Amendments to Turkish Banking Law No. 5411 in February 2020 introduced important provisions regarding how banks handle confidential customer data. Based on these provisions, the Banking Regulation and Supervision Agency introduced a secondary regulation that was finalized in March, the Regulation on Banks’ Information Technology and Electronic Banking Services. This regulation contains binding provisions related to data processing and transferring of bank…
Within the scope of the fight against Covid-19, provisional article 13, which was added to the Turkish Commercial Code ("TCC") on April 16, 2020, imposed some restrictions on the dividend distribution rights of equity companies until 30 September 2020. The exemptions regarding the companies covered by the regulation, and the procedures and principles in relation to the practice, were determined by the Communiqué issued by the Ministry of Commerce ("Ministry") and…
Pursuant to Article 16 of the Data Protection Law, an obligation to register in the Data Controllers Registry has been introduced for data controllers.
In 2018, the Board issued decisions granting exemptions from the registration obligation to certain professional groups, associations and political parties. The Board also granted a general exemption to local data controllers that have fewer than 50 employees, and actively less than TRY 25 million on their balance sheets.
Data…
The Data Protection Law requires data controllers to notify the relevant data subject and the Board as soon as possible when made aware of such a data breach. In its decision dated January 24, 2019 and numbered 2019/9, the Board clarified the rules and procedures to be applied in data breach incidents.
The Board takes the GDPR approach to the timing of breach notifications, and has clarified that the term “as soon as possible” must be interpreted as 72 hours of…
Sensitive and non-sensitive personal data can be transferred abroad if the explicit consent of the data subject is obtained.
Furthermore, other legal grounds will also apply to the transfer of personal data to the foreign country. However, the destination country must have “sufficient protection” in order to conclude the transfer abroad based on legal grounds (except for having obtained explicit consent). A list of jurisdictions that provide sufficient protection is to be…
Sensitive and non-sensitive personal data can be transferred to third parties if the explicit consent of the data subject is obtained, or if one of the additional legal grounds is applicable for such transfer.
The Data Protection Law does not provide a definition for a third party; therefore, any individual or entity (other than the data controller and the data subject) may be considered a third party. This creates a problem, especially in relation to transfers between data…