KVKK

PERSONAL DATA PROTECTION LAW

Aim
ARTICLE 1- (1) The purpose of this Law is to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data and to regulate the obligations of real and legal persons processing personal data and the procedures and principles to be followed.
Scope
ARTICLE 2- (1) The provisions of this Law apply to natural persons whose personal data are processed, and to natural and legal persons who process these data by fully or partially automatic or non-automatic means, provided that they are part of any data recording system.
Definitions
ARTICLE 3- (1) In the implementation of this Law;
a) Explicit consent: Consent regarding a specific issue, based on being informed and expressed with free will,
b) Anonymization: Making personal data impossible to associate with an identified or identifiable natural person in any way, even by matching it with other data,
c) President: President of the Personal Data Protection Authority,
c) Relevant person: The real person whose personal data is processed,
d) Personal data: Any information regarding an identified or identifiable natural person,
e) Processing of personal data: Obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available personal data by fully or partially automatic or non-automatic means provided that it is part of any data recording system. Any operation performed on data such as bringing, classifying or preventing its use,
f) Board: Personal Data Protection Board,
g) Institution: Personal Data Protection Authority,
g) Data processor: Real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller,
12302

h) Data recording system: The recording system in which personal data is structured and processed according to certain criteria,
i) Data controller: The natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system,
expresses.
SECOND PART
Processing of Personal Data
General principles
ARTICLE 4- (1) Personal data can only be processed in accordance with the procedures and principles set forth in this Law and other laws.
(2) It is mandatory to comply with the following principles in the processing of personal data:
a) Compliance with the law and the rules of honesty.
b) Being accurate and up to date when necessary.
c) Processing for specific, clear and legitimate purposes.
ç) Being related to the purpose for which they are processed, limited and proportionate.
d) To be kept for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.
Terms of processing of personal data
ARTICLE 5- (1) Personal data cannot be processed without the explicit consent of the relevant person.
(2) In case of one of the following conditions, it is possible to process personal data without the explicit consent of the relevant person:
a) It is clearly prescribed by law.
b) It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity.
c) It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract.
ç) It is mandatory for the data controller to fulfill its legal obligation.
d) It has been made public by the person concerned.
e) Data processing is mandatory for the establishment, exercise or protection of a right.
f) It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned.
Conditions for processing special personal data

ARTICLE 6- (1) Data regarding individuals’ race, ethnic origin, political thought, philosophical belief, religion, sect or other beliefs, appearance and attire, association, foundation or union membership, health, sexual life, criminal conviction and security measures. Biometric and genetic data are special personal data.
(2) It is prohibited to process special personal data without the explicit consent of the person concerned.
12303

(3) Personal data other than health and sexual life listed in the first paragraph may be processed without the explicit consent of the relevant person in cases stipulated by law. Personal data regarding health and sexual life can only be used by persons under the obligation of confidentiality or authorized institutions and organizations for the purpose of protecting public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and their financing, without the express consent of the relevant person. can be processed.
(4) In the processing of special categories of personal data, it is also essential to take adequate measures determined by the Board.
Deletion, destruction or anonymization of personal data
ARTICLE 7- (1) Although personal data has been processed in accordance with the provisions of this Law and other relevant laws, if the reasons requiring processing are eliminated, personal data is deleted, destroyed or made anonymous by the data controller ex officio or upon the request of the relevant person.
(2) Provisions in other laws regarding deletion, destruction or anonymization of personal data are reserved.
(3) The procedures and principles regarding the deletion, destruction or anonymization of personal data are regulated by the regulation.
Transfer of personal data
ARTICLE 8- (1) Personal data cannot be transferred without the explicit consent of the relevant person.
(2) Personal data;
a) In the second paragraph of Article 5,
b) Provided that adequate precautions are taken, in the third paragraph of Article 6,
If one of the specified conditions is met, it may be transferred without the express consent of the relevant person.
(3) Provisions in other laws regarding the transfer of personal data are reserved.
Transfer of personal data abroad
ARTICLE 9- (1) Personal data cannot be transferred abroad without the express consent of the relevant person.
(2) Personal data is subject to the presence of one of the conditions specified in the second paragraph of Article 5 and the third paragraph of Article 6 and in the foreign country to which the personal data will be transferred;
a) Availability of adequate protection,
b) In case there is no adequate protection, the data controllers in Turkey and the relevant foreign country must undertake in writing to provide adequate protection and have the permission of the Board,
It may be transferred abroad without the express consent of the person concerned.
(3) Countries with adequate protection are determined and announced by the Board.
12304

(4) The Board decides whether there is sufficient protection in the foreign country and whether permission will be given in accordance with subparagraph (b) of the second paragraph;
a) International agreements to which Turkey is a party,
b) The reciprocity status regarding data transfer between the country requesting personal data and Turkey,
c) Regarding each concrete personal data transfer, the nature of the personal data and the purpose and duration of processing,
d) The relevant legislation and practice of the country to which personal data will be transferred,
d) Measures undertaken by the data controller in the country to which personal data will be transferred,
It evaluates and, if necessary, decides by taking the opinions of relevant institutions and organizations.
(5) Without prejudice to the provisions of international agreements, personal data may be transferred abroad only with the permission of the Board, after obtaining the opinion of the relevant public institution or organization, in cases where the interests of Turkey or the relevant person would be seriously harmed.
(6) Provisions in other laws regarding the transfer of personal data abroad are reserved.

THIRD PART
Rights and Obligations
Data controller’s obligation to inform

ARTICLE 10- (1) During the acquisition of personal data, the data controller or the person authorized by the data controller shall;
a) Identity of the data controller and his representative, if any,
b) For what purpose personal data will be processed,
c) To whom and for what purpose the processed personal data can be transferred,
ç) Method and legal reason for collecting personal data,
d) Other rights listed in Article 11,
is obliged to provide information on the subject.
Rights of the person concerned
ARTICLE 11- (1) Everyone can apply to the data controller and obtain information regarding himself/herself;
a) Learning whether personal data is processed or not,
b) Requesting information if personal data has been processed,
c) Learning the purpose of processing personal data and whether they are used for their intended purpose,
ç) Knowing the third parties to whom personal data is transferred domestically or abroad,
d) Requesting correction of personal data if they are incomplete or incorrectly processed,
12305

e) Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7,
f) To request that the transactions carried out in accordance with paragraphs (d) and (e) be notified to third parties to whom personal data is transferred,
g) Objecting to the emergence of a result against the person by analyzing the processed data exclusively through automatic systems,
g) Requesting compensation for the damage in case of damage due to illegal processing of personal data,
has the rights.
Obligations regarding data security
ARTICLE 12- (1) Data controller;
a) To prevent unlawful processing of personal data,
b) To prevent unlawful access to personal data,
c) Ensuring the preservation of personal data,
It must take all necessary technical and administrative measures to ensure the appropriate level of security for this purpose.
(2) In case personal data is processed by another real or legal person on his/her behalf, the data controller is jointly responsible with these persons for taking the measures specified in the first paragraph.
(3) The data controller is obliged to carry out the necessary inspections or have them carried out in his own institution or organization in order to ensure the implementation of the provisions of this Law.
(4) Data controllers and data processors cannot disclose the personal data they have learned to anyone else, contrary to the provisions of this Law, and cannot use it for purposes other than processing. This obligation continues after they leave office.
(5) If the processed personal data is obtained by others through illegal means, the data controller shall notify the relevant person and the Board of this situation as soon as possible. If necessary, the Board may announce this situation on its own website or through another method it deems appropriate.
CHAPTER FOUR
Application, Complaint and Data Controllers Registry
Application to the data controller
ARTICLE 13- (1) The relevant person shall convey his/her requests regarding the implementation of this Law to the data controller in writing or by other methods determined by the Board.
(2) The data controller finalizes the requests in the application free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board may be charged.
(3) The data controller accepts the request or rejects it by explaining the reason and notifies the relevant person in writing or electronically of his/her response. If the request in the application is accepted, the necessary action will be taken by the data controller. If the application is due to the error of the data controller, the fee collected will be refunded to the relevant party.
12306

complaint to the board
ARTICLE 14- (1) In cases where the application is rejected, the response is found to be insufficient, or the application is not responded to within due time; The relevant person may file a complaint with the Board within thirty days from the date of learning the response of the data controller, and in any case within sixty days from the date of application.
(2) In accordance with Article 13, a complaint cannot be filed without exhausting the remedy.

(3) Those whose personal rights have been violated have the right to compensation in accordance with general provisions.
Procedures and principles of investigation upon complaint or ex officio
ARTICLE 15- (1) Upon complaint or upon learning of an alleged violation, the Board, ex officio, carries out the necessary investigation on matters within its field of duty.
(2) Notices or complaints that do not meet the conditions specified in Article 6 of the Law No. 3071 on the Exercise of the Right to Petition dated 1/11/1984 are not taken into consideration.
(3) Except for information and documents that are state secrets; The data controller is obliged to send the information and documents requested by the Board regarding the subject of examination within fifteen days and to enable on-site examination when necessary.
(4) Upon complaint, the Board examines the request and gives an answer to the relevant parties. If no response is given within sixty days from the date of complaint, the request is deemed rejected.
(5) If, as a result of the complaint or ex officio investigation, it is understood that there is a violation, the Board decides that the unlawfulness it detects will be remedied by the data controller and notifies the relevant parties. This decision shall be implemented without delay and within thirty days at the latest after notification.
(6) If, as a result of the complaint or ex officio investigation, it is determined that the violation is widespread, the Board takes a principle decision on this issue and publishes this decision. If necessary, the Board may also obtain the opinions of relevant institutions and organizations before taking a principle decision.
(7) The Board may decide to stop data processing or transfer of data abroad in case of irreparable or impossible damages and if there is a clear violation of the law.
Data Controllers Registry
ARTICLE 16- (1) A Data Controllers Registry is kept publicly available by the Presidency, under the supervision of the Board.
(2) Natural and legal persons who process personal data must register with the Data Controllers Registry before starting to process data. However, the Board may make an exception to the obligation to register in the Data Controllers Registry, taking into account objective criteria to be determined by the Board, such as the nature and number of personal data processed, whether the data processing arises from the law or whether it is transferred to third parties.
(3) Application for registration to the Data Controllers Registry is made with a notification containing the following:
a) Identity and address information of the data controller and his representative, if any.
b) For what purpose personal data will be processed.
12307

c) Explanations about the data subject group and groups and the data categories belonging to these persons.
d) Recipient or recipient groups to which personal data may be transferred.
d) Personal data intended to be transferred to foreign countries.
e) Measures taken regarding personal data security.
f) Maximum period required for the purpose for which personal data are processed.
(4) Changes in the information provided in accordance with the third paragraph are immediately notified to the Presidency.
(5) Other procedures and principles regarding the Data Controllers Registry are regulated by the regulation.

CHAPTER FIVE
Crimes and Misdemeanors
Crimes
ARTICLE 17- (1) In terms of crimes related to personal data, the provisions of Articles 135 to 140 of the Turkish Penal Code No. 5237 dated 26/9/2004 shall apply.
(2) Contrary to the provision of Article 7 of this Law; Those who do not delete or anonymize personal data are punished according to Article 138 of Law No. 5237.
Misdemeanors
ARTICLE 18- (1) Of this Law;
a) From 5,000 Turkish liras to 100,000 Turkish liras for those who do not fulfill the obligation to inform as stipulated in Article 10,
b) From 15,000 Turkish liras to 1,000,000 Turkish liras for those who do not fulfill the obligations regarding data security stipulated in Article 12,
c) From 25,000 Turkish liras to 1,000,000 Turkish liras for those who do not comply with the decisions made by the Board in accordance with Article 15,
ç) From 20,000 Turkish liras to 1,000,000 Turkish liras for those who act contrary to the obligation to register and notify the Data Controllers Registry as stipulated in Article 16,

Administrative fines are imposed.
(2) Administrative fines stipulated in this article are applied to real persons and private law legal entities who are data controllers.
(3) If the actions listed in the first paragraph are committed within public institutions and organizations and professional organizations with the nature of a public institution, upon the notification to be made by the Board, civil servants and other public officials working in the relevant public institution and organization and those working in professional organizations with the nature of a public institution will be subject to disciplinary provisions. The transaction is carried out and the result is reported to the Board.
12308

CHAPTER SIX
Personal Data Protection Authority and Organization
Personal Data Protection Authority
ARTICLE 19- (1) In order to fulfill the duties assigned by this Law, the Personal Data Protection Authority, which has administrative and financial autonomy and public legal personality, has been established.
(2) The institution is associated with the minister appointed by the President. (one)
(3) The headquarters of the institution is in Ankara.
(4) The Institution consists of the Board and the Presidency. The decision-making body of the institution is the Board.
Duties of the institution
ARTICLE 20- (1) The duties of the institution are as follows:
a) To follow the practices and developments in the legislation, to make evaluations and suggestions, to conduct research and investigations or to have them carried out, in accordance with its field of duty.
b) If necessary, to cooperate with public institutions and organizations, non-governmental organizations, professional organizations or universities on matters within its field of responsibility.
c) To monitor and evaluate international developments regarding personal data, to cooperate with international organizations on issues within its field of responsibility, and to participate in meetings.
d) To submit the annual activity report to the Presidency and the Human Rights Investigation Commission of the Turkish Grand National Assembly (…) (2). (2)
d) To fulfill other duties assigned by law.
Personal Data Protection Board (3)
ARTICLE 21- (1) The Board carries out and uses its duties and powers granted by this Law and other legislation independently, under its own responsibility. No organ, authority, authority or person can give orders, instructions, or make recommendations or suggestions to the Board regarding matters within its field of duty.
(2) The Board consists of nine members. Five members of the Board are elected by the Grand National Assembly of Turkey and four members are elected by the President. (3)
(3) The following conditions are required to become a member of the Board:
a) To have knowledge and experience on the subjects within the scope of duty of the institution.
b) To have the qualifications specified in subparagraphs (1), (4), (5), (6) and (7) of paragraph (A) of the first paragraph of Article 48 of the Civil Servants Law No. 657 dated 14/7/1965.
c) Not being a member of any political party.
d) Having received at least four years of higher education at undergraduate level.
d) (Repealed: 2/7/2018-KHK-703/163 art.)
–––––––––––––––––
(1) With Article 163 of Decree Law No. 703 dated 2/7/2018, the phrase “with the Prime Ministry” in this paragraph has been changed to “with the minister to be appointed by the President”.
(2) With Article 163 of the Decree Law No. 703 dated 2/7/2018, the phrase “and the Prime Ministry” in this paragraph has been abolished.
(3) With the 163rd article of the Decree Law No. 703 dated 2/7/2018, the phrase “two members of the President, two members of the Council of Ministers” in the second paragraph of this article has been changed to “four members of the President”.
12309

(4) (Repealed: 2/7/2018-KHK-703/163 art.)
(5) The Turkish Grand National Assembly elects members to the Board by the following procedure:
a) For the election, candidates are nominated twice as many as the number of members to be determined in proportion to the number of members of the political party groups, and the Board members are elected by the General Assembly of the Grand National Assembly of Turkey from among these candidates, based on the number of members in each political party group. However, political party groups cannot discuss or make decisions regarding who to vote for in the elections to be held in the Turkish Grand National Assembly.
b) The election of the members of the Board is made within ten days after the candidates are determined and announced. A combined ballot paper is prepared in the form of separate lists for the candidates nominated by the political party groups. Votes are cast by marking a special place next to the names of the candidates. political party

Votes cast in excess of the number of members to be elected to the Board from the quotas of the groups determined in accordance with the second paragraph are deemed invalid.
c) Provided that there is a quorum, the candidates who receive the most votes in the election are elected as many as the number of vacant seats.
ç) Two months before the end of the members’ term of office; In case of a vacancy in memberships for any reason, an election will be held using the same procedure within one month from the date of vacancy or, if the Turkish Grand National Assembly is in recess on the date of vacancy, from the end of the recess. In these elections, the distribution of vacant memberships to political party groups is made by taking into account the number of members elected from the quota of political party groups in the first election and the current ratio of political party groups.
(6) If one of the members elected by the President (…) (1) ends forty-five days before the end of his term of office or for any reason, the situation is notified to the Presidency (…) (1) by the Institution within fifteen days. New members are elected one month before the members’ term of office expires. If these memberships are vacated for any reason before the end of the term of office, an election will be held within fifteen days from the notification. (one)
(7) The Board elects the President and Vice-President from among its members. The Chairman of the Board is also the Chairman of the Institution.
(8) The term of office of the Board members is four years. A member whose term has expired can be re-elected. The person elected to replace the member whose term of office ends for any reason before the end of his term of office completes the remaining term of the member he was elected to replace.
(9) The elected members said before the First Presidency of the Supreme Court of Appeals: “I swear on my honor and dignity that I will fulfill my duty in accordance with the Constitution and the law, with complete impartiality, honesty, fairness and justice.” They swear as follows. Applications for oath to the Supreme Court are considered urgent matters.
––––––––––––––––
(1) With Article 163 of the Decree Law No. 703 dated 2/7/2018, the phrases “or the Council of Ministers” and “or the Prime Ministry to be submitted to the Council of Ministers” in this paragraph have been removed from the text of the article.
12310

(10) Unless based on a special law, Board members cannot take on any official or private duties other than carrying out their official duties in the Board, cannot act as managers in associations, foundations, cooperatives and similar places, cannot engage in trade, engage in freelance activities, or serve as arbitrators or experts. However, Board members may publish for scientific purposes, give lectures and conferences, and receive copyrights and lecture and conference fees arising from these, in a way that does not disrupt their primary duties.
(11) Investigations into crimes alleged to have been committed by members due to their duties are carried out in accordance with the Law No. 4483 on the Trial of Civil Servants and Other Public Officials dated 2/12/1999, and permission to investigate them is given by the President. (one)
(12) The provisions of Law No. 657 shall apply in the disciplinary investigation and prosecution against Board members.
(13) Board members cannot be dismissed for any reason before their term expires. Board members;
a) It is later understood that they do not meet the necessary conditions to be elected,
b) The finalization of the conviction given against them for the crimes they committed in connection with their duties,
c) It is definitely determined by the medical board report that they cannot fulfill their duties,
ç) It is determined that they do not attend their duties without permission, without excuse and without interruption for fifteen days or a total of thirty days in a year,
d) It is determined that they have not attended a total of three Board meetings within a month without permission or excuse, and a total of ten Board meetings within a year,
In such cases, their memberships are terminated by the decision of the Board.
(14) Those who are elected as members of the Board shall be dismissed from their previous duties as long as they serve on the Board. Those who are elected to membership while they are public servants are appointed to a position appropriate to their acquired status within one month by the authority authorized to appoint them, provided that they do not lose the conditions for entering the civil service, if their terms of office expire or if they request to leave office and apply to their former institutions within thirty days. Until the appointment is made, all payments they receive will continue to be paid by the Institution. Those who are not working in a public institution and are elected as members but whose duties end as stated above, will continue to be paid by the Institution until they start any duty or job, and the payment to be made by the Institution to those whose memberships have ended in this way cannot exceed three months. The time they spend in the Institution is deemed to have been spent in their previous institution or organization in terms of their personal rights and other rights.
Duties and powers of the board

ARTICLE 22- (1) The duties and powers of the Board are as follows:
a) To ensure that personal data is processed in accordance with fundamental rights and freedoms.
b) To decide on the complaints of those who claim that their rights regarding personal data have been violated.

––––––––––––––––
(1) With Article 163 of Decree Law No. 703 dated 2/7/2018, the phrase “Prime Minister” in this paragraph has been changed to “President”.
12311

c) Upon complaint or upon learning of an alleged violation, to examine whether personal data is processed in accordance with the law on matters within its ex officio field of duty and to take temporary measures in this regard when necessary.
ç) To determine the adequate measures required for the processing of special personal data.
d) To ensure that the Data Controllers Registry is kept.
e) To carry out the necessary regulatory actions on matters related to the Board’s field of duty and the functioning of the Institution.
f) To take regulatory action to determine obligations regarding data security.
g) To take regulatory action regarding the duties, powers and responsibilities of the data controller and his representative.
g) To decide on the administrative sanctions stipulated in this Law.
h) To express opinions on draft legislation prepared by other institutions and organizations that contain provisions regarding personal data.
i) Institution; To decide on the strategic plan, determine the goals and objectives, service quality standards and performance criteria.
i) To discuss and decide on the budget proposal prepared in accordance with the strategic plan, goals and objectives of the institution.
j) To approve and publish draft reports prepared on the institution’s performance, financial situation, annual activities and required issues.
k) To discuss and decide on suggestions regarding the purchase, sale and rental of real estate.
l) To fulfill other duties assigned by law.
Working principles of the board
ARTICLE 23- (1) The President determines the meeting days and agenda of the Board. The President may call the Board to an extraordinary meeting when necessary.
(2) The Board meets with at least six members, including the chairman, and makes decisions by the absolute majority of the total number of members. Board members cannot abstain from voting.
(3) Board members; They cannot participate in meetings and votes on issues that concern themselves, their blood relatives up to the third degree, their in-law relatives up to the second degree, their adopted children, and their spouses even if the marriage bond between them has been terminated.
(4) Board members cannot disclose the secrets they learn about relevant parties and third parties during their work to anyone other than the legally authorized authorities and cannot use them for their own benefit. This obligation continues after they leave office.
(5) The matters discussed in the board are recorded in the minutes. Decisions and justifications for dissenting votes, if any, are written within fifteen days at the latest from the date of the decision. The Board announces to the public the decisions it deems necessary.
(6) Unless otherwise agreed, discussions at Board meetings are confidential.
(7) The working procedures and principles of the Board, the writing of decisions and other matters are regulated by the regulation.
12312

Minister
ARTICLE 24- (1) The President, as the head of the Board and the Institution, is the highest authority of the Institution and organizes and executes the Institution’s services in accordance with the legislation, the Institution’s objectives and policies, strategic plan, performance criteria and service quality standards and ensures coordination between service units.
(2) The President is responsible for the general management and representation of the Institution. This responsibility includes the duties and powers of arranging, carrying out, auditing, evaluating and, when necessary, announcing to the public the activities of the Institution.
(3) The duties of the President are as follows:
a) To conduct board meetings.
b) To ensure the notification of the Board’s decisions and the public announcement of those deemed necessary by the Board and to monitor their implementation.
c) To appoint the Vice President, department heads and Institution personnel.
d) To finalize the suggestions coming from the service units and present them to the Board.
d) To ensure the implementation of the strategic plan and to establish human resources and working policies in line with service quality standards.

e) To prepare the annual budget and financial statements of the Institution in accordance with the determined strategies, annual goals and objectives.
f) To ensure coordination in order for the board and service units to work in a harmonious, efficient, disciplined and orderly manner.
g) To carry out the relations of the institution with other organizations.
g) To determine the duties and authority areas of the personnel authorized to sign on behalf of the President of the Institution.
h) To carry out other duties regarding the management and operation of the Institution.
(4) In the absence of the President of the Institution, the Vice President acts as the President.
Formation and duties of the Presidency
ARTICLE 25- (1) Presidency; It consists of the Vice President and service units. The Presidency carries out the duties listed in the fourth paragraph through service units organized as departments. The number of department heads cannot exceed seven.
(2) A Vice President is appointed by the President to assist in his duties regarding the Institution.
(3) Vice President and department heads; He/she is appointed by the President from among individuals who have graduated from at least a four-year higher education institution and who have been in public service for ten years.
(4) The duties of the Presidency are as follows:
a) To keep the Data Controllers Registry.
b) To carry out the office and secretariat operations of the Institution and the Board.
c) To represent the Institution through lawyers in lawsuits and enforcement proceedings in which the Institution is a party, to pursue or prosecute the cases, and to provide legal services.
12313

ç) To carry out the personnel affairs of the Board members and those working in the Institution.
d) To carry out the duties assigned to financial service and strategy development units by law.
e) To ensure the establishment and use of the information system for the purpose of carrying out the business and transactions of the institution.
f) To prepare draft reports on the annual activities of the Board or on needed issues and submit them to the Board.
g) To prepare the draft strategic plan of the institution.
g) To determine the personnel policy of the institution, to prepare and implement the career and training plans of the personnel.
h) To carry out the appointment, transfer, discipline, performance, promotion, retirement and similar procedures of the personnel.
i) To determine the ethical rules to be followed by the personnel and to provide the necessary training.
i) To carry out all kinds of purchasing, leasing, maintenance, repair, construction, archive, health, social and similar services that the Institution needs within the framework of the Public Financial Management and Control Law No. 5018 dated 10/12/2003.
j) To keep records of movable and immovable properties belonging to the Institution.
k) To perform other duties assigned by the Board or the President.
(5) Service units and the working procedures and principles of these units are determined by the regulation put into effect by the President upon the proposal of the Institution, in accordance with the field of activity, duties and powers specified in this Law. (one)
Personal Data Protection Expert and assistant experts
ARTICLE 26- (1) Personal Data Protection Expert and Assistant Personal Data Protection Expert may be employed in the institution. Among these, those appointed to the Personal Data Protection Specialist position within the framework of additional article 41 of Law No. 657 are given a one-time promotion.
Provisions regarding personnel and personal rights
ARTICLE 27- (1) Institution personnel are subject to Law No. 657, except for the matters regulated by this Law.
(2) Payments made within the scope of financial and social rights to the Chairman and members of the Board and the personnel of the Institution, as well as to the equivalent personnel determined in accordance with the additional article 11 of the Decree Law No. 375 dated 27/6/1989, are paid within the framework of the same procedures and principles. Payments made to comparable personnel that are not subject to taxes and other legal deductions will not be subject to taxes and other deductions according to this Law.
(3) The Chairman and members of the Board and the staff of the Institution are subject to the provisions of subparagraph (c) of the first paragraph of Article 4 of the Social Insurance and General Health Insurance Law No. 5510 dated 31/5/2006. The Chairman and members of the Board and the staff of the Institution are considered equal to the personnel designated as peers in terms of retirement rights. Article 4 of Law No. 5510
–––––––––––––––––
(1) With Article 163 of the Decree Law No. 703 dated 2/7/2018, the phrase “by the decision of the Council of Ministers” in this paragraph has been changed to “by the President”.
12314

Among those who were appointed as Chairman and Members of the Board while they were insured within the scope of clause (c) of the first paragraph, these duties have ended or those who wish to leave these positions, their service periods in these positions are taken into account in determining the vested rights’ salaries, degrees and levels. The period spent in these duties by those who fall within the scope of the provisional article 4 of Law No. 5510 during their duties is considered as the period for which office compensation and representation compensation must be paid. In public institutions and organizations, those who are appointed as Chairman and Members of the Board while they are insured within the scope of subparagraph (a) of the first paragraph of Article 4 of Law No. 5510, shall not be required to be paid severance pay or end-of-employment compensation if their relations with their previous institutions and organizations are severed. The service periods for which severance pay or end-of-employment compensation must be paid for those in this situation are combined with the service periods spent as the Chairman of the Board and as a Board member and are evaluated as the period for which retirement bonuses will be paid.
(4) In public administrations within the scope of central government, social security institutions, local administrations, administrations affiliated with local administrations, local administration unions, organizations with revolving funds, funds established by law, organizations with public legal personality, organizations with more than fifty percent of their capital belonging to the public, economic state enterprises Civil servants and other public servants working in public economic institutions and their subsidiaries and institutions may be temporarily assigned to the Institution with the consent of their institutions, and judges and prosecutors may be temporarily assigned to the Institution, provided that their salaries, allowances, all kinds of raises and compensations and other financial and social rights and benefits are paid by their institutions. . The institution’s requests in this regard are primarily finalized by the relevant institutions and organizations. Personnel assigned in this way are considered to be on paid leave from their institutions. As long as these personnel are on leave, their civil service and personal rights continue, and these periods are also taken into account in their promotions and retirements, and their promotions are made in due time without the need for any other action. The periods spent by those appointed within the scope of this article in the Institution are deemed to have been spent in their own institutions. The number of those appointed in this way cannot exceed ten percent of the total number of Personal Data Protection Experts and Assistant Personal Data Protection Experts and the appointment period cannot exceed two years. However, if necessary, this period can be extended for one-year periods. (one)
(5) The job titles and numbers of the personnel to be employed in the institution are shown in the attached table (I). Changes in title and degree, addition of new titles and cancellation of vacant positions, provided that they are limited to the staff titles in the tables annexed to the Decree Law No. 190 on General Staff and Procedure dated 13/12/1983, not exceeding the total number of staff, are made by the decision of the Board.

CHAPTER SEVEN
Miscellaneous Provisions
exceptions
ARTICLE 28- (1) The provisions of this Law do not apply in the following cases:
a) Processing of personal data by natural persons within the scope of activities related to themselves or their family members living in the same residence, provided that they are not given to third parties and obligations regarding data security are complied with.

_________________
(1) With the article 119 of Law No. 7061 dated 28/11/2017, the phrase “and judges and prosecutors, their own consent” has been added after the phrase “consent of other public officials and institutions” in this paragraph.
12315

b) Processing of personal data for purposes such as research, planning and statistics by anonymizing them with official statistics.
c) Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that it does not violate national defence, national security, public security, public order, economic security, privacy of private life or personal rights or constitute a crime.
d) Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defence, national security, public security, public order or economic security.
d) Processing of personal data by judicial authorities or enforcement authorities regarding investigation, prosecution, trial or enforcement proceedings.

(2) Provided that it is in accordance with and proportionate to the purpose and basic principles of this Law, Article 10, which regulates the data controller’s obligation to inform, Article 11, which regulates the rights of the data subject, except for the right to request compensation for damage, and Article 16, which regulates the obligation to register in the Data Controllers’ Registry, do not apply in the following cases:
a) Processing personal data is necessary for the prevention of crime or criminal investigation.
b) Processing of personal data made public by the relevant person.
c) Processing of personal data is necessary for the execution of auditing or regulatory duties and disciplinary investigation or prosecution by public institutions and organizations and professional organizations that are public institutions, based on the authority granted by the law.
ç) Personal data processing is necessary to protect the economic and financial interests of the State regarding budget, tax and financial matters.
Budget and revenues of the institution
ARTICLE 29- (1) The budget of the institution is prepared and accepted in accordance with the procedures and principles determined in Law No. 5018.
(2) The income of the institution is as follows:
a) Treasury aid from the general budget.
b) Income obtained from movable and immovable properties belonging to the institution.
c) Donations and aid received.
ç) Income obtained from the evaluation of income.
d) Other income.
Amended and added provisions
ARTICLE 30- (1) (It is related to Law No. 5018 dated 10/12/2003 and has been replaced.)
(2) to (5) – (Related to Law No. 5237 dated 26/9/2004 and replaced by it.)
(6) (It is related to the Health Services Fundamental Law No. 3359 dated 7/5/1987 and has been replaced.)

12316

(7) (It is related to the Decree Law No. 663 on the Organization and Duties of the Ministry of Health and its Affiliated Organizations dated 11/10/2011 and has been entered in its place.)
regulation
ARTICLE 31- (1) Regulations regarding the implementation of this Law are put into effect by the Authority.
Transitional provisions
PROVISIONAL ARTICLE 1- (1) Within six months from the date of publication of this Law, Board members are elected according to the procedure stipulated in Article 21 and the Presidency organization is established.
(2) Data controllers must register with the Data Controllers Registry within the period determined and announced by the Board.
(3) Personal data processed before the publication date of this Law shall be brought into compliance with the provisions of this Law within two years from the publication date. Personal data that is found to be contrary to the provisions of this Law will be immediately deleted, destroyed or made anonymous. However, consents lawfully obtained before the publication date of this Law are deemed to be in compliance with this Law, unless a contrary declaration of intent is made within one year.
(4) The regulations stipulated in this Law shall come into force within one year from the date of publication of this Law.
(5) Within one year from the date of publication of this Law, a senior manager will be determined and reported to the Presidency to ensure coordination regarding the implementation of this Law in public institutions and organizations.
(6) The first elected President, the Second President and two members determined by lot shall serve for six years; The other five members serve for four years.
(7) Until the budget is allocated to the institution;
a) The expenses of the institution are covered by the Prime Ministry budget.
b) All necessary support services such as buildings, vehicles, equipment, furnishings and equipment are provided by the Prime Ministry in order for the institution to perform its services.
(8) Secretariat services are provided by the Prime Ministry until the service units of the institution become operational.
PROVISIONAL ARTICLE 2- (Added:28/11/2017-7061/120 art.)
(1) Graduates from political sciences, economics and administrative sciences, economics, law and business faculties that provide at least four years of undergraduate education, electronics, electrical-electronics, electronics and communications, computer and information systems engineering departments of engineering faculties, or their equivalents are determined by the Council of Higher Education. Graduates of accepted higher education institutions at home and abroad; After a certain period of in-service training and a special proficiency exam entered through a special competitive exam for the profession, they were appointed to the staff of the central organizations of the institutions related to the titles specified in subparagraph (11) of paragraph (A) of the section titled “Common Provisions” of Article 36 of Law No. 657. Those who have been in the position for at least two years, excluding the periods of unpaid leave, and those who are in the position of faculty member, must receive at least seventy points from the Foreign Language Proficiency Exam and be under the age of forty as of the date of appointment, within one year from the date of entry into force of this article. They can be appointed as Data Protection Experts. The number of those to be appointed in this way cannot exceed fifteen.

12317
Force
ARTICLE 32- (1) Of this Law;
a) Six months after the date of publication of the 8th, 9th, 11th, 13th, 14th, 15th, 16th, 17th and 18th articles,
b) Other articles on the date of publication,
comes into force.
Executive

ARTICLE 33- (1) The provisions of this Law shall be enforced by the Council of Ministers.