
Personal Data Protection Service
PROTECTION OF PERSONAL DATA
Companies that do not comply with the procedures and principles of the Law on the Protection of Personal Data (KVK Law) No. 6698, which entered into force on 07.04.2016, face serious prison sentences and fines. Unlawful recording, processing, transfer or destruction of data can be punished with prison sentences of between 1 and 6 years, and failure to fulfill the obligations set forth in the law with fines of between 5,000 and 1,000,000 TL. Companies are therefore required to complete their compliance work as soon as possible.
The Law on the Protection of Personal Data No. 6698, adopted on 24.03.2016 and published in Official Gazette No. 29677 on 07.04.2016, aims to protect the fundamental rights and freedoms of individuals, in particular the privacy of private life, in the processing of personal data, and to that end regulates the obligations of the parties that process personal data and the procedures and principles they must follow. The law covers the processing of personal data belonging to natural persons, and applies to natural and legal persons who process such data either by automatic means or, by non-automatic means, as part of a data recording system.
What is personal data according to the law?
Personal data is any information relating to an identified or identifiable natural person: for example, name, surname, TR ID number, place of birth, date of birth, address, telephone number, e-mail address, IP address, CV, and so on. In addition, data relating to a person's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, attire and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, are defined as special categories of personal data.
Such data is collected and processed when you stay in a hospital or hotel, travel, enroll in a school, fill out a discount-card form in a store or apply for a new job. Companies process the personal data of many parties, from customers to employees and from dealers to business partners. The law governs the collection, recording, storage, modification, use, transfer and similar handling of all personal data, and defines every such operation as the processing of personal data.
To carry out the duties assigned by this law, the Personal Data Protection Authority has been established as a public legal entity with administrative and financial autonomy.
What kind of regulations exist in the law regarding personal data processes?
We can group the regulations of the law on personal data under three processes:
- Processing Personal Data: When collecting personal data, companies must inform the data subjects of the purpose for which the data will be processed, to whom and for what purpose it may be transferred, the method and legal basis of collection, and the rights the law grants them, and must obtain their explicit consent. The law also allows personal data to be processed without explicit consent in certain cases, for example where processing is expressly provided for by law, where it is necessary to protect the life or bodily integrity of a person, or where the data has been made public by the data subject.
- Transfer of Personal Data: The explicit consent of the data subject must be obtained before personal data is transferred. For transfers abroad, further conditions must be taken into account, such as whether the destination country provides adequate protection, applicable international conventions and reciprocity between countries.
- Deletion of Personal Data: Once processed, personal data must be deleted, destroyed or anonymized when the reasons for processing it cease to exist or when the data subject requests it.
How will companies manage these processes?
Companies, as the "Data Controller" that determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system, must register in VERBIS (the Data Controllers' Registry) kept by the Personal Data Protection Board. They must also comply with the Obligation to Inform (aydınlatma yükümlülüğü) set out in the Law. To prevent unlawful processing of and access to personal data and to ensure its preservation, they are obliged to take all necessary technical and administrative measures to provide an appropriate level of security, and to carry out or commission the necessary audits. The law also defines procedures for applications and complaints concerning personal data.
What is the penalty for not obeying the law?
Unlawfully recording, transferring, disseminating or obtaining personal data, or failing to destroy it after the statutory period has expired or when it should otherwise be destroyed, is punished with prison sentences of between 1 and 6 years under the relevant articles of the Turkish Penal Code.
Administrative fines of between 5,000 and 1,000,000 TL may be imposed for breaches of the obligations to inform data subjects and to ensure data security, and for non-compliance in the investigation of complaints and objections.
How does Güreli help companies?
With our expert team, we provide consultancy and audit services to companies on the protection of personal data. We offer three different scopes of work:
- We can establish the KVK Management System together with the company.
- We provide consultancy and support the company while establishing the KVK Management System.
- We conduct audits, evaluate the maturity of the established KVK Management System, and report the deficiencies.
What is the Güreli method in KVK Law compliance studies?
- Analysis of the current situation
  - Personal data inventory
  - Processes related to personal data
  - Organizational structure
  - Contract inventory
- Alignment of processes
  - Classification of personal data
  - Alignment of data processing processes
  - Alignment of data transfer processes
  - Alignment of data destruction processes
  - Updating contracts
  - Establishment/adaptation of application, complaint and objection processes
- Data security
  - Logical security
  - Physical security
  - Risk management
  - Change management
- Organizational alignment
  - Selecting the contact person
  - Registration in the Data Controllers' Registry (VERBIS)
  - Creation of the relevant job descriptions
  - Creating the Personal Data Management process
  - Training of the KVK compliance team and contact person
  - Harmonization of internal control and audit processes
  - Ensuring corporate awareness and training throughout the company