All members of the Data Protection Board (“Board”) of the Data Protection Authority (“Authority”) have been appointed as at 7 January 2017 and they held their first meeting in the past week.
As stated in our previous Law-Now publications (7 April 2016 and 6 October 2016), the Law No. 6698 on the Protection of Personal Data (“Data Protection Law” or “DPL”) published in the Official Gazette on 7 April 2016 and in force as at the reference date, however, regulatory bodies have yet to be structured in compliance with the DPL. According to article 19 of the DPL, the Authority shall be established as a public legal entity, which has administrative and financial autonomy, and the Authority shall consists of the Board and the presidency. The decision making organ of the Authority is the Board.
As per Article 21 of the Data Protection Law, the Board shall perform and use its duties and authorities assigned by the DPL and other legislation, independently and under its own responsibility. The same provision states that the board consists of nine (9) members.
Duties of the Board
Article 22 of the Data Protection Law sets out the duties and authorizations of the Board, while Article 23 of the DPL defines the working principles of the Board.
Pursuant to the Article 22 of the DPL, the Board shall
a. ensure that personal data is processed in accordance with the fundamental rights and freedoms of persons;
b. decide on the complaints of those who claim that their rights related to personal data are violated;
c. carry out reviews in subjects within its area of duty, upon request or ex officio, when being informed of a claim of violation, as to whether or not personal data was processed in accordance with the laws and if necessary to take temporary measures regarding the issue;
d. determine the adequate measures which are required to process special categories of personal data;
e. maintain the Data Controllers’ Registry;
f. issue the necessary regulatory procedures in areas relating to the duties of the Board and the functioning of the Authority;
g. make regulatory transactions in order to determine the obligations regarding data safety;
h. make regulatory transactions with respect to the duties, authorities and liabilities of the data controllers and their representatives;
i. decide on the administrative sanctions foreseen in this Law;
j. submit opinions about legislation drafts which are prepared by other institutions and agencies and include provisions on personal data;
k. decide on the strategic plan and determine the aims and purposes, the service quality standards and the performance criteria of the Authority;
l. discuss and decide on the annual budget prepared in accordance with the strategic plan and aims and purposes of the Authority;
m. approve and publish reports drafted and prepared on the performance, financial status, annual activities of the Authority and other necessary subjects;
n. discuss and decide on proposals regarding the purchase, sale and leasing of immovable; and
o. perform other tasks assigned by laws.
Since all the members of the Board have been appointed it is expected that the Authority will be established in the near future.
The Electoral System of the Board
Five (5) members of the Board shall be elected by the Turkish Grand National Assembly, two (2) members shall be elected by the Council of Ministers, and two (2) members shall be elected by the President of Turkish Republic.
In relation to the foregoing, the first five (5) members of the Board were appointed by the Turkish Grand National Assembly, published in the Official Gazette number 29850 on 7 October 2016 with the decision number 1129.
The two (2) members were appointed and published in the Official Gazette number 29920 on 16 December 2016 with the decision numbers 2016/103 and 2016/104.
The last two (2) members were appointed and published in the Official Gazette number 29941 on 7 January 2016 with the decision number 1135.