Personal Data Protection Law no. 6698 (“Law”) defines the data subject as the natural person whose personal data are processed (“data subject”). Everyone has the constitutional right to respect for his or her private and family life, as well as the protection of personal data concerning him or her.
Data subjects may directly appeal to the court or use other legal remedies to exercise their right to the protection of personal data. The available legal remedies comprise (i) making a request to the data controller as described in article 13 of the Law, and (ii) filing a complaint with the Personal Data Protection Board (“Board”) as outlined in articles 14 and 15 of the Law.
The Law establishes a multi-step procedure for personal data protection requests. Data subjects must first make a request to the data controller to exercise their rights. They cannot file a complaint with the Board before exhausting this remedy. However, a data subject has the right to directly appeal to the judiciary for breach of rights without first applying to the data controller. A direct request to the data controller is only required if the matter is to be referred to the Board at a later stage.
Request to the Data Controller:
Pursuant to article 11 of the Law, the data subject has the right to request to the data controller about him/her;
- to learn whether his/her personal data are processed or not,
- to demand for information as to if his/her personal data have been processed,
- to learn the purpose of the processing of his/her personal data and whether these personal data are used in compliance with the purpose,
- to know the third parties to whom his personal data are transferred in country or abroad,
- to request the rectification of the incomplete or inaccurate data, if any,
- to request the erasure or destruction of his/her personal data,
- to request reporting of the operations for the rectification, erasure or destruction of personal data to third parties to whom his/her personal data have been transferred,
- to object to the occurrence of a result against the person himself/herself by analyzing the data processed solely through automated systems,
- to claim compensation for the damage arising from the unlawful processing of his/her personal data.
Depending on the nature of the data subject’s request, the data controller must respond to it as soon as possible or within thirty days. Data subjects may file a complaint with the Board if their requests are denied, the response is inadequate, or they do not receive a timely response. While making a request to the data controller is required, filing a complaint is optional. Therefore, the data subject whose request is either implicitly or explicitly denied can submit a complaint to the Board or immediately appeal to the court.
Complaint:
Data subjects who have their requests denied, find the response inadequate or do not receive a timely response may file a complaint with the Board. The data subject is legally obliged to make a request to the data controller prior to submitting a complaint.
The data subject may file a complaint with the Board within thirty days after having the response of the data controller, or, in any case, within sixty days of the request date. The complaint is deemed to have been refused if the Board does not respond within 60 days. If the Board responds within this timeframe, the decision is notified to the data subject and the data controller. The data controller must implement this decision without delay and no later than 30 days after being notified.
