Protection Of Personal Data

The Law no 6698 on Protection of Personal Data (KVK) which came into force on 07.04.2016 stipulates significant imprisonment and fines for those companies that fail to comply with the procedures and principles. The penalty of failure to comply with the law regarding the recording, processing, transferring and disposing of data is 1 to 6 year imprisonment and the failure to comply with the liabilities stipulated by this law is 5.000 to 1.000.000 TL fine. Companies must as soon as possible complete all their relevant activities to ensure compliance with this law.

The Law no 6698 on Protection of Personal Data which was adopted on 24.03.2016 and published in the Official Journal on 07.04.2016 under number 29677 aims to protect fundamental rights and freedoms of individuals including confidentiality of private life in the processing of personal data and establishes the procedures and principles to be respected as well as the liabilities of the parties that process such personal data. The Law covers the processing of personal data of natural persons, and contains the provisions for natural persons and legal entities that process such data (whether automatic or not) as a part of a recording system. 

What does personal data mean according to the law?

Personal data is all types of information that belongs to an identified or identifiable natural person. For instance; first name, last name, Turkish ID Number, place of birth, date of birth, address, telephone number, e-mail address, IP number, resume etc. Also the data about race, ethnicity, political opinion, philosophical belief, religion, sect or other believes, clothes, membership to associations, foundations or unions, health, sexual life, conviction of people as well as data about security measures and biometrical and genetical data is described as special personal data

Such data is collected and processed in hospitals, hotels, travels, during enrollments for schools, filling in discount card form in stores or making an application for a new job. Companies process personal data of many parties including their clients, employees and business partners. The law describes all operations such as collection, recording, storage, change, use and transfer of all personal data as processing of such personal data.

In order to fulfill the duties granted by this law, the Personal Data Protection Authority, which was administrative and financial autonomy and which has legal public entity, was founded.

What kinds of provisions are there in the law regarding personal data processes?

We can categorize the provisions in the law regarding personal data under three processes:                                                       

a) Processing of Personal Data: When companies collect personal data, they must explain to the relevant individuals, the purpose of processing such data, to whom and for what purpose such data may be disclosed, method and legal reason for data collection and the rights of such individuals as granted by the law, and must seek for their explicit consent. According to law, it is possible to process personal data without seeking for explicit consent, to the extent clearly prescribed by laws, for the purpose of protecting life and body, disclosure of the data by the holder of such data, etc.

b) Transferring of Personal Data: The explicit consent of the relevant individual must be obtained. For transferring data abroad, many factors such as availability of sufficient protection, international conventions,  country reciprocity etc. must be taken into consideration.

c) Deleting of Personal Data: Such data must be deleted, destroyed or rendered anonymous after processing such personal data, after the 

disappearance of the reason for processing or upon request of the concerned individual.

How will the companies manage these processes?

Companies must designate a natural person or legal entity that is responsible for establishing the reasons and methods of processing personal data and founding and managing a data recording system and must register this person in Data Responsible Persons Registry to be maintained by the Personal Data Protection Law. They must comply with the ‘Liabilities to Provide Information’ as stipulated in the law. They must take all technical and administrative measures required to achieve security level for the purpose of preventing illegal processing and access of personal data and ensuring storage of such data and must conduct or have conducted all necessary inspections. Also, the law includes provisions regarding the applications and complaints for personal data.

What is the punishment of failure to comply with the law?

Illegal recording, disclosure, transfer, distribution or seizure of personal data or failure to destroy such data upon expiry of the period or failure to destroy it although it is mandatory to destroy is subject to imprisonment in the range of 1 to 6 years according to the relevant articles of the Turkish Penal Law.

The crimes that might be committed in relation with the failure to provide information to the relevant parties or failure to ensure data security as well 

as reviews regarding complaints and objections are subject to 5.000 to 1.000.000 TL fine.

How do we help companies as Güreli?

We provide companies with consulting and audit services through our specialized team in terms of protection of personal data. We have three separate working scopes:

·         We can personally establish the Personal Data Protection Management System together with the Company.

·         We can provide consulting services and support the Company in the establishment of the Personal Data Protection Management System.

·         We make audits, assess the conformity of the established Personal Data Protection Management System and prepare a report about deficiencies.

What is Güreli method in terms of compliance with the Personal Data Protection Law?

Due Diligence Analysis

·         Personal data inventory

·         Personal data-related processes

·         Organizational structure

·         Contract inventory

Alignment of Processes

·         Classification of personal data

·         Alignment of data processing steps

·         Alignment of data transfer processes

·         Alignment of data disposal processes

·         Updating contracts

·         Creating/alignment of applications, complaints and objection processes

Data security

·         Logical security

·         Physical security

·         Risk management

·         Change management

Organizational Compliance

  • Selection of contact person
  • Registration to the Registry of Data Controllers (VERBİS)
  • Creation of relevant job descriptions
  • Creation of Personal Data Management process
  • Training of the Personal Data Protection compliance team and contact person
  • Alignment of internal control and audit processes
  • Training throughout the company and ensuring corporate awareness