Common Misconceptions About Personal Data Protection Law
Can a natural or legal person be both a data controller and a data processor?
Yes, it is possible. For instance, a cloud computing company acts as a data controller concerning the personal data it holds about its own employees, while it is considered a data processor regarding the data it holds on behalf of its clients as part of the services it provides. Therefore, depending on the activities performed, a natural or legal person may simultaneously act as both a data controller and a data processor.
Is anonymized data considered personal data?
No, anonymized data can no longer be regarded as personal data. The law defines “anonymization” as the process of rendering personal data incapable of being associated with an identified or identifiable natural person, even when matched with other data. Since anonymized data cannot be linked to a real person, it cannot be considered personal data.
Is explicit consent subject to any form requirement?
The law does not specify any form requirement for obtaining explicit consent. What matters is that the explicit consent meets the elements set forth in the law and can be proven. Therefore, explicit consent may be obtained orally, in writing, electronically, or in a physical environment. The burden of proof regarding the acquisition of explicit consent rests with the data controller.
Can the data subject only apply to the data controller on their own behalf?
Yes, pursuant to Article 11 of the Law, the data subject, as a rule, has the right to apply to the data controller solely concerning matters related to themselves.
Can the data subject find out whether third parties are processing their personal data by applying to the data controller?
Yes, pursuant to Article 11 of the Law, “Each person has the right to request the data controller about him/her; to learn whether his/her personal data is processed or not, (…) to know the third parties to whom his personal data is transferred within the country or abroad.” Therefore, the data subject has the right to know the third parties to whom their personal data has been transferred by the data controller, provided that it concerns their own data.
Can a natural or legal person be both a data controller and a data processor?
Yes, it is possible. For instance, a cloud computing company acts as a data controller concerning the personal data it holds about its own employees, while it is considered a data processor regarding the data it holds on behalf of its clients as part of the services it provides. Therefore, depending on the activities performed, a natural or legal person may simultaneously act as both a data controller and a data processor.
Is anonymized data considered personal data?
No, anonymized data can no longer be regarded as personal data. The law defines “anonymization” as the process of rendering personal data incapable of being associated with an identified or identifiable natural person, even when matched with other data. Since anonymized data cannot be linked to a real person, it cannot be considered personal data.
Is explicit consent subject to any form requirement?
The law does not specify any form requirement for obtaining explicit consent. What matters is that the explicit consent meets the elements set forth in the law and can be proven. Therefore, explicit consent may be obtained orally, in writing, electronically, or in a physical environment. The burden of proof regarding the acquisition of explicit consent rests with the data controller.
Can the data subject only apply to the data controller on their own behalf?
Yes, pursuant to Article 11 of the Law, the data subject, as a rule, has the right to apply to the data controller solely concerning matters related to themselves.
Can the data subject find out whether third parties are processing their personal data by applying to the data controller?
Yes, pursuant to Article 11 of the Law, “Each person has the right to request the data controller about him/her; to learn whether his/her personal data is processed or not, (…) to know the third parties to whom his personal data is transferred within the country or abroad.” Therefore, the data subject has the right to know the third parties to whom their personal data has been transferred by the data controller, provided that it concerns their own data.
SubscribeYou can subscribe to stay updated on the shared blogs.
Turkish
