Prior to the Amendment Law, personal data could mostly be transferred abroad with the explicit consent of the data subject, as the other legal grounds specified in the legislation were either not available or not applicable. Since the Law's enactment in 2016, the fact that the Board had not yet established a list of countries providing adequate protection had significantly limited and complicated the practice of cross-border data transfer. This situation made obtaining…
»
Pursuant to Article 16 of the Law, data controllers who meet certain criteria are obliged to register with the Data Controllers’ Registry ("VERBIS"). The procedures and principles regarding the VERBIS system, which is open to the public, are determined by the "Regulation on the Data Controllers Registry" dated December 30, 2017 ("VERBIS Regulation").
With the Board's decisions dated 2018, various professional groups, associations, foundations and political parties were…
»
With the rapid expansion of the use of artificial intelligence (AI) and its integration into all areas of life, it has become essential to establish a legal framework that regulates the safe and ethical development, distribution and use of AI systems, considering the complexity and unique characteristics of this technology.
In addition to promoting the safe, transparent, and human rights-respecting development of AI technologies, and aiming to protect the safety, rights, and…
»
Cookies play a crucial role in personalizing and improving the user experience in the digital world. Although the use of cookies contributes greatly to personalizing the internet experience and remembering users’ online preferences, this process has also raised various privacy and data protection concerns. One of the biggest concerns regarding the processing of personal data through cookies is that users are often unaware of this process or that sufficient transparency is not…
»
The Law requires data controllers to notify the Board and the data subject as soon as possible after becoming aware of the data breach. In its decision dated January 24, 2019 and numbered 2019/19 ("Decision"), the Board clarified the rules and procedures to be followed in data breach cases.
The Board adopted the approach of the GDPR in terms of the timing of breach notifications and explained that the phrase "as soon as possible" in the Law must be interpreted as within 72…
»
Pursuant to the Law, the Board has the authority to impose administrative sanctions. It has been regulated that the Board may impose administrative fines for non-compliance with the obligation of disclosure, obligations related to data security, failure to comply with the decisions issued by the Board, violations of the obligation to register and notify the Data Controllers’ Registry, or non-compliance with the notification obligation regarding standard contracts. In addition…
»
