KVKK CLARIFICATION TEXT
The information text containing the rights and obligations regarding the Law on the Protection of Personal Data and the full text of the relevant law are below.
INFORMATION TEXT INCLUDING RIGHTS AND OBLIGATIONS REGARDING THE LAW ON THE PROTECTION OF PERSONAL DATA
General Surgery Specialist Op. Dr. Gülden Ballı has the title of "data controller" within the scope of the Personal Data Protection Law No. 6698 in terms of personal data regarding our clients, patients and other third parties.
With this "Clarification Text", it is aimed to inform the clients, patients, and third parties about the personal data management activities carried out by Op. Dr. Gülden Ballı and to obtain their explicit consent for the following situations.
Personal Data:
Personal data means information belonging to a natural person whose identity can be identified or who can be identified from the data we have or have access to.
Op. Dr. Gülden Ballı;
- When you visit and use the www.guldenballi.com.tr website and/or mobile applications, or use electronic commerce or one of the services, your personal data may be collected verbally, in writing or electronically through all digital channels, such as questions, messages and telephone calls sent to the website. Your personal data may be collected by automatic or non-automatic means, provided that it is part of our data recording system, when you create an account, share company information and personal information, fill out any form on www.guldenballi.com.tr, buy or sell goods and services, participate in dispute resolution, receive offers, fill out or submit our contact form, contact us or other users regarding our services, participate in surveys, purchase services with your explicit consent, or when your personal data is transferred to us by natural or legal persons with whom you consent to the sharing of your personal data; in these cases you are deemed to have given explicit consent, and
- Appointment bookings made by using the Make Online Appointment calendar software service on the www.guldenballi.com.tr website and/or via the call centre, telephone numbers,
- Registration, search, correspondence (WhatsApp, telephone, messaging, etc.) and transactions made on the www.guldenballi.com.tr website and/or mobile application,
- All kinds of membership carried out by using and saving your information in any field on the www.guldenballi.com.tr website, information entry by clients, patients or third parties, and/or information entries that Op. Dr. Gülden Ballı uses or will use to follow up the data and past status of the client and patient. Personal data is collected electronically, by automatic or non-automatic means, primarily through www.guldenballi.com.tr but not limited to this page.
As Op. Dr. Gülden Ballı, we would like to state with this "Clarification Text" that we fulfil our duty of care not only in medical interventions and our field of activity, but also in the security of personal data.
As a doctor and data controller, we hereby declare that the personal data of customers, patients and clients, consumers and all third parties, including employees or employee candidates, who benefit from our products and services, and all those who have a relationship with Op. Dr. Gülden Ballı are processed in accordance with the Constitution of the Republic of Turkey and international conventions on human rights to which our country is a party, and the Law No. 6698 on the Protection of Personal Data ("KVKK"), in particular, in accordance with the relevant legislation, and that the necessary care is taken by receiving services and training from professional consultants.
Dear www.guldenballi.com.tr website visitor, one of the purposes of this disclosure text is to fulfil the disclosure obligation imposed by Article 10 of the Law No. 6698 on the Protection of Personal Data (Personal Data Protection Law) regarding the use of personal data obtained and/or received from third parties during the use of the relevant website. In addition, it provides information about the collection methods, processing purposes, legal reasons and rights relating to personal data collected by the doctor in connection with the use of the www.guldenballi.com.tr website or entered by visitors with their explicit consent.
Unless we have your explicit consent, your data will not be used for purposes other than the stated purpose and will not be shared with or transferred to third parties, at home or abroad, except for legal obligations and official institutions and organisations.
Sharing your personal data with Op. Dr. Gülden Ballı and the company affiliated to her in order to carry out its activities and increase the quality of service provided requires your explicit consent. Your explicit consent is deemed to have been given and accepted by the fulfilment of one of the above-mentioned works and transactions by you.
Purposes of Processing Your Personal Data:
- Providing Services - Providing health services you request or other services deemed necessary, carrying out commercial activities,
- Providing You Access to Our Site - Providing access to our website or mobile applications,
- Patient Registration Agreement - Any text signed in order to fulfil the rights and obligations arising from the Patient Registration Agreement or any other contract we have signed with you or our policy texts, to ensure the establishment of a contract for the sale of goods and services between users and to ensure that shopping takes place and to mediate the realisation of your payment transactions,
- Dispute Resolution - Determining the right holder, making notifications, resolving disputes that have been or may be referred to the judiciary,
- Preventing Tax Evasion - To prevent tax evasion in line with state policy and national interests,
- Promotion, Marketing and Business Development Activities - To promote, advertise and market our services or goods and services offered through the website, to improve our website and services, to make our website easier to use and to improve our services, to develop strategies, business models and to conduct market research and to submit reports to the competent authorities upon request,
- Providing a personalised experience - When you register on the website, you will be able to log in more easily and quickly, track your service purchases and sales, report suspicious transactions, and create a document that you can submit to the authorities when necessary,
- Examination and Treatment Risk Determination - To determine the risks of use of drugs or similar substances, to prepare for the operation, to determine the risk of surgery or anaesthesia, to provide internet, transaction security, to prevent transactions that may involve fraudulent or illegal activities, to take necessary measures to ensure that you can use our services safely, to detect, prevent or investigate activities that constitute fraud, constitute a breach of security or are suspicious or illegal, to protect public health, preventive medicine, medical diagnosis, in cases where you have shared your health data with your explicit consent for the purposes of carrying out treatment and care services, planning and management of health services and financing, recommending services according to your health data, patient follow-up, obtaining the necessary information for examination, confirming your identity, protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing, planning and management of the internal functioning of our clinics and other facilities and daily operations, drug supply, informing you about the appointment in case you make an appointment, performing risk management and quality improvement activities, fulfilling legal and regulatory requirements, confirming your relationship with institutions contracted with hospitals and medical centres or providing financial reconciliation with these institutions regarding the health services provided to you, sharing the information requested with private insurance companies within the scope of financing health services, invoicing for our services, sharing the information requested with the Ministry of Health and relevant public institutions and organisations in accordance with the relevant legislation, taking all necessary technical and administrative measures within the scope of data security of the systems and applications of our hospitals and medical centres, analysing your use of health services and storing your health data in order to develop and improve the health services we provide to you, providing the necessary information in line with the requests and audits of regulatory and supervisory institutions and official authorities, maintaining information about your health data that must be kept in accordance with the relevant legislation, contacting you,
- Communication - To contact you regarding our Services, to provide customer service, to carry out personalised advertising and marketing using tracking technologies and profiling methods,
- Cookies - With your explicit consent, by using tracking technologies (cookies, web beacons, etc.) in addition to the information you have shared with us, to carry out direct marketing, online behavioural advertising and location-based advertising based on profiles created by using information obtained by tracking behaviour such as pages viewed, links clicked and advertisements of third parties or full geographical location information; to meet the requests of the competent authorities; to collect, use and store all records and documents that will be the basis of the transaction in electronic (internet/mobile etc.) or paper media; to comply with the information storage, reporting and information obligations stipulated by the legislation, competent institutions and other authorities; to ensure the smooth functioning of our services; to fulfil legal obligations; and to comply with the provisions of the legal regulations in force that require data processing in accordance with the applicable laws.
Processed Personal Data: Your personal data of special nature, especially your health data, and your personal data of general nature may be processed by the Doctor in a measured manner in connection with the purposes specified in this article, including but not limited to the following. The processed personal data are as follows:
Your identity details,
Contact Details,
Accounting Information,
Private Insurance Information,
Social Security Institution (SSI) Data,
Your Health Information: All kinds of health data obtained during or as a result of the execution of medical diagnosis, treatment and care services, including but not limited to patient medical reports, diagnostic data, biometric and genetic data, laboratory results, test results, examination data, appointment information, prescription information,
Customer relationship management: Questionnaires filled out by patients, letters of thanks and complaints, satisfaction results, etc., which you use to evaluate the doctor,
Information obtained through cookies on the website,
Demographic Data: Date of birth, age, marital status, educational status, occupation, interests, preferred language,
Location Data: It covers our use of data related to the precise or approximate location of users in order to provide better service to them. Location data, which is extracted from GPS data and IP and port addresses, is used when the user wants to search for content around his/her location while using mobile applications or the website and if the user gives permission with his/her explicit consent,
Payment Data: Subscriber invoice and payment information, invoices sent to customers and receipt samples of payments received from customers, payment number, invoice number, invoice amount, invoice cut-off date,
Content Data: Similar data such as membership information, notification description, solution description, satisfaction, notification reason, customer note, subscription renewal date, error content reported by users, interim notification status, interim notification, search reason,
Survey Answers: Personal data processed by me, through the website or call centre, responses to periodic surveys organised by the relevant personnel and forms,
Your health data and other personal data that you send or notify us via the website, e-mail or any other means,
Your personal data obtained and processed in accordance with the relevant legislation may be transferred to the Doctor's physical archives and / or information systems and kept both in digital and physical environment.
Transfer of Your Personal Data: Your personal data may be shared with our solution partners or business partners, service providers, financial institutions, legally authorised public institutions and organisations, law enforcement and judicial authorities who undertake that they have taken the necessary measures in accordance with Law No. 6698 in order to ensure that we achieve the above-mentioned objectives. Such sharing is carried out in accordance with the personal data processing conditions stipulated in Article 8 titled "Transfer of personal data" and Article 9 titled "Transfer of personal data abroad" of the Law on the Protection of Personal Data. In this context, your personal data is transferred only with your explicit consent or in the presence of another legal reason regulated in the Personal Data Protection Law and listed below. In addition, when your personal data is shared with third parties specified in this article, it will be shared only to the extent necessary and within the scope of its relevance, and necessary inquiries are made by the shared third parties to ensure that the data in question has the protection stipulated by the Personal Data Protection Law No. 6698.
Legal Reasons for Processing Your Personal Data:
We always process your personal data based on one of the legal grounds set out in Articles 5 and 6 of the Law on the Protection of Personal Data. The legal grounds we rely on in this context:
Explicitly stipulated in the laws: In cases where your personal data is processed due to a provision in the laws, this legal ground is relied upon. This reason is also referred to as "fulfilment of legal obligations".
Obligation for the protection of life or physical integrity: This legal ground is relied upon in cases where the consent cannot be explained due to actual impossibility or is deemed legally invalid, and in cases where the processing of data is mandatory for the protection of the life or physical integrity of the data subject or another person.
Fulfilment of a legal obligation: In cases where the processing of your personal data is mandatory for us to fulfil a legal obligation, this legal reason is relied on.
Being made public by the person concerned: This legal ground is relied upon in cases where you voluntarily share your personal data with the public or social media, that is, where you share your information openly with everyone on social media or similar platforms.
Establishment, exercise or protection of a right: In cases where the processing of your personal data is mandatory for the establishment, exercise or protection of a right, this legal ground is relied upon.
Performance of a Contract: In cases where the processing of your personal data is directly related to the establishment or performance of a contract, this legal ground is relied on. It is necessary for the establishment of a contract or the provision of our relevant health services to you.
Being compulsory for our legitimate interests, provided that it does not harm your fundamental rights and freedoms: In cases where the processing of your personal data is necessary for the execution of our commercial activities, but such processing does not harm your fundamental rights and freedoms, this legal ground is relied upon. This reason may constitute the basis of some or all of the processing activities that we carry out for "Promotion and marketing", "Improving our Site and Services", "Providing personalised experience", "Ensuring Internet, transaction security, preventing transactions that may include fraudulent or illegal activities" and "fulfilling our company policies and objectives".
Explicit Consent: This legal reason is relied upon in cases where you have explicitly consented to the processing of your personal data. In the absence of any of the above legal grounds, we process your personal data only with your explicit consent. In cases where you have given explicit consent, you can withdraw your explicit consent at any time.
Personal Data Retention Period:
I will keep the personal data you share with me for the period required for the purpose for which the data are processed in order for you to make the best use of my services, within the framework of the conditions specified in this clarification text and in order to fulfil my obligations arising from the law. It is possible to make a request within your rights under Article 11 of Law No. 6698 regarding the periods.
Your rights under Article 11 of the Law: Regarding the data we collect, you have the right:
- To learn whether your data are processed or not,
- To request information about them if they are processed,
- To learn the purpose of processing and whether they are used in accordance with their purpose,
- To know who they are if they are shared with third parties at home or abroad,
- To request correction in case of incomplete or incorrect processing,
- To request the deletion or destruction of your processed data in case the reasons requiring their processing disappear,
- In case your data is deleted or corrected upon your request, to request notification of the transactions to third parties to whom personal data is transferred,
- To object to the occurrence of a result against you in cases where it is analysed exclusively through automated systems,
- To demand compensation for the damage in case you suffer damage due to unlawful processing.
If you want to use these rights, please contact us in writing at the address Kültür Mah. Talatpaşa Bulv. No:1 K: 3 D: 6 Alsancak Konak/İZMİR, or by using your registered electronic mail (KEP) address, secure electronic signature, mobile signature or the e-mail address that you have previously notified us of and that is registered in our system, via the info@guldenballi.com.tr e-mail address, or by calling 0232 202 20 22.
PERSONAL DATA PROTECTION LAW
Law Number: 6698
Acceptance Date : 24/3/2016
Published in the Official Gazette: Date: 7/4/2016 Number : 29677
Published in Düstur: Order: 5 Volume: 57
PART ONE
Purpose, Scope and Definitions
Objective
ARTICLE 1- (1) The purpose of this Law is to protect the fundamental rights and freedoms of individuals, in particular the right to privacy, in the processing of personal data and to regulate the obligations of natural and legal persons who process personal data and the procedures and principles to be followed.
Scope
ARTICLE 2- (1) The provisions of this Law shall apply to natural persons whose personal data are processed and to natural and legal persons who process such data wholly or partially by automatic means or by non-automatic means provided that they are part of any data recording system.
Definitions
ARTICLE 3- (1) In the implementation of this Law;
- a) Explicit consent: Consent related to a specific subject, based on information and expressed with free will,
- b) Anonymisation: Making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even by matching with other data,
- c) President: The President of the Personal Data Protection Authority,
- ç) Relevant person: The natural person whose personal data is processed,
- d) Personal data: Any information relating to an identified or identifiable natural person,
- e) Processing of personal data: All kinds of operations performed on personal data such as obtaining, recording, storing, retaining, modifying, reorganising, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data by fully or partially automatic means or by non-automatic means provided that they are part of any data recording system,
- f) Board: Personal Data Protection Board,
- g) Institution: Personal Data Protection Authority,
- ğ) Data processor: The natural or legal person who processes personal data on behalf of the data controller based on the authorisation granted by the data controller,
- h) Data recording system: The recording system in which personal data are structured and processed according to certain criteria,
- ı) Data Controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.
PART TWO
Processing of Personal Data
General principles
ARTICLE 4- (1) Personal data may only be processed in accordance with the procedures and principles stipulated in this Law and other laws.
(2) The following principles must be complied with in the processing of personal data:
- a) Compliance with the law and good faith.
- b) Being accurate and, where necessary, up to date.
- c) Processing for specific, explicit and legitimate purposes.
- ç) Being relevant, limited and proportionate to the purpose for which they are processed.
- d) To be kept for the period stipulated in the relevant legislation or required for the purpose for which they are processed.
Conditions for processing personal data
ARTICLE 5- (1) Personal data cannot be processed without the explicit consent of the data subject.
(2) In the presence of one of the following conditions, processing of personal data is possible without seeking the explicit consent of the person concerned:
- a) Explicitly stipulated in the laws.
- b) It is necessary for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility or whose consent is not legally valid.
- c) Provided that it is directly related to the conclusion or performance of a contract, it is necessary to process personal data of the parties to the contract.
- ç) It is mandatory for the data controller to fulfil its legal obligation.
- d) It has been publicised by the person concerned.
- e) Data processing is mandatory for the establishment, exercise or protection of a right.
- f) Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
Conditions for processing special categories of personal data
ARTICLE 6- (1) Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership to associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data are sensitive personal data.
(2) Processing of special categories of personal data without the explicit consent of the data subject is prohibited.
(3) Personal data other than health and sexual life listed in the first paragraph may be processed without seeking the explicit consent of the data subject in cases stipulated by law. Personal data relating to health and sexual life may only be processed without the explicit consent of the data subject by persons under the obligation of confidentiality or authorised institutions and organisations for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and financing.
(4) In the processing of special categories of personal data, it is also required to take adequate measures determined by the Board.
Deletion, destruction or anonymisation of personal data
ARTICLE 7- (1) Although it has been processed in accordance with the provisions of this Law and other relevant laws, personal data shall be deleted, destroyed or anonymised by the data controller ex officio or upon the request of the data subject if the reasons requiring its processing disappear.
(2) The provisions of other laws regarding the deletion, destruction or anonymisation of personal data are reserved.
(3) The procedures and principles regarding the deletion, destruction or anonymisation of personal data shall be regulated by a regulation.
Transfer of personal data
ARTICLE 8- (1) Personal data cannot be transferred without the explicit consent of the data subject.
(2) Personal data may be transferred without seeking the explicit consent of the person concerned if one of the conditions specified in;
- a) the second paragraph of Article 5,
- b) provided that adequate precautions are taken, the third paragraph of Article 6,
exists.
(3) The provisions of other laws regarding the transfer of personal data are reserved.
Transfer of personal data abroad
ARTICLE 9- (1) Personal data cannot be transferred abroad without the explicit consent of the data subject.
(2) Personal data may be transferred abroad without seeking the explicit consent of the data subject in the presence of one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6, provided that, in the foreign country to which the personal data will be transferred;
- a) there is adequate protection,
- b) in the absence of adequate protection, the data controllers in Turkey and the relevant foreign country undertake an adequate protection in writing and the Board's authorisation is obtained.
(3) Countries with adequate protection shall be determined and announced by the Board.
(4) The Board shall decide whether there is adequate protection in the foreign country and whether an authorisation pursuant to subparagraph (b) of paragraph 2 shall be granted by evaluating the following and, if necessary, by taking the opinion of the relevant institutions and organisations:
- a) International conventions to which Turkey is a party,
- b) The reciprocity status regarding data transfer between the country requesting personal data and Turkey,
- c) For each concrete personal data transfer, the nature of the personal data and the purpose and duration of processing,
- ç) The relevant legislation and practice of the country to which the personal data will be transferred,
- d) The measures undertaken by the data controller in the country to which the personal data will be transferred.
(5) Without prejudice to the provisions of international conventions, personal data may be transferred abroad only with the permission of the Board by obtaining the opinion of the relevant public institution or organisation in cases where the interests of Turkey or the person concerned would be seriously damaged.
(6) The provisions of other laws regarding the transfer of personal data abroad are reserved.
PART THREE
Rights and Obligations
Disclosure obligation of the data controller
ARTICLE 10- (1) During the acquisition of personal data, the data controller or the person authorised by him/her shall provide the data subjects with the following information:
- a) Identity of the data controller and its representative, if any,
- b) The purpose for which personal data will be processed,
- c) To whom and for what purpose the processed personal data may be transferred,
- ç) The method and legal reason for collecting personal data,
- d) Other rights listed in Article 11.
Rights of the person concerned
ARTICLE 11- (1) Everyone has the right, by applying to the data controller;
- a) To learn whether personal data is being processed,
- b) To request information if personal data has been processed,
- c) To learn the purpose of processing personal data and whether they are used in accordance with their purpose,
- ç) To know the third parties to whom personal data are transferred domestically or abroad,
- d) To request the correction of personal data in case of incomplete or incorrect processing,
- e) To request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7,
- f) To request notification of the transactions made pursuant to subparagraphs (d) and (e) to third parties to whom personal data are transferred,
- g) To object to the emergence of a result to the detriment of the person himself/herself by analysing the processed data exclusively through automated systems,
- ğ) To demand compensation for the damage in case of damage due to unlawful processing of personal data.
Obligations regarding data security
ARTICLE 12- (1) The data controller, in order;
- a) to prevent unlawful processing of personal data,
- b) to prevent unlawful access to personal data,
- c) to ensure the preservation of personal data,
must take all necessary technical and administrative measures to ensure the appropriate level of security.
(2) In the event that personal data are processed by another natural or legal person on his/her behalf, the data controller is jointly responsible with these persons for taking the measures specified in the first paragraph.
(3) The data controller is obliged to carry out or have carried out the necessary audits in its own institution or organisation in order to ensure the implementation of the provisions of this Law.
(4) Data controllers and data processors may not disclose the personal data they have learnt to others in violation of the provisions of this Law and may not use them for purposes other than processing. This obligation shall continue even after their resignation.
(5) In case the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.
PART FOUR
Application, Complaint and Data Controllers Registry
Application to the data controller
ARTICLE 13- (1) The data subject shall communicate his/her requests regarding the implementation of this Law to the data controller in writing or by other methods to be determined by the Board.
(2) The data controller shall finalise the requests in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board may be charged.
(3) The data controller accepts the request or rejects it by explaining the reason and notifies the relevant person in writing or electronically. If the request in the application is accepted, the data controller shall fulfil the requirement. In case the application is caused by the error of the data controller, the fee charged shall be refunded to the data subject.
Complaint to the Board
ARTICLE 14- (1) In cases where the application is rejected, the response is found insufficient or the application is not responded in due time; the data subject may file a complaint to the Board within thirty days from the date of learning the response of the data controller and in any case within sixty days from the date of application.
(2) A complaint cannot be filed before exhausting the remedy pursuant to Article 13.
(3) Those whose personal rights are violated shall be entitled to compensation in accordance with general provisions.
Procedures and principles of examination upon complaint or ex officio
ARTICLE 15- (1) The Board, upon a complaint or ex officio if it learns of an alleged violation, shall conduct the necessary investigation on the matters falling within its jurisdiction.
(2) Notices or complaints that do not fulfil the conditions specified in Article 6 of the Law on the Exercise of the Right to Petition dated 1/11/1984 and numbered 3071 shall not be examined.
(3) Except for the information and documents that are state secrets, the data controller is obliged to send the information and documents requested by the Board regarding the subject of the examination within fifteen days and to provide the opportunity for on-site examination when necessary.
(4) Upon the complaint, the Board shall examine the request and give a reply to the relevant parties. If no reply is given within sixty days from the date of the complaint, the request shall be deemed rejected.
(5) If, as a result of the examination made upon complaint or ex officio, it is found that there is a breach, the Board decides that the data controller shall remedy the breaches of law and notifies the relevant parties. This decision shall be fulfilled without delay and within thirty days at the latest following the notification.
(6) If it is determined that the violation is widespread as a result of the examination made upon a complaint or ex officio, the Board shall take a principle decision on this matter and publish this decision. The Board may also take the opinions of the relevant institutions and organisations, if necessary, before taking a decision in principle.
(7) The Board may decide to suspend data processing or transfer of data abroad in case damages that are irreparable or impossible to compensate arise and in case of a clear violation of the law.
Data Controllers Registry
ARTICLE 16- (1) Under the supervision of the Board, the Data Controllers Registry shall be kept publicly by the Presidency.
(2) Natural and legal persons who process personal data are obliged to register with the Data Controllers' Registry before starting data processing. However, the Board may make exceptions to the obligation to register with the Data Controllers' Registry by taking into account objective criteria to be determined by the Board, such as the nature and number of personal data processed, the lawfulness of the data processing or the status of transfer to third parties.
(3) The application for registration in the Data Controllers Registry shall be made with a notification containing the following:
- a) Identity and address information of the data controller and its representative, if any.
- b) The purpose for which personal data will be processed.
- c) Explanations on the data subject group or groups of persons and the data categories belonging to these persons.
- ç) Recipients or recipient groups to whom personal data may be transferred.
- d) Personal data foreseen to be transferred to foreign countries.
- e) Measures taken regarding personal data security.
- f) The maximum period required for the purpose for which personal data are processed.
(4) Changes in the information provided pursuant to the third paragraph shall be immediately notified to the Presidency.
(5) Other procedures and principles regarding the Data Controllers Registry shall be regulated by a regulation.
SECTION FIVE
Crimes and Misdemeanours
Offences
ARTICLE 17- (1) The provisions of Articles 135 to 140 of the Turkish Criminal Code dated 26/9/2004 and numbered 5237 shall apply to offences relating to personal data.
(2) Those who do not delete or anonymise personal data in violation of Article 7 of this Law shall be punished according to Article 138 of the Law No. 5237.
Misdemeanours
ARTICLE 18- (1) Under this Law, the following administrative fines shall be imposed:
- a) From 5.000 Turkish Liras to 100.000 Turkish Liras for those who fail to fulfil the disclosure obligation stipulated in Article 10,
- b) From 15.000 Turkish Liras to 1.000.000 Turkish Liras for those who fail to fulfil the obligations regarding data security stipulated in Article 12,
- c) From 25.000 Turkish Liras to 1.000.000 Turkish Liras for those who fail to fulfil the decisions taken by the Board pursuant to Article 15 hereof,
- ç) From 20.000 Turkish Liras to 1.000.000.000 Turkish Liras for those who violate the obligation to register and notify the Data Controllers Registry stipulated in Article 16.
(2) Administrative fines stipulated in this Article shall be imposed on natural persons and private legal entities who are data controllers.
(3) In the event that the acts listed in the first paragraph are committed within public institutions and organisations and professional organisations having the characteristics of public institutions, upon notification by the Board, disciplinary action shall be taken against the civil servants and other public officials working in the relevant public institutions and organisations and those working in professional organisations having the characteristics of public institutions in accordance with the disciplinary provisions and the result shall be notified to the Board.
SECTION SIX
Personal Data Protection Authority and Organisation
Personal Data Protection Authority
ARTICLE 19- (1) In order to fulfil the duties assigned by this Law, the Personal Data Protection Authority has been established with administrative and financial autonomy and public legal personality.
(2) The institution is associated with the minister appointed by the President. (1)
(3) The headquarters of the Agency is in Ankara.
(4) The Agency shall consist of the Board and the Presidency. The decision-making body of the Agency is the Board.
Duties of the Organisation
ARTICLE 20- (1) The duties of the Agency are as follows:
- a) To follow the practices and legislative developments, to make evaluations and recommendations, to carry out or have carried out researches and analyses in line with its field of duty.
- b) In case of need, to cooperate with public institutions and organisations, non-governmental organisations, professional organisations or universities in matters within its field of duty.
- c) To monitor and evaluate international developments related to personal data, to cooperate with international organisations on issues within its field of duty, and to participate in meetings.
- ç) To submit the annual activity report to the Presidency of the Republic of Turkey, the Human Rights Inquiry Commission of the Grand National Assembly of Turkey (...) (2) (2)
- d) To fulfil other duties assigned by law.
Personal Data Protection Board (3)
ARTICLE 21- (1) The Board shall fulfil and exercise its duties and powers assigned by this Law and other legislation independently and under its own responsibility. No body, authority or person may give orders or instructions to the Board, or make recommendations or suggestions with respect to the matters falling within the scope of its duties.
(2) The Board shall consist of nine members. Five members of the Board shall be elected by the Grand National Assembly of Turkey and four members shall be elected by the President. (3)
(3) The following conditions are sought for becoming a member of the Board:
- a) To have knowledge and experience in the subjects within the field of duty of the institution.
- b) To have the qualifications specified in subparagraphs (1), (4), (5), (6) and (7) of paragraph (A) of the first paragraph of Article 48 of the Civil Servants Law No. 657 dated 14/7/1965.
- c) Not being a member of any political party.
- ç) To have at least four years of higher education at undergraduate level.
- d) (Repealed: 2/7/2018-KHK-703/163 Art.)
-----------------
(1) Pursuant to Article 163 of the Decree Law No. 703 dated 2/7/2018, the phrase "with the Prime Ministry" in this paragraph has been amended as "with the minister appointed by the President".
(2) With Article 163 of the Decree Law No. 703 dated 2/7/2018, the phrase "and the Prime Ministry" in this subparagraph has been abrogated.
(3) With Article 163 of the Executive Decree no. 703 dated 2/7/2018, the phrase "two members of the President and two members of the Council of Ministers" in the second paragraph of this Article has been amended as "four members of the President".
(4) (Repealed: 2/7/2018-KHK-703/163 art.)
(5) The Grand National Assembly of Turkey shall elect members to the Board by the following procedure:
- a) Two times the number of members to be determined in proportion to the number of members of the political party groups shall be nominated for election and the members of the Board shall be elected from among these candidates by the General Assembly of the Grand National Assembly of Turkey on the basis of the number of members per political party group. However, political party groups shall not discuss or decide on who to vote for in the elections to be held in the Grand National Assembly of Turkey.
- b) The election of the members of the Board shall be held within ten days after the nomination and announcement of the candidates. For the candidates nominated by the political party groups, a combined ballot paper shall be prepared as separate lists. Votes shall be cast by marking the special place opposite the names of the candidates. Votes cast more than the number of members to be elected to the Board from the quotas of political party groups determined according to the second paragraph shall be deemed invalid.
- c) Provided that there is a quorum, the candidates who receive the highest number of votes in the election shall be elected, up to the number of vacant memberships.
- d) Two months before the expiry of the term of office of the members; in case of a vacancy in the membership for any reason, elections shall be held by the same procedure within one month following the date of the vacancy or, if the Grand National Assembly of Turkey is in recess on the date of the vacancy, within one month following the end of the recess. In these elections, the distribution of the vacant memberships among political party groups shall be made by taking into account the number of members elected from the quota of political party groups in the first election and the current ratio of political party groups.
(6) Forty-five days before the expiry of the term of office of one of the members elected by the President (...)(1) or in case of termination of office for any reason, the situation shall be notified to the Presidency (...)(1) by the Agency within fifteen days. One month before the expiry of the term of office of the members, new members shall be elected. In case of a vacancy in these memberships for any reason before the expiry of the term of office, an election shall be held within fifteen days following the notification. (1)
(7) The Board shall elect the Chairman and the Second Chairman from among its members. The Chairman of the Board is also the Chairman of the Agency.
(8) The term of office of the Board members is four years. The member whose term expires may be re-elected. The person elected to replace a member whose office ends for any reason before the expiry of his/her term shall complete the remaining term of the member he/she was elected to replace.
(9) The elected members shall take an oath in the presence of the First Presidency Board of the Court of Cassation as follows: "I swear on my honour and integrity that I will fulfil my duty in accordance with the Constitution and laws, with complete impartiality, honesty, fairness and justice." The application to the Court of Cassation for oath shall be considered as urgent business.
----------------
(1) With Article 163 of the Decree Law No. 703 dated 2/7/2018, the phrases "or the Council of Ministers" and "or to the Prime Ministry to be submitted to the Council of Ministers" in this paragraph have been removed from the text of the article.
(10) Unless provided by a special law, the members of the Board may not assume any official or private duties other than the execution of their official duties in the Board, act as managers in associations, foundations, cooperatives and similar organisations, engage in commerce, engage in self-employment, act as arbitrators and experts. However, the members of the Board may publish scientific publications, give lectures and conferences, and receive royalties and lecture and conference fees arising therefrom in a manner not to interfere with their primary duties.
(11) Investigations regarding the offences alleged to have been committed by the members due to their duties shall be conducted in accordance with the Law on the Prosecution of Civil Servants and Other Public Officials dated 2/12/1999 and numbered 4483, and the President shall grant the permission to investigate them. (1)
(12) The provisions of Law No. 657 shall apply to the disciplinary investigation and prosecution of the members of the Board.
(13) Board members cannot be dismissed for any reason before the expiry of their terms. However, the membership of Board members shall be terminated by the decision of the Board if:
- a) It is subsequently realised that they do not meet the requirements for election,
- b) A conviction decision given against them due to offences committed in relation to their duties becomes final,
- c) It is conclusively determined by a medical board report that they cannot fulfil their duties,
- ç) It is determined that they have been absent from their duties without permission or excuse, for fifteen days without interruption or for a total of thirty days in a year,
- d) It is determined that they did not attend a total of three meetings of the Board within one month and ten meetings of the Board within one year without permission or excuse.
(14) Those elected as members of the Board shall be dismissed from their previous duties as long as they serve in the Board. Those who were elected as members while they were public officers shall be appointed by the appointing authority within one month to a position in accordance with their merit, provided that they do not lose the conditions for entering the civil service, upon the expiry of their term of office or upon their request to resign from office and their application to their former institutions within thirty days. Until the appointment is made, the Agency shall continue to pay all kinds of payments they have been receiving. The Agency shall continue to pay all kinds of payments to those who are not employed in a public institution, who are elected as a member and whose membership is terminated as mentioned above, until they start any duty or employment, and the payment to be made by the Agency to those whose membership is terminated in this way cannot exceed three months. The periods they spent at the Agency shall be deemed to have been spent at their previous institutions or organisations in terms of their personal and other rights.
----------------
(1) With Article 163 of the Decree Law No. 703 dated 2/7/2018, the phrase "Prime Minister" in this paragraph has been changed to "President".
Duties and powers of the Board
ARTICLE 22- (1) The duties and powers of the Board are as follows:
- a) To ensure that personal data is processed in accordance with fundamental rights and freedoms.
- b) To decide on the complaints of those who claim that their rights regarding personal data have been violated.
- c) To examine whether personal data are processed in accordance with the laws on matters falling within its field of duty upon complaint or ex officio upon learning of the alleged violation and to take temporary measures in this regard when necessary.
- ç) To determine the adequate measures required for the processing of special categories of personal data.
- d) To ensure that the Data Controllers Registry is kept.
- e) To take the necessary regulatory actions on matters related to the Board's field of duty and the functioning of the Agency.
- f) To take regulatory action to determine the obligations regarding data security.
- g) To take regulatory action regarding the duties, authorities and responsibilities of the data controller and its representative.
- ğ) To decide on administrative sanctions stipulated in this Law.
- h) To give opinions on draft legislation prepared by other institutions and organisations and containing provisions on personal data.
- ı) To decide on the strategic plan of the Institution, to determine its aims and objectives, service quality standards and performance criteria.
- i) To discuss and decide on the budget proposal prepared in accordance with the strategic plan, aims and objectives of the institution.
- j) To approve and publish the draft reports prepared on the performance, financial status, annual activities of the Organisation and the required issues.
- k) To discuss and decide on proposals for the purchase, sale and lease of immovable property.
- l) To fulfil other duties assigned by law.
Working principles of the Board
ARTICLE 23- (1) The President shall determine the meeting days and agenda of the Board. The President may call the Board for an extraordinary meeting when necessary.
(2) The Board convenes with at least six members including the chairman and takes decisions with the absolute majority of the total number of members. Board members may not abstain from voting.
(3) Members of the Board may not participate in meetings and voting on matters concerning themselves, their relatives by blood up to the third degree and by in-laws up to the second degree, their adopted children and their spouses even if the marriage bond between them has been cancelled.
(4) The members of the Board may not disclose the secrets of the relevant persons and third parties, which they have learnt during the course of their duties, to anyone other than the authorities authorised by law in this respect and may not use them for their own benefit. This obligation shall continue even after their resignation from office.
(5) The matters discussed in the Board shall be recorded in minutes. Decisions and the reasons for dissenting votes, if any, shall be written down within fifteen days at the latest as of the date of the decision. The Board shall publicise the decisions it deems necessary.
(6) Unless otherwise agreed, discussions at the Board meetings are confidential.
(7) The working procedures and principles of the Board, drafting of resolutions and other matters shall be regulated by a regulation.
President
ARTICLE 24- (1) The President, as the chairman of the Board and the Agency, is the highest authority of the Agency and organises and executes the services of the Agency in accordance with the legislation, the objectives and policies, strategic plan, performance criteria and service quality standards of the Agency and ensures coordination among service units.
(2) The President is responsible for the general management and representation of the Agency. This responsibility covers the duties and powers of organising, conducting, supervising, evaluating and, when necessary, announcing the activities of the Agency to the public.
(3) The duties of the President are as follows:
- a) To manage the Board meetings.
- b) To ensure the notification of the Board decisions and public announcement of those deemed necessary by the Board and to monitor their implementation.
- c) To appoint the Vice President, heads of departments and the personnel of the Agency.
- ç) To finalise the proposals received from the service units and submit them to the Board.
- d) To ensure the implementation of the strategic plan, to establish human resources and labour policies in line with service quality standards.
- e) To prepare the annual budget and financial statements of the Organisation in accordance with the determined strategies, annual goals and objectives.
- f) To ensure the coordination of the Board and service units to work in a harmonious, efficient, disciplined and organised manner.
- g) To carry out the relations of the institution with other organisations.
- ğ) To determine the duties and authority of the personnel authorised to sign on behalf of the President of the Agency.
- h) To fulfil other duties related to the management and functioning of the Institution.
(4) In the absence of the President of the Agency, the Second President shall deputise for the President.
Formation and duties of the Presidency
ARTICLE 25- (1) The Presidency shall consist of the Vice President and service units. The Presidency shall perform the duties listed in the fourth paragraph through service units organised as departments. The number of departments may not exceed seven.
(2) The President shall appoint a Vice President to assist him/her in his/her duties related to the Agency.
(3) The Vice President and heads of departments shall be appointed by the President from among the persons who have graduated from at least four-year higher education institutions and have been in public service for ten years.
(4) The duties of the Presidency are as follows:
- a) Keeping the Data Controllers Registry.
- b) To carry out the office and secretariat operations of the Agency and the Board.
- c) Representing the Agency through lawyers in lawsuits and execution proceedings to which the Agency is a party, pursuing or having the lawsuits pursued, and carrying out legal services.
- ç) To carry out the personnel procedures of the members of the Board and those working at the Agency.
- d) To perform the duties assigned to financial service and strategy development units by law.
- e) To ensure the establishment and use of the information system in order to carry out the business and operations of the Agency.
- f) To prepare and submit to the Board draft reports on the annual activities of the Board or on the required issues.
- g) To prepare the draft strategic plan of the organisation.
- ğ) To determine the personnel policy of the institution, to prepare and implement the career and training plans of the personnel.
- h) To carry out the appointment, transfer, discipline, performance, promotion, retirement and similar procedures of the personnel.
- ı) To determine the ethical rules to be followed by the staff and to provide the necessary training.
- i) To carry out all kinds of procurement, leasing, maintenance, repair, construction, archive, health, social and similar services required by the Agency within the framework of the Public Financial Management and Control Law No. 5018 dated 10/12/2003.
- j) To keep records of movable and immovable property belonging to the institution.
- k) To perform other duties assigned by the Board or the Chairman.
(5) The service units and the working procedures and principles of these units shall be determined by a regulation to be put into effect by the President upon the proposal of the Agency in accordance with the field of activity, duties and powers set forth in this Law. (1)
-----------------
(1) With Article 163 of the Decree Law No. 703 dated 2/7/2018, the phrase "by the Council of Ministers" in this paragraph has been changed to "by the President".
Personal Data Protection Expert and assistant experts
ARTICLE 26- (1) The Agency may employ Personal Data Protection Experts and Assistant Personal Data Protection Experts. Those appointed to the position of Personal Data Protection Expert within the framework of additional article 41 of the Law no. 657 shall be promoted by one degree for one time only.
Provisions on personnel and personal rights
ARTICLE 27- (1) The personnel of the Agency shall be subject to the Law No. 657 except for the matters regulated by this Law.
(2) The payments made, within the scope of financial and social rights, to the equivalent personnel determined pursuant to the additional article 11 of the Decree Law dated 27/6/1989 and numbered 375 shall be paid to the Chairman and members of the Board and the personnel of the Agency within the framework of the same procedures and principles. Payments made to equivalent personnel which are not subject to tax and other legal deductions shall not be subject to tax and other deductions according to this Law.
(3) The Chairman and members of the Board and the personnel of the Agency shall be subject to the provisions of subparagraph (c) of the first paragraph of Article 4 of the Social Security and General Health Insurance Law dated 31/5/2006 and numbered 5510. The Chairman and members of the Board and the personnel of the Agency shall be considered equivalent to their counterparts in terms of pension rights. While being insured within the scope of subparagraph (c) of the first paragraph of Article 4 of the Law No. 5510, the service periods of those who are appointed as the Chairman and members of the Board and whose duties are terminated or who request to leave these duties are taken into consideration in determining the earned right salary, degrees and grades. The service periods of those who are included in the scope of the provisional article 4 of the Law No. 5510 during these duties shall be considered as the period for which office compensation and representation compensation should be paid. Those who are appointed as the Chairman and members of the Board while being insured in public institutions and organisations within the scope of subparagraph (a) of the first paragraph of Article 4 of the Law No. 5510, shall not be entitled to severance pay or termination indemnity if they are dismissed from their previous institutions and organisations. The service periods for which severance pay or end-of-employment indemnity should be paid to such persons shall be combined with their service periods as the Chairman of the Board and Board membership and shall be considered as the period for which retirement bonus will be paid.
(4) In public administrations within the scope of central government, social security institutions, local administrations, administrations affiliated to local administrations, local administration unions, revolving fund institutions, funds established by laws, institutions with public legal personality, institutions with more than fifty percent of their capital owned by the public, civil servants and other public officials employed in economic state enterprises and state economic organisations and their affiliated partnerships and establishments may be temporarily assigned to the Agency with the consent of their institutions, and judges and public prosecutors may be temporarily assigned to the Agency with their own consent, provided that their salaries, allowances, all kinds of increases and compensations and other financial and social rights and benefits are paid by their institutions. The requests of the Agency in this regard shall be concluded by the relevant institutions and organisations with priority. Personnel assigned in this way shall be deemed to be on leave with salary from their institutions. As long as these personnel are on leave, their civil service and personal rights shall continue, and these periods shall be taken into account in their promotion and retirement, and their promotions shall be made in due time without the need for any further action. The periods spent in the Agency by those assigned within the scope of this article shall be deemed to have been spent in their own institutions. The number of those appointed in this manner shall not exceed ten per cent of the total number of Personal Data Protection Expert and Assistant Personal Data Protection Expert positions and the term of appointment shall not exceed two years. However, in case of need, this period may be extended in one-year periods. (1)
(5) The cadre titles and numbers of the personnel to be employed in the Agency are shown in the annexed table no. (I). Changing the title and grade, adding new titles and cancellation of vacant positions shall be made by the Board decision, provided that it is limited to the titles of the staff in the annexed tables of the Decree Law on General Staff and Procedure dated 13/12/1983 and numbered 190, provided that it does not exceed the total number of staff.
SECTION SEVEN
Miscellaneous Provisions
Exceptions
ARTICLE 28- (1) The provisions of this Law shall not apply in the following cases:
- a) Processing of personal data by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that personal data are not disclosed to third parties and the obligations regarding data security are complied with.
- b) Processing of personal data for purposes such as research, planning and statistics by anonymising them with official statistics.
- c) Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public security, public safety, public order, economic security, privacy of private life or personal rights or does not constitute a crime.
- ç) Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organisations entrusted and authorised by law to ensure national defence, national security, public safety, public order or economic security.
- d) Processing of personal data by judicial authorities or enforcement authorities in relation to investigation, prosecution, judgement or execution proceedings.
(2) Provided that it is appropriate and proportionate to the purpose and basic principles of this Law, Article 10 regulating the data controller's obligation to inform, Article 11 regulating the rights of the data subject, except for the right to claim compensation for the damage, and Article 16 regulating the obligation to register with the Data Controllers Registry shall not apply in the following cases:
- a) Processing of personal data is necessary for the prevention of crime or criminal investigation.
- b) Processing of personal data made public by the data subject himself/herself.
- c) Personal data processing is necessary for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution by public institutions and organisations and professional organisations in the nature of public institutions, which are authorised and empowered based on the authority granted by law.
- ç) Personal data processing is necessary for the protection of the economic and financial interests of the State in relation to budget, tax and financial matters.
--------------------------------------
(1) With Article 119 of the Law No. 7061 dated 28/11/2017, the phrase "other public officials with the consent of their institutions" was added after the phrase "and judges and prosecutors with their own consent" in this paragraph.
Budget and revenues of the organisation
ARTICLE 29- (1) The budget of the Agency shall be prepared and adopted in accordance with the procedures and principles set out in the Law No. 5018.
(2) The revenues of the Institution are as follows:
- a) Treasury aids from the general budget.
- b) Revenues obtained from movable and immovable property belonging to the Institution.
- c) Donations and aids received.
- ç) Revenues obtained from the utilisation of its revenues.
- d) Other income.
Amended and added provisions
ARTICLE 30- (1) (Relates to Law No. 5018 dated 10/12/2003 and has been inserted in its place.)
(2) to (5) - (Relate to the Law dated 26/9/2004 and numbered 5237 and have been inserted in their place.)
(6) (Relates to the Basic Law on Health Services dated 7/5/1987 and numbered 3359 and has been inserted in its place.)
(7) (Relates to the Decree Law on the Organisation and Duties of the Ministry of Health and its Affiliated Institutions dated 11/10/2011 and numbered 663 and has been inserted in its place.)
Regulation
ARTICLE 31- (1) Regulations regarding the implementation of this Law shall be enacted by the Authority.
Transitional provisions
TEMPORARY ARTICLE 1- (1) Within six months following the publication date of this Law, the members of the Board shall be elected in accordance with the procedure stipulated in Article 21 and the organisation of the Presidency shall be established.
(2) Data controllers are obliged to register to the Data Controllers Registry within the period determined and announced by the Board.
(3) Personal data processed before the publication date of this Law shall be brought into compliance with the provisions of this Law within two years following the publication date. Personal data found to be in violation of the provisions of this Law shall be immediately deleted, destroyed or anonymised. However, consents obtained in accordance with the law before the publication date of this Law shall be deemed to be in compliance with this Law, unless a contrary declaration of will is made within one year.
(4) The regulations stipulated in this Law shall be put into force within one year following the date of publication of this Law.
(5) Within one year as of the date of publication of this Law, a senior manager shall be designated in public institutions and organisations to ensure coordination regarding the implementation of this Law and shall be notified to the Presidency.
(6) The first elected President, the Second President and two members determined by lot shall serve for six years; the other five members shall serve for four years.
(7) Until the budget is allocated to the Institution:
- a) The expenses of the Institution shall be covered from the budget of the Prime Ministry.
- b) All necessary support services such as buildings, tools, equipment, furnishings and hardware shall be provided by the Prime Ministry in order for the Agency to fulfil its services.
(8) Secretariat services shall be performed by the Prime Ministry until the service units of the Agency become operational.
TEMPORARY ARTICLE 2- (Additional: 28/11/2017-7061/120 Art.)
(1) Graduates of at least four-year undergraduate programmes of the faculties of political sciences, economics and administrative sciences, economics, law and business administration, of the electronics, electrical-electronics, electronics and communication, computer, and information systems engineering departments of faculties of engineering, or of higher education institutions in Turkey or abroad whose equivalence is accepted by the Council of Higher Education, who have been appointed to positions belonging to the central organisations of the institutions related to the titles specified in subparagraph (11) of paragraph (A) of the section titled "Common Provisions" of Article 36 of the Law No. 657 and who have been in these positions for at least two years, excluding periods of leave without pay, as well as those who are in faculty member positions, may be appointed as Personal Data Protection Specialist within one year from the effective date of this article, provided that they have obtained at least seventy points from the Foreign Language Proficiency Placement Examination and have not turned forty years old as of the date of appointment. The number of those to be appointed in this way cannot exceed fifteen.
Enforcement
ARTICLE 32- (1) Of this Law;
- a) Articles 8, 9, 11, 13, 14, 15, 16, 17 and 18 shall enter into force six months after the date of publication,
- b) The other articles shall enter into force on the date of publication.
Execution
ARTICLE 33- (1) The provisions of this Law shall be executed by the Council of Ministers.