Turkey’s Personal Data Protection Board has announced further details about the content and method of disclosures and declarations which data controllers must make while collecting personal data. Such declarations can be made in a range of methods, provided they are in clear, plain and simple language. Notably, disclosures must be made every time personal data is processed, regardless of the data subject’s request and any legislative exceptions which may apply related to obtaining explicit consent.

Data controllers (or their authorized representatives) must make certain disclosures and declarations to data subjects when collecting personal data (Article 10 of Data Protection Law number 6698; “Law“). Declarations should include at least:

  • The data controller’s identity, as well as its representative (if any).
  • The purposes for processing personal data.
  • The persons to whom processed personal data might be transferred and the purposes for this.
  • The method and legal basis for collecting personal data.
  • The data subject’s rights.

The Communiqué on Procedures and Principles regarding the Data Controller’s Obligation to Inform (“Communiqué”) was published in Official Gazette number 30356 on 10 March 2018, entering into effect on the same date.

The Communiqué outlines further details about the declarations which must be made under Article 10 of the Law:

  • Declarations can be made by using physical or electronic mediums, including oral and written methods, voice recordings, as well as call centers.
  • Declarations must be made every time personal data is processed. The obligation does not depend on the data subject’s request and applies regardless of whether any exceptions to explicit consent apply under the Law.
  • If the purpose for processing personal data changes, the data subject must be informed about the new purpose before the data is processed.
  • Data collectors bear the burden of proving they have met obligations to inform data subjects.
  • If different parts of the data collector’s business process personal data for different purposes, the data subject should be informed separately for each business unit.
  • If personal data is processed based on explicit consent from the data subject, the declaration and obtaining explicit consent must be performed separately.
  • If a party is required to register with the Data Controller’s Registry, the information stated during the declaration must comply with the information disclosed to the Data Controller’s Registry.
  • The purpose for processing personal data stated in the declaration must be specific, clear and legitimate. Statements shouldn’t be ambiguous or general. Expressions which create the perception that personal data could be processed for other purposes which arise should not be used.
  • The declaration should be made in a clear, plain and simple language.
  • The declaration should specify which processing basis under Article 5 and 6 of the Law applies.
  •  The persons to which receiver groups the processed personal data might be transferred should be identified, along with the purposes for processing personal data.
  • The declaration must clearly state which method is used when processing personal data. Methods can be partially or completely automatic/non-automatic, provided it is a part of the data recording system.
  • Incomplete, misleading, or incorrect information should be avoided while making the declaration.
  • If personal data is obtained from a party other than the data subject:|
    • The declaration must be made to the data subject within a reasonable period after obtaining the personal data.
    • If the personal data will be used to communicate with the data subject, the declaration should be made during the initial communication.
    • If personal data will be transferred, the declaration must be made to the data subject at the time of the first transfer of personal data, at the very latest.

Please see this link for full text of the Communiqué (only available in Turkish).