Obligations of Data Controller?
What is Data Controller?
In the Personal Data Protection Law No. 6698 (“PDPL”), the data controller is defined as “the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system”. In this article, the obligations foreseen for the data controller within the scope of PDPL will be discussed.
What are the Obligations of a Data Controller?
Considering a data controller’s position in the context of data protection and processing under the PDPL, it can be said that a data controller is an important actor. Accordingly we can list the obligations of a data controller as follows:
- Obligation to Inform
- Ensuring Data Security
- Notifying the Institution
- Registration to the Registry
- Answering the Applications
- Fulfillment of the Board Decision
What is the Obligation to Inform?
This is an obligation which is related to transparency. Within the scope of this obligation, the data controller is under the obligation to specify on what legal basis, for what purpose and by whom the data is processed, stored or transferred.
What is the Obligation to Ensure Data Security?
This is one of the most important obligations of the data controller and one of the most comprehensively regulated in PDPL. The data controller will be jointly and severally responsible for the implementation of the necessary practices to ensure data security, if it processes the data on its own behalf or on behalf of another person.
The data controller is under the obligation to ensure the protection of personal data, to prevent unlawful processing of data and unlawful access to data. Under these responsibilities, it should ensure that the necessary inspections are carried out.
What is the Obligation to Notify the Institution?
The data controller should notify the Personal Data Protection Board if personal data is obtained illegally.
What is the Registry Obligation?
The registry that data controllers need to register before starting to process the data is the Data Controllers Registry Information System. At VERBIS, data controllers are obliged to declare the data they process.
What is the Obligation to Answer the Applications?
Data subjects, those whose data is processed or those who have shared their data have the right to receive information about the activities related to the processing of their data and may make a request for this. The data controller is under the obligation to answer the questions of the relevant person(s) after this request.
What is the Obligation to Fulfill the Board Decision?
If the complaints made on behalf of the data controller or the violations detected by the Board are examined by the Board and the data controller decides to correct these violations, the data controller is under the obligation to fulfill this decision.
For more information please do not hesitate to contact us from here
The content of this information note is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
If you have any questions, please contact us