NEWSLETTER-2019-metin

274 NEWSLETTER 2019 A data controller is obliged to inform the data subjects of the identification of the controller and his representative, if any; the pur- pose of the data processing; the details of data transfer, the method and legal reason for the collection of personal data, as well as other rights specified in the Law. The data controller is required to take all nec- essary technical and administrative measures to provide a sufficient level of security in order to prevent unlawful processing of personal data and unlawful access to personal data, and to ensure the retention of personal data. Moreover, if the reasons for processing the data are extinguished, any relating personal data must be deleted, destroyed or anonymized automatically, or upon the request of a related person by the data controller. In order to fulfill these obligations, the data con- troller may install a system to monitor the personal data process, peri- odically. The data controller is obliged to conclude the applications of the data subjects within a maximum period of 30 days, to register with the Data Controllers’ Registry (“Registry”), to prepare a personal data inventory, to assign a contact person, and to notify unlawful data pro- cessing activities of the data subjects and the Board, within the context of the legislation. More detailed information regarding obligations of the data controller is stated in the Guideline of Rights and Obligations within the Law which was issued by the Authority 2 . Data Processor In accordance with paragraph (e) of Article 3, data processing is any operation performed concerning personal data, such as the col- lection, recording, storage, retention, alteration, re-organization, dis- closure, transferring, taking over, making retrievable, classification or preventing the use thereof, fully or partially, through automatic means or, provided that the process is a part of any data registry system, through non-automatic means. Even the storage of the data on a hard disk drive, compact disk, flash memory, or in a file without further processing, are considered to be data processing. A data processor is a real person or a legal entity, outside the organization of the data controller, who processes personal data on 2 Please see https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/37fa799d- 818b-4654-bca0-3be8e5d88ddf.pdf (Access date: 19.09.2019).