The rights of data subjects

The Turkish Data Protection Law gives data subjects the following rights:

1. Right to be informed

Regardless of the legal basis of data processing, data controllers are obliged to inform the data subjects when collecting personal data in respect of the minimum mandatory content outlined below (Article 10 of the Data Protection Law):

• the identity of the data controller and its representative, if any;
• the purpose of personal data processing;
• the recipients to whom the personal data can be transferred, and the purpose of the transfer;
• the methods and legal reasons of collection of personal data; and
• the data subject’s rights under Article 11 of the Data Protection Law.

2. Right to access

Data subjects are entitled to request the following from the data controller (Article 11 of the Data Protection Law):

• information about whether their personal data has been processed;
• if personal data has been processed, the information about such data and processing;
• information about the purpose for the data processing and whether the data was used for this purpose;
• information about the identities of natural or legal persons whom the data is transferred to;
• correction, erasure, or removal of the personal data;
• if data is transferred, that the data controller advise the recipient about correction, erasure, and removal of the personal data;
• objection to any negative consequence of their data being analysed exclusively through automated systems; and
• compensation where a data subject suffers any damage due to the illegal processing of their data.

The KVKK has issued the Application Communiqué which regulates the methods and procedures to lodge a request with data controllers. Accordingly, data controllers should respond to requests lodged by data subjects within 30 days. The Application Communiqué also provides for a processing fee of TRY 1 for each page which may be charged for responses exceeding ten pages, or the cost of the alternative data recording medium.

The Board published a decision numbered 2019/9 on application procedures to the data controller and determination of complaint periods to the Board (only available in Turkish here). The Board clarified the periods for filing complaints to the Board and applying to data controllers. Accordingly, the following principles apply when calculating application periods:

• if the data controller fails to respond within 30 days, the data subject has 60 days to apply to the Board, starting from the date of its application to the data controller;
• if the data controller responds within 30 days, the data subject can file a complaint with the Board no later than 30 days after such response; and
• if the data controller responds after the 30 days period has lapsed, the data subject can file a complaint with the Board no later than 60 days following the date of application to the data controller, which complaint may be submitted immediately upon expiration of the 30 days period, whether or not a response has been received from the data controller.

3. Right to rectification

Personal data has to be processed accurately and must be kept up to date. In line with this principle, data subjects are entitled to request for rectification from the data controllers, in case of contrary practice.

4. Right to erasure

Data controllers are obliged to erase, destruct, or anonymize the personal data in the event that the reasons for which it was processed are no longer valid or upon the demand of the data subject (Article 7 of the Data Protection Law).

5. Right to object/opt-out

Data subjects do not have a broad right to object under the Data Protection Law. The right to object will not be sufficient to stop processing activities if there is a legal justification for data processing. However, if the legal basis’s goal is exceeded, the data subject can utilize his or her right to object to stop processing activities that go beyond the legal basis’s purpose, such as legitimate interest. Furthermore, data subjects have the right to cancel their consent and have data processing based on their express consent halted at any time.

In addition to above-stated perspective of the Data Protection Law, there is an alternative legislation regulating the In addition to the above-mentioned perspective of the Data Protection Law, there is another piece of legislation that governs data subjects’ right to object/opt-out in the context of electronic commerce. Personal data gathered from a consumer can only be used and shared with third parties with the consent of the customer, according to Electronic Commerce Law No. 6563. As a result, in order to use personal data for marketing purposes, the consent of the data subject, who is a consumer, must be obtained.

The same legislation entitles the consumers/data subjects to use their right to object/opt-out. Data controllers, Consumers/data subjects have the right to object/opt-out under the same regulation. Data controllers who are also functioning as service providers are required to include their contact information in commercial electronic communications so that recipients can exercise their opt-out rights. Opt-out notification must be offered through the same communication channel as the commercial electronic message was received, and it must be simple and free of charge. A national and centralized commercial electronic communication management system has been built in accordance with the Regulation on Commercial Electronic Communication (and its revisions). The consumers or data subjects may use their right to object/opt-out through this system (or through the system designed by the relevant service provider).

6. Right to data portability

Unlike the GDPR, the Data Protection Law does not provide the right to portability for data subjects. Under the Data Protection Law, data subjects are not entitled to have their personal data transmitted directly from one controller to another.

7. Right not to be subject to automated decision-making

The Data Protection Law does not provide a blanket right to be free of automated decision-making systems. The processing limits and rights of data subjects must be assessed in light of other legal obligations under Data Protection Law, such as the legal basis’s aim. However, data subjects have the right to object to any detrimental consequences of their data being analyzed exclusively through automated methods under Article 11(1)(g) of the Data Protection Law. Please keep in mind that data subjects can exercise this right if there is a negative consequence.