Within the framework of Law No. 6698 on the Protection of Personal Data (KVKK; abbreviated below as LPPD), the responsibilities of employers who, as data controllers, process personal data are becoming increasingly important. The decisions of the Personal Data Protection Board emphasise the care that data controllers should take when processing personal data, the importance of keeping a data inventory, and their obligation to respond to applications made to them.
Pursuant to Article 11 of the LPPD, everyone has the right, by applying to the data controller, to:
a) learn whether personal data has been processed,
b) request information if personal data has been processed,
c) learn the purpose of processing personal data and whether it is used in accordance with its purpose,
ç) know the third parties to whom personal data is transferred domestically or abroad,
d) request correction of personal data in case of incomplete or incorrect processing,
e) request the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7,
f) request notification of the transactions made in accordance with subparagraphs (d) and (e) to third parties to whom personal data are transferred,
g) object to the occurrence of a result to the detriment of the person himself/herself by analysing the processed data exclusively through automated systems,
ğ) demand compensation for the damage in case of damage due to unlawful processing of personal data.
Pursuant to Article 13 of the LPPD, the data subject may apply to the data controller in writing or by other methods determined by the Board in order to exercise his/her rights. The Personal Data Protection Board has determined the application methods with the ‘Communiqué on the Procedures and Principles of Application to the Data Controller’ published in the Official Gazette dated 10 March 2018 and numbered 30356. Accordingly, the application can be made:
- In writing (by hand, by mail),
- Via a registered electronic mail (KEP) address,
- With a secure electronic signature or mobile signature,
- Via the electronic mail address previously notified by the data subject and registered in the system.
The data controller is obliged to evaluate the application received from the data subject effectively and in accordance with the law and good faith. Pursuant to Article 13 of the LPPD, the data controller is obliged to finalise the application within 30 days at the latest.
The response should not be general or superficial; it should include the requested information in a detailed and understandable manner. A general and superficial response that does not clearly reveal which data is processed and for what purpose constitutes a violation of the principles of transparency and accountability.
In this context, the following should be clearly stated:
- Which personal data are processed,
- The purposes of processing this data,
- The legal basis for processing the data,
- To whom the data are transferred, and
- The retention periods.
It is important for data controllers to create a Data Inventory and keep it up to date so that they can respond to applications easily. As a matter of fact, the inventory will already contain detailed information on the data subject to the application.
Among the basic principles regarding the processing of personal data specified in Article 4 of the LPPD are the principles of ‘compliance with the law and good faith’ and ‘processing for specific, explicit and legitimate purposes’. These principles require the data controller to be open and accountable in its data processing activities.
The care that data controllers should take in the processing of personal data of data subjects and the importance of the responsibility to keep a data inventory are clearly demonstrated by the penalties imposed for inadequate response to applications.
Data controllers must carry out the processing of personal data of data subjects in a transparent and accountable manner, keep data inventories in detail and in accordance with legal regulations, clearly determine the retention periods and respond to the applications of data subjects in detail.
It should be noted that failure to fulfil these responsibilities may result in administrative fines pursuant to Article 18 of the LPPD. In addition, the necessary corrections should be made to data processing procedures in line with the instructions given by the Board.
As a result, it is of great importance for data controllers to fulfil their responsibilities under the LPPD in order to avoid legal sanctions and to ensure the protection of employees’ personal data.
Director Lawyer Öykü Güldürmez













