Terminology
A comprehensive glossary of privacy and data protection terms used across global regulations.
Personal Data
Category: Core Concepts
Any information relating to an identified or identifiable natural person. This includes name, identification number, email address, IP address, location data, and similar information.
Example: Name, surname, national ID number, email address, IP address
Also known as: Şahsi Veri, Bireysel Veri
Special Categories of Personal Data
Category: Core Concepts
Data revealing racial or ethnic origin, political opinions, religious beliefs, health data, sexual orientation, genetic data, biometric data, and criminal conviction data.
Also known as: Hassas Veri, Sensitive Data
Special Category Data
Category: data_protection
Data revealing racial or ethnic origin, political opinions, religious beliefs, health data, and data concerning sex life.
Example: Health report, biometric data, criminal conviction records
Also known as: hassas veri, sensitive data
Data Controller
Category: Actors
The natural or legal person which determines the purposes and means of processing personal data and is responsible for establishing and managing the data filing system.
Example: Company, institution, association, foundation
Also known as: Kontrolör
Data Processor
Category: Actors
A natural or legal person who processes personal data on behalf of the data controller based on the authority given by the controller.
Example: Cloud service provider, payroll company, marketing agency
Also known as: İşleyici
Data Subject
Category: Actors
An identified or identifiable natural person whose personal data is being processed. Only natural persons can be data subjects under data protection law.
Also known as: Veri Sahibi
Explicit Consent
Category: Legal Basis
A freely given, specific, informed and unambiguous indication of the data subject's wishes. Consent cannot be obtained through silence or pre-ticked boxes.
Example: Ticking a consent box, written declaration, electronic signature
Also known as: Onay, Muvafakat
Processing of Personal Data
Category: Core Concepts
Any operation performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure or destruction.
Also known as: Veri İşleme
Data Controllers Registry
Category: Regulatory
Data Controllers Registry Information System. The official registry in Turkey where data controllers are required to register with the Personal Data Protection Authority.
Example: Companies registering with VERBİS
Also known as: Veri Sorumluları Sicili
Legitimate Interest
Category: Legal Basis
Processing necessary for the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights of the data subject.
Also known as: Yasal Çıkar
Performance of Contract
Category: Legal Basis
Processing necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.
Also known as: Sözleşme Gereği
Legal Obligation
Category: Legal Basis
Processing necessary for compliance with a legal obligation to which the controller is subject.
Also known as: Hukuki Yükümlülük
Public Interest
Category: Legal Basis
Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Also known as: Kamusal Görev
Right to Information
Category: Data Subject Rights
The right of the data subject to obtain information about whether their personal data is being processed and to request information about such processing.
Also known as: Erişim Hakkı
Right to Rectification
Category: Data Subject Rights
The right of the data subject to obtain the rectification of inaccurate personal data and to have incomplete data completed.
Also known as: Güncelleme Hakkı
Right to Erasure
Category: Data Subject Rights
The right of the data subject to obtain the erasure of personal data. Also known as the 'Right to be Forgotten' under GDPR.
Also known as: Unutulma Hakkı, Right to be Forgotten
Right to Object
Category: Data Subject Rights
The right of the data subject to object to the processing of their personal data, particularly for direct marketing purposes.
Also known as: Karşı Çıkma Hakkı
Right to Data Portability
Category: Data Subject Rights
The right to receive personal data in a structured, commonly used and machine-readable format and to transmit that data to another controller.
Also known as: Taşınabilirlik
Automated Decision-Making
Category: Data Subject Rights
The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects the data subject.
Also known as: Profilleme
Transparency Obligation
Category: Obligations
The obligation of the data controller to inform data subjects about: controller identity, processing purposes, recipients, collection method, legal basis, and their rights.
Also known as: Bilgilendirme Yükümlülüğü
Data Security
Category: Obligations
Implementation of appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage.
Also known as: Bilgi Güvenliği
Data Breach Notification
Category: Obligations
The obligation to notify the supervisory authority within 72 hours of becoming aware of a personal data breach, and to communicate to data subjects if the breach is likely to result in a high risk to their rights and freedoms.
Also known as: İhlal Bildirimi
Records of Processing Activities
Category: Obligations
The obligation for controllers and processors to maintain records of processing activities under their responsibility.
Also known as: İşleme Faaliyetleri Kaydı
Anonymization
Category: Technical Measures
The process of removing or modifying personal data so that the data subject is no longer identifiable, even when combined with other data.
Also known as: Kimliksizleştirme
Pseudonymization
Category: Technical Measures
Processing personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information kept separately.
Also known as: Pseudonymization, Rumuz Kullanma
Encryption
Category: Technical Measures
The process of encoding data using cryptographic algorithms so that only authorized parties can access it.
Also known as: Kriptolama
Privacy by Design
Category: Technical Measures
An approach to systems engineering which takes privacy into account throughout the whole engineering process from the outset.
Also known as: Mahremiyet Odaklı Tasarım
Privacy by Default
Category: Technical Measures
The principle that products and services should be configured with the highest privacy settings by default.
Also known as: Default Privacy
Adequacy Decision
Category: International Transfer
A decision by the competent authority that a third country ensures an adequate level of protection for personal data transfers.
Also known as: Yeterli Koruma Kararı
Standard Contractual Clauses
Category: International Transfer
Pre-approved contractual clauses for transferring personal data to countries without an adequacy decision.
Also known as: Model Sözleşme
Binding Corporate Rules
Category: International Transfer
Internal rules adopted by multinational companies for international transfers of personal data within the corporate group, approved by the supervisory authority.
Also known as: BCR
Cross-Border Transfer
Category: International Transfer
The transfer of personal data to recipients outside the country. Requires explicit consent or adequate safeguards under data protection law.
Also known as: Uluslararası Aktarım
Personal Data Protection Authority
Category: Regulatory
The independent administrative authority responsible for regulating and supervising personal data protection in Turkey.
Also known as: KVKK Kurumu, Kurum
Personal Data Protection Board
Category: Regulatory
The decision-making body of the Personal Data Protection Authority, authorized to make decisions, regulations and impose administrative sanctions.
Also known as: Kurul
Supervisory Authority
Category: Regulatory
An independent public authority responsible for monitoring and enforcing the application of GDPR in the member state.
Also known as: Veri Koruma Otoritesi, DPA
European Data Protection Board
Category: Regulatory
An independent European body composed of representatives of national data protection authorities, ensuring consistent application of GDPR.
Also known as: EDPB
Administrative Fine
Category: Sanctions
Financial penalty imposed by the supervisory authority for violations of data protection law. Under GDPR, fines can reach up to €20 million or 4% of global annual turnover.
Also known as: Para Cezası
Data Protection Officer
Category: Actors
A designated expert who advises on data protection matters and monitors compliance with data protection regulations within an organization.
Also known as: DPO, Kişisel Verileri Koruma Sorumlusu
Data Protection Impact Assessment
Category: Risk Management
A systematic assessment conducted before high-risk processing activities to identify and mitigate risks to individuals' rights and freedoms.
Also known as: DPIA, Etki Değerlendirmesi
Data Minimization
Category: Principles
The principle that personal data collected should be adequate, relevant and limited to what is necessary for the purposes for which they are processed.
Also known as: En Az Veri İlkesi
Purpose Limitation
Category: Principles
The principle that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
Also known as: Amaçla Sınırlılık
Data Accuracy
Category: Principles
The principle that personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased or rectified without delay.
Also known as: Doğruluk İlkesi
Storage Limitation
Category: Principles
The principle that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed.
Also known as: Saklama Sınırlaması
Accountability
Category: Principles
The principle that the controller is responsible for, and must be able to demonstrate compliance with, data protection principles.
Also known as: Sorumluluk İlkesi
Children's Personal Data
Category: Special Cases
Processing of children's personal data requires special protection. GDPR sets a consent age of 16 for information society services, though member states may lower this to 13.
Also known as: Çocuk Verileri
Cookie
Category: Technical Concepts
Small text files placed on users' devices by websites. May contain personal data and require a cookie policy and explicit consent.
Also known as: Cookie, Web Çerezi
Personal Data Breach
Category: Security
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Also known as: Veri İhlali, Data Breach
Third Party
Category: Actors
A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who are authorized to process personal data under the direct authority of the controller or processor.
Also known as: Dış Taraf
Data Processing Agreement
Category: Contracts
A contract between a data controller and data processor that specifies the terms and conditions of data processing and security measures.
Also known as: DPA, Veri İşleyici Sözleşmesi
Privacy Notice
Category: Documents
A document that explains to data subjects how their personal data is processed. Used to fulfill the transparency obligation.
Also known as: Privacy Policy, Gizlilik Politikası
Withdrawal of Consent
Category: Data Subject Rights
The right of the data subject to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
Also known as: Onay İptali
Restriction of Processing
Category: Data Subject Rights
The marking of stored personal data with the aim of limiting their processing in the future, at the request of the data subject.
Also known as: İşleme Kısıtlaması