Common Misconceptions About Personal Data Protection Law
Is anonymized data considered personal data?
No, anonymized data loses its status as personal data. The law defines “anonymization” as rendering personal data incapable of being associated with an identified or identifiable person, even when combined with other data. Once anonymized, the data is no longer linked to any individual and cannot be used to identify them. Therefore, anonymized data is not considered personal data.
Does the consent obtained as proof of fulfilling the obligation to inform (clarification obligation) count as explicit consent?
The data controller is responsible for proving that the obligation to inform has been fulfilled. There is no specific form requirement for this proof. However, if the processing of personal data is based on explicit consent, the processes of fulfilling the obligation to inform and obtaining explicit consent must be carried out separately. For example, ticking an “I have read” box to prove the obligation to inform has been met does not imply that explicit consent has been obtained for the processing of personal data.
Is a biometric signature considered sensitive personal data?
Yes. Biometric data is defined as data that enables the unique identification of an individual based on their distinctive physical, physiological, and behavioral characteristics. A biometric signature is an example of such data, as it includes unique identifiers like pressure, writing angle, pen speed, and direction captured during the act of signing. Therefore, a biometric signature is also considered sensitive personal data.
If the data controller and the data processor are separate entities, how is liability determined under the Law?
In this case, both the data controller and the data processor will be jointly responsible. The data controller is required to take all necessary technical and administrative measures to prevent the unlawful processing and access to personal data and to ensure the security of the data. If the data is processed by another entity, the data controller is obliged to take these measures together with the data processor. Additionally, the data controller and data processors cannot disclose or use the personal data they have learned for unlawful purposes or for other purposes.
Can a request be made to the data controller via email?
Yes, however, according to the Communiqué on the Procedures and Principles of Application to the Data Controller, for requests to be made via email, the email address previously notified to the data controller and registered in their system must be used. When filing a complaint, it is important to include information and documents in the complaint petition that show the request was made through this email address.
Is anonymized data considered personal data?
No, anonymized data loses its status as personal data. The law defines “anonymization” as rendering personal data incapable of being associated with an identified or identifiable person, even when combined with other data. Once anonymized, the data is no longer linked to any individual and cannot be used to identify them. Therefore, anonymized data is not considered personal data.
Does the consent obtained as proof of fulfilling the obligation to inform (clarification obligation) count as explicit consent?
The data controller is responsible for proving that the obligation to inform has been fulfilled. There is no specific form requirement for this proof. However, if the processing of personal data is based on explicit consent, the processes of fulfilling the obligation to inform and obtaining explicit consent must be carried out separately. For example, ticking an “I have read” box to prove the obligation to inform has been met does not imply that explicit consent has been obtained for the processing of personal data.
Is a biometric signature considered sensitive personal data?
Yes. Biometric data is defined as data that enables the unique identification of an individual based on their distinctive physical, physiological, and behavioral characteristics. A biometric signature is an example of such data, as it includes unique identifiers like pressure, writing angle, pen speed, and direction captured during the act of signing. Therefore, a biometric signature is also considered sensitive personal data.
If the data controller and the data processor are separate entities, how is liability determined under the Law?
In this case, both the data controller and the data processor will be jointly responsible. The data controller is required to take all necessary technical and administrative measures to prevent the unlawful processing and access to personal data and to ensure the security of the data. If the data is processed by another entity, the data controller is obliged to take these measures together with the data processor. Additionally, the data controller and data processors cannot disclose or use the personal data they have learned for unlawful purposes or for other purposes.
Can a request be made to the data controller via email?
Yes, however, according to the Communiqué on the Procedures and Principles of Application to the Data Controller, for requests to be made via email, the email address previously notified to the data controller and registered in their system must be used. When filing a complaint, it is important to include information and documents in the complaint petition that show the request was made through this email address.
SubscribeYou can subscribe to stay updated on the shared blogs.
Turkish
