The informative document, published by the Personal Data Protection Authority (“Authority”), addresses common mistakes frequently made in complaints and notifications submitted to the Personal Data Protection Board (“Board”) in accordance with the Personal Data Protection Law numbered 6698 (“DP Law”) and the Communiqué on the Principles and Procedures for the Application to the Data Controller (“Communiqué”). The purpose is to share these mistakes with the public and to inform data subjects so they can correctly submit their complaints and notifications to the Board.

The main issues highlighted in the document are:

  • Failure to Exhaust the Application Route to the Data Controller: Complaints to the Board must first be directed to the data controller; otherwise, complaints are rejected for not meeting procedural requirements.
  • Lack of Stamp on Power of Attorney: Applications made through an attorney without a stamp or with an unstamped power of attorney are not accepted.
  • Incomplete or Untimely Submission of Power of Attorney Copies: The power of attorney must be complete, legible, and current at the time of the complaint to the Board.
  • Lack of Information and Documents Related to the Application Method: Applications to the data controller must be made using methods specified in the Communiqué, with necessary information and documents proving the correct method used.
  • Use of Non-Registered Email Addresses for Applications: When applying to the data controller via an email address other than a KEP address, the email address used must have been previously notified to the data controller and must be definitively registered in the data controller’s system.
  • Exceeding Legal Time Limits: Complaints must be made within the timeframes specified in DP Law articles 13 and 14; otherwise, they are rejected for procedural non-compliance.
  • Lack of Proof of Submission: To verify that the application has been delivered to the data controller and to assess whether the complaint has been made in accordance with the timeframes specified in KVKK, it is necessary to provide documents proving that the application has been notified. Additionally, the data controller must indicate the date on which the application was received.
  • Omission of Data Controller’s Response in the Petition: If the data controller has responded, the response must be included with the petition.
  • Unclear Dates on Petitions and Documents: Dates on documents must be clear and understandable.
  • Lack of Supporting Information and Documents: The petition must include information and documents that substantiate and verify the claims made in the complaint or notification.
  • Failure to Specify the Subject of the Complaint in the Petition: The subject and request of the complaint or notification must be clearly and legibly stated.
  • Missing Name, Surname, Signature, and Address in the Petition: Written applications to the Board must include the complainant’s name, surname, signature, and residential or workplace address.
  • Complaints Made by Unauthorized Persons: Complaints must be made by the data subject or their authorized representative.
  • Incomplete Information and Documents in Applications to the Data Controller: When submitting a written application to the data controller, it must include a signature. If the application is made through a power of attorney, a copy of the power of attorney must be included. The signature must not be missing in written applications.
  • Missing Mandatory Information in Applications: Applications must include name, surname, national ID number, nationality, passport number or identity number for foreigners, residential or workplace address, email address, phone and fax numbers, and the subject of the request.
  • Applications to KEP Address Using Standard Email: Applications to the KEP address must be made using a KEP address.
  • Failure to Check the Data Controller’s Website: On the data controller’s website, the data controller may specify the methods to be followed for applications, either in the privacy notice or in another section related to personal data. Following these specified methods ensures that the application is properly submitted to the data controller. Additionally, applications made using the general “contact form” on the data controller’s website are not considered valid applications in accordance with DP Law and the Communiqué.
  • Requests Concerning Data Protection for Legal Entities: Requests concerning data protection for legal entities are not covered by DP Law.
  • Requests Concerning Data Protection for Deceased Persons: Requests concerning data protection for deceased persons are not covered by DP Law.

You can access the document “Common Mistakes in Complaints and Notifications Submitted to the Board” via this link. (Only available in Turkish)