PERSONAL DATA PROTECTION LAW Law Number: 6698 Date of Adoption: 24/3/2016 Official Gazette Published: Date: 7/4/2016 Number: 29677 Published Code: Arrangement: 5 Volume: 57 CHAPTER ONE Purpose, Scope and Definitions Purpose ARTICLE 1- (1) The purpose of this Law is to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data and to regulate the obligations of real and legal persons processing personal data and the procedures and principles to be followed. Scope ARTICLE 2 - (1) The provisions of this Law apply to natural persons whose personal data are processed, and to natural and legal persons who process these data fully or partially by automatic or non-automatic means, provided that they are part of any data recording system. Definitions ARTICLE 3- (1) In the implementation of this Law; a) Explicit consent: Consent regarding a specific subject, based on information and declared with free will, b) Anonymization: Making personal data unable to be associated with an identified or identifiable natural person in any way, even by matching it with other data, c) President: Personal Data. d) Person concerned: The natural person whose personal data is processed, d) Personal data: Any information regarding an identified or identifiable natural person, e) Processing of personal data: Processing of personal data wholly or partially automated or any data recording All kinds of operations performed on data such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing its use by non-automatic means, provided that it is part of the system, f) The Board: Personal Data Protection Board, g) Institution: Personal Data Protection Authority, g) Data processor: Real or legal person who processes personal data on behalf of the data controller based on the authority given by the data controller, h) Data recording system: The recording system in which personal data is structured and processed according to certain criteria, i) Data controller: Refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. CHAPTER TWO Processing of Personal Data General principles ARTICLE 4- (1) Personal data can only be processed in accordance with the procedures and principles set forth in this Law and other laws. (2) It is mandatory to comply with the following principles in the processing of personal data: a) Compliance with the law and the rules of honesty. b) Being accurate and up to date when necessary. c) Processing for specific, clear and legitimate purposes. ç) Being related to the purpose for which they are processed, limited and proportionate. d) To be kept for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed. Conditions for processing personal data ARTICLE 5- (1) Personal data cannot be processed without the explicit consent of the relevant person. (2) It is possible to process personal data without the express consent of the relevant person if one of the following conditions exists: a) It is clearly provided for by law. b) It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity. c) It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract. ç) It is mandatory for the data controller to fulfill its legal obligation. d) It has been made public by the person concerned. e) Data processing is mandatory for the establishment, exercise or protection of a right. f) It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned. Conditions for processing special personal data ARTICLE 6 - (1) Person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and attire, association, foundation or union membership, health, sexual life, criminal conviction and data regarding security measures and biometric and genetic data are special personal data. (2) It is prohibited to process special personal data without the explicit consent of the person concerned. (3) Personal data other than health and sexual life listed in the first paragraph may be processed without the explicit consent of the relevant person in cases stipulated by law. Personal data regarding health and sexual life can only be used by persons under the obligation of confidentiality or authorized institutions and organizations for the purpose of protecting public health, preventive medicine, medical diagnosis, execution of treatment and care services, planning and management of health services and their financing, without the express consent of the relevant person. can be processed. (4) In the processing of special categories of personal data, it is also essential to take adequate measures determined by the Board. Deletion and destruction of personal data