The Personal Data Protection Authority (“Authority”) issued a public announcement on 23 March 2020. With the public announcement is published, it aimed to eliminate the question marks on how the periods stipulated under the Personal Data Protection Law No. 6698 (“Law”) shall operate during the Covid-19 outbreak.
In this statement, Personal Data Protection Board (“Board”) shall take into account the operational application of the data controller in case of any delay in compliance with the periods regarding the complaint, notice and data breach notification issued within the scope of the Law. To explain it more precisely, the Board shall consider the extraordinary conditions that we are in for each application or data breach notification, in terms of evaluating the time that data controllers are obliged to comply with.
When we examine this announcement of the Authority, it is obvious that it shall be more flexible about the periods stipulated in Law. However, it shall be kept in mind that the discretionary power in the matter is in the Board. When using this discretion, the operational factors in which the data controller is involved shall take into account by Board the extent to which the Covid-19 virus process is affected.
Another issue that arouses curiosity is whether the obligation to register to the Data Controllers Registry, which was postponed with the announcement published on 27 December 2019, shall also be postponed.
In this respect, it is essential to follow the public announcements and regulations in the right way to elaborate on how Authority shall go to the terms stipulated in the Law.