PERSONAL DATA PROTECTION LAW
Law Number _cc781905-5cde-3194-bb3b-136bad5cf358c315359cf375cf5cf5cf5cf5cf5cf5cf5cf5cf58375cdecf7819055cf58d__cc781905-5cde-3194-bb3b-136bad5cf58358dcc1365358d375cf136558d36359cf375358d -5cde-3194-bb3b-136bad5cf58d_ _cc781905-5cde-3194-bb3b-36bad5cf58d_ _cc781905-5cde-3194-bb3b-136bad5cf58cfcc783194cf58cde__cc7819__-f58cdec-3194-bb3b-136bad5cf58cf58d__cc7819__-f3355cdecc783194cf583cde-3194-bb3b-136bad5cf58cf831365359cc783194cf583cc783194cf58d -3194-bb3b-136bad5cf58d_ : 6698
Date of Acceptance _cc781905-5cde-3194-bb3b-136bad5cf_58d58-cc13655cf359cf58359cf375cf375cf5cf5cf5cf5cf375cf5835943434353 -5cde-3194-bb3b-136bad5cf58d_ _cc781905-5cde-3194-bb3b-36bad5cf58d_ _cc781905-5cde-3194-bb3b-136bad5cf58cfcc783194cf58cde__cc7819__-f58cdec-3194-bb3b-136bad5cf58cf58d__cc7819__-f3355cdecc783194cf583cde-3194-bb3b-136bad5cf58cf831365359cc783194cf583cc783194cf58d -3194-bb3b-136bad5cf58d_ _cc781905cf58d__cc781905cde-3194-bb3b-136bad5cf58d_ _cc781905cf58d__cc781905ccdecde__ccc781905ccde-3194cf58-36593bb3bb3b-136bad5cf58d__cc781905ccdecde__cc781905cc394cf58-136594bb359c-cc781903 -bb3b-136bad5cf58d_ _cc781905cf58d_ _cc781905cf58d__cc781905cf313365cf313365cf31363593b-bb31905cf31975c-bb31905cf3593
Published in R.Gazete _cc781905-5cf58d__cc781905-5cde-3194b-136bad5cf313594cf58d__cc781905-5cde-3194b-13353153594cf58d__bc31531594cc1958cdebb3135943 -136bad5cf58d_ : Date: 7/4/2016 Issue :_dec58b-781905-26963
Yayımlandığı Düstur _cc781905 -5cde-3194-bb3b-136bad5cf58d_ _cc781994_- 5cdeb-cc781994_- 5cde- bb3b-136bad5cf58d_ _cc781905cf58d__cc781905-5cde-3194__cb-136bad5cf58d_ _cc781905cf58d__cc781905cf31339c-bb531-5903 136bad5cf58d_ _cc781905- 5cde-3194-bb3b-136bad5cf58d__cc781905-5cde-31 94-bb3b-136bad5cf58d_ _cc781905-5cde-3194-bb3b-3194-bb3b-136bad5cf58d_ _cc781905-ccf58d__cc781905-ccde__f58c781905-bb3b-136bad5cf58d__cc781905-ccde__f58c7819053 bb3b-136bad5cf58d_ _cc781905cf58d_ _ _cc781905cde_cc781905cde_cc781905cf1365cf31365cb-bb31365bdcf31559cbd57359bbd31365bd
Purpose, Scope and Definitions
ARTICLE 1- (1) The purpose of this Law is to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data, and to regulate the obligations of natural and legal persons who process personal data, and the procedures and principles to be followed.
ARTICLE 2- (1) The provisions of this Law apply to natural persons whose personal data are processed and natural and legal persons who process this data fully or partially automatically or non-automatically provided that they are part of any data recording system. applied about.
ARTICLE 3- (1) In the implementation of this Law;
a) Explicit consent: Consent on a specific subject, based on information and expressed with free will,
b) Anonymization: Making personal data impossible to associate with an identified or identifiable natural person under any circumstances, even by matching with other data,
c) Chairman: Chairman of the Personal Data Protection Authority,
ç) Relevant person: The real person whose personal data is processed,
d) Personal data: Any information relating to an identified or identifiable natural person,
e) Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, of personal data fully or partially automatically or non-automatically provided that it is a part of any data recording system. All kinds of operations carried out on the data such as bringing, classifying or preventing its use,
f) Board: Personal Data Protection Board,
g) Institution: Personal Data Protection Authority,
ğ) Data processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller,
h) Data registration system: The registration system in which personal data is processed and structured according to certain criteria,
ı) Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system,
Processing of Personal Data
ARTICLE 4- (1) Personal data can only be processed in accordance with the procedures and principles stipulated in this Law and other laws.
(2) The following principles must be complied with in the processing of personal data:
a) Compliance with the law and honesty rules.
b) Being accurate and up-to-date when necessary.
c) Processing for specific, explicit and legitimate purposes.
ç) Being connected, limited and restrained with the purpose for which they are processed.
d) To be kept for the period required by the relevant legislation or for the purpose for which they are processed.
Terms of processing personal data
ARTICLE 5- (1) Personal data cannot be processed without the explicit consent of the person concerned.
(2) In case of existence of one of the following conditions, it is possible to process personal data without seeking the explicit consent of the data subject:
a) It is clearly stipulated in the laws.
b) It is compulsory for the protection of the life or physical integrity of the person or another person, who is unable to express his consent due to actual impossibility or whose consent is not legally recognized.
c) It is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
ç) It is mandatory for the data controller to fulfill its legal obligation.
d) The person concerned has been made public by himself.
e) Data processing is mandatory for the establishment, exercise or protection of a right.
f) Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
Conditions for the processing of special categories of personal data
ARTICLE 6- (1) People's race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, clothing, membership in associations, foundations or unions, health, sexual life Data on criminal convictions and security measures, as well as biometric and genetic data are special personal data.
(2) Processing of sensitive personal data without the explicit consent of the person concerned is prohibited.
(3) Personal data other than health and sexual life listed in the first paragraph may be processed without seeking the explicit consent of the person concerned, in cases stipulated by the laws. Personal data related to health and sexual life are only for the purpose of protecting public health, performing preventive medicine, medical diagnosis, treatment and care services, planning and managing health services and financing, by persons or authorized institutions and organizations under the obligation of secrecy without seeking the explicit consent of the person concerned. can be processed.
(4) In the processing of sensitive personal data, it is also obligatory to take adequate measures determined by the Board.
Deletion, destruction or anonymization of personal data
ARTICLE 7- (1) Despite the fact that it has been processed in accordance with the provisions of this Law and other relevant laws, personal data is deleted, destroyed, or destroyed by the data controller ex officio or upon the request of the data subject, in case the reasons for processing disappear or is made anonymous.
(2) Provisions in other laws regarding the deletion, destruction or anonymization of personal data are reserved.
(3) The procedures and principles regarding the deletion, destruction or anonymization of personal data are regulated by a regulation.
Transfer of personal data
ARTICLE 8- (1) Personal data cannot be transferred without the explicit consent of the person concerned.
(2) Personal data;
a) In the second paragraph of Article 5,
b) Provided that adequate measures are taken, in the third paragraph of Article 6,
In case of existence of one of the conditions specified, it can be transferred without seeking the explicit consent of the person concerned.
(3) Provisions in other laws regarding the transfer of personal data are reserved.
Transfer of personal data abroad
ARTICLE 9- (1) Personal data cannot be transferred abroad without the explicit consent of the person concerned.
(2) Personal data, the existence of one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6, and in the foreign country to which the personal data will be transferred;
a) The availability of adequate protection,
b) In the absence of sufficient protection, the data controllers in Turkey and in the relevant foreign country undertake in writing to provide adequate protection and the Board has permission,
may be transferred abroad without seeking the explicit consent of the person concerned, provided that the
(3) Countries with adequate protection are determined and announced by the Board.
(4) The Board shall determine whether there is sufficient protection in the foreign country and whether a permit will be granted pursuant to subparagraph (b) of the second paragraph;
a) International conventions to which Turkey is a party,
b) The reciprocity of data transfer between the country requesting personal data and Turkey,
c) Regarding each concrete personal data transfer, the nature of the personal data, the purpose and duration of its processing,
ç) The relevant legislation and practice of the country to which the personal data will be transferred,
d) Measures undertaken by the data controller in the country to which personal data will be transferred,
and, if needed, by taking the opinion of the relevant institutions and organizations.
(5) Personal data may be transferred abroad with the permission of the Board, only after obtaining the opinion of the relevant public institution or organization, in cases where the interests of Turkey or the person concerned would be seriously harmed, without prejudice to the provisions of international conventions.
(6) Provisions in other laws regarding the transfer of personal data abroad are reserved.
Rights and Obligations
The obligation to inform the data controller
ARTICLE 10- (1) During the acquisition of personal data, the data controller or the person authorized by him, to the relevant persons;
a) Identity of the data controller and its representative, if any,
b) For what purpose the personal data will be processed,
c) To whom and for what purpose the processed personal data can be transferred,
ç) Method and legal reason for collecting personal data,
d) Other rights listed in Article 11,
responsible for providing information.
Rights of the person concerned
ARTICLE 11- (1) Everyone, by applying to the data controller;
a) Learning whether personal data is processed or not,
b) If personal data has been processed, requesting information about it,
c) Learning the purpose of processing personal data and whether they are used in accordance with its purpose,
ç) To know the third parties to whom personal data is transferred in the country or abroad,
d) Requesting correction of personal data in case of incomplete or incorrect processing,
e) Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7,
f) Requesting notification of the transactions made pursuant to subparagraphs (d) and (e) to third parties to whom personal data has been transferred,
g) Objecting to the emergence of a result against the person himself by analyzing the processed data exclusively through automated systems,
ğ) To request the compensation of the damage in case of loss due to unlawful processing of personal data,
Obligations regarding data security
ARTICLE 12- (1) Data controller;
a) To prevent the unlawful processing of personal data,
b) To prevent unlawful access to personal data,
c) To ensure the protection of personal data,
must take all necessary technical and administrative measures to ensure the appropriate level of security for the purpose.
(2) In case the personal data is processed by another real or legal person on his behalf, the data controller is jointly responsible with these persons for taking the measures specified in the first paragraph.
(3) The data controller is obliged to carry out or have the necessary inspections carried out in his own institution or organization in order to ensure the implementation of the provisions of this Law.
(4) Data controllers and data processors cannot disclose the personal data they have learned to others in violation of the provisions of this Law and cannot use them for purposes other than processing. This obligation continues even after they leave office.
(5) In case the processed personal data is obtained by others unlawfully, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its own website or by any other method it deems appropriate.
Application, Complaint and Data Controllers Registry
Application to data controller
ARTICLE 13- (1) The person concerned submits his requests regarding the implementation of this Law to the data controller in writing or by other methods to be determined by the Board.
(2) The data controller concludes the requests in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board may be charged.
(3) The data controller accepts the request or rejects it by explaining its reason and notifies the relevant person in writing or electronically. In case the request in the application is accepted, the data controller fulfills its requirements. In case the application is caused by the fault of the data controller, the fee collected is returned to the relevant person.
complaint to the board
ARTICLE 14- (1) In cases where the application is rejected, the answer given is insufficient or the application is not answered in due time; The person concerned may file a complaint with the Board within thirty days from the date of learning the reply of the data controller and in any case within sixty days from the date of application.
(2) Pursuant to Article 13, no appeal can be made before the remedy has been exhausted.
(3) The right to compensation according to the general provisions of those whose personal rights are violated is reserved.
Procedures and principles of examination upon complaint or ex officio
ARTICLE 15- (1) The Board, upon complaint or ex officio, in case it learns about the alleged violation, makes the necessary examination on the matters falling under its jurisdiction.
(2) Notifications or complaints that do not meet the conditions specified in Article 6 of the Law on the Use of the Right to Petition dated 1/11/1984 and numbered 3071 shall not be examined.
(3) Except for information and documents that are in the nature of state secrets; The data controller is obliged to send the information and documents requested by the Board regarding the subject of examination within fifteen days and to enable on-site examination when necessary.
(4) Upon the complaint, the Board examines the request and gives an answer to the relevant parties. If no response is received within sixty days from the date of the complaint, the request is deemed to have been rejected.
(5) In the event that the existence of a violation is understood as a result of the examination made upon the complaint or ex officio, the Board decides that the illegalities it detects will be corrected by the data controller and notifies them to the relevant parties. This decision shall be fulfilled without delay and within thirty days at the latest, following the notification.
(6) If it is determined that the violation is widespread as a result of the examination made upon the complaint or ex officio, the Board takes a principle decision on this issue and publishes this decision. The Board may also take the opinions of relevant institutions and organizations, if it needs it, before taking a decision in principle.
(7) The Board may decide to suspend the processing of data or the transfer of data abroad, in the event that irreparable or impossible damages arise and there is a clear violation of the law.
Data Controllers Registry
ARTICLE 16- (1) Under the supervision of the Board, a Data Controllers Registry is kept open to the public by the Presidency.
(2) Natural and legal persons who process personal data must register with the Data Controllers Registry before starting data processing. However, the Board may make an exception to the obligation to register in the Data Controllers Registry, taking into account the objective criteria to be determined by the Board, such as the nature and number of the processed personal data, the legal origin of the data processing or the transfer to third parties.
(3) The application for registration in the Data Controllers Registry is made with a notification containing the following:
a) Identity and address information of the data controller and its representative, if any.
b) The purpose for which personal data will be processed.
c) Explanations about the data subject group and groups and the data categories of these persons.
ç) Recipient or recipient groups to whom personal data can be transferred.
d) Personal data intended to be transferred to foreign countries.
e) Measures taken regarding personal data security.
f) The maximum period required for the purpose for which personal data is processed.
(4) Changes in the information given pursuant to the third paragraph shall be immediately notified to the Presidency.
(5) Other procedures and principles regarding the Data Controllers Registry shall be regulated by regulation.
Offenses and Misdemeanors
ARTICLE 17- (1) In terms of crimes related to personal data, the provisions of Articles 135 to 140 of the Turkish Penal Code dated 26/9/2004 and numbered 5237 are applied.
(2) Contrary to the provision of Article 7 of this Law; Those who do not delete or anonymize personal data are punished according to Article 138 of the Law No. 5237.
ARTICLE 18- (1) This Law;
a) From 5,000 Turkish liras to 100,000 Turkish liras for those who fail to fulfill their obligation to inform in Article 10,
b) From 15,000 Turkish liras to 1,000,000 Turkish liras for those who fail to fulfill their obligations regarding data security stipulated in Article 12,
c) From 25,000 Turkish liras to 1,000,000 Turkish liras for those who fail to fulfill the decisions given by the Board pursuant to Article 15,
ç) From 20,000 Turkish liras to 1,000,000 Turkish liras for those who violate the obligation to register and notify in the Data Controllers Registry stipulated in Article 16,
administrative fine is imposed.
(2) Administrative fines stipulated in this article are applied to natural persons who are data controllers and legal entities of private law.
(3) In the event that the actions listed in the first paragraph are committed within the body of public institutions and organizations and professional organizations in the nature of public institutions, upon the notification to be made by the Board, in accordance with the disciplinary provisions regarding the civil servants and other public officials working in the relevant public institutions and organizations and those working in professional organizations with the quality of public institutions. action is taken and the result is reported to the Board.
Personal Data Protection Authority and Organization
Personal Data Protection Authority
ARTICLE 19- (1) In order to fulfill the duties assigned by this Law, the Personal Data Protection Authority, which has administrative and financial autonomy and is a public legal entity, has been established.
(2) The institution is related to the minister appointed by the President. (1)
(3) The headquarters of the institution is in Ankara.
(4) The Institution consists of the Board and the Presidency. The decision body of the institution is the Board.
Duties of the institution
ARTICLE 20- (1) The duties of the institution are as follows:
a) To follow the practices and developments in the legislation, to make evaluations and suggestions, to make or have researches and examinations done, in terms of its field of duty.
b) To cooperate with public institutions and organizations, non-governmental organizations, professional organizations or universities on matters falling within its scope of duty, if needed.
c) To monitor and evaluate international developments related to personal data, to cooperate with international organizations on matters falling within its field of duty, to attend meetings.
ç) Presenting the annual report to the Presidency, the Human Rights Investigation Commission of the Turkish Grand National Assembly (…) (2) sumak._cc781905-5cde-3194-bb3b-136d_bad5cf 2)
d) Fulfilling other duties assigned by law.
Personal Data Protection Board (3)
ARTICLE 21- (1) The Board independently fulfills and uses its duties and powers given by this Law and other legislation under its own responsibility. No organ, authority, authority or person can give orders, instructions, recommendations or suggestions to the Board regarding the subjects falling within its scope of duty.
(2) The Board consists of nine members. Five members of the Board are elected by the Turkish Grand National Assembly and four members are elected by the President. (3)
(3) In order to become a member of the Board, the following conditions are sought:
a) To have knowledge and experience in the field of duty of the institution.
b) To have the qualifications specified in sub-paragraphs (1), (4), (5), (6) and (7) of sub-paragraph (A) of the first paragraph of article 48 of the Civil Servants Law dated 14/7/1965 and numbered 657.
c) Not to be a member of any political party.
d) To have completed at least four years of higher education at the undergraduate level.
d) (Repealed: 2/7/2018-KHK-703/163 art.)
(1) With Article 163 of the Decree Law No. 703 dated 2/7/2018, the phrase “with the Prime Ministry” in this paragraph has been replaced with “with the minister to be appointed by the President”.
(2) With Article 163 of the Decree Law No. 703 dated 2/7/2018, the phrase “and to the Prime Ministry” in this paragraph has been repealed.
(3) With Article 163 of the Decree Law No. 703 dated 2/7/2018, the phrase “the President with two members and the Council of Ministers with two members” in the second paragraph of this article has been changed as “the President with four members”.
(4) (Repealed: 2/7/2018-KHK-703/163 art.)
(5) The Turkish Grand National Assembly elects members to the Board in the following manner:
a) For the election, two times the number of members to be determined in proportion to the number of members of the political party groups are nominated, and the members of the Board are elected by the General Assembly of the Turkish Grand National Assembly, based on the number of members per each political party group. However, political party groups cannot negotiate and decide on whom to vote in the elections to be held in the Turkish Grand National Assembly.
b) The election of the members of the Board is made within ten days after the candidates are determined and announced. For the candidates nominated by political party groups, a combined ballot paper is drawn up as separate lists. Votes are cast by marking the special place opposite the names of the candidates. Votes given more than the number of members to be elected to the Board from the quotas of political party groups determined according to the second paragraph shall be deemed invalid.
c) Provided that there is a quorum for the decision, the candidate who receives the most votes in the election will be elected as many as the number of vacant memberships.
ç) Two months before the end of the term of office of the members; In case of a vacancy in the membership for any reason, elections are held with the same procedure within one month from the date of vacancy or if the Turkish Grand National Assembly is in recess, after the end of the recess. In these elections, the distribution of vacant memberships to political party groups is made by considering the number of members selected from the quota of political party groups in the first election and the current ratio of political party groups.
(6) In the event that one of the members elected by the President (…) (1) expires forty-five days before the end of the term of office or for any reason, the situation ends fifteen days. Within the next day, the Authority is notified to the Presidency (…)(1) . One month before the expiry of the term of office of the members, a new member is elected. If there is a vacancy in these memberships for any reason before the expiry of the term, an election is held within fifteen days as of the notification. (1)
(7) The Board elects the Chairman and the Deputy Chairman from among its members. The Chairman of the Board is also the Chairman of the Institution.
(8) The term of office of the members of the Board is four years. A member whose term has expired can be re-elected. The person elected to replace the member whose term of office expires for any reason, completes the remaining term of the member for which he was elected.
(9) The elected members, before the First Presidency Board of the Supreme Court of Appeals, said, “I swear on my honor and dignity that I will fulfill my duty in accordance with the Constitution and the laws, with full impartiality, honesty, fairness and justice.” they take an oath. An application for an oath to the Supreme Court is considered a hasty job.
(1) With Article 163 of Decree Law No. 703 dated 2/7/2018, the phrases “or the Council of Ministers” and “or the Prime Ministry to be submitted to the Council of Ministers” were removed from the text of the article.
(10) Unless based on a special law, the members of the Board cannot take on any official or private duties other than carrying out their official duties in the Board, cannot be a manager in associations, foundations, cooperatives and similar institutions, engage in trade, engage in self-employment activities, act as arbitrators and experts. However, the members of the Board may publish for scientific purposes, give lectures and conferences, and receive the royalties arising from these, as well as the tuition and conference fees, without hindering their primary duties.
(11) Investigations regarding the crimes alleged to have been committed by members due to their duties are carried out in accordance with the Law on Prosecution of Civil Servants and Other Public Officials numbered 4483, dated 2/12/1999, and the permission to investigate them is given by the President._cc781905 -5cde-3194-bb3b-136bad5cf58d_(1)
(12) The provisions of Law No. 657 shall be applied in the disciplinary investigation and prosecution to be made against the members of the Board.
(13) Board members cannot be dismissed for any reason before their term expires. Board members;
a) It is later understood that they do not meet the requirements for being elected,
b) The finalization of the sentence of conviction for the crimes they have committed in relation to their duties,
c) It is definitively determined by the medical board report that they cannot fulfill their duties,
ç) It is determined that they did not continue their duties without permission, excuse and uninterrupted for fifteen days or for a total of thirty days in a year,
d) It is determined that they did not attend a total of three Board meetings in a month without permission and an excuse, and a total of ten meetings in a year,
In such cases, their membership ends with the decision of the Board.
(14) Those who are elected as members of the Board are dismissed from their previous duties as long as they serve in the Board. Provided that they do not lose the conditions for entry to civil service, those who are elected to membership while they are public servants are appointed to a suitable position within one month by the competent authority in case their term of office expires or they apply to their former institutions within thirty days. Until the appointment is made, all kinds of payments they receive are continued to be paid by the Institution. All kinds of payments they receive are continued to be paid by the Institution until they start any duty or job, and the payment to be made by the Institution to those whose membership is terminated in this way cannot exceed three months. The time they spent in the Institution is deemed to have been spent in their previous institution or organization in terms of their personal and other rights.
Duties and powers of the board
ARTICLE 22- (1) The duties and powers of the Board are as follows:
a) To ensure that personal data is processed in accordance with fundamental rights and freedoms.
b) To decide on the complaints of those who claim that their rights regarding personal data have been violated.
(1) With Article 163 of the Decree Law No. 703 dated 2/7/2018, the phrase "Prime Minister" in this paragraph was changed to "President".
c) Upon complaint or ex officio, upon learning of the alleged violation, to examine whether personal data are processed in accordance with the law and to take temporary measures when necessary.
ç) To determine the adequate measures sought for the processing of sensitive personal data.
d) To ensure that the Data Controllers Registry is kept.
e) To carry out the necessary regulatory actions regarding the duties of the Board and the functioning of the Agency.
f) To take regulatory action in order to determine the obligations regarding data security.
g) To take regulatory action regarding the duties, powers and responsibilities of the data controller and its representative.
ğ) To decide on the administrative sanctions stipulated in this Law.
h) To express an opinion on the legislative drafts prepared by other institutions and organizations and containing provisions regarding personal data.
i) The Institution; to decide on the strategic plan, to determine its goals and objectives, service quality standards and performance criteria.
i) To discuss and decide on the budget proposal prepared in accordance with the strategic plan and objectives and targets of the Institution.
j) To approve and publish the draft reports prepared on the performance, financial situation, annual activities and needed issues of the institution.
k) To discuss and decide on the proposals regarding the purchase, sale and lease of immovable property.
l) Fulfilling other duties assigned by law.
Working principles of the board
ARTICLE 23- (1) The Chairman determines the meeting days and agenda of the Board. The President may call the Board for an extraordinary meeting when necessary.
(2) The Board convenes with at least six members, including the chairman, and takes decisions with the absolute majority of the total number of members. Board members cannot vote abstaining.
(3) Board members; They cannot participate in meetings and voting on matters concerning themselves, their relatives by blood up to the third degree and in-laws up to the second degree, their adopted children and their spouses even if the marriage ties between them have been terminated.
(4) The members of the Board cannot disclose the secrets they learn about the relevant persons and third parties during their work to anyone other than the authorities authorized by law, and cannot use them for their own benefit. This obligation continues even after they leave office.
(5) The matters discussed in the Board are recorded in the minutes. Decisions and grounds for dissenting votes, if any, are written within fifteen days at the latest from the date of the decision. The Board announces to the public the decisions it deems necessary.
(6) Unless otherwise agreed, discussions at Board meetings are confidential.
(7) Working procedures and principles of the Board, writing of decisions and other issues are regulated by regulation.
ARTICLE 24- (1) The Chairman, as the Chairman of the Board and the Institution, is the highest supervisor of the Institution and organizes and executes the Institution's services in accordance with the legislation, the Institution's objectives and policies, strategic plan, performance criteria and service quality standards. and provides coordination between service units.
(2) The President is responsible for the general management and representation of the Institution. This responsibility covers the duties and authorities of arranging, executing, supervising, evaluating the works of the Institution and making it known to the public when necessary.
(3) The duties of the President are:
a) To conduct the meetings of the Board.
b) To ensure that the decisions of the Board are communicated and those deemed necessary by the Board are announced to the public, and to monitor their implementation.
c) To appoint the Vice President, the heads of departments and the Institution personnel.
ç) To present the suggestions coming from the service units to the Board by giving their final shape.
d) Ensuring the implementation of the strategic plan, creating human resources and working policies in line with service quality standards.
e) To prepare the annual budget and financial statements of the Institution in accordance with the determined strategies, annual goals and targets.
f) To ensure coordination in order for the Board and service units to work in a harmonious, efficient, disciplined and orderly manner.
g) To carry out the relations of the institution with other institutions.
ğ) To determine the area of duty and authority of the personnel authorized to sign on behalf of the President of the Institution.
h) To perform other duties related to the management and operation of the Institution.
(4) In the absence of the President of the Institution, the Vice President shall deputize for the President.
Composition and duties of the Presidency
ARTICLE 25- (1) Presidency; It consists of the Vice President and service units. The Presidency fulfills the duties listed in the fourth paragraph through service units organized as departments. The number of department heads cannot exceed seven.
(2) A Vice President is appointed by the President to assist him in his duties regarding the Institution.
(3) Vice President and heads of departments; are appointed by the President from among those who have graduated from at least four years of higher education and have served in public service for ten years.
(4) The duties of the Presidency are as follows:
a) Keeping the Data Controllers Registry.
b) To carry out the bureau and secretariat operations of the Institution and the Board.
c) To represent the Institution through lawyers in lawsuits and enforcement proceedings to which the Institution is a party, to follow up the cases or to have them made, and to carry out legal services.
ç) To carry out the personnel procedures of the members of the Board and those working in the Institution.
d) To perform the duties assigned to the financial services and strategy development units by law.
e) To ensure the establishment and use of the information system in order to carry out the business and transactions of the Institution.
f) To prepare draft reports on the annual activities of the Board or on the issues needed and submit them to the Board.
g) To prepare the strategic plan of the institution.
ğ) To determine the personnel policy of the institution, to prepare and implement the career and training plans of the personnel.
h) To carry out the appointment, transfer, discipline, performance, promotion, retirement and similar transactions of the personnel.
ı) To determine the ethical rules to be followed by the personnel and to provide the necessary training.
i) To carry out all kinds of purchasing, rental, maintenance, repair, construction, archive, health, social and similar services required by the Institution within the framework of the Public Financial Management and Control Law No. 5018 dated 10/12/2003.
j) To keep the records of the movable and immovable properties of the Institution.
k) To perform other duties assigned by the Board or the President.
(5) Service units and the working procedures and principles of these units are determined by a regulation put into effect by the President upon the proposal of the Institution in accordance with the field of activity, duties and powers specified in this Law. (1)
Personal Data Protection Specialist and assistant specialists
ARTICLE 26- (1) Personal Data Protection Specialist and Assistant Personal Data Protection Specialist can be employed in the Institution. Among these, those who are appointed to the Personal Data Protection Specialist staff within the framework of additional article 41 of the Law No. 657 are subject to a one-time promotion.
Provisions regarding personnel and personal rights
ARTICLE 27- (1) Institution personnel are subject to Law No. 657, except for the issues regulated by this Law.
(2) The payments made within the scope of financial and social rights to the Chairman and members of the Board and to the personnel of the Institution determined in accordance with the additional article 11 of the Decree-Law dated 27/6/1989 and numbered 375 are paid within the framework of the same procedures and principles. Those who are not subject to tax and other legal deductions from payments made to peer personnel are also not subject to tax and other deductions according to this Law.
(3) The Chairman and members of the Board and the personnel of the Institution are subject to the provisions of subparagraph (c) of the first paragraph of Article 4 of the Social Insurance and General Health Insurance Law No. 5510, dated 31/5/2006. The Chairman and members of the Board and the personnel of the Institution are considered equivalent in terms of retirement rights with the personnel determined as precedent in cc781905-5cde-3194-bb3b-136bad5cf58d_da. Article 4 of Law No. 5510
(1) With the Article 163 of the Decree Law No. 703 dated 2/7/2018, the phrase “Decision of the Council of Ministers” in this paragraph was changed to “By the President”.
Among those appointed to the Chairman and membership of the Board while insured within the scope of subparagraph (c) of the first paragraph, the terms of service spent in these duties of those whose duties have ended or who wish to leave these duties shall be taken into account in the determination of their earned rights, pensions, degrees and levels. Among these, the periods spent in these duties of those who fall under the scope of the temporary article 4 of the Law No. 5510 are considered as the period for which office compensation and representation compensation must be paid. In public institutions and organizations, those who are insured within the scope of subparagraph (a) of the first paragraph of Article 4 of the Law No. 5510 and who are appointed as the Chairman and members of the Board, dismissing their relations with the previous institutions and organizations do not require the payment of severance pay or termination indemnity. The service periods for which severance pay or termination indemnity must be paid for those in this situation are combined with the term of service as the Chairman of the Board and the Board membership, and the retirement bonus is considered as the period to be paid.
(4) Public administrations within the scope of central government, social security institutions, local administrations, administrations affiliated to local administrations, unions of local administrations, organizations with revolving funds, funds established by law, institutions with public legal personality, institutions with more than fifty percent of the capital owned by the public, economic state enterprises and state economic institutions and their subsidiaries and institutions, with the consent of other public servants institutions, judges and prosecutors may be temporarily assigned to the Institution with their consent, provided that salaries, allowances, all kinds of raises and compensations and other financial and social rights and aids are paid by their institutions. . The requests of the institution in this regard are primarily finalized by the relevant institutions and organizations. Personnel assigned in this way are deemed to be on paid leave from their institutions. As long as these personnel are on leave, their civil service and personal rights continue, these periods are also taken into account in their promotion and retirement, and their promotions are made on time without the need for any further action. The time spent in the Institution by those assigned under this article shall be deemed to have been spent in their own institutions. The number of those appointed in this way cannot exceed ten percent of the total number of Personal Data Protection Specialist and Personal Data Protection Assistant Specialist, and the duration of the assignment cannot exceed two years. However, in case of need, this period can be extended in periods of one year. (1)
(5) The titles and numbers of the personnel to be employed in the Institution are shown in the attached table (I). Not to exceed the total number of staff, but limited to the staff titles included in the tables attached to the Decree-Law on General Staff and Procedure No. 190 and dated 13/12/1983, making changes in titles and degrees, adding new titles and canceling vacant positions are made by the decision of the Board.
ARTICLE 28- (1) The provisions of this Law do not apply in the following cases:
a) Processing of personal data by real persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and that the obligations regarding data security are complied with.
(1) With the 119th article of the Law No. 7061 dated 28/11/2017, the phrase "consent of the judges and prosecutors themselves" has been added after the phrase "consent of other public officials institutions".
b) Processing personal data for purposes such as research, planning and statistics by making them anonymous with official statistics.
c) Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
ç) Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations that have been authorized by law to ensure national defense, national security, public safety, public order or economic security.
d) Processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution proceedings.
(2) In accordance with the purpose and basic principles of this Law, Article 10, which regulates the obligation of disclosure of the data controller, Article 11, which regulates the rights of the data subject, with the exception of the right to demand the compensation of the damage, and Article 16, which regulates the obligation to register in the Data Controllers Registry, shall not be applied in the following cases:
a) The processing of personal data is necessary for the prevention of crime or for criminal investigation.
b) Processing of personal data made public by the person concerned.
c) If personal data processing is required by the authorized and authorized public institutions and organizations and professional organizations in the nature of public institutions, for the execution of supervisory or regulatory duties and for disciplinary investigation or prosecution, based on the authority given by the law.
ç) The processing of personal data is necessary for the protection of the economic and financial interests of the State with regard to budget, tax and financial matters.
Institution's budget and revenues
ARTICLE 29- (1) The budget of the institution is prepared and accepted in accordance with the procedures and principles determined in the Law No. 5018.
(2) The revenues of the institution are as follows:
a) Treasury aids to be made from the general budget.
b) Revenues from movable and immovable properties belonging to the Institution.
c) Donations and aids received.
ç) Incomes from the evaluation of their income.
d) Other income.
Amended and added provisions
ARTICLE 30- (1) (It is related to Law No. 5018 dated 10/12/2003 and has been replaced.)
(2) to (5) - (Related to Law No. 5237 of 26/9/2004 and has been replaced.)
(6) (Related to the Health Services Basic Law No. 3359 dated 7/5/1987 and has been replaced.)
(7) (Related to the Decree-Law on the Organization and Duties of the Ministry of Health and its Affiliates, dated 11/10/2011 and numbered 663 )
ARTICLE 31- (1) Regulations regarding the implementation of this Law shall be put into effect by the Authority.
PROVISIONAL ARTICLE 1- (1) Within six months following the publication of this Law, Board members are elected in accordance with the procedure set forth in Article 21 and the Presidency organization is formed.
(2) Data controllers must register with the Data Controllers Registry within the period determined and announced by the Board.
(3) Personal data processed before the date of publication of this Law shall be brought into compliance with the provisions of this Law within two years from the date of publication. Personal data that are found to be in violation of the provisions of this Law are immediately deleted, destroyed or anonymized. However, consents obtained in accordance with the law before the publication date of this Law shall be deemed to be in accordance with this Law, unless a declaration of intent is made to the contrary within one year.
(4) The regulations stipulated in this Law shall be put into effect within one year following the publication of this Law.
(5) Within one year from the date of publication of this Law, a senior manager shall be appointed and notified to the Presidency in order to ensure coordination regarding the implementation of this Law in public institutions and organizations.
(6) First elected President, Second President and two members determined by lot for six years; the other five members serve for four years.
(7) Until the budget is allocated to the Institution;
a) The expenses of the Institution are met from the budget of the Prime Ministry.
b) All necessary support services such as buildings, tools, equipment, furnishings and equipment are provided by the Prime Ministry in order for the Institution to perform its services.
(8) Secretariat services are carried out by the Prime Ministry until the service units of the Agency become operational.
PROVISIONAL ARTICLE 2- (Added:28/11/2017-7061/120 art.)
(1) From political sciences, economics and administrative sciences, economics, law and business faculties that provide at least four years of undergraduate education, from the electronics, electrical-electronics, electronics and communication, computer, information systems engineering departments of engineering faculties or their equivalence by the Higher Education Council. from those who graduated from accepted higher education institutions in Turkey and abroad; He was appointed to the cadres of the central organizations of the institutions related to the titles specified in the subparagraph (11) of the paragraph (A) of the section titled "Common Provisions" of the article 36 of the Law No. 657, after a certain period of in-service training and a special proficiency exam, entered with a special competitive exam for the profession. Those who have been in the positions for at least two years excluding unpaid leave periods and those who have been in the positions of faculty members, provided that they have received at least seventy points from the Foreign Language Proficiency Exam and have not attained the age of forty as of the date of appointment, within one year from the date of entry into force of this article. They can be appointed as Data Protection Specialists. The number of those to be appointed in this way cannot exceed fifteen.
ARTICLE 32- (1) This Law;
a) Six months after the publication of Articles 8, 9, 11, 13, 14, 15, 16, 17 and 18,
b) Other articles on the date of publication,
enters into force.
ARTICLE 33- (1) The provisions of this Law are executed by the Council of Ministers.