The Personal Data Protection Authority (“Authority”) has published the second study on frequently asked questions and misconceptions about the Law on the Protection of Personal Data No. 6698 (“PDP Law”) and its implementation.

Although the PDP Law and the secondary legislation have created the necessary legal ground, practical questions regarding the implementation of the legislation come to the fore.

In this direction, the Authority has included many questions that are frequently asked and have practical importance for the implementation and the answers to these questions in "Misconceptions-2".

Here are some significant questions and answers included in this guide:
 

• Can a one particular personal data processing activity be carried out based on more than one processing condition stipulated in the PDP Law?

There may be more than one personal data processing condition while performing personal data processing activities. However, since obtaining explicit consent from the data subject while there is one of the data processing conditions other than explicit consent will mean misleading and misdirecting the data subject, personal data processing cannot be carried out based on the other processing conditions together with the explicit consent condition.
 

• Is it illegal in all cases to require explicit consent for the provision of a service?

In case personal data is processed on the basis of the "explicit consent" processing condition, the explicit consent to be obtained from the data subjects must bear all the elements of "related to a specific subject, being informed, with free will". Within this context, explicit consent must be provided with the free will of the data subject and making it mandatory as a prerequisite for a service provision would not be in accordance with the law as a rule.

However, due to the nature of an individual case, where the processing activity can only be carried out by obtaining explicit consent from the data subject, obtaining explicit consent from the data subject may not constitute a violation of the PDP Law in this case.
 

• Should the obligation to inform be fulfilled by the data controller itself in all cases?

According to the PDP Law, the obligation to inform must be fulfilled by the data controller or the person authorized by the data controller during the collection of personal data. For example, it is possible for the data processor to fulfill the obligation to inform on behalf of the data controller in case it is authorized by the data controller.
 

• In the event that the data controller cannot yet clearly determine the issues in the “personal data breach notification form” regarding a data breach, should the data controller notify the Authority immediately regarding this data breach?

It is obligatory for data controllers to notify the Authority regarding a data breach as soon as possible (within 72 hours). In the event that the issues in the personal data breach notification form cannot be determined or detected clearly, the violation must still be notified to the Authority as soon as possible (within 72 hours) with the information available, and additional information must be submitted to the Authority as soon as it is determined or detected without delay in the ongoing process.
 

To read in detail all the questions and answers in the " Misconceptions -2":

https://kvkk.gov.tr/SharedFolderServer/CMSFiles/d077b665-66b6-4615-975a-249f93e084ba.pdf