Preparation of data inventory
According to Regulation on Data Controller Registry (the “Regulation”), data controllers who are required to register with VERBİS (the data controllers’ registry system) must keep a data inventory, and upload the required information on VERBİS based on this inventory. According to the Regulation, the minimum content that the inventory must include is as follows:
Data controllers should first determine the processes of all their business units. Then, the activities within the scope of those processes, the types of documents containing personal data, and the personal data contained in those documents must be specified.
The category of the data, i.e. whether it is sensitive data, must also be evaluated at this stage of the preparation.
Purpose of data processing and legal reasons
1. Legal reason
According to the data protection legislation, regular (non-sensitive) personal data can be processed if the explicit consent of the data subject is received or, in the absence of explicit consent, if:
- processing is explicitly provided by the laws,
- processing of personal data of the parties to a contract is necessary, provided that it is directly related to the conclusion or fulfilment of that contract,
- processing is mandatory for the controller to fulfil its legal obligations,
- the data is made manifestly public by the data subject,
- processing is mandatory for the establishment, exercise or protection of any right, or
- processing is mandatory for the legitimate interests of the data controller, provided that such processing will not violate the fundamental rights and freedoms of the data subjects.
Different rules apply to the processing of sensitive data in the absence of explicit consent. Sensitive data other than data relating to health and sexual life can be processed without explicit consent only under the conditions set out by the laws. Personal data relating to health and sexual life may only be processed without the explicit consent of the data subject by persons under a confidentiality obligation or by authorized institutions and organizations, for the purposes of protection of public health, protective medicine, medical diagnosis, treatment and nursing services, and the planning, management and financing of health-care services.
The purpose of processing must be determined by the data controller for each category of data. For example, identity information can be processed for information security, employee satisfaction, audit, training, finance and accounting, human resources, etc.
Receivers / receiver groups of personal data
The data controller must set out the receivers or receiver groups to which data is transferred, such as business partners, shareholders, affiliates, suppliers, and state institutions and organizations.
Groups of data subjects
Data controllers must determine the persons and groups of persons whose data they process, such as suppliers, employees, candidate employees, shareholders/partners, etc.
Maximum time to keep the data for data processing purposes
Personal data must be kept only as long as is required to fulfil the purpose for which it was collected and processed. Data controllers must specify how long they are required to keep personal data; different retention periods may apply to different types of data.
Data that is anticipated to be transferred abroad
Personal data, including sensitive data, can be transferred abroad upon receipt of the explicit consent of the data subject. In the absence of explicit consent, the data can be transferred abroad if one of the exceptions to the consent requirement exists (please see above), and
1. the country to which the data will be transferred is one of the white list countries, deemed to have adequate protection and approved by the Data Protection Authority (the “DPA”), or
2. the data controller in Turkey and the data controller/processor in the recipient country guarantee an adequate level of protection in writing and such undertaking is approved by the DPA. Since the white list countries have not yet been specified, data controllers may currently only transfer personal data abroad without explicit consent by entering into such an undertaking. The DPA has published on its website the minimum content for controller-to-controller and controller-to-processor undertakings.
Technical and administrative measures
Data controllers must take technical and administrative measures to keep personal data safe and secure. There is no exhaustive list of such measures. Administrative measures can include preparation of the personal data inventory, relevant corporate policies, data transfer agreements, etc.; technical measures can include those applicable to user account management, network security, application security, encryption, penetration tests, etc.