Personal Data Protection Q&A

The Personal Data Protection Law numbered 6698, regulating personal data processing, was published on 7 April 2016.

PERSONAL DATA: any information related to an identified or identifiable real person
  • Name/Surname
  • E-mail Address
  • Physical Features
  • ID Number
  • Phone Number
  • Birth Date
  • Photos & Videos
  • CV Information

What is Sensitive Personal Data?
According to article 6/1 of the Law, sensitive personal data means the data relating to:
  • Race
  • Ethnic Origin
  • Political Opinions
  • Health
  • Religion
  • Sexual life
  • Appearance and dressing
  • Membership of association, foundation or trade-union
  • Philosophical beliefs
  • Sect or other beliefs
  • Criminal conviction and security measures
  • Biometrics and genetics

What is Personal Data Processing?
Personal Data Processing means all transactions made regarding personal data, such as:
  • Recording
  • Editing
  • Organizing
  • Making Accessible

RULE: Is it required to obtain explicit consent when processing personal data?
According to articles 5/1 and 6/2 of the Law, personal data and sensitive personal data shall not be processed without obtaining the explicit consent of the data subject.
The Personal Data Protection Board (the «Board») has been established to oversee personal data processing.

EXCEPTIONS: Processing of Personal Data Without Explicit Consent
Pursuant to article 5/2 of the Law, personal data may be processed without obtaining the explicit consent of the data subject when one of the conditions below exists:
  • It is expressly permitted by any law
  • It is necessary to protect the life or physical integrity of the data subject or another person where the data subject is physically or legally incapable of giving consent
  • It is necessary to process the personal data of parties of a contract, provided that the processing is directly related to the execution or performance of the contract
  • It is necessary for compliance with a legal obligation which the data controller is subject to
  • The relevant information is revealed to the public by the data subject herself/himself
  • It is necessary for the establishment, usage or protection of a right
  • It is necessary for the legitimate interests of the data controller, provided that the fundamental rights and freedoms of the data subject are not harmed

EXCEPTIONS: Processing of Sensitive Personal Data Without Explicit Consent
According to article 6/3 of the Law, personal data other than the data relating to health and sexual life may be processed without obtaining the explicit consent of the data subject if processing is permitted by any law.
Personal data relating to health and sexual life may only be processed without obtaining the explicit consent of the data subject for purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment, and care services, planning and management of health services and financing, by persons under the obligation of secrecy or authorized institutions and organizations.

Who is Data Controller and Data Processor?
  • Data Controller: the natural or legal person who determines the purposes and means of the processing of personal data, and who is responsible for establishment and management of the filing system
  • Data Processor: the natural or legal person who processes personal data based on the authority granted by and on behalf of the data controller

Data Controllers Registry
  • According to article 16 of the Law, the Data Controllers Registry (the «Registry») shall be kept in a publicly available manner under the supervision of the Board.
  • The Law stipulates that the procedures and principles relating to the Data Controllers Registry shall be regulated by a regulation. Within this scope, the Draft Regulation regarding Data Controllers Registry (the «Controllers Regulation») has been published on 05.2017.
  • Real and legal persons who process personal data shall be registered with the Data Controllers Registry before they start processing personal data.
  • The transactions which the data controllers will make with the Registry shall be performed via VERBİS (Data Registry Information System).
  • As per article 13 of the Controllers Regulation, the data controllers shall be obliged to pay a registration fee to the Registry for the first registration and also for each year during the term in which they are registered with the Registry.

Data Controllers Registry
As per article 7/2 of the Controllers Regulation, below information shall be recorded with the Registry and publicly:
  • The identity of the data controller and if any, its representative
  • The purposes for which personal data will be processed
  • The group or groups of persons subject to the data and explanations regarding data categories belonging to these persons
  • Recipient or groups of recipients to whom personal data may be transferred
  • Personal data which is envisaged to be transferred abroad
  • The registration date and the termination date of the validity of the registration
As per the Controllers Regulation, Data Controllers must fulfill their obligation to get registered with the Registry before processing the personal data. The Data Controllers who were not obliged to be registered but became an obligor afterwards shall be registered with the Registry within 30 days after they become an obligor.
The legal persons resident in Turkey shall fulfill their Data Controller obligations through the body which is authorized to represent and bind the legal person. For the legal persons who are not resident in Turkey, the Data Controller representative has been introduced by article 11 of the Controllers Regulation.

Deletion, Destruction & Anonymization of Personal Data
  • According to article 7 of the Law, when the reason(s) for processing the data are eliminated, related personal data must be deleted, destroyed or anonymised ex officio by the Data Controller or on request by a related person.
  • The Law stipulates that the procedures and principles relating to deletion, destruction and anonymization of personal data shall be set forth by a regulation. Within this scope, the Draft Regulation regarding Deletion, Destruction & Anonymization of Personal Data (the «Deletion Regulation») has been published on 29.05.2017.
  • The deleted data must not be reaccessible and the anonymized data must not be matchable with an identifiable person.
  • Persons who are obliged to get registered with the Data Controller Registry must prepare a personal data storage and destruction policy pursuant to the Deletion Regulation.

Transferring of Personal Data
According to articles 8 and 9 of the Law, the transfer of personal data to third parties and to foreign countries can only be made with the explicit consent of the data subject.
The consent of the data subject is not sought only where the above-mentioned conditions for the processing of personal data (article 5/2) and sensitive data (article 6/3) exist.
Personal data may be transferred abroad without obtaining the explicit consent of the data subject if one of the conditions set forth in article 5/2 or article 6/3 exists and
  • If the foreign country to which personal data will be transferred has an adequate level of protection,
  • In case there is no adequate level of protection, if the data controllers in Turkey and abroad undertake, in writing, to provide an adequate level of protection and the permission of the Board exists
Save for the provisions of international agreements, in cases where interests of Turkey or the data subject will be seriously harmed, personal data shall only be transferred abroad upon the approval of the Board by obtaining the opinion of relevant public institutions and organizations.

Obligation to Inform
The Data Controller is obliged to inform the data subject regarding:
  • The identity of the data controller and if any, its representative
  • The purposes for which personal data will be processed
  • The persons to whom processed personal data might be transferred and the purposes of the same
  • The method and legal cause of collection of personal data
  • The rights set forth under article 11 (next slide)

Rights of the Concerned Person
As per article 11 of the Law, the concerned person has the right to:
a) Learn whether or not her/his personal data has been processed
b) Request information as to processing if her/his data has been processed
c) Learn the purpose of processing of the personal data and whether data is used in accordance with its purpose
d) Know the third parties in the country or abroad to whom personal data have been transferred

d) Request rectification in case personal data are processed incompletely or inaccurately
e) Request deletion or destruction of personal data within the framework of the conditions set forth under article 7
f) Request notification of the operations made as per paragraphs (d) and (e) to third parties to whom personal data have been transferred
g) Object to occurrence of any result that is to her/his detriment by means of analysis of personal data exclusively through automated systems
h) Request compensation for the damages in case the person incurs damages due to unlawful processing of personal data by applying to the Data Controller

Applications and Complaint
  • Pursuant to article 13 of the Law, the concerned person can file complaint applications and data controllers must answer these requests within a maximum period of 30 days.
  • The data controller may accept the request or reject the same by explaining the reason and notify its reply to the concerned person in writing or electronically.
  • As per article 14 of the Law, if the application is rejected, or replied insufficiently, or not replied in the mentioned period, the concerned person may file a complaint with the Board within 30 days following the date he/she receives the reply and, in any event, within 60 days following the date of application.
  • The complaint remedy cannot be used without first exhausting the application remedy set forth under article 13 of the Law.

Offenses & Penalties
  • The crimes and administrative sanctions are provided under articles 17 and 18 of the Law.
  • Under article 18 of the Law, such administrative sanctions are between the range of TRY 5,000 and TRY 1,000. Sanctions for different cases are regulated in detail under article 18 of the Law.
  • Articles between 135 and 140 of the Turkish Criminal Code numbered 5237 are still in force with regard to the offenses regarding the personal data along with these administrative sanctions.

Tel.: +90 212 325 90 20
Fax: +90 212 325 90 23
E-mail: info@gurlaw.com, tevfik@gurlaw.com, sena@gurlaw.com, derya@gurlaw.com