
• it is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his consent or whose consent is not deemed legally valid.
• processing of personal data belonging to the parties of a contract, is necessary provided that it is directly related to the conclusion or fulfilment of that contract.
• it is mandatory for the controller to be able to perform his legal obligations.
• the data concerned is made available to the public by the data subject himself.
• data processing is mandatory for the establishment, exercise or protection of any right.
• it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.