Things to Know About Personal Data
The Law on the Protection of Personal Data (KVKK), numbered 6698, was published in the Official Gazette on March 24, 2016 and entered into force. The purpose of this law is to set out the rules to be observed in the processing of personal data and in ensuring the confidentiality of private life. In doing so, it is essential to protect fundamental rights and freedoms. According to the law, every natural and legal person who collects, processes and organizes personal data has certain obligations.
After the KVKK entered into force, certain definitions began to gain importance for individuals and institutions within the scope of the law. In this context, questions such as “What is personal data?”, “Who is the contact person?” and “Who is the data subject?” are often asked. In addition, the data controller and its obligations specified in the law are another matter of curiosity.
What is Personal Data?
The definition of personal data in KVKK is "any information relating to an identified or identifiable natural person". In this context, for a piece of information to be considered personal data, it must have certain characteristics. This information must first belong to a real person. Information belonging to legal entities is not considered within the scope of personal data. In addition, the identity of the person to whom the information belongs must be certain; that is, the person must be distinguishable from other people in society. However, even if the identity of the person in question is not yet certain, the fact that it may be determined in the future puts this information in the category of personal data.
Another important issue regarding personal data is the expression "all kinds of information" specified in the law. At this point, it is understood that the limit regarding personal data is kept as wide as possible. In other words, the purpose here should be evaluated not only as the privacy of private life, but also as the whole of personal interests. In this respect, all kinds of written and visual content, sound recordings and any similar data belonging to a person are classified as personal data.
Who is the Data Controller? What Are Their Responsibilities?
The definition of data controller in KVKK is as follows: the real or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. As can be understood from this definition, persons who decide for what purpose personal data will be collected, and when, where and how it will be processed, are considered data controllers. It is also worth noting that both natural and legal persons can be data controllers. Any legal responsibility arising from the processing of personal data belongs to the relevant natural or legal person.
No distinction is made between legal entities that are data controllers. In other words, all public and private sector organizations, associations and foundations, trade unions, professional chambers, universities, companies, etc. can be considered data controllers. The data controller is primarily responsible for ensuring the confidentiality of personal data and determining the method and purpose of processing this data.
Who is the Contact Person?
The contact person is the person appointed, in accordance with the KVKK, by the legal person who is the data controller, and is responsible for communication between the data controller and the data subject. Likewise, the contact person is also responsible for communication between the Personal Data Protection Authority and the data controller. However, it should be noted that the contact person is not responsible for sanctions and liabilities before the law; in such cases, the responsibility rests with the represented legal entity.
Although the contact person has certain duties and responsibilities, the legal responsibilities of the legal person who is the data controller remain unchanged. When registering with the Data Controllers Registry (VERBIS), the data controller must also provide the information of the contact person it has appointed.
Who is the Data Subject?
In the KVKK, the data subject (the person concerned) is defined as "the real person whose personal data are processed". The law specifies in detail the conditions for processing the data subject's personal data. As stated in paragraph 1 of Article 5 of the Law, personal data cannot be processed without the explicit consent of the person concerned. Likewise, it is not possible to transfer it to another place without the consent of the person concerned. But there are some exceptions to this. The scope of these is also written in detail in the law. For example,
• expressly stipulating the disclosure of relevant data in laws,
• failure to declare consent due to actual impossibility,
• the obligation to process personal data in the case of a contract,
• legal responsibilities of the data controller
Circumstances such as these remove the obligation to obtain explicit consent from the data subject in the processing of personal data.
Personal data can be deleted and destroyed by the data controller at the request of the data subject. It is also possible to anonymize the data upon request. The legal framework on these issues is likewise drawn by the principles contained in the laws.