COMMUNIQUÉ ON THE PROCEDURES AND PRINCIPLES OF
OBLIGATION TO INFORM DATA SUBJECTS
Purpose and Scope
ARTICLE 1 – (1) The purpose of this Communiqué is to determine the procedures and principles to be complied with according to the (obligation to inform) duty of clarification, which has to be fulfilled by data controllers or those authorized by them as per Article 10 of the Law on Protection of Personal Data numbered 6698 and dated March 24, 2016.
Base
ARTICLE 2 – (1) This Communiqué has been prepared based upon Article 22 paragraph one, subparagraphs (e) and (g) of the Law on Personal Data Protection numbered 6698.
Definitions
ARTICLE 3 – (1) In this Communiqué;
a) Recipient Group means the real person or legal entity category, to which the personal data are transmitted by the data controller,
b) Related person means the real person, whose data is being processed,
c) Law means the Law on Personal Data Protection numbered 6698 and dated March 24, 2016,
ç) Board means the Board of Personal Data Protection,
d) Authority means the Authority of Personal Data Protection,
e) Register means the Register of Data Controllers kept by the Head of Authority,
f) Data Registry System means any media where the personal data is kept after being processed via fully or partially automatic means or non-automatic means provided that it is part of a data registry system,
g) Data Controller means a real person or legal entity that determines the purposes and means of data processing and is responsible for the constitution and management of the data registry system,
ğ) Data Controller’s Representative means a legal entity residing in Turkey or a citizen of Turkish Republic that is authorized for minimum representation of data controllers not residing in Turkey for matters in Article 11 paragraph 2 of the Regulation on Register of Data Controllers published in the Official Gazette dated December 30, 2017 and numbered 30286.
(2) The definitions in the Law shall apply to any terms that are not defined in this Communiqué.
Scope of the duty of clarification
ARTICLE 4 – (1) According to Article 10 of the Law; when obtaining personal data, data controllers or those authorized by them must inform the related persons. When fulfilling this liability, the information by data controllers or those authorized by them must include at least the following:
a) The identity of the data controller and his/her representative,
b) The purpose of processing the personal data,
c) To whom and for what purpose the personal data will be transferred,
ç) Method and legal reason of personal data collection,
d) Other rights of the related person as listed in Article 11 of the Law.
Procedure and principles
ARTICLE 5 – (1) A data controller or those authorized by him/her must comply with the following procedures and principles when fulfilling the duty of clarification by using physical means or electronic media such as verbal, written, voice record, call centre:
a) The duty of clarification must be fulfilled with whenever the personal data is processed depending on the explicit consent of the related person or other requirements for processing as specified in the Law.
b) When the purpose of personal data processing is changed, the duty of clarification must be fulfilled for such purpose before the activity of data processing.
c) If the personal data is being processed for different purposes in different departments of the data controller, the duty of clarification must be fulfilled separately for each department.
ç) If it is obligatory to register the data with the Register, the information to be provided to the related person according to the duty of clarification must be compatible with those provided to the Register.
d) The fulfilment of the duty of clarification does not depend on the request of the related person.
e) The burden of proving the fulfilment of the duty of clarification is on the data controller.
f) If the activity of personal data processing is made based on the explicit consent, the duty of clarification and the explicit consent must be fulfilled separately.
g) According to the duty of clarification, the purpose of personal data processing must be specific, explicit and legitimate. When fulfilling the duty of clarification, the statements should not be general and ambiguous. Any statement implying that the personal data could be processed for other purposes that could possibly come up in the future must be avoided.
ğ) Information to the related person according to the duty of clarification must be made by using an intelligible, explicit and plain language.
h) The term “legal reason” in Article 10 paragraph 1 subparagraph (ç) of the Law is to show which processing requirement in Articles 5 and 6 of the Law was based upon to process the personal data within the scope of the duty of clarification. The legal reason must be explicitly specified when fulfilling the duty of clarification.
ı) Within the scope of the duty of clarification, the purpose of personal data transmission and the recipient groups to which the data will be transmitted must be specified.
i) Within the scope of the duty of clarification, it must be explicitly specified by which method the personal data was obtained, out of the fully or partially automatic means or non-automatic means provided that it is part of a data registry system.
j) When fulfilling the duty of clarification, misinformation and information that could mislead the related person must be avoided.
The duty of clarification when the personal data cannot be obtained from the related person
ARTICLE 6 – (1) If the personal data cannot be obtained from the related person, the duty of clarification must be fulfilled;
a) in a reasonable period of time after obtaining the personal data,
b) when the related person is first contacted, if the personal data is to be used for communication purposes,
c) no later than the first transmission of the personal data, if the personal data is to be transmitted.
Effectiveness
ARTICLE 7 – (1) This Communiqué enters into force on the date it is published.
Enforcement
ARTICLE 8 – (1) The provisions of this Communiqué are enforced by the Head of the Authority of Personal Data Protection.