Personal Data Protection Law

PERSONAL DATA PROTECTION LAW Law Number: 6698 Date of Adoption: 24/3/2016 Published in Official Gazette: Date: 7/4/2016, Issue: 29677 Published in Düstur: Series: 5, Volume: 57 PART ONE Purpose, Scope and Definitions Purpose ARTICLE 1 - (1) The purpose of this Law is to protect the fundamental rights and freedoms of individuals, particularly the privacy of private life, in the processing of personal data and to regulate the obligations and procedures and principles to be followed by natural and legal persons who process personal data. Scope ARTICLE 2 - (1) The provisions of this Law apply to natural persons whose personal data are processed and to natural and legal persons who process such data in completely or partially automatic ways or in non-automatic ways provided that they are part of any data recording system. Definitions ARTICLE 3 - (1) In the application of this Law: a) Explicit consent: Consent that is informed, specific to a particular subject, and expressed by free will, b) Anonymization: Making personal data unable to be associated with an identified or identifiable natural person in any way, even when matched with other data, c) President: President of the Personal Data Protection Authority, ç) Data subject: The natural person whose personal data is processed, d) Personal data: Any information relating to an identified or identifiable natural person, e) Processing of personal data: Any operation performed on data such as obtaining, recording, storing, preserving, altering, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data in completely or partially automatic ways or in non-automatic ways provided that they are part of any data recording system, f) Board: Personal Data Protection Board, g) Authority: Personal Data Protection Authority, ğ) Data processor: Natural or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller, h) Data recording system: Recording system in which personal data are structured and processed according to specific criteria, ı) Data controller: Natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. PART TWO Processing of Personal Data General Principles ARTICLE 4 - (1) Personal data can only be processed in accordance with the procedures and principles provided for in this Law and other laws. (2) The following principles must be observed in the processing of personal data: a) Being in accordance with law and rules of honesty. b) Being accurate and up-to-date when necessary. c) Being processed for specific, explicit and legitimate purposes. ç) Being related, limited and proportionate to the purpose for which they are processed. d) Being preserved for the period provided for in the relevant legislation or necessary for the purpose for which they are processed. Conditions for Processing Personal Data ARTICLE 5 - (1) Personal data cannot be processed without the explicit consent of the data subject. (2) In case of the existence of one of the following conditions, it is possible to process personal data without seeking the explicit consent of the data subject: a) Being explicitly provided for in laws. b) Being necessary for the protection of the life or physical integrity of the person who is unable to express his consent due to factual impossibility or whose consent is not legally valid, or of another person. c) Being necessary for the processing of personal data belonging to the parties of a contract, provided that it is directly related to the establishment or performance of a contract. ç) Being necessary for the data controller to fulfill his legal obligation. d) Being made public by the data subject himself. e) Data processing being necessary for the establishment, exercise or protection of a right. f) Data processing being necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject. Conditions for Processing Special Categories of Personal Data ARTICLE 6 - (1) Data concerning persons' race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or trade union membership, health, sexual life, criminal convictions and security measures, and biometric and genetic data are special categories of personal data. (2) (Repealed: 2/3/2024-7499/33 art.) (3) (Amended: 2/3/2024-7499/33 art.) Processing of special categories of personal data is prohibited. However, processing of this data is possible in case of: a) Existence of explicit consent of the data subject, b) Being explicitly provided for in laws, c) Being necessary for the protection of the life or physical integrity of the person who is unable to express his consent due to factual impossibility or whose consent is not legally valid, or of another person, ç) Being related to personal data made public by the data subject and being in accordance with the will of making public, d) Being necessary for the establishment, exercise or protection of a right, e) Being necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services by persons or authorized institutions and organizations under the obligation of confidentiality, and for the planning, management and financing of health services, f) Being necessary for the fulfillment of legal obligations in the fields of employment, occupational health and safety, social security, social services and social assistance, g) Being directed towards current or former members and affiliates of foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes, or towards persons who are in regular contact with these organizations and formations, provided that they are in accordance with the legislation and purposes to which they are subject, limited to their field of activity and not disclosed to third parties. (4) In the processing of special categories of personal data, it is also mandatory to take sufficient measures determined by the Board. Deletion, Destruction or Anonymization of Personal Data ARTICLE 7 - (1) Although processed in accordance with this Law and other relevant legal provisions, in case the reasons requiring their processing disappear, personal data shall be deleted, destroyed or anonymized by the data controller ex officio or upon the request of the data subject. (2) Provisions in other laws regarding the deletion, destruction or anonymization of personal data are reserved. (3) Procedures and principles regarding the deletion, destruction or anonymization of personal data shall be regulated by regulation. Transfer of Personal Data ARTICLE 8 - (1) Personal data cannot be transferred without the explicit consent of the data subject. (2) Personal data can be transferred without seeking the explicit consent of the data subject in case of the existence of one of the conditions specified in: a) Second paragraph of Article 5, b) Third paragraph of Article 6, provided that adequate measures are taken. (3) Provisions in other laws regarding the transfer of personal data are reserved. Transfer of Personal Data Abroad ARTICLE 9 - (Amended: 2/3/2024-7499/34 art.) (1) Personal data can be transferred abroad by data controllers and data processors in case of the existence of one of the conditions specified in Articles 5 and 6 and the existence of an adequacy decision regarding the country, sectors within the country or international organizations to which the transfer will be made. (2) The adequacy decision is given by the Board and published in the Official Gazette. The Board takes the opinion of relevant institutions and organizations when it deems necessary. The adequacy decision is evaluated at least every four years. The Board may change, suspend or revoke the adequacy decision with prospective effect as a result of the evaluation or in other cases it deems necessary. (3) When making an adequacy decision, the following matters are primarily taken into consideration: a) The situation of reciprocity regarding personal data transfer between the country, sectors within the country or international organizations to which personal data will be transferred and Turkey. b) The relevant legislation and practice of the country to which personal data will be transferred and the rules to which the international organization to which personal data will be transferred is subject. c) The existence of an independent and effective data protection authority in the country to which personal data will be transferred or to which the international organization is subject, and the existence of administrative and judicial remedies. ç) The status of the country or international organization to which personal data will be transferred being a party to international conventions or member of international organizations related to the protection of personal data. d) The status of the country or international organization to which personal data will be transferred being a member of global or regional organizations of which Turkey is a member. e) International conventions to which Turkey is a party. (4) In the absence of an adequacy decision, personal data can be transferred abroad by data controllers and data processors in case of the existence of one of the conditions specified in Articles 5 and 6, provided that the data subject has the possibility to exercise his rights and apply to effective legal remedies in the country to which the transfer will be made, and one of the following appropriate safeguards is provided by the parties: a) The existence of an agreement that is not an international convention between public institutions and organizations abroad or international organizations and public institutions and organizations in Turkey or professional organizations with the status of public institutions, and permission for transfer by the Board. b) The existence of binding corporate rules that include provisions on the protection of personal data, which companies within the enterprise group engaged in joint economic activity are obliged to comply with and which are approved by the Board. c) The existence of a standard contract announced by the Board, which includes matters such as data categories, purposes of data transfer, recipients and recipient groups, technical and administrative measures to be taken by the data recipient, additional measures taken for special categories of personal data. ç) The existence of a written undertaking containing provisions that will ensure adequate protection and permission for transfer by the Board. (5) The standard contract is notified to the Authority by the data controller or data processor within five business days from its signing. (6) In the absence of an adequacy decision and in case none of the appropriate safeguards provided for in the fourth paragraph can be provided, data controllers and data processors can transfer personal data abroad on an incidental basis only in case of the existence of one of the following situations: a) The data subject giving explicit consent to the transfer, provided that he is informed about possible risks. b) The transfer being necessary for the performance of a contract between the data subject and the data controller or for the implementation of pre-contractual measures taken upon the request of the data subject. c) The transfer being necessary for the establishment or performance of a contract to be made between the data controller and another natural or legal person for the benefit of the data subject. ç) The transfer being necessary for a superior public interest. d) The transfer of personal data being necessary for the establishment, exercise or protection of a right. e) The transfer of personal data being necessary for the protection of the life or physical integrity of the person who is unable to express his consent due to factual impossibility or whose consent is not legally valid, or of another person. f) Making transfer from a registry open to the public or persons with legitimate interests, provided that the conditions required to access the registry in the relevant legislation are met and requested by a person with legitimate interests. (7) Subparagraphs (a), (b) and (c) of the sixth paragraph do not apply to public law activities of public institutions and organizations. (8) The safeguards contained in this Law are also ensured and the provisions of this article are applied for subsequent transfers of personal data transferred abroad by data controllers and data processors and transfers to international organizations. (9) Personal data can be transferred abroad only with the permission of the Board, taking the opinion of the relevant public institution or organization, in cases where Turkey's or the data subject's interests would be seriously harmed, without prejudice to international convention provisions. (10) Provisions in other laws regarding the transfer of personal data abroad are reserved. (11) Procedures and principles regarding the implementation of this article shall be regulated by regulation. PART THREE Rights and Obligations Data Controller's Obligation to Inform ARTICLE 10 - (1) During the obtaining of personal data, the data controller or the person authorized by him is obliged to inform the data subjects about: a) The identity of the data controller and his representative, if any, b) The purpose for which personal data will be processed, c) To whom and for what purpose the processed personal data can be transferred, ç) The method and legal reason for collecting personal data, d) Other rights listed in Article 11. Rights of the Data Subject ARTICLE 11 - (1) Everyone has the right to apply to the data controller and: a) Learn whether personal data concerning him is processed, b) Request information about this if his personal data has been processed, c) Learn the purpose of processing personal data and whether they are used in accordance with their purpose, ç) Know the third parties to whom personal data are transferred domestically or abroad, d) Request correction if personal data are processed incompletely or incorrectly, e) Request deletion or destruction of personal data within the framework of the conditions provided for in Article 7, f) Request that the operations performed in accordance with subparagraphs (d) and (e) be notified to third parties to whom personal data have been transferred, g) Object to the emergence of a result against the person solely through the analysis of processed data by automated systems, ğ) Request compensation for damage suffered due to unlawful processing of personal data. Obligations Regarding Data Security ARTICLE 12 - (1) The data controller is obliged to take all necessary technical and administrative measures to ensure an appropriate level of security in order to: a) Prevent unlawful processing of personal data, b) Prevent unlawful access to personal data, c) Ensure the preservation of personal data. (2) In case personal data are processed by another natural or legal person on behalf of the data controller, the data controller is jointly responsible with these persons for taking the measures specified in the first paragraph. (3) The data controller is obliged to conduct or have conducted necessary audits in his institution or organization to ensure the implementation of the provisions of this Law. (4) Data controllers and data processors cannot disclose personal data they learn to others in violation of the provisions of this Law and cannot use them for purposes other than processing. This obligation continues even after they leave their duties. (5) In case processed personal data are obtained by others through illegal means, the data controller notifies this situation to the interested party and the Authority as soon as possible. The Authority may announce this situation on its website or in another way it deems appropriate when necessary. PART FOUR Application, Complaint and Data Controllers Registry Application to Data Controller ARTICLE 13 - (1) The data subject communicates his requests regarding the application of this Law to the data controller in writing or through other methods determined by the Board. (2) The data controller concludes the requests in the application as soon as possible and at the latest within thirty days free of charge according to the nature of the request. However, if the transaction requires an additional cost, the fee in the tariff determined by the Board may be charged. (3) The data controller accepts the request or rejects it by explaining the reason and notifies his response to the data subject in writing or electronically. If the request in the application is accepted, the data controller fulfills the necessary action. If the application results from the data controller's fault, the fee charged is refunded to the interested party. Complaint to the Board ARTICLE 14 - (1) In case of rejection of the application, finding the given response insufficient or not responding to the application within the deadline; the data subject can file a complaint with the Board within thirty days from the date he learned of the data controller's response and in any case within sixty days from the date of application. (2) The complaint procedure cannot be resorted to without exhausting the application procedure under Article 13. (3) The right of compensation according to general provisions of those whose personality rights are violated is reserved. Procedures and Principles of Investigation Upon Complaint or Ex Officio ARTICLE 15 - (1) The Board conducts necessary investigation upon complaint or when it learns of an allegation of violation ex officio in matters within its scope of duty. (2) Reports or complaints that do not meet the conditions specified in Article 6 of the Law No. 3071 dated 1/11/1984 on the Use of the Right of Petition are not taken into consideration. (3) Except for information and documents of state secret nature; the data controller is obliged to send the information and documents requested by the Board in connection with the investigation subject within fifteen days and to provide the opportunity for on-site investigation when necessary. (4) Upon complaint, the Board examines the request and gives a response to the concerned parties. If no response is given within sixty days from the date of complaint, the request is deemed rejected. (5) As a result of investigation upon complaint or ex officio, if the existence of violation is understood, the Board decides that the illegalities it determines should be remedied by the data controller and notifies the concerned parties. This decision is implemented immediately and at the latest within thirty days from notification. (6) As a result of investigation upon complaint or ex officio, if it is determined that the violation is widespread, the Board makes a principle decision on this matter and publishes this decision. The Board may also take the opinions of relevant institutions and organizations if it deems necessary before making a principle decision. (7) The Board may decide to stop data processing or transfer of data abroad in case of irreparable or impossible damages and obvious illegality. Data Controllers Registry ARTICLE 16 - (1) Under the supervision of the Board, a Data Controllers Registry is kept publicly by the Presidency. (2) Natural and legal persons who process personal data are obliged to register with the Data Controllers Registry before starting data processing. However, taking into account objective criteria such as the nature and number of personal data processed, data processing arising from law or the situation of transfer to third parties to be determined by the Board, the Board may make exceptions to the obligation to register with the Data Controllers Registry. (3) The application for registration with the Data Controllers Registry is made with a notification containing the following matters: a) Identity and address information of the data controller and his representative, if any. b) The purpose for which personal data will be processed. c) Explanations about the data subject group and groups and data categories belonging to these persons. ç) Recipients or recipient groups to which personal data can be transferred. d) Personal data intended to be transferred to foreign countries. e) Measures taken regarding personal data security. f) The maximum period necessary for personal data to be processed for their purpose. (4) Changes occurring in the information given according to the third paragraph are immediately notified to the Presidency. (5) Other procedures and principles regarding the Data Controllers Registry shall be regulated by regulation. PART FIVE Crimes and Misdemeanors Crimes ARTICLE 17 - (1) For crimes related to personal data, the provisions of Articles 135 to 140 of the Turkish Penal Code No. 5237 dated 26/9/2004 are applied. (2) Those who do not delete personal data or make them anonymous in violation of the provision of Article 7 of this Law are punished according to Article 138 of Law No. 5237. Misdemeanors ARTICLE 18 - (1) Administrative monetary fines are imposed as follows for those who violate this Law: a) From 5,000 Turkish liras to 100,000 Turkish liras for those who do not fulfill the obligation to inform provided for in Article 10, b) From 15,000 Turkish liras to 1,000,000 Turkish liras for those who do not fulfill the obligations regarding data security provided for in Article 12, c) From 25,000 Turkish liras to 1,000,000 Turkish liras for those who do not implement the decisions given by the Board according to Article 15, ç) From 20,000 Turkish liras to 1,000,000 Turkish liras for those who act contrary to the registration and notification obligation to the Data Controllers Registry provided for in Article 16, d) (Added: 2/3/2024-7499/35 art.) From 50,000 Turkish liras to 1,000,000 Turkish liras for those who do not fulfill the notification obligation provided for in the fifth paragraph of Article 9. (2) (Amended: 2/3/2024-7499/35 art.) Administrative monetary fines provided for in subparagraphs (a), (b), (c) and (ç) of the first paragraph are applied to data controllers, and the administrative monetary fine provided for in subparagraph (d) is applied to data controllers or data processors who are natural persons and private law legal persons. (3) (Added: 2/3/2024-7499/35 art.) Lawsuits can be filed in administrative courts against administrative monetary fines imposed by the Board. (4) In case the actions listed in the first paragraph are committed within public institutions and organizations and professional organizations with the status of public institutions, upon notification by the Board, disciplinary action is taken against civil servants and other public officials working in the relevant public institutions and organizations and those working in professional organizations with the status of public institutions according to disciplinary provisions and the result is notified to the Board. PART SIX Personal Data Protection Authority and Organization Personal Data Protection Authority ARTICLE 19 - (1) The Personal Data Protection Authority, which has administrative and financial autonomy and legal personality under public law, has been established to carry out the duties assigned by this Law. (2) The Authority is related to the minister to be assigned by the President. (3) The headquarters of the Authority is in Ankara. (4) The Authority consists of the Board and the Presidency. The decision-making body of the Authority is the Board. Duties of the Authority ARTICLE 20 - (1) The duties of the Authority are: a) To follow, evaluate and make recommendations on applications and developments in legislation within its field of duty, to conduct or have conducted research and examinations. b) To cooperate with public institutions and organizations, civil society organizations, professional organizations or universities on matters within its field of duty when needed. c) To monitor and evaluate international developments related to personal data, to cooperate with international organizations on matters within its field of duty, to participate in meetings. ç) To submit the annual activity report to the Presidency, the Human Rights Investigation Commission of the Turkish Grand National Assembly. d) To perform other duties assigned by laws. Personal Data Protection Board ARTICLE 21 - (1) The Board performs and exercises the duties and powers assigned to it by this Law and other legislation independently under its own responsibility. No organ, authority, body or person can give orders and instructions, make recommendations or suggestions to the Board regarding matters within its field of duty. (2) The Board consists of nine members. Five members of the Board are elected by the Turkish Grand National Assembly, four members by the President. (3) To be a member of the Board, the following conditions are required: a) Having knowledge and experience in matters within the Authority's field of duty. b) Having the qualifications specified in sub-subparagraphs (1), (4), (5), (6) and (7) of subparagraph (A) of the first paragraph of Article 48 of the Civil Servants Law No. 657 dated 14/7/1965. c) Not being a member of any political party. ç) Having completed at least four years of undergraduate higher education. d) (Repealed: 2/7/2018-KHK-703/163 art.) (4) (Repealed: 2/7/2018-KHK-703/163 art.) (5) The Turkish Grand National Assembly makes the election of Board members with the following procedure: a) For the election, candidates are nominated at twice the number of members to be determined in proportion to the number of members of political party groups, and Board members are elected by the General Assembly of the Turkish Grand National Assembly from among these candidates, taking into account the number of members per political party group. However, in political party groups, no discussion can be made and no decision can be taken on who to vote for in elections to be held in the Turkish Grand National Assembly. b) The election of Board members is held within ten days after the candidates are determined and announced. Joint ballot papers are prepared in separate lists for candidates nominated by political party groups. Votes are cast by marking the special place opposite the names of candidates. Votes exceeding the number of members to be elected to the Board from the quotas of political party groups determined according to the second paragraph are deemed invalid. c) Provided that there is a quorum for decision, candidates equal to the number of vacant memberships who receive the most votes in the election are elected. ç) Two months before the end of the term of office of members; in case of vacancy in memberships for any reason, elections are held in the same way within one month from the date of vacancy or if the Turkish Grand National Assembly is in recess on the date of vacancy, from the end of the recess. In these elections, the distribution of vacant memberships to political party groups is made taking into account the number of members elected from the political party group quotas in the first election and the current proportion of political party groups. (6) For members elected by the President, forty-five days before the end of the term of office of one of the members or in case the duty ends for any reason, the situation is notified to the Presidency by the Authority within fifteen days. The election of new members is held one month before the expiration of the term of office of members. In case of vacancy in these memberships for any reason before the expiration of the term of office, the election is held within fifteen days from the notification. (7) The Board elects the President and Vice President among its members. The President of the Board is also the president of the Authority. (8) The term of office of Board members is four years. Members whose term expires can be re-elected. The person elected in place of a member whose duty ends for any reason before the expiration of the term of office completes the remaining term of the member he replaces. (9) Elected members take an oath before the First Presidency Board of the Court of Cassation saying "I swear on my honor and dignity that I will perform my duty in accordance with the Constitution and laws, with complete impartiality, honesty, equity and sense of justice." Applications to the Court of Cassation for oath are considered urgent matters. (10) Board members cannot take any official or private duty other than the execution of their official duties in the Board unless based on a special law, cannot be administrators in associations, foundations, cooperatives and similar places, cannot engage in trade, cannot engage in freelance professional activities, cannot act as arbitrators and experts. However, Board members can make scientific publications, give lectures and conferences in a way that does not interfere with their main duties and can receive copyright fees and lecture and conference fees arising from these. (11) Investigations regarding crimes alleged to be committed by members due to their duties are conducted according to the Law No. 4483 dated 2/12/1999 on the Trial of Civil Servants and Other Public Officials, and investigation permission for them is given by the President. (12) In disciplinary investigation and prosecution regarding Board members, the provisions of Law No. 657 are applied. (13) Board members cannot be dismissed from their duties for any reason before their terms expire. The membership of Board members ends with a Board decision in the following cases: a) It is subsequently understood that they do not meet the conditions required for election, b) The final conviction decision given for crimes committed in relation to their duties, c) It is definitively determined by a health board report that they cannot perform their duties, ç) It is determined that they do not attend their duties without permission, excuse and continuously for fifteen days or a total of thirty days in a year, d) It is determined that they do not attend a total of three Board meetings without permission and excuse in a month, or a total of ten Board meetings in a year. (14) Those elected to Board membership have their relations with their previous duties severed during their service in the Board. Those who were public officials when elected to membership, provided they do not lose the conditions for entering civil service, are appointed to a position appropriate to their acquired rights by the authority authorized to make appointments within one month if their term of office ends or they request to leave their duty and apply to their former institutions within thirty days. Until the appointment is realized, the Authority continues to pay all kinds of payments they receive. Those who were not working in a public institution and were elected to membership and whose duty ends as described above continue to be paid all kinds of payments they receive by the Authority until they start any duty or job, and the payment to be made by the Authority to those whose membership ends in this way cannot exceed three months. The time they spend in the Authority is considered as spent in their previous institutions or organizations in terms of personal and other rights. Duties and Powers of the Board ARTICLE 22 - (1) The duties and powers of the Board are: a) To ensure that personal data are processed in accordance with fundamental rights and freedoms. b) To decide on complaints of those who claim that their rights related to personal data have been violated. c) To examine whether personal data are processed in accordance with laws in matters within its field of duty upon complaint or when it learns of an allegation of violation ex officio and to take temporary measures when necessary. ç) To determine adequate measures required for the processing of special categories of personal data. d) To ensure the maintenance of the Data Controllers Registry. e) To make necessary regulatory transactions on matters related to the Board's field of duty and the Authority's functioning. f) To make regulatory transactions to determine obligations regarding data security. g) To make regulatory transactions regarding the duties, powers and responsibilities of the data controller and representative. ğ) To decide on administrative sanctions provided for in this Law. h) To give opinions on draft legislation prepared by other institutions and organizations and containing provisions related to personal data. ı) To decide on the Authority's strategic plan, to determine its aims and objectives, service quality standards and performance criteria. i) To discuss and decide on the budget proposal prepared in accordance with the Authority's strategic plan and aims and objectives. j) To approve and publish draft reports prepared on the Authority's performance, financial situation, annual activities and needed matters. k) To discuss and decide on proposals regarding real estate purchase, sale and rental. l) To perform other duties assigned by laws. Working Principles of the Board ARTICLE 23 - (1) The President determines the meeting days and agenda of the Board. The President can call the Board to extraordinary meetings when necessary. (2) The Board meets with at least six members including the president and makes decisions with the absolute majority of the total number of members. Board members cannot abstain from voting. (3) Board members cannot participate in meetings and voting related to matters concerning themselves, their blood relatives up to the third degree and in-laws up to the second degree, their adopted children and their spouses even if the marriage bond between them has ended. (4) Board members cannot disclose secrets belonging to interested parties and third parties that they learn during their work to anyone other than authorities legally authorized in this matter and cannot use them for their own benefit. This obligation continues even after they leave their duties. (5) Matters discussed in the Board are recorded in minutes. Decisions and dissenting opinion reasons, if any, are written within at most fifteen days from the decision date. The Board announces the decisions it deems necessary to the public. (6) Unless otherwise decided, discussions in Board meetings are confidential. (7) The Board's working procedures and principles, writing of decisions and other matters shall be regulated by regulation. President ARTICLE 24 - (1) The President, as the president of the Board and the Authority, is the highest superior of the Authority and organizes and executes Authority services in accordance with legislation, the Authority's aims and policies, strategic plan, performance criteria and service quality standards, and ensures coordination between service units. (2) The President is responsible for the general management and representation of the Authority. This responsibility includes the duties and powers of organizing, executing, supervising, evaluating and announcing Authority work to the public when necessary. (3) The duties of the President are: a) To manage Board meetings. b) To ensure the notification of Board decisions and the announcement of those deemed necessary by the Board to the public and to monitor their implementation. c) To appoint the Vice President, department heads and Authority personnel. ç) To give final form to proposals coming from service units and submit them to the Board. d) To ensure the implementation of the strategic plan, to establish human resources and working policies in line with service quality standards. e) To prepare the Authority's annual budget and financial statements in accordance with determined strategies, annual aims and objectives. f) To ensure coordination for the Board and service units to work harmoniously, efficiently, disciplined and orderly. g) To conduct the Authority's relations with other organizations. ğ) To determine the duty and authority area of personnel authorized to sign on behalf of the Authority President. h) To perform other duties related to the Authority's management and functioning. (4) In the absence of the Authority President, the Vice President acts as deputy to the President. Formation and Duties of the Presidency ARTICLE 25- (1) The Presidency consists of the Vice President and service units. The Presidency fulfills the duties listed in the fourth paragraph through service units organized as department presidencies. The number of department presidencies cannot exceed seven. (2) A Vice President is appointed by the President to assist in duties related to the Institution. (3) The Vice President and department heads are appointed by the President from among those who are graduates of at least four-year higher education institutions and have served in public service for ten years. (4) The duties of the Presidency are as follows: a) Maintaining the Data Controllers Registry. b) Carrying out the office and secretarial operations of the Institution and the Board. c) Representing the Institution through lawyers in lawsuits and enforcement proceedings where the Institution is a party, following up on lawsuits or having them followed up, and providing legal services. ç) Carrying out personnel affairs of Board members and those working in the Institution. d) Performing duties assigned to financial service and strategy development units by laws. e) Ensuring the establishment and use of information systems for the execution of the Institution's work and operations. f) Preparing draft reports on the Board's annual activities or on needed topics and presenting them to the Board. g) Preparing the Institution's strategic plan draft. ğ) Determining the Institution's personnel policy, preparing and implementing personnel career and training plans. h) Carrying out personnel appointment, transfer, discipline, performance, promotion, retirement and similar procedures. ı) Determining ethical rules that personnel must follow and providing necessary training. i) Carrying out all kinds of procurement, rental, maintenance, repair, construction, archive, health, social and similar services needed by the Institution within the framework of the Public Financial Management and Control Law No. 5018 dated 10/12/2003. j) Maintaining records of movable and immovable property belonging to the Institution. k) Performing other duties assigned by the Board or the President. (5) Service units and their working procedures and principles are determined by regulation put into effect by the President of the Republic upon the Institution's proposal, in accordance with the field of activity, duties and authorities specified in this Law. Personal Data Protection Specialists and Assistant Specialists ARTICLE 26- (1) Personal Data Protection Specialists and Personal Data Protection Assistant Specialists may be employed in the Institution. Those appointed to Personal Data Protection Specialist positions within the framework of the additional 41st article of Law No. 657 are granted a one-time one-grade promotion. Provisions Regarding Personnel and Personnel Rights ARTICLE 27- (1) Institution personnel are subject to Law No. 657 except for matters regulated by this Law. (2) Financial and social benefits payments made to equivalent personnel determined under the additional 11th article of Decree Law No. 375 dated 27/6/1989 are paid to the Board President and members and Institution personnel under the same procedures and principles. Those payments to equivalent personnel that are not subject to tax and other legal deductions are also not subject to tax and other deductions under this Law. (3) The Board President and members and Institution personnel are subject to the provisions of subparagraph (c) of the first paragraph of Article 4 of the Social Insurance and General Health Insurance Law No. 5510 dated 31/5/2006. The Board President and members and Institution personnel are considered equivalent to the personnel determined as equivalent in terms of retirement rights. For those appointed to Board President and member positions while insured under subparagraph (c) of the first paragraph of Article 4 of Law No. 5510, whose duties end or who request to leave these positions, the service periods in these positions are taken into account in determining their acquired pension rights, grades and steps. For those who fall under the scope of provisional Article 4 of Law No. 5510 during these duties, the periods in these duties are considered as periods requiring position allowance and representation allowance payments. For those appointed to Board President and member positions while insured under subparagraph (a) of the first paragraph of Article 4 of Law No. 5510 in public institutions and organizations, severing ties with their previous institutions and organizations does not require payment of severance pay or end-of-service compensation. In such cases, the service periods requiring severance pay or end-of-service compensation are combined with the service periods as Board President and Board member and are considered as periods for which retirement bonus will be paid. (4) Civil servants and other public officials working in public administrations within central government scope, social security institutions, local administrations, administrations affiliated with local administrations, local administration unions, revolving fund organizations, funds established by laws, organizations with public legal personality, organizations with more than fifty percent public ownership, state economic enterprises and public economic organizations and their affiliated partnerships and establishments can be temporarily assigned to the Institution with the consent of their institutions, and judges and prosecutors with their own consent, provided that their salaries, allowances, all kinds of raises and compensations and other financial and social rights and benefits are paid by their institutions. The Institution's requests in this regard are prioritized by the relevant institutions and organizations. Personnel assigned in this way are considered on paid leave from their institutions. While on leave, their civil service relations and personnel rights continue, and these periods are also counted in their promotion and retirement, and their promotions are made on time without need for additional procedures. The periods that those assigned under this article spend in the Institution are considered as spent in their own institutions. The number of those assigned in this way cannot exceed ten percent of the total number of Personal Data Protection Specialist and Personal Data Protection Assistant Specialist positions, and the assignment period cannot exceed two years. However, in case of need, this period can be extended in one-year periods. (5) The position titles and numbers for personnel to be employed in the Institution are shown in the attached table (I). Subject to not exceeding the total number of positions and limited to position titles included in the annexed tables of the Decree Law No. 190 dated 13/12/1983 on General Position and Procedures, making title and grade changes, adding new titles and canceling vacant positions are done by Board decision. SEVENTH SECTION - Miscellaneous Provisions Exceptions ARTICLE 28- (1) The provisions of this Law do not apply in the following cases: a) Processing of personal data by natural persons within the scope of activities completely related to themselves or their family members living in the same residence, provided that they are not given to third parties and obligations regarding data security are complied with. b) Processing of personal data for purposes such as research, planning and statistics by making them anonymous for official statistics. c) Processing of personal data for artistic, historical, literary or scientific purposes or within the scope of freedom of expression, provided that they do not violate national defense, national security, public safety, public order, economic security, privacy of private life or personality rights or constitute a crime. ç) Processing of personal data within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations authorized by law to ensure national defense, national security, public safety, public order or economic security. d) Processing of personal data by judicial authorities or enforcement agencies in relation to investigation, prosecution, trial or execution procedures. (2) Subject to being appropriate and proportionate to the purpose and basic principles of this Law, Articles 10 regulating the data controller's obligation to inform, 11 regulating the rights of the data subject except for the right to request compensation for damages, and 16 regulating the obligation to register in the Data Controllers Registry do not apply in the following cases: a) Personal data processing is necessary for crime prevention or criminal investigation. b) Processing of personal data made public by the data subject themselves. c) Personal data processing is necessary for the performance of supervisory or regulatory duties by competent and authorized public institutions and organizations and public professional organizations based on legal authority, and for disciplinary investigation or prosecution. ç) Personal data processing is necessary for the protection of the State's economic and financial interests regarding budget, tax and financial matters. The Institution's Budget and Revenues ARTICLE 29- (1) The Institution's budget is prepared and adopted according to the procedures and principles determined in Law No. 5018. (2) The Institution's revenues are as follows: a) Treasury aid to be made from the general budget. b) Revenues obtained from movable and immovable property belonging to the Institution. c) Donations and aid received. ç) Revenues obtained from the evaluation of revenues. d) Other revenues. Amended and Added Provisions ARTICLE 30- (1) (Related to Law No. 5018 dated 10/12/2003 and incorporated in its place.) (2) to (5) - (Related to Law No. 5237 dated 26/9/2004 and incorporated in its place.) (6) (Related to the Basic Law on Health Services No. 3359 dated 7/5/1987 and incorporated in its place.) (7) (Related to the Decree Law No. 663 dated 11/10/2011 on the Organization and Duties of the Ministry of Health and Its Affiliated Organizations and incorporated in its place.) Regulation ARTICLE 31- (1) Regulations regarding the implementation of this Law are put into effect by the Institution. Transitional Provisions PROVISIONAL ARTICLE 1- (1) Within six months from the publication date of this Law, Board members are selected according to the procedure envisaged in Article 21 and the Presidency organization is established. (2) Data controllers are obliged to register in the Data Controllers Registry within the period determined and announced by the Board. (3) Personal data processed before the publication date of this Law are brought into compliance with the provisions of this Law within two years from the publication date. Personal data found to be contrary to the provisions of this Law are immediately deleted, destroyed or made anonymous. However, consents lawfully obtained before the publication date of this Law are considered compliant with this Law if no contrary declaration of will is made within one year. (4) The regulations envisaged in this Law are put into effect within one year from the publication date of this Law. (5) Within one year from the publication date of this Law, a senior executive is designated in public institutions and organizations to ensure coordination regarding the implementation of this Law and is notified to the Presidency. (6) The first elected President, Second President and two members determined by lot serve for six years; the other five members serve for four years. (7) Until a budget is allocated to the Institution: a) The Institution's expenses are covered from the Prime Ministry budget. b) All necessary support services such as buildings, vehicles, equipment, furniture and hardware are provided by the Prime Ministry for the Institution to perform its services. (8) Secretarial services are performed by the Prime Ministry until the Institution's service units become operational. PROVISIONAL ARTICLE 2- (Added: 28/11/2017-7061/120 art.) (1) Among graduates of political science, economic and administrative sciences, economics, law and business administration faculties providing at least four-year undergraduate education, electronics, electrical-electronics, electronics and communication, computer, information systems engineering departments of engineering faculties, or domestic and foreign higher education institutions whose equivalence is accepted by the Higher Education Council; those who have been appointed to positions in the central organizations of institutions related to the titles specified in paragraph (11) of section (A) of the "Common Provisions" section of Article 36 of Law No. 657 through special professional competitive examination and after certain-term in-service training and a special qualification examination, and have served in these positions for at least two years excluding unpaid leave periods, and those in academic staff positions, can be appointed as Personal Data Protection Specialists within one year from the effective date of this article, provided that they have scored at least seventy points in the Foreign Language Knowledge Level Determination Exam and are under forty years of age as of the appointment date. The number of those to be appointed in this way cannot exceed fifteen. PROVISIONAL ARTICLE 3- (Added: 2/3/2024-7499/36 art.) (1) The first paragraph of Article 9 before being amended by the Law that created this article continues to be applied together with the amended version of the article until 1/9/2024. (2) Applications pending in criminal magistrate courts as of 1/6/2024 continue to be handled by these courts. Entry into Force ARTICLE 32- (1) Of this Law: a) Articles 8, 9, 11, 13, 14, 15, 16, 17 and 18 enter into force six months after publication, b) Other articles enter into force on the publication date. Execution ARTICLE 33- (1) The Council of Ministers executes the provisions of this Law.