With the increase in data circulation speed and the abuse of data dominance, Personal Data owners have the constitutional right to request the protection of their Personal Data, to be informed about the Personal Data processed about them, to access, rectify or request deletion of this data, and to learn whether the Personal Data is protected and used for its processing purposes, as part of their protected fundamental rights and freedoms.
KVKK Liability Consultancy
After Law No. 6698 on the Protection of Personal Data entered into force on April 7, 2016, the secondary legislation was published in the Official Gazette and entered into force within a short time.
The Personal Data Protection Law brings very important changes for companies. Evaluated together with similar international standards and laws, the KVKK aims to prevent problems such as the unlimited and random collection of personal data, unauthorized disclosures, and the violation of personal rights through uncontrolled disclosures or abuse. The framework principles and articles of the law determine the rules that companies must comply with, and violation of these rules may lead to criminal and legal sanctions.
Within the scope of the Personal Data Protection Law, we provide support with our expert team on legal, administrative and technical measures in various fields.
What is Personal Data?
Personal Data is grouped as Personal Data and Sensitive Personal Data (Sensitive Data).
Personal Data: All kinds of information relating to an identified or identifiable natural person, such as name, surname, date of birth, place of birth, telephone number, e-mail address, license plate, social security number and passport number.
Special Categories of Personal Data (Sensitive Data): Data on a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, clothing, association, foundation or union membership, health, sexual life, criminal convictions and security measures, as well as biometric data, are special categories of personal data.
Who Does KVKK Protect?
The provisions of the Law on the Protection of Personal Data apply to natural persons whose personal data are processed, and to natural and legal persons who process this data fully or partially by automatic means, or by non-automatic means provided that the processing is part of a data recording system.
What are the Conditions Regarding the Processing of Personal Data?
“KVKK”, the abbreviation of the phrase “Personal Data Protection Law”, is also the name of an institution that started its activities in order to operate and monitor the processes of that law. After the active implementation of “KVKK”, serious steps were taken and compliance was kept under strict control.
The first draft of the Law on the Protection of Personal Data was published in the Official Gazette on April 7, 2016 after a long wait and entered into force as of this date. Since this date, serious steps have been taken, especially for the protection of the fundamental rights and freedoms of individuals. From the processing of data to the privacy of private life, many transactions are secured.
Conditions for Processing Personal Data: Personal data cannot be processed without the explicit consent of the person concerned. However, if at least one of the following conditions is met, personal data may be processed without seeking the explicit consent of the data subject:
- Processing is explicitly stipulated by law.
- Processing is compulsory to protect the life or bodily integrity of the person concerned or of someone else, where the person is unable to express consent due to actual impossibility or where their consent is not legally valid.
- It is necessary to process the personal data of the parties to a contract, provided that the processing is directly related to the establishment or performance of that contract.
- Processing is mandatory for the data controller to fulfill its legal obligation.
- The data has been made public by the person concerned.
- Data processing is compulsory for the establishment, exercise or protection of a right.
- It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
Conditions for the Processing of Special Categories of Personal Data: Data on a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other belief, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric data, are special categories of personal data. These data cannot be processed without taking the adequate measures determined by the Personal Data Protection Board and without the explicit consent of the person.
What are the Rights of the Related Person within the Scope of KVKK?
The person concerned has the right:
- To learn whether his or her personal data has been processed,
- To request information if it has been processed,
- To learn the purpose of processing,
- To know the third parties to whom personal data is transferred within the country and abroad,
- To request the correction of personal data that has been processed incompletely or incorrectly,
- To request the deletion or destruction of the data,
- To request that the third parties to whom the personal data has been transferred be notified of the transactions made on the personal data,
- To object to the emergence of a result against the person through analysis of the processed data,
- To claim compensation for damage in case of damage due to the unlawful processing of the personal data.
What are the Obligations of the Data Controller under KVKK?
The natural or legal persons responsible for the data of the data subject and the persons who process these data with the decisions of the Data Controller have obligations within the scope of KVKK. In the Law, Data Controller is defined as “the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system”.
The most basic obligation of the data controller is the obligation to inform. Under this disclosure obligation, the data controller has to provide certain information to the person concerned when personal data is acquired. This information is:
- Identity of the data controller and its representative, if any,
- The purpose for which personal data will be processed,
- To whom personal data can be transferred and for what purpose,
- Method and legal reason for collecting personal data,
- The other rights listed in Article 11.
The person concerned should be aware of every situation where his data is processed and should be informed about it.
Liability Regarding Data Security
According to the KVK Law, the data controller is responsible for the following items regarding data security:
- To prevent the unlawful processing of personal data,
- To prevent unlawful access to personal data,
- To ensure the protection of personal data.
In order to fulfill these obligations, the data controller is required to take all kinds of measures and carry out audits regarding the operation of the law. If personal data is processed by another person on behalf of the data controller, both persons are responsible for security. Neither the data controller nor the data processor may share or use the data other than for processing purposes after the task has ended. If the data has been obtained by third parties, this should be reported to the relevant persons as soon as possible.
Registration Obligation in the Data Controllers Registry
Data controllers must register with the Data Controllers Registry (VERBIS) so that information on data controllers is shared with the public and the right to the protection of personal data can be exercised more effectively. In this system, information about data processing activities is kept as a record. The application for registration with VERBIS includes the following information:
- Identity and address information of the data controller,
- The purpose for which personal data will be processed,
- Explanations about the data subject group and the data categories of these persons,
- Recipients or groups of recipients to whom personal data can be transferred,
- Personal data intended to be transferred to foreign countries,
- Measures taken for personal data security,
- Maximum time required for the purpose for which personal data is processed.
Obligation of Responding to Applications Made by Relevant Persons
Data controllers are obliged to finalize the requests sent to them by the relevant persons regarding the implementation of the law within thirty days at the latest. The data controller must notify the relevant person of the positive or negative response to this request. If the person concerned receives a refusal, he can file a complaint with the Board within thirty days from the date he learned the answer. This process is usually free, but a fee may be charged when necessary.
Obligation to Fulfill Board Decisions
If the Board determines the existence of a violation, as a result of the examination carried out upon a complaint or upon becoming aware of an alleged violation, it decides that the violation of the law will be corrected by the data controller and notifies the relevant parties of the decision. The data controller is obliged to fulfill this decision without delay and within thirty days at the latest from the date of notification.
KVKK Compliance Process
Within the scope of the Law on Protection of Personal Data No. 6698, we provide support with our expert team on legal, administrative and technical measures in various fields.
Kocaeli Erdin Law Office carries out compliance projects in order to ensure full and complete compliance with the Law for its clients within the framework of the personal data protection legislation, especially the “Personal Data Protection Law” No. 6698, and we provide services to ensure that the personal data processing processes are carried out in accordance with the law.
Personal Data Inventory: The personal data processing inventory is the record that shows what kind of personal data the data controller processes, for what purposes, for what period of time, in which ways, and with which persons, if any, it is shared.
Registration with VERBIS: After data processing processes have been examined and personal data inventories drawn up, the obligation to register with the Data Controllers Registry (VERBIS) is fulfilled.
Clarification Text: A Clarification Text is prepared and published by companies that hold personal data and/or are required to keep it, in order to inform the persons concerned about which data is kept, for what purpose and in what way, who is responsible for the data, and how long it is kept.
Data Processing Policies: Personal Data Storage and Disposal Policy and other implementation guidelines should be prepared for data controllers who need to register with the Data Protection Registry.
Explicit Consent: In accordance with the legislation, personal data can only be processed with the explicit consent of the data owner, in accordance with the law, for a specific purpose and period, and only after clarification has been provided.
Administrative and Technical Measures: It is the responsibility of the data controller to take all kinds of administrative and technical measures in order to process the data in accordance with the law, to store it in safe environments and to prevent unlawful access.