| Following enactment of Data Protection Law with no 6698 (“Law”), Data Protection Authority (“Authority”) has started to render its decisions on particular issues related to data security for explanatory purposes. In this respect, the Authority has made explanations for access authorization of company employees through its principle decision with the date of 31.05.2018, with the decision number of 2018/63 and which is announced at the Official Gazette dated 04.07.2017 (“Decision”). |
|
|
| With the Decision, the Authority has indicated that it is against Article 12/1 of the Law to processing personal data and/or sharing these information with third parties by company employees, who have access to personal data due to their position and task at the data controller company, by way of exceeding their authorizations and misconducting. |
|
|
| Additionally, the Authority has acknowledged that data controller companies should take all the required technical and administrative precautions in order to prevent such kind of unlawful activities in this regard. |
|
|
| In line with the explanations above, companies’ business processes and purpose of personal data processing must be determined and access authorization of company employees should be defined within this context. |
|
|
| Please contact us if you have any queries. |
Contributing Advisors
