The Personal Data Protection Authority ("Authority") published the Communiqué on Procedures and Principles on Notice Requirement ("Notice Communiqué) and the Communiqué on Procedures and Principles for the Application to Data Controller ("Application Communiqué ") on the Official Gazette of March 10, 2018.
What Do the Communiqués Say?
The communiqués are based on Articles 10 and 13 of the Law No. 6698 on the Protection of Personal Data (the "Data Protection Law"), which detail the scope of data controllers' obligations in relation to notice requirements. Under the Notice Communiqué, the data controller or others authorized by the data controller must comply with certain rules when fulfilling the notice requirement by using physical or electronic media such as verbal, written, voice recording, or call center:
- independent from the conditions for processing personal data, the notice requirement must always be fulfilled;
- the data controller must prove that the notice requirement was fulfilled;
- if the personal data is processed based on the explicit consent of the data subject, the consent and notice requirements must be fulfilled separately; and
- the notice for data subjects must be executed in comprehensible, clear and plain language.
If personal data is not collected from the data subject, the notice requirement must be fulfilled (i) within a reasonable time after the collection of the personal data; (ii) during the first communication, if the personal data is intended for communication purposes with the data subject; and (iii) if the personal data is to be transferred, at the latest during the first transfer.
Under the Application Communiqué, data subjects are required to prepare their applications in Turkish. Application requests must be submitted in writing or through registered electronic mail, secure electronic signature, mobile signature or an e-mail address that was previously notified by the data subject to the data controller and registered in the data controller's system, or through software or application developed for the purpose of receiving such applications.
Additionally, the application and the response to the application must include certain information, including the identity of the data subject.
The Application Communiqué provides that if the data controller's response to the data subject's application is in writing, the response will be provided free of charge up to ten pages, and for a fee of TRY 1 per page for excess pages.
In addition, if the response is provided in a recording medium such as CD or a USB flash drive, the fee charged by the data controller cannot exceed the cost of the recording medium.
Pursuant to the Article 18 of the Data Protection Law, failure to fulfill the notice requirement is subject to an administrative fine from TRY 5,000 to 100,000.
It is also crucial for companies to establish a mechanism where the data subjects' applications can be submitted and requests can be responded in a timely manner. The lack of a communication mechanism may result in complaints to the Personal Data Protection Board.