PERSONAL DATA PROTECTION (KVK) IN THE WORLD AND THE EU
New Zealand Privacy Bill (20.03.2018)
"Much has changed in the world since the Law Commission reported in 2011. New Zealand’s once world leading privacy law has slipped behind developments in a number of jurisdictions we compare ourselves to. Better privacy and data protection regulation is a growing trend in OECD countries which include Britain, Canada and Singapore. Australia has already reformed its Privacy Act and in Europe, the General Data Protection Regulation (GDPR) is set to take effect in May this year.
The new Bill includes moves in that direction by:
- empowering my office to issue a compliance notice in the event of a breach of the Act;
- empowering my office to issue a determination when a person has requested access to personal information and has been refused; and
- the introduction of mandatory reporting of harmful privacy breaches – bringing New Zealand into line with international best practice."
Data Protection Act (2000)
The Austrian Data Protection Act (Datenschutzgesetz 2000; DSG 2000, Federal Law Gazette I No. 165/1999) came into effect on 1 January 2000. In implementation of the Directive on Data Protection 95/46/EC, the act provides for a fundamental right to privacy with respect to the processing of personal data which entails the right to information, rectification of incorrect data and removal of unlawfully processed data. It regulates the pre-conditions for the lawful use and transfer of data, including mandatory notification and registration obligations with the Data Protection Commission. Furthermore, it provides for judicial remedy in case of breach of its provisions.
The 'Privacy Law' of December 1992 is intended to protect citizens against the abusive use of personal data. The law defines the rights and duties of both the data subject and the processor. It moreover provides the legal basis for the creation of an independent body in charge of overseeing the correct use of personal data, namely the Commission for the Protection of Privacy. Since its promulgation, this law was significantly modified in 1998 in order to transpose the EU Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Directive 95/46/EC). This law is now available in its ‘consolidated version’ dated August 2007.
In addition, it is worth noting that a specific law containing provisions relating to spamming was adopted on 24 August 2005, so as to transpose the related article of the EU Directive 2002/58/EC on privacy and electronic communications (the ‘ePrivacy Directive’).
Adopted in January 2002 and last amended in October 2016, the Law for Protection of Personal Data has been modelled on the EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. It applies to the protection of individuals with regard to the processing of personal data, granting them the right to access and correct information held about them by public and private bodies. It defines lawful grounds for the collection, storage and processing of the personal data of individuals. Application of the Act is overseen by the Commission for Personal Data Protection, an independent supervisory authority.
Law on Personal Data Protection (NN 106/12)
The Law on Personal Data Protection was adopted in June 2003, implementing the relevant EU Directive (95/46/EC). It foresees that personal data may be transferred cross-border and processed in another jurisdiction, to the extent that this jurisdiction can ensure an adequate level of protection. The law was amended once on 20 October 2006 (NN 118/06), while the last amendment took place on 3 April 2008 (NN 41/08).
The 'Processing of Personal Data (Protection of Individuals) Law' (138(I)/2001) entered into force in November 2001, and was amended by Law 37(I)/2003. It is compliant with the acquis communautaire and, in particular, with the European Directive 95/46/EC on Data Protection. On 31 December 2007, the 'Retention of Telecommunication Data for Purposes of Investigation of Serious Criminal Offences Law' of 2007 (Law 183(I)/2007) was introduced, harmonising Cypriot legislation with EU Directive 2006/24/EC of 15 March 2006. The law regulates the terms under which the retention of personal data for the purpose of crime investigation, detection and prosecution is legal.
Act on the Protection of Personal Data (2000, last amendment: 2011)
The Data Protection Act (No. 101/2000) was adopted in April 2000 with the aim to protect the citizens’ right to privacy. To this end, it regulates the rights and obligations regarding the processing of personal data and specifies the conditions under which personal data may be transferred to other countries. Furthermore, it allows individuals to access and correct their personal information held by public and private bodies. It is enforced by the Office for Personal Data Protection. It was last amended in 2011.
This act entered into force on 1 July 2000 in order to implement Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, allowing individuals to access their records held by public and private bodies. The Act, which was amended in 2007, is enforced by the Datatilsynet (Data Protection Agency). Other laws regulating the processing of personal information by the public sector include the Public Administration Act of 1985, the Publicity and Freedom of Information Act of 1985, the Public Records Act of 1992 and the National Registers Act of 2000. These laws set out basic data protection principles and determine which data should be available to the public and which data should be kept confidential.
Providers of electronic networks and services are required to notify the competent body for eGovernment in cases of data breaches that have significant consequences on the provision of services or concern person-identifiable information. This legal requirement implements in part Directives 2009/140/EC and 2009/136/EC. The Act has been amended several times and amendments have been consolidated in the Amendment Act of 2014.
Act on Marketing Practices (2013)
In June 2003, an amendment to the Marketing Practices Act was adopted to implement the Directive on ‘privacy and electronic communications’ 2002/58/EC. This transposition entailed a change to Denmark's legal data protection framework on spam. According to the Directive, people who have already given their address to businesses can be spammed with advertisements for 'similar services' ('soft opt-in'), which the Danish legislation had not allowed until then. Amendments have been consolidated in the Consolidated Marketing Practices Act (2013).
Consumer Protection Act (2004)
This Act entered into force on 15 April 2004 and it regulates the offering and sale, or marketing in any other manner, of goods and services to consumers by traders. Furthermore, it determines the rights of consumers as the purchasers or users of goods or services, and provides for the organisation and supervision of consumer protection and liability for violations of this Act. Some minor amendments were included and entered into force on 1 January 2015 (proceedings and punishments for legal persons).
Personal Data Protection Act (1996)
The first Personal Data Protection Act (PDPA) entered into force on 19 July 1996. The Act was amended in 2003, to be made fully compliant with the EU Data Protection Directive 95/46/EC, and once again amended in January 2008. The Act protects the fundamental rights and freedoms of persons with respect to the processing of their personal data, in accordance with the right of individuals to obtain freely any information that is disseminated for public use.
The 2008 version of the Act introduced several changes. Firstly, the previous classification of personal data into three groups (non-sensitive personal data, private personal data and sensitive personal data) has been replaced by two data categories: (1) 'personal data' and (2) 'sensitive personal data', the latter being the sub-class under special protection. Secondly, all processed personal data are protected and registered by Chief processors (i.e. controllers) with the Data Protection Inspectorate, the data protection supervision authority. Moreover, the new PDPA Act extends all general principles applying to the processing of personal data and to the processing of the personal identification code (the unique number assigned to every Estonian citizen and resident).
From 1 January 2015 the Data Protection Inspectorate may submit reports concerning significant matters which have an extensive effect or need prompt settlement which become known in the course of supervision over compliance with the Act to the Constitutional Committee of the Riigikogu and the Legal Chancellor.
This Regulation entered into force on 1 January 2008 and establishes the system of security measures for information systems used for processing the data contained in state and local government databases and for information assets related therewith. The system consists of the procedure for the specification of security measures and the description of organisational, physical and IT security measures to protect data. However, it is underlined that this Regulation does not apply to security of information systems processing state secrets.
Personal Data Act (1999)
The Personal Data Act, which came into force on 1 June 1999, replaced the Personal Data File Act of 1988, which was the first law concerning data protection in Finland, aiming at preventing violations of integrity at all stages of data processing. The functional objective was to promote the development of and compliance with good data processing practices. The main principles of the protection of privacy remained largely unchanged in the 1999 Act. It accommodates the constitutional reform and the EU Data Protection Directive (95/46/EC). The basic rights and freedoms of individuals are even more strongly emphasised in the processing of personal data. It is overseen and enforced by the Data Protection Ombudsman. Other legal documents contain special provisions regarding the processing of personal data. The Act on the Openness of Government Activities (1999) controls access to public registers. The protection of privacy in electronic communications is also regulated by the Information Society Code (2014).
The Law on ‘Informatics and Liberty’ was adopted on 6 January 1978. The Law provides a legal framework for the use of identifiers in databases and the processing of personal data by public and private sector organisations. The Law created a National Commission for Informatics and Liberty (CNIL), which is in charge of overseeing its implementation and observance. The CNIL also has an advisory role in the planning of administrative data systems. The Law on Informatics and Liberty was amended by law no. 2004-801 of 6 August 2004 implementing the EU Data Protection Directive (95/46/EC).
Law on Personal Data Protection (2005, 2008)
Harmonisation of legislation in the area of personal data protection has been one of the government’s priority activities since 2002. A new law on personal data protection, amended to include EC recommendations, was drafted in 2004, adopted on 25 January 2005 and modified to comply fully with the European Directive 95/46/EC in 2008 (Official Gazette no. 7/2005 and 103/2008). The law represents a 'lex generalis' in the area of data protection in the country.
According to the law, personal data shall be: fairly and lawfully processed; collected for specified, explicit and legitimate purposes; processed in a manner which is consistent and proportionate with these purposes; accurate and complete; kept for no longer than the necessary time frame for fulfilling the above mentioned purposes. Further amendments to the law were made in 2010, 2011, 2014 and 2015.
Law on Electronic Management (2009)
The Law on Electronic Management (Official Gazette, no. 105, 21/08/2009), adopted on 21 August 2009, regulates the work of ministries and other government authorities in the exchange of data and documents in electronic format, in relation to the implementation of administrative services by electronic means. Seven bylaws were adopted in June 2010 to enable its implementation, as well as that of electronic workflow procedures and electronic document exchanges. Those acts regulate issues such as environment and communication; certification of information systems; format and content of administrative services by electronic means such as electronic documents; standards and regulations for electronic communication; technical requirements; security of information systems; format and content of administration of databases and others.
Further amendments to the law were made in 2011.
Federal Data Protection Act (2003)
Germany has one of the strictest data protection laws in the European Union. The world's first data protection law was passed in the German Land of Hessen in 1970. In 1977, a Federal Data Protection Law followed, which was replaced in 1990, amended in 1994 and 1997. An additional revision took place in August 2002 to align German legislation with the EU Data Protection Directive (95/46/EC). The general purpose of this law is 'to protect the individual against violations of his personal rights by handling person-related data.'
Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data was adopted in April 1997. It establishes the terms and conditions under which the processing of personal data is to be carried out so as to protect the fundamental rights and freedoms of natural persons and in particular their right to privacy. It also allows any person to obtain their personal information held by government departments or private entities. The law is enforced by the Hellenic Data Protection Authority. It is complemented by Law 2774/1999 on the Protection of Personal Data in Telecommunications, and by Law 3115/2003 that establishes the Hellenic Authority for the Information and Communication Security and Privacy in order to protect the secrecy of mailing, the free correspondence or communication in any possible way, as well as the security of networks.
Law 3471/2006 was adopted on 28/06/2006, revising Law 2472/1997. It is intended to establish preconditions for the processing of personal data and to ensure confidentiality in telecommunications. Law 3471/2006 was amended by Law 3917/2011 and Law 4070/2012.
Law 3674/2008 sets out the obligations of the service provider for the security of telephone services. According to these provisions, the provider is responsible for security matters under the supervision of premises, facilities, connections and hardware systems and software. To this end the provider has an obligation to take appropriate technical and organisational measures and to use hardware and software that ensure the confidentiality of communications and the detection of breach, or attempted breach, of confidentiality of communications.
Act No. CXII of 2011 on Informational Self-determination and Freedom of Information (also available in English) is a combined Data Protection and Freedom of Information Act. This Act sets rules and safeguards for the processing of personal data by public and private bodies. Its application is overseen by the National Data Protection and Freedom of Information Authority.
The Act on the Protection of Privacy as regards the Processing of Personal Data (No. 77/2000) was passed in 2000 and came into effect on 1 January 2001. The act implements the EC Data Protection Directive (95/46/EC) and deals with how the protective principle relates to data quality, and presents criteria for the legitimacy of data processing. The act applies to any automated processing of personal data and to manual processing of such data if it is, or is intended to become, a part of a file.
Data Protection Act (24 May 2018)
An Act to establish a body to be known as An Coimisiún um Chosaint Sonraí or, in the English language, the Data Protection Commission; to give further effect to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); to give effect to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA; to give further effect to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data done at Strasbourg on the 28th day of January 1981 and for those and other purposes to amend the Data Protection Act 1988; to provide for the consequential amendment of certain other enactments; and to provide for related matters.
Data Protection Strategy 2014 - 2016
The mission of the strategy is to protect the individual’s right to data privacy by enabling people to know, and to exercise control over, how their personal information is used, in accordance with the Data Protection Acts and related legislation.
The Data Protection Act of 1988 was amended in 2003 to ensure full compliance with the EU Data Protection Directive (95/46/EC). The aim of the Directive is to establish common standards of data protection across Member States in order to protect personal privacy and to ensure the smooth operation of the internal market, while ensuring adequate levels of data protection in countries outside the European Economic Area to facilitate and encourage international trade (Department of Justice and Law Reform). The Data Protection Commissioner oversees and enforces the Act.
Copyright and Related Rights Act (2000)
This Act effects a total reform of Irish copyright and related rights law, bringing it fully into line with the requirements of EU and international law in this area. It places Ireland among world leaders in terms of standards for copyright protection.
Data Protection Code (2004)
The Data Protection Code entered into force on 1 January 2004. It replaces the previous Data Protection Law (Law no. 675/1996), as well as a number of other legislative and regulatory provisions.
The Data Protection Code updates, completes and consolidates Italy's data protection legislation (1996) by introducing important innovations and conforming national legislation to European regulations, in particular the Data Protection Directive (95/46/EC) and the Directive on privacy and electronic communications (2002/58/EC). The code aims to strengthen the data protection rights of individuals, allowing them to exercise their rights and instigate proceedings more easily. The Code was last amended on 4 November 2010.
The Data Protection Commissioner ('Garante Privacy') is in charge of supervising and enforcing the application of the Data Protection Code. In an effort to simplify the complaint process, the Commissioner has published a complaints' form on its website.
Personal Data Protection Law (2000)
The Law on Personal Data Protection was adopted by Parliament on 23 March 2000. It is based on standard fair information practices and is fully compliant with the EU Data Protection Directive (95/46/EC). The aim of this Law is to protect the fundamental human rights and freedoms of natural persons, in particular the inviolability of private life with respect to the processing of personal data. Application of the Law is overseen by the State Data Inspectorate, which is also responsible for spam supervision.
The Information Technologies Security Law came into force on 1 February 2011. It aims to improve information technologies security by defining the key requirements for organisations to guarantee the security of essential electronic services. The law provides for the identification and protection of critical infrastructure, the establishment and organisation of an IT Security Incident Response Institution (national CERT), the determination of conduct in information technology security incidents, the setup of minimum security requirements for state and municipal institutions and the implementation of Directive 2009/140/EC by electronic communications service providers.
The Data Protection Act of 14 March 2002 provides for the rights and obligations of private individuals and State authorities, implementing into national law the EU Directive 95/46/EC on the protection of individuals concerning the processing of personal data and the free exchange of data. The Act (register number 235.1) was supplemented by two regulations in July 2002 (register number 235.11) and February 2006 (register number 235.111). The latter concerns the use of personal data by the police for cases related to terrorism, national security and crime prevention. In September 2008, the Parliament adopted a partial revision of the Data Protection Act, bringing the law into line with EU agreements regarding the connection to European database systems, such as the Schengen Information System (SIS), or the Eurodac service. The revised law focuses on the independence of data protection from the Executive and underlines its main role in ensuring the protection of personal rights and the respect for privacy.
The law on Legal Protection of Personal Data was adopted on 11 June 1996 and last amended on 1 January 2009. Its main purpose is the protection of an individual’s right to privacy with regard to the processing of personal data. The law is fully compliant with the EU Data Protection Directive (95/46/EC).
Data Protection Act (2007)
The Data Protection Act, which implements Directive 95/46/EC regarding the protection of personal data of 2 August 2002 and which was amended by the law of 27 July 2007, governs the processing and use of personal data in Luxembourg.
The Data Protection Act of 2002 governs the processing and use of personal data, and goes beyond the framework of the EU Directive by covering not only natural, but also moral persons. It contains specific provisions on the processing of medical data by health services, the processing of personal data for surveillance purposes and in the workplace. The Data Protection Act applies to "data controllers" ("a natural or legal person, public authority, agency, or any other body which solely or jointly with others determines the purposes and methods of processing personal data") and "data processors" ("any natural or legal person, public authority, administrative body or other entity that processes personal data on behalf of the controller" excluding any of the data controller's employees).
The law also created a new data protection authority, the Commission nationale pour la protection des données (CNPD) in December 2002. The CNPD is an independent agency whose task is to regulate the processing of personal data in Luxembourg and ensure compliance with data protection regulations. The Data Protection Act has also provided for an online public data processing register, which makes it possible to check if an authority, company, association, professional, or self-employed worker is likely to hold information about an individual and if they have declared as much to the CNPD.
Processing of Personal Data in the Electronic Communications Sector Act (2011)
The 'Processing of Personal Data in the Electronic Communications Sector Act', which was adopted on 28 July, 2011 and which entered into force on 1 August, 2011, transposes the EU Directive on privacy and electronic communications (Directive 2009/136/EC) into Luxembourgish law and forms part of Luxembourg’s legislative 'telecom package' (cf. below). It aims at protecting the privacy of Internet users (including protection against unsolicited commercial communications or 'spam') and users of added value services, such as GPS. The National Commission for Data Protection (CNPD), which was created by the 2002 Data Protection Act, is competent for checking the legality of personal data processing.
Data Protection Act (2001)
The Data Protection Act was passed on 14 December 2001 and came fully into force in July 2003. It was introduced in order to render Maltese law compatible with the EU Data Protection Directive (95/46/EC); even though Malta was not yet an EU Member State at that time, this was a prerequisite prior to joining the EU. It outlines principles of ‘good information/data handling’ to guarantee the protection of personal information. Data Controllers, such as educational institutions, employers and banks, are obliged to inform individuals of the reasons for collecting information about them. Furthermore, individuals are to be assured that the data collected will not be used for any other reason than for the purpose it was collected and are granted rights of access to the personal information held by the data controller. The Act provides grounds for processing “personal data” but makes special provision for processing “sensitive personal data”, a sub-set of personal data, in very specific stipulated circumstances.
Regulation 2016/679/EU on the protection of natural living persons with regard to the processing of personal data and on the free movement of such data, generally known as the General Data Protection Regulation, will eventually supersede this Act. This Regulation will come into force in its entirety in all EU Member States from 25 May 2018.
Personal Data Protection Act (2000)
The EU Data Protection Directive (95/46/EC) adopted in 1995 regulates the processing of personal data within the European Union. The Dutch Personal Data Protection Act was adopted by the Dutch Parliament in July 2000 and came into force on 1 September 2001. It sets the rules for recording and using personal data, and ensured the transposition in Dutch law of the European Directive. The Act is overseen and enforced by the Data Protection Authority (DPA).
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, better known as the General Data Protection Regulation, is repealing Directive 95/46/EC. The regulation will enter into force on 25 May 2018.
Personal Data Act (2000)
The purpose of Act No. 31 of 14 April 2000 relating to the processing of personal data (Personal Data Act) is to protect natural persons from violation of their right to privacy through the processing of personal data. It ensures that personal data is processed in accordance with fundamental respect for the right to privacy, including the need to protect personal integrity and private life, and that personal data is of adequate quality. This Act transposes the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data into Norwegian law.
The regulations on the processing of personal data (Personal Data Regulations) were laid down by the Royal Decree of 15 December 2000 pursuant to Act No. 31 of 14 April 2000 on the processing of personal data (Personal Data Act), as amended on 23 December 2003.
The Act on the Protection of Personal Data was adopted on 29 August 1997 and has been amended a few times so far. This Act follows the rules established by the European Union's Directive 95/46/EC on the protection of individuals with regard to the processing of personal data. The Inspector General for the Protection of Personal Data supervises the observance of the Act. In case of breach of the provisions on personal data protection, the Inspector General, ex officio or upon a motion of a person concerned, shall order by means of an administrative decision the restoration of the proper legal state.
The Regulation focuses on how to share copies of electronic documents and forms under conditions of safety. Accordingly, it clarifies the form of official certification of receipt of electronic documents by the recipient, the ways to safely share electronic copies of documents and safety conditions for forms and templates of shared documents. It has been amended twice so far.
Law no. 41/2004, of 18 August transposes into national law Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, except for Article 13 which concerns unsolicited communications. This legislation applies to the processing of personal data within the context of publicly available electronic communications services and networks, while complementing the provisions of Law no. 67/98 of 26 October (Law on the Protection of Personal Data). Its provisions shall ensure protection of the legitimate interests of subscribers who are legal entities to the extent that such protection is consistent with their nature.
The law allows individuals to access and correct personal information held by public or private bodies. It was complemented by recent additions such as Law no. 55 (OJ. no. 244/23.03.2005), which ratifies the Additional Protocol to The Convention for the Protection of Individuals with regard to automatic processing of personal data, referring to control authorities and cross-border data flow. Furthermore, a National Supervisory Authority for Personal Data Processing was established in 2005 by Law no. 102/2005 (O.J. no. 391/09.05.2005). All of the data protection files previously kept by the Ombudsman have now been handed over to the Authority, which supervises and controls the legality of the personal data processing under Law no. 677/2001.
This Law on the processing of personal data and the protection of privacy in the electronic communications sector replaced Law no. 676 of 21 November 2001 on the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector. It closely follows Directive 2002/58/EC on personal data processing and privacy protection in the electronic communications sector.
The National Security Authority is working on drafting the Act on Cyber Security to comprehensively cover cyber and information security, introduce basic security requirements and other measures critical for coordinating the protection of information, communication and management systems. At the same time, the European NIS Directive on network and information security is being transposed into Slovak legislation.
This legislation (1 July 2013) implements the principles set in the EU's Data Protection Directive (95/46/EC). Under this Act, individuals can access and correct personal information held by public and private bodies. The Act is enforced by the Office for Personal Data Protection. This Act regulates:
- a) Protecting the rights of natural persons against wrongful interference with their private life in connection with the processing of their personal data
- b) Rights, duties and liability in connection with personal data processing
- c) Establishment of the scope of the powers and organisation of the Office for Personal Data Protection of the Slovak Republic.
The Personal Data Protection Act (Official Gazette of the Republic of Slovenia No. 94/07), currently applicable, was adopted in July 2004 and came into force on 1 January 2005. It replaced a previous version, adopted in 1999, and transposed the EU Directive 95/46/EC on data protection into Slovenian Law.
The main goal of the Act is to prevent illegal and unwarranted violations of personal privacy in the course of data-processing, and to ensure the security of personal databases and their use. Until 1 January 2006, the Inspectorate for Personal Data Protection was in charge of overseeing the application of the Act. Since then, such responsibility has been transferred to the Information Commissioner (Information Commissioner Act, adopted in December 2005). The last amendment of the Personal Data Protection Act was performed in 2013.
The Organic Law 15/1999 of 13 December 1999 on the Protection of Personal Data brought Spanish law in line with the EU Data Protection Directive 95/46/EC.
This law regulates the processing of personal data in the public and private sectors. It grants citizens the right to access and correct their personal information in the records held by public and private bodies. Personal information may only be used or disclosed to a third party with the consent of the individual, and only for the purposes for which it was collected. Additional protections are provided for sensitive data. The Law is enforced by the Spanish Data Protection Agency.
The resolution of this Instruction, dated 7 October 2016, establishes the conditions for gathering and communicating data about the status of security. This makes it possible to know the main variables regarding the security of the information from the systems included in the scope of the National Security Framework. Moreover, it will help to build a general profile of the state of cybersecurity in the public sector.
The resolution of this Instruction, dated 13 October 2016, establishes the criteria and procedure to determine compliance with the National Security Framework and determines the mechanism to obtain and publish the declaration of compliance and security credentials.
Article 17 of the new Law 39/2015 on the Common Administrative Procedure Public Administration states that each administration shall implement a single Digital Archive System for the long-term preservation of documents belonging to resolved procedures. The article also requires the application of adequate security and privacy protection measures as required by the NSS and the law on data protection.
Personal Data Act (1998)
The Personal Data Act came into force on 24 October 1998. It was adopted to bring Swedish law into compliance with the requirements of the EU Data Protection Directive 95/46/EC, which aims to prevent the violation of personal integrity in the processing of personal data. The Act lists certain fundamental requirements concerning the processing of personal data. These demands include, inter alia, that personal data may only be processed for specific, explicitly stated and justified purposes and if the person registered gives his/her consent. Exemptions to this rule include the exercise of official powers, or the fulfilment of a legal obligation by the controller of personal data. In many areas of the administration there are special registry laws to supplement or replace the provisions in the Personal Data Act.
The Act, approved on 19 June 1992 and entered into force on 1 July 1993, aims to protect the privacy and the fundamental rights of persons when their data is processed. It applies to the processing of data pertaining to natural persons and legal entities by federal bodies and private persons.
For the first time in Switzerland, the public and private sectors are subject to the same rules. In the public sector, the Act only covers the activities of authorities at federal level. However, the majority of Swiss cantons have introduced similar legislation to govern public sector data collection and processing in their respective localities. The Swiss law was granted adequacy approval by the EU in 2000.
The Federal Council’s update of the Ordinance on Data Protection entered into force on 1 November 2016. The ordinance envisages that certain procedures and products used for processing personal data can be better certified and thereby data protection can be improved.
This Ordinance regulates the technical, organisational and procedural requirements concerning the evidential value and control of data and information (electronic data) produced electronically or in a comparable manner in accordance with Articles 122–124 of the VAT Ordinance (VATO) of 27 November 2009.
Turkish Constitution (1982)
Section 5 of the 1982 Turkish Constitution is entitled 'Privacy and Protection of Private Life'. Article 20 of the Turkish Constitution addresses the issue of 'Privacy of the Individual’s Life', and states: "Everyone has the right to demand respect for their private and family life. Privacy of individual and family life cannot be violated. Unless there exists a decision duly passed by a judge in cases explicitly defined by law…neither the person nor the private papers, nor belongings of an individual shall be searched nor shall they be seized". With the 2010 amendment of the Constitution, citizens are granted the right to request the protection of their personal data. They have the right to be informed about their own personal data, to access these data, to request that they be corrected or deleted, and to learn whether they have been used for the purposes for which they were obtained in the first place. Thus individual data can be processed only as foreseen by the law or with the consent of the person, as mentioned in Article 22.
After the 2010 amendment of the Constitution, citizens are granted the right to request protection of their personal data. Hereinafter, individual data can be processed only in the circumstances envisaged in the law or with the express consent of the person. According to the regulation, relevant procedures and principles will be codified by law, namely the ‘Law on Protection of Personal Data’, which was published in the Official Gazette on 7 April 2016 numbered 29677.
This law regulates the conditions for the processing and transfer of personal data, rights and obligations, and the obligations of the data supervisor or the related person regarding data security towards the institution and the board for the protection of personal data.
The By-Law, which was adopted on 5 November 2008, identifies the obligations of operators with respect to ensuring security of electronic communications networks. It covers the principles and basis of measures to be taken in order to eliminate the risks stemming from threats and vulnerabilities with the aim of ensuring physical data, hardware-software and personnel security. It explicitly states that personal information processing and protection of privacy are not under its scope.
The By-Law on the Personal Information Processing and Privacy in the Telecommunications Sector was adopted on 6 February 2004 to define the procedures and principles related to guaranteeing personal information processing and protection of privacy in the telecommunications sector.
Turkey became party to the Council of Europe Convention on Cybercrime (CETS No. 185), adopted in order to ensure international cooperation in combating cybercrime efficiently. Subsequent to making legislation for the protection of personal data, approval studies of Conventions No. 108 and 181, which aim at the protection of individuals with regard to the automatic processing of these data, will be launched.
Digital Economy Act (2010)
The Act concerns the online infringement of copyright. It creates a system which aims to increase the ease of tracking down and suing persistent infringers, and after a minimum of one year permit the introduction of 'technical measures' to reduce the quality of, or potentially terminate those infringers' Internet connections. It furthermore creates a new ex-judicial process to handle appeals.
Data Protection Act (1998)
The Data Protection Act 1998 received Royal Assent in July 1998 and came into force on 1 March 2000, giving effect to the EU Data Protection Directive (95/46/EC). It lays down rules for the way organisations have to treat personal data and information that apply to paper-based and electronic records. These rules are mandatory for all organisations that hold or process personal data, in the public as well as the private and voluntary sectors. The Act contains eight data protection principles, which state that all data has to be: processed fairly and lawfully; obtained and used only for specified and lawful purposes; adequate, relevant and not excessive; accurate, and where necessary, kept up to date; kept for no longer than necessary; processed in accordance with an individual's rights; kept secure; and transferred only to countries that offer adequate protection.