Av. Sevcen CAN & Av. Yasemin ÇORAK
Some rights and obligations related to personal data protection are regulated by The Law on the Protection of Personal Data (“LPPD” or “Law”) No. 6698. We evaluate the subject of rights and obligations in two different titles as “The Rights of Data Subject” and “The Obligations of Data Controller”. We have clarified the concepts of data subject and data controller in our previous article; (Please see…). In this article, the obligations of data controller will be explained.
The Obligations of Data Controller
1) Obligation to inform
Whilst collecting personal data, the controller or the person authorised by the controller is obliged to inform the data subjects about the following:
– The identity of the controller and of his representative, if any,
– The purpose of data processing;
– To whom and for what purposes the processed data may be transferred,
– The method and legal reason of collection of personal data,
– The data subject’s other rights referred to in this Law.
2) Obligation to ensure data security
The data controllers are obliged to take all necessary technical and administrative measures to provide a sufficient level of security in order to:
– Prevent unlawful processing of personal data,
– Prevent unlawful access to personal data,
– Ensure the retention of personal data.
Other than above;
– The data controller is obliged to conduct necessary inspections with the aim of implementing the provisions of this Law in his own institution or organization.
– The data controllers and processors shall not disclose the personal data that they learned to anyone in breach of this Law, shall not use such data for purposes other than processing. This obligation shall continue even after the end of their term.
– In case the processed datas are collected by other parties through unlawful methods, the controller shall notify the data subject and the Board within the shortest time.
3) Obligation to erase, destruct or anonymise of personal data
Despite being processed under the provisions of this Law and other related laws, personal data shall be erased, destructed or anonymized by the controller, ex officio or upon demand by the data subject or disappearance of reasons which require the process.
In cases where the reason of processing disappears, it is not necessary for the data subject to apply for erasure, destruction or anonymisation of personal data. Controller is obligated to erase, destruct or anonymise them.
4) Obligation to register to Data Controllers’ Registry
We will share detailed information regarding Data Controllers’ Registry and controller’s obligation to register in our another article.
In our next article, we will explain the rights of data subject (Please see…).