What is the Turkish Law on the Protection of Personal Data (KVKK)?
New technological developments have led to significant changes in our lives. These changes are especially visible in the rules and laws on privacy and security, which are among the basic human rights. Today, both public institutions and private sector organizations can access a wide range of information belonging to thousands of people in the course of their work. As a result of the rapid development of information technologies, the information they obtain can be easily processed and transmitted.
This inevitable transformation brought the Turkish Law on the Protection of Personal Data into our lives to meet the privacy and security requirements placed on institutions.
Before the entry into force of the KVKK, the rules for the protection of personal data in Turkey were set out in the Turkish Penal Code, the Constitution, and other relevant legislation. The Law on Personal Data Protection (PDP), which entered into force on April 7, 2016, is the first law that specifically regulates the protection of personal data in Turkey and determines the legal obligations that institutions and persons processing personal data must comply with.
Data security and protection are regulated by a single provision in the Constitution of the Republic of Turkey and various provisions of the Turkish Penal Code.
What data are protected within the scope of KVKK?
Personal data is defined as any kind of information relating to an identified or identifiable natural person. Turkey’s data protection legislation also recognizes special categories of personal data: race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, and membership of associations, foundations or trade unions. Health data, information about sexual life, previous criminal convictions and security measures, as well as biometric and genetic data, are likewise protected under the KVKK as special categories.
Who does KVKK apply to?
KVKK applies to all data controllers and data processors who process the data collected in Turkey. This includes organizations based in Turkey, as well as foreign individuals or legal entities that process the personal information of Turkish data owners.
The main difference between the KVKK and the GDPR (the General Data Protection Regulation in European Union law) is that, under the KVKK, data controllers are required to register with VERBIS, the Data Controllers’ Registry Information System of the KVKK. Registration with VERBIS is mandatory for all data controllers before they start processing the data of people residing in Turkey. After registering with VERBIS, data controllers record the data processing activities they carry out.
To register with VERBIS and start processing personal data, organizations must first appoint a representative of the data controller, who must be a Turkish Legal Entity or a Turkish Natural Person. During registration, they are also expected to submit a Data Processing Inventory that identifies the categories of data owners, the types of data they process, their purpose, legal basis, and the technical and administrative measures an organization takes to comply.
Failure to register with VERBIS may result in administrative fines or restriction of the controller’s data processing activities.
If the destination country has a level of data protection that the KVKK considers adequate, or undertakes in writing to provide an adequate level of protection in a manner that the data controllers have previously approved, the international transfer of personal data is allowed with the explicit consent of the data subject.
Although these provisions are similar to those of the GDPR, the KVKK also allows the Personal Data Protection Agency to prohibit the transfer of data across borders, even if the explicit consent of the data subject has been obtained, taking into account the interests of Turkey or the protection of the data.
Data controllers are obliged to notify the KVKK, using the Data Breach Notification Form provided by the KVKK, within 72 hours after learning of a data breach. The reasons for any delay must be submitted together with the form. Affected data subjects must also be notified of the breach, but no specific time frame has been set for this.
Under the same decision, the KVKK also stipulated that data controllers must prepare a Data Breach Response Plan that identifies a contact person to be reached in the event of a data breach. This person serves as the primary point of contact and is responsible for assessing the consequences of any breach that may occur.
Data controllers who do not comply with the requirements of the KVKK face administrative fines of up to about 1.5 million TL, depending on the severity of the violation. The penalty amounts are increased every year according to the revaluation rate published in the Official Gazette under the Tax Procedure Code Communiqués.