On June 26, 2020, the Personal Data Protection Authority ("DPA") issued an announcement regarding the notice requirement. In its investigations, the DPA identified certain deficiencies and instances of non-compliance in how data controllers fulfill the notice requirement. The DPA noted that data controllers must be particularly vigilant about certain matters when fulfilling the notice requirement to avoid administrative sanctions.
The DPA's full announcement is available online here (in Turkish).
According to Article 10 of the Law on the Protection of Personal Data ("Law"), data controllers must inform data subjects about any personal data they process about them (i.e., the notice requirement). Accordingly, data controllers must comply with the Law, the Communiqué on Procedures and Principles in Fulfilling the Notice Requirement, the DPA's guidelines, the Personal Data Protection Board's ("Board") decisions, and the following matters:
- The notice requirement must be fulfilled during the collection of personal data. The burden of proof regarding the fulfillment of the notice requirement lies with the data controller.
- Privacy notices must contain, at minimum, the information listed under Article 10 of the Law (the identity of the data controller or its representative; the processing purposes; the recipients of the personal data; the purposes of the data transfer; the methods of collecting personal data; the legal ground for processing; and the rights of the data subject).
- If personal data cannot be obtained directly from the data subject due to a physical impossibility or inaccessibility of the data subject, the notice requirement must be fulfilled within a reasonable time after the collection of personal data.
- If personal data will be used to contact the data subject, the notice requirement must be fulfilled at the time of first contact. If the personal data will be transferred, the notice requirement must be fulfilled at the time of the first transfer.
- When explaining the processing purpose, data controllers must avoid using any wording that may give the impression that personal data may be processed for other possible purposes in the future.
- Privacy notices must not contain general, ambiguous, incomplete, misleading or inaccurate information.
- The processing purpose and legal grounds for processing are separate elements. The legal grounds for processing that must be included in the privacy notices mean the processing conditions under Articles 5 and 6 of the Law.
- General privacy policies or data processing policies that are not limited to a specific processing activity must not be used as privacy notices.
- Privacy notices must be easily accessible and visible. Any methods that may make data subjects' access to the privacy notice difficult must not be used.
- If personal data will be transferred, the purpose of the transfer as well as the recipients or recipient groups must be included in the privacy notice.
- If layered privacy notices are used, the first layer notice must contain fundamental information such as the identity of the data controller and the purpose of the processing. Second layer notices, which provide detailed information on processing, must be limited to the relevant processing activity.
The DPA may impose administrative fines on data controllers that fail to fulfill the notice requirement according to the Law. In this respect, all data controllers must review their processes in accordance with the Board's recent announcement.