To top To top
  | 

KİŞİSEL VERİLERİN KORUNMASI YASASI

PERSONAL DATA PROTECTION LAW INTERIOR ORDER
 
Article 1. Short Name
 
SECTION ONE
General Rules
Article 2. Commentary
Article 3. Purpose
Article 4. Scope
 
SECTION TWO
Processing of Personal Data
Article 5. Principles to be Applied When Processing Personal Data
Article 6. Legal Processing
Article 7. Processing of Sensitive Data
Article 8. Notice to Chairman
Article 9. Merge of Personal Data File Systems
Article 10. Data Protection Officer
 
SECTION THREE
Data Transfer and Confidentiality
Article 11. Data Transfer to Other Countries
Article 12. Confidentiality and Security of Processing
 
 
SECTION FOUR
Rights of the Person Subject to the Information
Article 13. Obligation to Inform
Article 14. Right of Access
Article 15. Right to Objection
Article 16. Exercise of Access and Objection Rights
Article 17. Processing for Direct or Indirect Marketing
Article 18. Right to Compensate
Article 19. Confidentiality Obligation of Controller and Processor
 
 
SECTION FIVE
Formation, Authority and Duties of the Personal Data Protection Board
Article 20. Personal Data Protection Board
Article 21. Formation of the Board
Article 22. Qualifications of Chairman and Members of the Board
Article 23. Duties and Powers of the Chairman of the Board
Article 24. Term of Office and Re-Appointment of the Chairman and Members of the Board 
Article 25. Board Chairman and Members that Cannot Become a Member of Political Party Organs
Article 26. Vacancy of Board Presidency or Membership
Article 27. Meetings of the Board
Article 28. Duties of the Board
Article 29. Revenues, Budget, Final Accounts and Audit of the Board
Article 30. Full Time Work of the Chairman and Allowances of the Chairman and Members of the Board
Article 31. Execution of Board Services and Status of Board Personnel
Article 32. Rules Regarding Personnel
Article 33. Confidentiality Obligation of Chairman, Members and Personnel of the Board
Article 34. Complaint Application
 
SECTION SIX
Offenses and Punishments
Article 35. Administrative Fines
Article 36. Offenses and Punishments
 
SECTION SEVEN
Provisional and Final Rules
Article 37. Authority to Make Regulations Regarding Licenses and Fees
Provisional Article 1. Adjusting the Current Situation to Law
Article 38. Executive Authority
Article 39. Entry into Force
 
89/2007
 
PERSONAL DATA PROTECTION LAW
 
The Assembly of the Turkish Republic of Northern Cyprus makes the following Law:
 
Short Name 1. This Law is named as Personal Data Protection Law.
 
 
SECTION ONE
General rules
 
Commentary
2. Unless the text requires otherwise in this Law:
"Prime Minister" refers to the Prime Minister of the Turkish Republic of Northern Cyprus.
"Chairman" refers to the Chairman of the Personal Data Protection Board established with Article 20 of the Law
"Person subject to information" means real person that information belongs to and whose identity is known or can be determined directly or indirectly, especially on the basis of his identity number or one or more factors of his physical, physiological, mental, economic, cultural, political or social identity .
"Merge" refers to the processing of data in a filing system that allows it to be combined with data held by another controller or controllers, or data held by the same controller for another purpose.
State" refers to Turkish Republic of Northern Cyprus.
“Sensitive data” refers to personal data that reveal racial or ethnic origin, political views, religious or other beliefs, or reveal issues regarding sexual orientation, health or sexual life, or criminal investigation.
"Processor" means the person who processes personal data on behalf of the data collector.
"Processing" or "Processing of personal data", means is implementation of one, few or all transactions regarding collection, recording, processing, storage, deletion, evaluation, use, adaptation or modification, suspending, termination of all personal data by using any method and tools.
"Personal data" refers to all information about an identified or identifiable person.
"Personal data file system" refers to a collection of personal data that is retained in a central or distributed system based on functional or geographical principles and can be accessed by certain methods. "Controller" refers to the Public Institutions and Organizations and real and legal entities, individually or together with others, determine the purposes and methods of processing personal data, that have both the right and authority to establish, operate and audit the personal data file system. "Board" means Personal Data Protection Board established in accordance with Article 20 of this Law.
"Institution and Organization" means general and annexed budget departments, Ministries, local administrations, universities and their stable and revolving funds, state economic enterprises, public and private banks, high boards, autonomous, impartial institutions and organizations, independent regulatory institutions and organizations, the boards, professional organizations that qualify as public institutions, unions, associations and foundations
"Third party" refers to any person other than the subject, controller and processor.
 
Purpose
3. The purpose of this Law is to determine the principles and procedures on protection of personality, fundamental rights and freedoms in keeping personal data subject to processing and the processing and transfer of personal data that constitutes or is planned to constitute a part of a filing system, through automatic or non-automatic methods and means, either completely or partially.
 
Scope
4. The provisions of this Law apply to persons of whom personal data are subject to processing, and to institutions or organizations that process such data, as well as to real and legal entities.
However, personal data processed by real persons for the purpose of transferring to others for commercial or professional benefit and for their own use are out of the scope of this Law.
 
SECTION TWO
Processing of Personal Data 
Principles to be Applied When Processing Personal Data
 
5. (1) While processing personal data, the controller is obliged to comply with the following principles:
(A) Collecting and processing personal data in a legal and fair way,
(B) Collecting personal data for specific, clear and legitimate purposes and processing in accordance with these purposes and not being processed through ways that are incompatible with such purposes,
(C) Personal data being accurate and updated when necessary, (Ç) While ensuring that the purposes of collecting and
processing personal data are fulfilled, at the discretion of the Chairman, the data are not kept for any longer than necessary in a form that may allow identification of the data owner.
However, in case the end of this period, the Chairman comes to the conclusion that rights of the person subject to information or third parties are not affected, preservation of personal data for historical, scientific or statistical purposes may be decided with a reasoned decision.
(2) Controller is obliged to terminae personal data that have been collected or continued to be processed in violation of the provisions specified in paragraph (1) above. In case Chairman determines that the rules of paragraph (1) have been violated either ex officio or upon a complaint, he/she orders the suspension of collecting or processing and termination of personal data that have been collected or processed.
However, in case preservation of such data for historical or scientific purposes is deemed necessary by the Chairman of the National Archive Board established by the Law of the National Archives and Research Department (Establishment, Duties and Working Principles), Chairman may allow them to be kept in the National Archive.
 
15/1990
22/1994
84/2007 
 
Legal processing
 
6. Personal data can be processed if the subject of the information gives his/her consent without causing any doubt.
However, personal data may also be processed without the consent of the subject in the following cases:
(1) Processing is necessary to fulfill the legal obligation to which the controller is subject to,
(2) Processing is necessary to fulfill the legal obligation to which the controller is subject to or upon the request of the person subject to information, in order to take action before becoming a party to the contract,
(3) Processing is necessary for the protection of the vital interests of the person subject to the information,
(4) Processing is necessary for the performance of a task in the public interest or the exercise of public authority vested in the controller or a third party to whom the data was transmitted.
(5) Processing is necessary for legitimate interests pursued by the controller or the third party to whom the data is transmitted, except where the rights, interests and fundamental freedoms of the subject matter prevail.
 
 
Processing of Sensitive Data
 
7. (1) Collecting and processing of sensitive data is prohibited.
However, in cases where the subject of the information has the express consent or the person subject to the information is incapable of giving consent, Sensitive data may be collected and processed if it is necessary for the protection of one's own or another person's vital interests, or in case results derive from a legal obligation.
(2) Sensitive data on health are out of the scope of the prohibition specified in paragraph (1) above. Such data may be collected or processed by individuals or institutions that provide healthcare services as a profession and have confidentiality obligations or are subject to the relevant codes of conduct.
(3) Sensitive data collected and processed in accordance with the provisions of paragraph (1) and (2) above can only be transmitted to third parties upon consent of the person subject to information.
(4) The Council of Ministers, upon the recommendation of the Board in line with a decision to be taken unanimously, may take decisions on making regulations on the processing of sensitive data with the purpose of public interest.
 
 
Notification

8. (1) Controller shall   notify   the   Chairman   in   writing   about   the establishment and operation of a personal data filing system or the initiation of processing.
 
To Chairman
(2) Controller shall include the following points in the aforementioned notification specified in paragraph (1) above:
(A) Full name, professional name or title and address. If the controller is not resident in the Turkish Republic of Northern Cyprus, in addition, he shall indicate the full name, professional name or title and address of his representative in the Turkish Republic of Northern Cyprus. 
(B) The address where the personal data filing system is located or where the basic equipment required for processing is placed,
(C) Explanation of the purpose of processing the data that is processed or planned to be processed or included or planned to be included in the personal data filing system,
(Ç)   Explanation of the category or categories of persons subject to information,
(D) Data categories that are processed or planned to be processed or included or planned to be included in the personal data filing system,
(E) The period which the controller will carry out the processing or preserve the filing system,
(F) Recipients or categories of recipients to whom controller transmits or may transmit data,
(G) Recommended data transmission for third countries and the purpose,
(Ğ) Basic features of the system and measures regarding the security of the filing system or processing.
(3) In case processing or filing system is in one of the categories with special rules determined by the Chairman for processing, Controller makes a notification to the Chairman confirming that the processing will be performed according to these specific rules or that the filing system will be maintained in line with such rules. These specific rules especially determine the form and content of the notice.
(4) The information specified in paragraph (2) above is recorded in the "Filing Systems and Transactions Registry" kept by the Chairman.
(5) Any change in the information regarding paragraph (2) above is notified to the Chairman by Controller in writing and without delay.
(6) The controller is deemed to be exempted from the notification obligation stipulated in paragraph (1) above in the following cases:
(A) With the condition that the processing is performed only for the purposes related to the work and data subject has been notified in advance, necessary for the performance of a legal obligation or execution of a contract,
(B) In case the processing concerns customers or suppliers ofmthe controller, provided that the data are not transferred or transmitted to third parties,
(a) In the implementation of this clause, with the condition that the transmission or communication is made by any law or court order, courts and public authorities are not considered as"third party".
(b) Insurance companies for any type of insurance, pharmaceutical companies, data supply companies and financial institutions such as banks and credit card providers are not exempt from the notification obligation.
(C) With the condition that the processing is carried out by a community, association, company or political party, with the consent of the members and the data is not transferred or transmitted to third parties, in case they contain data on their members, if a notification is made to their members for the purposes of the above-mentioned community, association, company or political parties, the members; courts and public authorities are not considered as third parties if the notification is made by the relevant legislation or court order.
(Ç) With the condition that processing is subject to the medical confidentiality of the controller or other confidentiality required by the relevant legislation or codes of conduct and that data are not transferred or communicated to third parties, in cases it is performed by doctors or other healthcare providers and contains medical information; where processing is performed within the scope of programs related to telemedicine operations or the provision of medical services through a network, clinics, hospitals, health care centers, recovery and detoxification centers, insurance funds and insurance companies and controllers of personal data are not exempt from notification obligation.
(D) In case Controller adheres to the confidentiality requirements stipulated by the relevant law and the data is necessary and directly linked to the requests of its clients, provided that it is not sent or transmitted to third parties, in case processing is made by lawyers and concerns the provision of legal services to their clients.
 
 
MergeMerge of Personal Data File Systems
 
9. style="white-space:pre"> (1) T(1) The merging of personal data file systems is permitted only under the conditions specified in Article 6 of this Law, and when the merge is for an important public interest.
(2) Each merge is notified to the Chairman by a joint application
made by the controller or controllers who will combine two or more personal data file systems.
(3) (A) Even one of the file systems to be merged contains sensitive data, or if sensitive data is exposed as a result of the merge or if a single code number is used for the merging to be made merge is possible only with the "Merge License" given by the Board in return of a fee.
(B) The merge license is issued only after obtaining the controllers' opinion on filing systems and shall include the following points:
(a) style="white-space:pre"> Why the merge is necessary,
(b) The category of personal data the merge relates to,
(c) The period of time the merge is permitted and
(ç) All kinds of terms and conditions put forward to protect the rights and freedoms of the subject and third parties, especially the privacy rights.
(C) The mThe merge license can be renewed upon the application of the controllers.
(4) The applications specified in the paragraph (2) above and the copies of the "Merge License" are included in the Merger Registry kept by the Chairman.
 
 
Data Protection Officer>
 
10. (1) Each institution and organization that processes personal data is obliged to assign at least one personnel to protect the data they have been processing.
(2)   Data Protection Officer monitors and supervises the processing and protection of personal data in the institution in conformity with the information requested by the controller within the framework of this Law.
 
 
SECTION THREE
Data Data Transfer and Confidentiality
Transfer of Data to other Countries
 
11. style="white-space:pre"> (1) The transfer of data processed or intended to be processed toother countries in accordance with the provisions of this Law is only possible with the "Transfer License" to be given by the Board in return of a fee. The Board issues such license only if the country concerned provides proper level of protection. While issuing the "Transfer License", the nature of the data, the purpose and duration of the processing, the general and special principles of the law, the principles of behavior and security measures for the protection of the data and the level of protection in the country of origin, the tool the data is transmitted and the final destination are taken into consideration.
(2) Transfer of personal data to a country that does not provide an adequate level of protection is permitted only if one or more of the following conditions are met:
(A) The person subject to the information gives consent to the transfer provided that it is collected without any doubt and not contrary to the law or accepted moral values.
(B) Transfer is necessary under the following conditions:
(a) ProteProtection of the vital interests of the person subject to the information or
(b) For the completion of a contract concluded between the person subject of information and the controller or controller and a third party for the benefit of the person or fulfilling the provisions of contract or
(c) style="white-space:pre"> For the implementation of pre-contractual measures to be made between the subject of information and the controller, upon the request of person subject to information.
(C) In case transfer is necessary due to the significant public interest, especially due to the fulfillment of the provisions of the contract on cooperation with the public authorities of the other country or the transfer is legally necessary for these reasons.
(Ç) The transfer being necessary to establish, assert and defend legal claims before a court.
(D) The transfer is made from a public registration center that provides information to the public in accordance with the relevant law and is open to the public or to anyone with a legitimate interest, with the condition that access to the registration center is legally available.
(3) The Board may allow the transfer of data to a country that does not provide proper level of protection if the controller has provided adequate guarantees of protection of private and fundamental rights and those rights and guarantees derive from appropriate contractual provisions.
 
 
Confidentiality And Security of Processing
 
12. (1) Processing of data is confidential. This transaction is only performed by the controller, processor or persons acting under the authority of the processor, and only upon the instructions received from the controller.
(2) To perform processing, the controller shall select persons who have appropriate qualifications, provide sufficient assurance in terms of technical knowledge, and have personal credibility to respect confidentiality.
(3) Controller shall take appropriate institutional and technical measures to ensure confidentiality and protection against against unintentional or unlawful damage to data, unintentional loss, alteration, transmission or access to unauthorized persons and any other illegal processing. These measures shall ensure security in the processing process and have the nature to meet the risks that may appear in data processing.
(4) The CThe Chairman may give instructions from time to time regarding the security of data and the necessary protection measures for data in each category, taking into account technological developments.
(5) If the processing is performed by a processor on behalf of controller not under his/her control, the assignment of the processing task shall be made in writing. The assignment shall ensure that the processor performs the processing solely on the instruction of the controller and assumes the other obligations contained in this section.
 
SECTION FOUR>
RightRights of the Person Subject to the Information
Obligation to ınform
 
13. style="white-space:pre"> (1) At the stage of collecting personal data from the person subject to information, controller is obliged to provide at least the following information appropriately and clearly, if the person subject to information has not subject deceived yet:
(A) Identity of himself and his representative, if any,
(B) Purpose of processing.
(2) The controller is also obliged to inform the person subject of information on the following issues:
(A) Recipients of data and recipient categories,
(B) Existence of the right to access and correct data, and
(C) If this data is necessary, provided that the data is processed securely, whether the person subject of the information is legally obliged to help, and if so, the consequences of her refusal.
(3) (A) In case the information is received from third parties, the person subject to the information will be informed in accordance with paragraph (1) above, during the registration of the information or at the stage where the information is expected to be transmitted to third parties, if he/she has not yet been informed.
(B) In case the processing is performed especially for statistical and historical purposes or for scientific research, if it is impossible to inform the person subject to information or disproportionate effort is required to inform person subject to information or if the transmission of information is possible by another law, the rules of paragraph (A) above shall not apply with the condition that permission of the Chairman is obtained in all cases.
(4) Obligation to inform in accordance with paragraphs (1), (2) and
(3) above regarding the collection of personal data, upon the application of the controller and the decision of the Chairman, may be partially or completely ignored for the purpose of defense of the state, national needs or national security, or for the prevention, detection, investigation and prosecution of criminal offenses.
(5) Without prejudice to the rights of the person subject to information referred to in Articles 14 and 15 of this Law and on the condition that the right to privacy and family life have not been violated, there is no obligation to notify if the collecting performed only for journalistic purposes.
  
 
Right to Access>
 
14. (1) Everyone has the right to know whether their personal data has been processed or not. Therefore, the controller shall reply to him/her in writing.
(2) PersoPerson subject to information has the right to ask questions to the
Controller and get answers on below mentioned issues:
(A) style="white-space:pre"> (a) All personal data that have been processed, including their source,
(b) The purpose of the processing, person or persons that receive such information or categories of information subject to processing,
(c) Progress in processing since previous information.
(B) Correction, deletion or blocking of data, especially processing not performed in accordance with the provisions of this Law due to inaccuracies and deficiencies.
(C) Unless it is impossible and does not require disproportionate effort, notification of any correction, deletion or blocking made in accordance with subparagraph
(B) to third parties.
(3) In case controller does not respond within thirty days of submission of the application or the response is deemed unsatisfactory, the person subject to information has the right to apply to the Board. The Board gives decision on this subject.
(4) The person subject to information may exercise right of access with the help of an expert.
(5) Health-related data are notified to the person subject to information through the doctor.
(6) The controller, with the decision of the Board, may limit, delay or reject the subject person to be informed in cases:
(A) It is clearly stipulated in the special law,
(B) An outstanding public benefit, especially necessary for the protection of internal and external security of the State,
(C) Providing information makes it difficult to achieve the purpose of an administrative or criminal investigation Board also informs the reason for these to the person concerned in writing.
 
 
Right to Object
 
15. (1)&n(1)    The person subject to the information has the right to object to the processed,being processed or planned to be processed data at any time for legitimate reasons regarding his/her particular situation. The objection is made in writing to the controller and shall include a request for taking or not taking an action such as correction, temporary withdrawal from use, blocking, refusal from transmission or deletion, non-processing and deletion. The controller shall respond to these objections in writing within fifteen working days following the submission of the request. The response shall include reasons for the transaction or the reasons why the request shall not be fulfilled. If the objections are rejected, the response shall be transmitted to the Board.
(2) In case controller does not respond within the determined time or the response is deemed unsatisfactory, the person subject to information has the right to apply to the Board and request an examination of the objection. Board gives the decision on the subject. In case person subject of the information is at a high risk of victimization and finds the appeals reasonable and the processing continues, Chairman may immediately order suspension of processing until a final decision on the appeal is delivered.
 
 
Exercise of Rights to Access and Object>
 
16. AccesAccess and objection rights are exercised by submitting the application to the controller. Access to the data by using the right of access of the person shall be in return of a fee specified in the clause (2) of Article 37 of this Law. In case the controller or the Board finds the request for correction or deletion of the data is proper, controller is obliged to provide the applicant with a corrected version of the processing in question, in understandable language, without delay and free of charge.
 
Processing for Direct or Indirect Marketing>
 
17. (1) P(1) Personal data cannot be used directly or indirectly by anyone for the purpose of marketing the goods or services unless person subject to information gives written consent to the controller.
(2) If the controller still wishes to use personal data due to the purposes specified in paragraph (1) above, to obtain the consent of the subject person, he / she may use the name and address of the subject person, provided that the information is obtained from public sources.
 
 
Right to Compensate>
 
18. Unless the controller proves that he/she is not responsible for the incident causing the damage, he/she shall indemnify the person subject to the information damaged by the violation of any provisions of this Law.
  
 
 
Confidentiality Obligation of Controller and Processor>
 
19. The controllers and processors shall not transmit or disclose the data of the persons they have learned within the framework of this Law to anyone other than the person or authorities they are legally allowed to transmit. These obligations of the aforementioned persons continue after they leave the office.
 
 
 
SECTISECTION FIVE
Formation, Authority and Duties of the Personal Data Protection Board 
Personal Data Protection Board
 
20. style="white-space:pre"> Within the framework of the protection of personal data and the processing of personal data, a Personal Data Protection Board has been established with legal personality, administrative and financial autonomy that is, responsible for supervising and monitoring the implementation of the provisions regarding the protection of individuals.
  
 
Formation of Board>
 
21. (1) The Board consists of eleven members including a Chairman and ten members;
(2) (A) The Chairman of the Board is appointed by the President and the appointment procedure is approved by the Assembly.
(B) AfterAfter Chairman of the Board is appointed by the President, the issue is submitted to the Presidency of the Assembly for the approval of the Assembly.
(C) The Presidency of the Assembly of the Republic conveys the matter to the Legal and Political Affairs Committee to evaluate the appointment process. The Legal and Political Affairs Committee examines whether the person appointed as the Chairman of the Board has the qualifications stipulated in the 22nd Article of this Law and submits to the General Assembly a Report containing the results of the evaluation.
(Ç) If the report is accepted in the General Assembly, voting is initiated. Voting is performed in accordance with the provisions of Article 163 of the Internal Regulation of the Assembly of the Republic.
  
O.G.Annex IV section II Date:11.12.1985 No:107
A.E.11>
O.G AnnexIV Section II Date:7.2.1986 No: 13
A.E.2
O.G Annex IV Section II Date:19.10.1993 No: 109 A.E.21
O.G Annex IV Section II Date:17.10.2006 No: 171 A.E.32
  
(D) The absolute majority of the total number of members is sought for approval. In case the required majority is not achieved, a second round of voting is held and the absolute majority of the members attending the meeting is considered sufficient for approval in this round.
(3) style="white-space:pre"> (A) Other members of the Board consist of the following persons:
(a) Two members to be appointed by the Assembly of the Republic,
(b) Two members to be appointed by the Council of Ministers upon the proposal of the Prime Minister, one of whom will be among the members of the Public Net Supreme Council formed by the Decree of the Council of Ministers,
(c) One member to be appointed by the Union of Bar Associations, the Cyprus Turkish Chamber of Commerce, the Cyprus Turkish Chamber of Industry, the Union of the Cyprus Turkish Engineers and Architects and the Cyprus Turkish Medical Association and
(ç) A member to be appointed among the academicians by the Higher Education Planning, Auditing and Accreditation and Coordination Board.
 
(B)   (a)    For the appointment to be made by the Assembly of the Republic to the Board, every political party with a group in the Assembly shall nominate deputies as candidates. In addition, those who want to be candidates directly can apply for candidacy.
(b) The rules regarding the determination of the members to be appointed to the Board by the Assembly of the Republic shall be made within the framework of the Internal Regulation of the Assembly.
(c) The Presidency of the Assembly of the Republic submits the files regarding those deputies who are nominated by political party groups or deputies who want to be a candidate directly, to the Legal and Political Affairs Committee to evaluate whether the candidates have the qualifications stipulated in Article
22 below. The Committee prepares a Report containing the evaluation results and submits it to the General Assembly.
(ç) The election is held on the unified ballot paper and within the framework of the Article 163 of the Internal Regulation of the Assembly of the Republic and then appointment procedures are performed.
 
 
Qualifications of Chairman and Members of the Board
 
22. (1) The fThe following qualifications are sought for persons to be appointed as the Chairman and member of the Board:
(A) Being a citizen of the Turkish Republic of Northern Cyprus,
(B) style="white-space:pre"> Being graduated from a university or equivalent college,
(C) Not to be banned from public rights,
(Ç) Not to be sentenced to more than one year of imprisonment or to be convicted of bribery, theft, fraud, extortion, rape, fraudulent bankruptcy and similar disgraceful crimes, even if they have been pardoned,
(D) Not being dismissed from public service due to disciplinary offense.
(2) In addition to the qualifications stipulated in paragraph (1) above, the person to be appointed as the Chairman of the Board requires the following qualifications:
(A) Having worked for at least ten years in a public service or a job at responsible position other than public service, or
(B) Having completed a postgraduate education at the doctoral level and worked for at least five years in public service or at responsible position at a job other than public sector.
  
 
Duties and Authorities of the Chairman>
 
23. The dThe duties and authorities of the Chairman of the Board are as follows:
of the Board (1) To represent the Board in the country and abroad and to manage Board meetings,
(2) To ensure that the powers granted to the Board by this Law are used and the services required by the duties are carried out,
(3) style="white-space:pre"> To monitor and inspect the work of the Board personnel and to take the necessary measures to increase their efficiency,
(4) To ensure the preparation and implementation of the budget and final accounts of the Board and to act as the supervisor of the Board's budget,
(5) Ensuring that the tools, equipment and devices required for the service are purchased in accordance with the Board decisions,
(6) To fulfill other duties assigned to him/her by this Law and to exercise the powers.
 
 
TermsTerms of Missions of the Chairman and members of the Board and Reassignment
24. (1) The term of office of the Chairman and members of the Board is four years.
(2) In the event of a vacancy in the Board Chairman or membership pursuant to Article 26 of this Law, Vacant Presidency or membership shall be filled within one month starting from the date of discharge within the framework of article 21 of this Law. Appointment of the new member will be made from the same quota of the vacant membership. In the case of vacancies at the Presidency of the Board or the memberships appointed by the Assembly of the Republic on a date coinsides with the holiday period of Assembly of the Republic, Approval or assignment is realized within one month following the end of the holiday.
(3) style="white-space:pre"> The person elected to the vacant Board Presidency or membership completes the term of the Board Chairman or member for whom he has been elected.
(4) Until the new Chairman and members are appointed, the duty of the former Chairman and members continues.
However, the office of the Chairman and members dismissed in accordance with subparagraph (Ç) of paragraph (1) of Article 26 of this Law shall not continue.
(5) The Chairman or member of the Board, whose term of office has expired, may be re-appointed.
  
 
Board Chairman and Members that Cannot Become a Member of Political Party Organs>
 
25. Those appointed as Chairman or members of the Board cannot take office in the organs of political parties, starting from the date of their appointment.
  
 
Vacancy of Board Presidency or Membership
 
26. style="white-space:pre"> (1) ChairChairmanship and membership of the Board becomes vacant in the following cases:
(A) In case of death or resignation of the Chairman or member of the Board,
(B) In case one or more of the qualifications stipulated in Article 22 of this Law is lost, 
(C) Failure to attend three consecutive meetings without an excuse,
(Ç) In case of dismissal by the appointing authority or institution; In case the Chairman of the Board is dismissed by the President, this action shall be approved by the General Assembly of the Assembly. In this case, the absolute majority of the members attending the meeting is sought for the approval of the action.>
(2) Due to this Article, The Chairman notifies the vacant membership in writing to the President, the Presidency of the Assembly of the Republic, the Council of Ministers, the Union of Bar Associations, the Cyprus Turkish Chamber of Commerce, the Cyprus Turkish Chamber of Industry, the Cyprus Turkish Union of Engineers and Architects, the Cyprus Turkish Medical Association and Higher Education Planning, Supervision, Accreditation and Coordination Board. The aforementioned notification is made by the oldest member of the Board in case the Board Presidency becomes vacant.
 
 
Meetings of the Board
 
27. (1) The Board meetings are chaired by the Chairman, in his absence, by the oldest member.
(2) In board meetings, the meeting quorum is the absolute majority of the total number of members, and the decision quorum is the absolute majority of those attending the meeting. If the acceptance and rejection votes are equal, the matter put to the vote is deemed rejected. Abstention votes are included in the meeting quorum and are not taken into account in terms of the decision quorum.
(3) Board decisions are taken through open voting.
(4) The continuously working Board convenes at least once a month. When considered necessary, the Board may convene extraordinarily upon the request of the Chairman or by at least four members. The date, time and agenda of ordinary and extraordinary meetings are determined by the Chairman and announced to the members in writing.
(5) Board members cannot participate in decisions regarding complaints on the institutions they represent or a party to.
  
 
Duties of the Board>
  
28. The duties of the board are as follows: 
(1) To provide advice and suggestions on issues related to the processing of personal data and to bring these to the attention of the public at its discretion, if necessary, to prepare draft regulations on these issues and submit them to the Council of Ministers for approval; to set standards and to publish a notification regarding them.
(2) style="white-space:pre"> To give instructions for the implementation of the protective rules regarding processing of personal data.
(3) To isTo issue the licenses stipulated in this Law.
(4) To decide on the complaints of those who claim that their personal rights are violated due to the processing of personal data by controllers, In doing so, to investigate and audit the legitimacy of such data processing, to inform the applicants about all relevant procedures.
(5) style="white-space:pre"> To give consent that there is legally equivalent protection in the other country regarding data transfer to such other countries.
(6) To inspect a file ex officio or upon a complaint. In this context, it has the right to access personal data and collect all kinds of data, including all kinds of confidential data other than the data subject to privacy between the lawyer and the client. Exceptionally, it cannot access details of those whose names are recorded in files held for reasons of national security or specific serious crimes. The supervision is carried out by the employee appointed by the Board for this purpose. Chairman of the Board shall attend personally at an inspection based on a file held for national security reasons. The procedure for supervision is determined by a regulation prepared by the Board, proposed by the Prime Ministry and approved by the Council of Ministers.
(7) To prepare the annual duty report for the previous calendar year. The report also includes suggestions for necessary changes in the relevant legislation, if necessary.
(8) To bring any matter contrary to the provisions of this Law to the attention of the competent authorities.
(9) To employ the personnel in line with the provisions of the Law for the fulfillment of duties and exercising the powers stipulated by the Law.
(10) To cooperate with equivalent boards or institutions established in other countries in terms of fulfilling the duties.
 
 
Revenues, Budget, Final Accounts and Audit of the Board
 
29. (1) Here Here are the revenues of the Board:
(A) The fee stipulated in the regulation to be made in accordance with Article 37 of this Law to be obtained in return for the "Merge License" and "Transfer License" that will be granted by the Board.
(B) style="white-space:pre"> Allowance to be included in the General Budget,
(C) All kinds of aid and donations to the Board, (Ç) Other income.
(2) Unless it is approved by the Assembly of the Republic and entered into force, expenditure shall not be made from the budget of the Board.
HowevHowever, in case new fiscal year budget law does not enter into force for any reason, until the new fiscal year budget law enters into force, 1/12 of the appropriations foreseen in the expense tables linked to the previous year's budget law can be applied monthly and the collection of revenues can be continued.
(3) The fiscal year of the Board is the calendar year that begins on January 1 and ends on December 31.
(4) style="white-space:pre"> (A) The income and expenses of the Board are indicated in the budget of the Board.
(B) The budget of the Board is prepared by the Board at least three months before the beginning of each financial year and sent to the Council of Ministers by the Prime Ministry and submitted to the Assembly of Republic by the Council of Ministers.
(5) (A) The budget of the Board is subject to inspection of Court of Accounts.
(B) B(B) Budget final accounts are submitted for the approval of the Assembly of the Republic within six months after the end of each fiscal year, together with the declaration of conformity of the Court of Accounts.

Full Time Work of the Chairman and Allowances of the Chairman and Members of the Board
30. style="white-space:pre"> (1)&n(1)   (A)    The Chairman of the Board functions full time and shall not engage in any other job during his term of office.
(B) The monthly allowance determined by the Council of Ministers, provided that it is not less than the top level of the scale 18A, is paid to the Chairman of the Board.
(C) style="white-space:pre"> If the Chairman of the Board is appointed from among the public officials, the salary of the public official in his original staff shall be complemented by the amount determined by the Council of Ministers in accordance with subparagraph (B) of this paragraph. However, this allowance is not taken into account for retirement purposes. In case the term of office expires or is dismissed, the Chairman will be reinstated to former position together with previous scale. In such cases, the time spent as Chairman is considered as the actual service period for the purposes of retirement and in-office level increase. In case term of office of the Chairman of the Board appointed from outside the public service expires or is dismissed within the term of office, he/she will be dismissed from the Board.
(2) Attendance fee is paid to members of the Board to be determined by the Council of Ministers for each meeting day they give service.
  
 
Execution of Board Services and Status of Board Personnel>
 
31. (1) A(1) An office is established for Chairman and the members for undertaking the services within the framework of power and authority assigned to them by the Law.
(2) It is essential that the personnel to be employed in the office are employed and contracted within the framework of the Labor Law. The number of staff cannot exceed 10 persons, including 1 Coordinator, 1 Lawyer, 3 Information / Document Manager, 2 Auditing Officers, 1 Financial Affairs Officer, 1 Secretary, 1 Chamberman / driver.

22/1992
30/1993>
25/2000
51/2002
15/2004
  
 
Rules Regarding Personnel>
 
32. (1) PersoPersonnel are employed by the Board and their terms of service are specified in their contracts.
(2) The wages to be paid to the personnel are given according to the levels and degrees determined by the Council of Ministers and are shown in the Board's Budget every year.
 
 
Confidentiality Obligation of Chairman, Members and Personnel of the Board>
 
33. The Chairman of the Board, its members and any personnel working at the Board cannot disclose the secrets of the concerned parties and third parties during their work and supervision to anyone other than the legally authorized offices and cannot use them for their own benefit.
This obligation continues even after they leave the office.
  
  
Complaint Application
 
34. style="white-space:pre"> Complaints arising from the implementation of the provisions of this Law are made to the Board with an application. The Board is obliged to examine the complaints and give a written reply to the relevant person within 30 days.
 
 
SECTISECTION SIX
Crimes and Punishments
Administrative fines
 
35. style="white-space:pre"> (1) Of thOf this Law,
(A) 1,000 YTL (Thousand New Turkish Lira) for those who do not fulfill their obligations in the 5th, 6th and 8th, 13th, 14th and 15th Articles;
(B) style="white-space:pre"> Those who do not fulfill the obligations specified in Articles 11 and 17, 2,000 YTL (Two Thousand New Turkish Liras);
(C) 3,000 YTL (Three Thousand New Turkish Liras) for those who do not fulfill the obligations specified in articles 7 and 12;
AdminAdministrative fine shall apply.
(2) Administrative fines indicated in paragraph (1) above are imposed and communicated by the Board. These decisions of the Board can be appealed to the Supreme Administrative Court. Administrative fines are paid within one month from the date the application period expires if the Supreme Administrative Court is not applied, and if an application is made to the Supreme Administrative Court, fine is paid within one month after the final decision is notified to the applicant.
(3) The fines imposed by the Board in accordance with this Article are collected in accordance with the Law on Collection of Public Receivables.
 
48/1977>
28/1985
31/1988
31/1991
23/1997
54/1999
35/2035/2005
 
 
Crimes and Punishments>
 
36. (1)    Anyone interfering with or owning a file containing personal data, or deleting, modifying, damaging, destroying, processing, transmitting and transferring the data, or causing the data to be handled by unauthorized parties or allowing such persons to own the data, or using the data in any condition will be deemed as committed a crime and in case of conviction, he/she may be sentenced to a fine of up to 15,000 YTL (Fifteen Thousand New Turkish Liras) or a prison sentence of up to five years or both.
(2) Those who act against the provisions stipulated in articles 19and 33 of this Law will commit a crime and may be fined up to 10,000 YTL (Twenty Thousand New Turkish Liras) in case of convictions.
(3) Those who prevent or disallow the inspection by the Board or the personnel to be appointed pursuant to the paragraph (6) of Article 28 of this Law without a legal justification shall deemed as committed a crime and if they are convicted, they may be fined up to 10,000 YTL (Ten Thousand New Turkish Liras).
 
 
SECTION SEVEN
ProviProvisional and Final Rules
Authority to Make Regulations Regarding Licenses and Fees
37. (1) The fee to be paid for the "Merge License" and "Transfer License" and the rules regarding the form and procedure to be implemented while granting the license and
(2)   The fee to be paid for access to information stipulated in Article 16 of this Law,
are arranged through a by-law prepared by the Board, proposed by the Prime Ministry and approved by the Council of Ministers. The fee to be determined shall not be less than five per thousand of the monthly minimum wage and cannot exceed the monthly minimum wage.

Provisional Article Adjusting the Current Situation to Law Executive Authority
 
1. Public institutions or organizations and real and legal entities that process personal data are obliged to adapt their situation to the provisions of this Law within six months from the date of announcement by the Board.
38. style="white-space:pre"> This Law is executed by the Prime Minister on behalf of the Council of Ministers.
 
Entry into Force
 
39. This Law enters into force when published in the Official Gazette.