What is LPPD?

Conditions of Processing of Personal Data Under LPPD

Although under Article 5(1) of LPPD, the data subject's explicit consent is mandatory for processing personal data, personal data processing may also be allowed when one of the following conditions are established:

• It is clearly provided for by the laws.
• It is mandatory for the protection of life or physical integrity of the person or any other person who is bodily incapable of giving his consent or whose consent is not deemed legally valid.
• Processing of personal data belonging to the parties of a contract is necessary, provided that it is directly related to the conclusion or fulfillment of that contract.
• The controller must be able to perform his legal obligations.
• The data concerned is made available to the public by the data subject himself.
• Data processing is mandatory for the establishment, exercise, or protection of any right.
• It is compulsory for the controller's legitimate interests, provided that this processing shall not violate the data subject's fundamental rights and freedoms.

Rights of Data Subjects

Under Article 11 of LPPD, the law grants rights to data subjects that they can exercise under this law. These rights are as follows:

• The right to be informed about the processing of their personal data
• The right to request information if their personal data is processed
• The right to know the purpose of data processing and whether this data is used for the intended purposes
• The right to know the third parties to whom their personal data is transferred at home or abroad
• The right to request the rectification of incomplete or inaccurate data
• The right to request the erasure of their personal data under the conditions laid down in Article 7 of LPPD
• The right to object to the processing of personal data, exclusively by automated decision-making systems
• The right to request compensation for the damage arising from the unlawful processing of their personal data.

Obligations of Data Controller

• Under Article 10 of LPPD, the data controller must inform the data subject in every situation where their data is processed.
• The data controller must also erase, destroy, or anonymize personal data if the data subject demands it despite the data being processed under LPPD's provisions. In this regard, the Board has issued an Regulation on the Erasure,
• Destruction and Anonymizing of Personal Data (published in the Official Gazette dated October 28, 2017, numbered 30224).
• Under Article 13, the data subject may apply in writing to the Controller, demanding the implementation of their rights mentioned in Article 11 of LPPD or through any other means specified by the Board.
• According to Article 14 of LPPD the data subject may file a complaint with the Board within 30 days following the date the data subject becomes aware of the data controller’s response and 60 days of receipt at most.

Transfer of Personal Data to Third Parties

• For the transfer of personal data inside Turkey, according to Article 8 of LPPD, personal data can only be transferred with the data subject's explicit consent. To transfer the personal data without the data subject's explicit consent, LPPD stipulates the same conditions as mentioned in Article 5(2) and 6(3) of the LPPD for processing personal data.
• Under Article 9 of LPPD, cross-border transfer of personal data may take place once one of the following conditions are met:
  • Explicit consent of the data subject
  • Personal data may also be transferred abroad if one of the following conditions are established:
  • Approved country by the Board as "Adequate Country" along with the existence of conditions mentioned in Article 5(2) and 6(3) of LPPD.
  • An adequate country must have a sufficient level of protection.
  • If the Board does not approve the country as "Adequate Country," then data controllers in Turkey and abroad commit in writing to provide an adequate level of protection, and the Board has authorized this transfer where the existence of the circumstances referred to in Article 5(2) and Article 6(3) of LPPD.

Obligations to Register to Data Controllers’ Registry

Under Article 16 of LPPD, natural persons or legal persons who process personal data must enroll in the Data Registry of Controllers before taking any steps to process personal data. Application for enrolling must be made with a notification containing the following essentials:

• Identity and address of the controller and of their representative
• Purposes for which the personal data will be processed
• Explanations about the group of personal data subjects as well as about the data categories belonging to them
• Recipients or groups of recipients to whom the personal data may be transferred
• Personal data which is envisaged to be transferred abroad
• Measures taken for the security of personal data
• Maximum period of time required for the purpose of the processing of personal data.

Requirements of Data Security

• Pursuant to Article 12 of LPPD, it is the responsibility of the Data controller to ensure the retention of personal data, prevention of unlawful processing of personal data, and prevention of unlawful access to personal data.
• All necessary organizational and technical measures should be taken by the controller to fulfill the obligation stated under LPPD. Turkey has issued a Personal Data Security Guide to clarify the technical and organisational measures for the secure processing of personal data.