These are the data that have been disclosed to the public by the data subject in any way, and for which the data subject has the intention to make it public. The mere fact that a person's personal data is placed in a location where everyone can see it does not make it public. For personal data to be considered public, the data subject must wish for it to be made public.
If personal data has been made public by the data subject, can the data controller process this personal data for any purpose?
No, they cannot. Personal data made public by the data subject may only be processed in line with the purpose of the data subject’s act of making it public. Therefore, in every data processing activity, the data subject’s intention to make the data public must be evaluated. For example, if a person lists their car for sale on a website and shares their contact information there, that information may only be used for the purpose of purchasing the car or obtaining information about the listing. Using such personal data for any other purpose would constitute a violation of the Law.
Is it lawful under the Law to process personal data based on consent obtained during a purchase, such as ‘I consent to the processing and sharing of my personal data’?
No, it is not. If explicit consent is required for the processing of personal data, such consent must meet the conditions of being ‘related to a specific subject’, based on informed decision’, and ‘freely given’. A statement such as ‘I consent to the processing and sharing of my personal data’ does not relate to a specific subject, and since it is unclear which data will be processed and with whom it will be shared, it cannot be considered as valid explicit consent.
Under what conditions should personal data be deleted, destroyed, or anonymized?
If all conditions for the processing of personal data, as set out in the relevant articles of the Law, cease to exist, the personal data must be deleted, destroyed, or anonymized by the data controller, either ex officio or upon the request of the data subject. All actions taken regarding the deletion, destruction, or anonymization of personal data must be recorded, and these records must be retained for at least three years, excluding other legal obligations.
Can personal data be processed only if explicit consent is obtained from the data subjects?
No, although explicit consent is one of the legal grounds for processing personal data, it is not the only condition that legitimizes data processing. The Law provides other legal bases for data processing, and if one of these conditions is met, personal data may be processed without the explicit consent of the data subject. Therefore, when a data processing activity is considered, the other legal grounds specified in the Law should be examined first, and explicit consent should only be sought if none of those conditions apply.
What does it mean for personal data to be public?
These are the data that have been disclosed to the public by the data subject in any way, and for which the data subject has the intention to make it public. The mere fact that a person's personal data is placed in a location where everyone can see it does not make it public. For personal data to be considered public, the data subject must wish for it to be made public.
If personal data has been made public by the data subject, can the data controller process this personal data for any purpose?
No, they cannot. Personal data made public by the data subject may only be processed in line with the purpose of the data subject’s act of making it public. Therefore, in every data processing activity, the data subject’s intention to make the data public must be evaluated. For example, if a person lists their car for sale on a website and shares their contact information there, that information may only be used for the purpose of purchasing the car or obtaining information about the listing. Using such personal data for any other purpose would constitute a violation of the Law.
Is it lawful under the Law to process personal data based on consent obtained during a purchase, such as ‘I consent to the processing and sharing of my personal data’?
No, it is not. If explicit consent is required for the processing of personal data, such consent must meet the conditions of being ‘related to a specific subject’, based on informed decision’, and ‘freely given’. A statement such as ‘I consent to the processing and sharing of my personal data’ does not relate to a specific subject, and since it is unclear which data will be processed and with whom it will be shared, it cannot be considered as valid explicit consent.
Under what conditions should personal data be deleted, destroyed, or anonymized?
If all conditions for the processing of personal data, as set out in the relevant articles of the Law, cease to exist, the personal data must be deleted, destroyed, or anonymized by the data controller, either ex officio or upon the request of the data subject. All actions taken regarding the deletion, destruction, or anonymization of personal data must be recorded, and these records must be retained for at least three years, excluding other legal obligations.
Can personal data be processed only if explicit consent is obtained from the data subjects?
No, although explicit consent is one of the legal grounds for processing personal data, it is not the only condition that legitimizes data processing. The Law provides other legal bases for data processing, and if one of these conditions is met, personal data may be processed without the explicit consent of the data subject. Therefore, when a data processing activity is considered, the other legal grounds specified in the Law should be examined first, and explicit consent should only be sought if none of those conditions apply.
SubscribeYou can subscribe to stay updated on the shared blogs.
Turkish
