Obligations Taken Under The Law On Protection Of Personal Data (LPPD)

Developments in the IT world have brought the danger of unauthorized access to personal data

It is possible to access personal data with a little effort with today’s information technology. The commercial life is now faster, more efficient and results-oriented for entrepreneurs who realize the ease of this. Is the situation secure enough? Now if it is necessary to ask a question; Is it legal to be able to access personal data so easily and to be able to reach a large number of users at the same time? In particular, while many personal data can be exchanged through social media profiles, how will all this data be protected? Like many other information, after the transfer of personal data to the digital world, the need to control the roaming and transmission of data have emerged. As a matter of fact, developments in the IT world have put the risk of breach of many fundamental rights and freedoms, creating the risk of access to personal data by unauthorized persons. For this reason, the need to obtain, record, transfer and protect personal data within the framework of certain rules has emerged. In this context, with the entry into force of the LPPD became the agenda of the company executives who became responsible.

Personal data is defined in the LPPD as any information relating to the identified or identifiable real person


The protection of personal data is guaranteed by the regulation made in article 20 of the Constitution. In articles 135 et al. of the TPC No. 5237, the unlawful acquisition, recording or disclosure of personal data is criminally sanctioned. Privacy act No. 6698 was adopted on 24.03.2016 and entered into force by being published in the Official Gazette on 07.04.2016 In addition, within the scope of LPDD, the Personal Data Protection Authority, which has administrative and financial autonomy and has a public legal personality, has been established. Although the provisions of the LPPD are in force, the Institution has foreseen a certain transition period for the obligation to enter the Personal Data Protection Authority Data Officers Registry Information System (VERBİS) as stipulated in the law. With the latest change:

– The deadline for registering with VERBİS for data managers with an annual number of employees more than 50 or an annual financial balance sheet of more than TL 25 million and all data manager’s resident abroad has been extended to June 30, 2020

– The number of employees who are less than 50 per year and the total annual financial balance is less than TRY 25 million and the period of time for the registration of the real or legal persons whose main activity is special personal data processing to VERBIS has been extended to 30 September 2020

– The deadline for the registration of the public institutions and organizations to VERBIS has been extended to 31 December 2020. However, the provisions of the law and sanctions are already again in force and there is no transition process except for registration with VERBİS.


Personal data is defined in the LPPD as any information relating to the identified or identifiable real person. The person’s; information providing a definitive diagnosis, such as first and last name, date of birth and place of birth; concrete data expressing its physical, economic and social identity are covered. In addition, information that enables the person to be identified as a result of being associated with any record, such as identification, tax number, and qualifications such as the person’s e-mail address, telephone number, picture, image, voice recordings and fingerprints, are also evaluated as of personal data. The processing of personal data is defined as any process performed on data such as obtaining, storing, storing, changing, rearranging, transferring, taking over or using information completely or partially automatically or non-automatically provided that it is part of any data recording system. In addition to the general personal data, the LPPD is also issued special data. Information about security measures with biometric and genetic data of people with respect to race, ethnicity, political thought, philosophical belief, religion, sect or other beliefs, appearance and clothing, membership to an association, foundation or trade union, medical condition, sexual life, criminal conviction are the personal data. The acquisition of this data by others is considered as data that a person may be discriminated against positively or negatively. Therefore, more stringent conditions have been introduced for the protection of relevant data.

Processing of personal data refers to transactions such as obtaining, recording, storing, modifying, reorganizing, transferring information in whole or in part automated or non-automatic means


At LPPD, those responsible for protecting and processing data are arranged separately and the obligations that must be fulfilled in the processing of personal data have been uploaded to the data manager. The data officer shall determine the purposes and means of processing personal data, the real or legal person responsible for the establishment and management of the data registration system, and the data processor shall, on its behalf, refers to the real or legal person who processes the data. The data officer has many obligations under LPPD and the most important are as follows:

– Obligation to Obtain and Clarify Consent: The data officer or authorized person at the time of obtaining personal data shall be liable to the persons concerned in such a way that the identity of the data manager is obliged to provide information about the purpose for which personal data will be processed, to whom it can be transferred for what purpose, the method and legal reason for collecting personal data.

– Data Security Obligations: The data officer must take all technical and administrative measures to prevent unlawful processing and access of personal data and to ensure the protection of the data.

– Responding to Applications submitted by Related Persons: Anyone may apply to the data manager in accordance with their rights under article 11th of the LPPD regarding whether their personal data has been processed. The data officer must answer the applications.

– Obligation to Register with data managers: Real and legal persons who process personal data must register with VERBIS before they can process data.


The judicial and administrative sanctions faced by real persons and legal entities in case of non-fulfilment of the obligations set out in LPPD are regulated under the heading of “Misdemeanours in Article 18 of the LPPD. In case of violations requiring imprisonment, LPPD refers to the Turkish Penal Code. It should be noted in particular that the data officer who is the subject of these sanctions and who is responsible for the data in the companies is the corporate entity itself. Consequently, the sanctions envisaged under the LPPD will arise directly on the company. Consequently, in order to avoid any sanctions, the fulfilment of the requirements of the LPPD without delay should be one of the priorities of the companies.

Elmadağ Attorneys and Counsellors Atty. Dr. Ramazan Arıtürk – Atty. Güniz Çiçek

Leave a Comment

Your email address will not be published.

Start typing and press Enter to search