Public Announcement on Fulfilment of Obligation to Inform
Within the framework of Law No. 6698 on the Protection of Personal Data, secondary legislation regarding the Law and decisions made by the Personal Data Protection Board, the data controllers have a number of obligations. One of these obligations is obligation to inform specified in the Article 10 of the Law.
As well as obligation to inform is a responsibility for the data controllers; it is also a right for the natural persons whose data are processed. Obligation to inform, which means that the data subject is informed regarding processed personal data, is an essential condition for the personal data processing to be performed in accordance with the law.
Fulfilment of obligation to inform is not an obligation on a request of data subject. In addition, the data controller shall fulfil the obligation to inform in each of the cases where the data subject’s explicit consent or any other personal data processing conditions exist when processing personal data. Since the obligation to inform is an obligation that must be fulfilled in any case, regardless of both explicit consent and other personal data processing conditions listed in the Law.
As a result of the evaluation made on the information and documents conveyed to the Authority by the relevant data controllers upon the for notices and complaints made to our Authority or other documents that are foreseen to be examined and investigated by the Board;
It has been determined that there are deficiencies and violations of the legislation such as;
- That the informing is not done by the data controller during the obtaining personal data from the data subject, it is done afterwards or not at all,
- That the content of the informing does not cover the issues listed in the Article 10 of the Law No. 6698,
- That in the informing, the purpose of personal data processing is not limited, specific, explicit or legitimate to the processing activity, statements expressing that personal data may be processed for other purposes which are likely to come to the agenda in the future are used,
- That “Legal reason”, which is one of the minimum elements of informing, and “purpose of processing” are used in the same sense or there is no place for legal reason,
- That understandable, clear and plain language is not used in the texts used for informing, information that are general, suitable for misunderstanding, incomplete, misleading data subjects and wrong are included,
- That in the informing process, the purpose of transfer and the group or groups of transmitters are not sufficiently covered,
- That the informing texts are “privacy policies” or “data processing policies”, which have the characteristics of general data processing documents for the data controller,
- That informing texts are not presented on a platform that can be easily accessed by the data subjects,
- That when a layered approach to inform is preferred, before the data subjects are directed to another channel for detailed information, in the first stage, basic information is not presented, appropriate ways and methods for accessing detailed information are not followed, data subjects are generally directed to privacy policies or data processing policies,
- That explicit consent and informing are presented together under the same title in the same text or platform,
- That the confirmation regarding that the informing has been made is requested and the service is not provided if the consent is not given.
Due to the mentioned deficiencies and violations of the legislation, the data controllers should pay particular attention to the following issues while fulfilling their obligation to inform in order not to face the sanctions specified in the Law:
a) The proof of fulfilment of the obligation to inform belongs to the data controller.
b) The obligation to inform should be fulfilled by the data controller or the persons authorized by the data controller during the obtaining personal data from the data subject.
c) The informing to be made within the scope of the obligation to inform shall include “the identity of the controller and of his representative, if any, the purpose of data processing, to whom and for what purposes the processed data may be transferred, the method and legal reason of collection of personal data which are included in the Article 10 of the Law and the rights of data subject specified in the Article 11 of the Law”
d)According to the Communiqué On Principles and Procedures To Be Followed in Fulfilment of the Obligation to Inform published in the Official Gazette dated 10.03.2018; in cases where personal data are not obtained directly from data subjects due to actual impossibility or inaccesbility of the data subject, the obligation to inform shall be fulfilled within a reasonable time following the obtainment of the personal data or at the first instance of communication in case personal data are used to communicate with the data subject; and at the time of the first transfer of personal data at the late
e)The personal data to be disclosed during the fulfilment of the obligation to inform should be specific,clear, legitimate, and limited to the purposes for the processing activity. Statements expressing that personal data may be processed for other purposes which are likely to come to the agenda in the future should not be used.
f) Clear, plain language should be used in the texts when fulfilling the obligation to inform. In addition, general, ambiguous, incomplete, misleading and false information should not be included.
g) "Processing purpose" and "legal reason" are the separate elements that should be included in the information to be made while fulfilling the obligation to inform and it should be noted that with the statement "legal reason" of collecting data it is referred that the personal data are processed based on which processing conditions specified in the Articles 5 and 6 of the Law.
h) Privacy policies or data processing policies, which are not limited to the processing activity and which have the characteristics of general data processing documents for the data controller, should not be used as informing texts.
i) Attention should be paid to make the informing easily accessible and noticeable, and methods that would make it difficult for the data subjects to access the informing should not be used.
j) In cases where the transfer of personal data are transferred, the purpose of the transfer and the group of recipients to whom the transfer is made should also be included in the informing.
k) If a layered approach to inform is preferred, it should be ensured that the basic information (for example, the identity of the data controller and the purpose of the data processing) is presented in the first stage and that the directed text has limited content for the processing activity before the data subjects are directed to another channel for detailed information.
In this context, it is necessary to act in accordance with the Law No. 6698, Communiqué On Principles And Procedures To Be Followed In Fulfilment Of The Obligation To Inform, Board Decisions published on the website of the Authority and the Guide on Fulfilment of Obligation to Inform prepared by our Authority while fulfilling the obligation to inform.
Respectfully announced to the public.