NEWSLETTER-2020-metin

397 PERSONAL DATA PROTECTION

law. Within this scope, the recourse relationship between the data controller and the data processor is reserved.

• Data Protection Officer and Data Protection Representative: Two concepts are not regulated in the KVKK but must be designated under the GDPR when the conditions it specifies are met. These concepts are the data protection officer (“DPO”) and the data protection representative (“DPR”). Pursuant to Article 37 of the GDPR, it is compulsory to designate a DPO in cases where i) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; ii) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or iii) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9, or personal data relating to criminal convictions and offences referred to in Article 10. Similarly, pursuant to Article 27 of the GDPR, data controllers who are not resident/established in the EU are obliged to designate a DPR who is resident/established in any of the EU countries, except in cases where i) the data processing is rare, and this rare processing does not include large scale processing of sensitive personal data, or ii) the controller is a public authority or body.

• Data Protection Impact Assessment: Article 35 of the GDPR stipulates that a Data Protection Impact Assessment (“DPIA”) shall be carried out in case of i) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly and significantly affect the natural person; ii) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or iii) a systematic monitoring of a publicly accessible area on a lar -
