The Law on Protection of Personal Data was adopted by the General Assembly of the Turkish Grand National Assembly on 24th March, 2016 and entered into force upon publication in the Official Gazette dated 7th April, 2016 and with No. 29677. It aims to prevent the violation of personal rights as a result of “unlimited and random collection of personal data, making them accessible to unauthorized persons, disclosing them or incorrect use or misuse of these personal data” (The Law on Protection of Personal Data in 100 Questions *). This law, which aims to protect fundamental rights and freedoms, is primarily intended to protect individuals and to prevent the negative situations that random collection and transfer of data may cause.
What Does the Law on Protection of Personal Data Mean for Individuals?
Technological innovations, especially the Internet, have significantly changed life and are continuing to do so. Many transactions made in the cyber world now entail the processing of personal data. The Law on Protection of Personal Data (LPPD), which was adopted at the beginning of 2016, enables many kinds of personal information, from identity numbers to photographs, to be secured.
The relevant law defines personal data as a concept specific to natural persons. In this context, personal data covers not only identity information such as name, surname, date of birth and place of birth, but also all information that makes the person directly or indirectly identifiable, such as the individual's phone number, motor vehicle license plate, social security number, passport number, CV, photograph, image and sound records, fingerprints, e-mail address, hobbies, preferences, people with whom they interact, group memberships, family information and health information. Under this law, private or public institutions that want to process this data must obtain approval from the relevant person.
The types of personal data are also included in the document titled “ (the Law on Protection of Personal Data in 100 Questions)” prepared by the Personal Data Protection Authority, which ensures the implementation of the Law on Protection of Personal Data:
What is Private Quality (Sensitive) Personal Data?
Private quality personal data are defined as data that may cause the person to whom they belong to be victimized or exposed to discrimination if those data are learned by others. These data are clearly defined in the Law on Protection of Personal Data, and data outside this definition are not deemed private. According to the announced list, the definition includes data regarding race, ethnicity, political opinion, philosophical belief, sect or other beliefs, appearance, membership of an association, foundation or union, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data.
Your Personal Health Data Is Valuable
Health data is undoubtedly one of the most common types of private quality data. These data, which are defined as all kinds of data regarding the physical and mental health of the person and the information about the health service provided to the person, include information such as analysis results, previously experienced diseases and medications used. Since these data are of a private nature, the person's permission must be obtained separately in order to process them.
What Should Be Done in Case of a Data Breach?
The law provides for two types of notifications / complaints in case of a data breach. The first is that the company or institution responsible for data protection notifies the Personal Data Protection Authority of the breach through the relevant panel. The Authority can make this notification public to warn individuals whose data may have been obtained.
The second is a notification made directly by the original owner of the data. Individuals who realize that their data are being used without permission can submit their complaints through sikayet.kvkk.gov.tr or the E-State Portal. However, there are two important points to pay attention to here. The first is that the complaint must be made directly by the owner of the data (no agent or guardian is accepted). The second is that the complaint must first be made to the company or institution concerned, before it is made to the Personal Data Protection Authority. The Authority accepts the application if there is no response from the company or institution, or if the complainant thinks that the request in the complaint has not been met. To check this, it requests a copy of the correspondence with the relevant company or institution.
For further detailed information, you can visit https://www.kvkk.gov.tr/