June

Germany's Conference of Independent Federal and State Data Protection Authorities have released a pair of documents to help companies comply with Article 30 of the EU General Data Protection Regulation "Records of processing activities"

The two "Model Processing Records" are designed to help both controllers and processors in their data processing procedures to ensure compliance with Article 30 of the GDPR.  The DSK also published "Guidelines for Article 30 Processing Records," a resource containing information on what German DPAs expect when the GDPR goes into effect, covering topics such as language, cross-references to other internal documents, and a recommendation to keep a list of internal policy documents.

Recent technologies can be helpful in detecting or preventing the loss of company property, improving the productivity of employees and protecting the personal data for which the data controller is responsible, but with it also comes a significant privacy and data protection risk.  Companies should consider conducting an assessment concerning the balance between the legitimate interest of the employer to protect its business and the privacy of the employees.  

Article 88 of the General Data Protection Regulation (GDPR) provides that European Union (EU) member states may provide for more specific rules to ensure protection. Employers must inform employees on the existence of any monitoring systems and, where online tools are used to process personal data, should consider enabling employees to designate certain private spaces to which he or she may not gain access under any circumstances.

Naz Degirmenci (Associate Attorney) and Zeynep Ünlü (Senior Managing Counsel) at BTS & Partners, discuss how Turkey's supplementary regulation to the Data Protection Law specifies the types of information that must be included by a data subject.  They also discuss the content to be provided by a data controller when responding to a subject access request (SAR), and the time limit for the data controller to respond to an SAR. In addition, they note how the Regulation provides that SARs be submitted in Turkish, and how fees can be charged.

Degirmenci and Ünlü recommend that organizations appoint a contact person regarding data protection issues that internal governance procedures be prepared with regard to the handling of SARs as well as retention policies.