TÜRKIYE Law and Practice Contributed by: Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Simge Yüce and Yiğit Aktimur, YAZICIOGLU Legal
3.2 Interaction of Data Regulation and Data Protection

There are no specific data regulations on IOT providers, data holders, and data processing services; general rules apply.

3.3 Rights and Obligations Under Applicable Data Regulation

Due to the absence of a standalone regulation specifically addressing the use of IOT and data processing services, general obligations outlined in the DP Law apply insofar as these services involve the processing of personal data. Accordingly, the obligations applicable to providers of IOT services and data processing services may vary depending on their role as a controller or processor in data processing.

Obligations established by the DP Law are predominantly imposed on controllers, who determine the purpose and means of processing personal data. Key obligations are outlined below.

• Registering with the Registry of Controllers (VERBIS): Controllers who meet specific criteria must register with VERBIS. To register with VERBIS, controllers based outside Türkiye are also required to appoint a representative to act on their behalf before the DPA and data subjects. Additionally, they must designate a “contact person” responsible for submitting information to VERBIS and facilitating communication between the DPA and controllers.
  (a) Controllers required to register with VERBIS must also maintain a data processing inventory and implement a Personal Data Retention and Destruction Policy, as outlined in the By-Law on the Disposal of Personal Data.
• Providing privacy notices: Controllers are obligated to inform data subjects about the processing of their personal data, including any transfers to third parties. The Communique on Obligation to Inform outlines the minimum information to be included in privacy notices. Additionally, based on DPA decisions, privacy notices are expected to clearly specify the types of personal data (and/or categories), the purposes of processing, the legal basis for processing, and the methods used for data collection.
• Implementing technical and administrative measures: Controllers must implement appropriate technical and organisational measures to prevent unlawful processing and unauthorised access, as well as to ensure the protection of personal data.
• Addressing data subject requests: Controllers must promptly address requests from data subjects (and no later than 30 days). If the request is rejected, the response is insufficient, or there is no response within the timeframe, data subjects can file a complaint with the DPA within 30 days of receiving the response or 60 days from the application date.
• Notifying the DPA of data breaches: In the event of a data breach, controllers must notify the DPA immediately and within 72 hours of becoming aware of the breach, where possible. Additionally, controllers must inform affected data subjects as soon as possible, providing them with the necessary details regarding the breach and potential risks to their personal data.

Furthermore, a controller’s accountability extends to its processing activities and those of its processors. Per the DP Law, controllers are jointly responsible for ensuring that processors implement the necessary technical and administrative measures while processing data on their behalf. Therefore, in practice, proces-