REGISTER LOGIN

Information Note of the Turkish Personal Data Protection Authority on the Personal Data Processing Conditions Provided for by the Laws

04.03.2024
DL Attorneys at Law

Hande Çağla Yılmaz co-authored this article.

The Turkish Personal Data Protection Authority ("Authority") published "Information Note on the Personal Data Processing Conditions Provided for by the Laws” on the "expressly provided for by the laws" personal data processing condition regulated under the Article 5/2-a of the Turkish Personal Data Protection Law ("PDPL") on the official website of the Authority on 12/02/2024.

In the first part, the Authority stated that if there is a provision for the processing of personal data in the law or secondary regulations, Article 5/2-a of the PDPL will be relied upon. For example, the preparation of a personnel file by the employer (processing of the employee's identity data) in accordance with Article 75 of the Turkish Labor Law No. 4857 may be considered within this scope. Also, the Authority stated that no literal interpretation should be made regarding the term "expressly” stated under the Article 5/2-a of the PDPL, otherwise the processing condition would have a very limited application area. In this context, payment of wages in accordance with the Article 8 of the Turkish Labor Law No. 4857 (processing of the employee's bank account number, marital status, dependents, whether his/her spouse is working, social security number information, etc.) is given as an example.

In the second part, the Authority stated that the personal data processing conditions of “necessary for compliance with a legal obligation to which the data controller is subject” in the Article 5/2-ç of the PDPL and “expressly provided for by the laws” in the Article 5/2-a PDPL are regulated together in the Article 6/1-c of the EU General Data Protection Regulation (“GDPR”). Regarding the evaluation of whether the data processing activity is a legal obligation of the data controller, the Authority, by giving an example from the Guide[1] prepared by the Irish Data Protection Authority; stated that, in line with the principles of transparency and accountability, the data controller should evaluate whether the processing is “necessary” to comply with the obligation in question. In addition, the personal data processing requirement under GDPR 6/1-c may be based on law or also on secondary regulation was emphasized.

You can find the Information Note here (in Turkish).

[1] Guidance Note on Legal Basis for Processing Personal Data

This website is available “as is.” Turkish Law Blog is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this website, and in no event shall they be liable for any loss or damages.

Popular Articles on Data Protection & Privacy

Kişisel Verileri Koruma Kurulunun 2023/134 Sayılı Kararı Doğrultusunda Tiktok Hakkında 1.750.000 TL İdari Para Cezası Uygulanmasına Karar Verildi
Data Protection & Privacy 2023 Guide for Turkey - 2
Data Protection & Privacy 2023 Guide for Turkey - 1
Epic Games, Çocuk Mahremiyeti İhlalleri ve İstenmeyen Ücretlerle İlgili FTC İddiaları Üzerine 520 Milyon Dolar Ödeme Yapacak
Guide to Direct Marketing Using Live Calls Published By ICO

Latest Insights from DL Attorneys at Law

Kişisel Verileri Koruma Hukuku Güncel Gelişmeler Nisan 2024
Veri Koruması İçin Yöntemler: Anonimleştirme ve Psödönimleştirme Hakkında Bir İnceleme
Safeguarding Data: A Review of Anonymization and Pseudonymization
The Importance of Personal Data Protection Law Within the Scope of ESG
ÇSY Kapsamında Kişisel Verilerin Korunması Hukukunun Önemi
Ready to stay ahead of the curve?
Share your interest anonymously and let us guide you through the informative articles on the hottest legal topics.
|
Successful Your message has been sent