Datenschutzgesetz

  1. Home
  2. Datenschutzgesetz

PERSONAL DATA PROTECTION LAW

Law Number : 6698

Date of Ratification : 24/3/2016

ARTICLE 1 – (1) The purpose of this Law is to protect fundamental rights and freedoms of persons, particularly the right to privacy, with respect to processing of personal data and to set forth obligations, principles and procedures which shall be binding upon natural or legal persons who process personal data.


ARTICLE 2 – (2) The provisions of this Law shall apply to natural persons whose personal data are processed and to natural or legal persons processing such data wholly or partially by automated means or by non-automated means which provided that form part of a data filing system.

 

Definitions

ARTICLE 3 – (1) For the purposes of this Law:

(a) “Explicit consent” means freely given, specific and informed consent,

(b) “Anonymization” means rendering personal data impossible to link with an identified or identifiable natural person, even through matching them with other data,

(c) “President” means President of the Personal Data Protection Authority,

(c.) “Data subject” (natural person concerned) means the natural person, whose personal data are processed,

(d) “Personal data” means any information relating to an identified or identifiable natural person

  1. e) “Processing of personal data” means any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof,

(f) “Board” means the Personal Data Protection Board,

(g) “Authority” means the Personal Data Protection Authority,

(g.) “Data Processor” means the natural or legal person who processes personal data on behalf of the data controller upon its authorization,

(h) “Data filing system” means the system where personal data are processed by being structured according to specific criteria,

(i) “Data Controller” means the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system.


Processing of Personal Data

ARTICLE 4 – (1) Personal data shall only be processed in compliance with procedures and principles laid down in this Law or other laws.

(2) The following principles shall be complied within the processing of personal data:

  1. a) Lawfulness and fairness
  2. b) Being accurate and kept up to date where necessary.
  3. c) Being processed for specified, explicit and legitimate purposes.

c.) Being relevant, limited and proportionate to the purposes for which they are processed.

  1. d) Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed.

 

Conditions for processing personal data

ARTICLE 5 - (1) Personal data shall not be processed without explicit consent of the data subject.

(2) Personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:

  1. a) It is expressly provided for by the laws.
  2. b) It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.
  3. c) Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.

c.) It is necessary for compliance with a legal obligation to which the data controller is subject.

  1. d) Personal data have been made public by the data subject himself/herself.
  2. e) Data processing is necessary for the establishment, exercise or protection of any right.
  3. f) Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

 

Conditions for processing of Special categories of personal data:

Article 6 – (1) Personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data are deemed to be special categories of personal data.

(2) It is prohibited to process special categories of personal data without explicit consent of the data subject.

(3) Personal data, except for data concerning health and sexual life, listed in the first paragraph may be processed without seeking explicit consent of the data subject, in the cases provided for by laws. Personal data concerning health and sexual life may only be processed, without seeking explicit consent of the data subject, by the persons subject to secrecy obligation or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.

(4) Adequate measures determined by the Board shall be also taken while processing the special categories of personal data

 

Erasure, destruction or anonymization of personal data

ARTICLE 7 – (1) Despite being processed in compliance with the provisions of this Law and other relevant laws, personal data shall be erased, destructed or anonymized by the data controller, ex officio or on the request of the data subject, in the event that the reasons for the processing no longer exist.

(2) The Provisions of other laws relating to the erasure, destruction or anonymization of personal data are reserved.

(3) Procedures and principles for the erasure, destruction or anonymization of personal data shall be laid down through by-law.

 

Transfer of personal data

ARTICLE 8 – (1) Personal data shall not be transferred without explicit consent of the data subject.

(2) Personal data may be transferred without seeking explicit consent of data subject upon the existence of one of the conditions provided for in:

  1. a) the second paragraph of Article 5,
  2. b) the third paragraph of Article 6, provided that sufficient measures are taken.

(3) The Provisions of other laws relating to transfer of personal data are reserved.

 

Transfer of personal data abroad

ARTICLE 9 - (1) Personal data shall not be transferred abroad without explicit consent of the data subject.

(2) Personal data may be transferred abroad without explicit consent of data subject upon the existence of one of the conditions referred to in Article 5(2) and Article 6(3) of the Law and if in the country where personal data are to be transferred;

(a) Adequate protection is provided.

(b) Adequate protection is not provided, upon the existence of commitment for adequate protection in writing by the data controllers in Turkey and in the relevant foreign country and authorisation of the Board.

(3) The Board determines and announces the countries with adequate protection.

(4) The Board shall decide whether there is adequate protection in the foreign country and whether such transfer is permitted under the sub-paragraph (b) of second paragraph, by evaluating the followings and by receiving the opinions of relevant institutions and organizations, where necessary:

  1. a) the international conventions to which Turkey is a party,
  2. b) the state of reciprocity relating to data transfer between the requesting country and Turkey,
  3. c) the nature of the data, the purpose and duration of processing regarding each concrete, individual case of data transfer,

c.) the relevant legislation and its implementation in the country to which the personal data are to be transferred,

  1. d) the measures committed by the data controller in the country to which the personal data are to be transferred,

(5) Without prejudice to the provisions of international agreements, in cases where interest of Turkey or the data subject will seriously get harmed, personal data, may only be transferred abroad upon the authorisation to be given by the Board after receiving the opinions of relevant public institutions and organizations.

(6) The Provisions of other laws relating to the transfer of personal data abroad are reserved.

Comments are closed.

Ihr Tor zur globalen Spitzenmedizin!

Vivendo Medical verpflichtet sich, Patienten mit erstklassigen medizinischen Einrichtungen und erfahrenen Gesundheitsdienstleistern aus der ganzen Welt zu verbinden.

+90 544 971 84 83

[email protected]