Compliance Process On Turkish Personal Data Protection Law

What Should Companies Do in the Compliance Process for the Personal Data Protection Law?

What is the Purpose of Turkish Personal Data Protection Law?


The Personal Data Protection Law (Law No. 6698) was adopted to protect the fundamental rights and freedoms of individuals, in particular the privacy of private life, in the processing of personal data, and to regulate the obligations, procedures and principles that natural and legal persons who process personal data must comply with.


What data is covered by the Turkish Personal Data Protection Law?


The provisions of Law No. 6698 on the Protection of Personal Data apply to natural persons whose personal data are processed, and to natural or legal persons who process such data wholly or partly by automated means, or by non-automated means provided that the data form part of a data recording system.


This includes companies that record and process the name, surname, mobile phone number, e-mail address, TR ID number, address, photograph, photocopy of identity documents and similar information of customers, dealers and employees.


Data relating to a person’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, membership of associations, foundations or trade unions, health, sexual life, criminal convictions and security measures, as well as biometric and genetic data, are special categories of personal data (Article 6) and, as a rule, may not be processed without the explicit consent of the data subject.


Which companies are covered by the Turkish Data Protection Law?

Hotels, shopping malls and shopping centres, residential site management companies, companies running customer loyalty card schemes, factories, cleaning and security staffing companies, sales and marketing companies, agencies, private schools and universities, hospitals and medical centres, e-commerce companies, banks, payment and electronic money institutions, cargo companies, and subscription-based services such as electricity, water, natural gas, telephone, internet and satellite television providers all store, use and process personal data. These companies are required to bring their systems into line with the legislation.


Which departments of the companies are concerned with Turkish Data Protection Law?


The provisions of the Turkish Data Protection Law concern not only the Board of Directors, the General Manager and the Assistant General Managers, but also the managers and staff of the Sales and Marketing, Risk, Internal Audit, Quality and Compliance Departments, whose job descriptions are closely tied to the obligations under the Law.

When Did The Personal Data Protection Act And Regulations Come Into Force?

NO | REGULATION | OFFICIAL GAZETTE (DATE – NO.) | EFFECTIVE DATE
1 | Law No. 6698, Turkish Data Protection Law (Articles 1, 2, 3, 4, 5, 6, 7, 10, 12 and 19) | 07.04.2016 – 29677 | 07.04.2016
2 | Law No. 6698, Turkish Data Protection Law (Articles 8, 9, 11, 13, 14, 15, 16, 17 and 18) | 07.04.2016 – 29677 | 07.10.2016
3 | Regulation on the Deletion, Destruction or Anonymisation of Personal Data | 28.10.2017 – 30224 | 01.01.2018
4 | Regulation on the Registry of Data Controllers | 30.12.2017 – 30286 | 01.01.2018

What Are The Administrative Penalties For Those Who Fail To Fulfill Their Obligations Under Turkish Data Protection Law?

NO | ACTION | LEGAL BASIS | PENALTY
1 | Failure to fulfil the obligation to inform | KVKK Article 18/1-a | 5,000 TL – 100,000 TL
2 | Failure to fulfil the obligations regarding data security | KVKK Article 18/1-b | 15,000 TL – 1,000,000 TL
3 | Failure to comply with decisions of the Board | KVKK Article 18/1-c | 25,000 TL – 1,000,000 TL
4 | Failure to fulfil the obligation to register with and notify the Data Controllers Registry | KVKK Article 18/1-ç | 20,000 TL – 1,000,000 TL

The amounts above are those set in the Law in 2016; administrative fines are revalued every year, so the figures the Board actually applies are higher.

What Penalties Under the Turkish Penal Code Apply to Those Who Do Not Fulfil Their Obligations Under the Personal Data Protection Law?

For offences concerning personal data, Article 17 of the Law refers to Articles 135 to 140 of the Turkish Penal Code No. 5237 dated 26.09.2004. Those who, contrary to Article 7 of the Law, do not delete, destroy or anonymise personal data are punished under Article 138 of the Turkish Penal Code.

NO | ACTION | ARTICLE | PENALTY
1 | Unlawfully recording personal data | Article 135/1 | One to three years’ imprisonment
2 | Unlawfully recording personal data on a person’s political, philosophical or religious views, racial origin, moral tendencies, sexual life, health or union membership | Article 135/2 | One to three years’ imprisonment, increased by half
3 | Unlawfully giving, disseminating or obtaining personal data (including unlawful transfer) | Article 136 | Two to four years’ imprisonment
4 | Committing the above offences as a public officer abusing the powers of the office, or by exploiting the advantages of a profession or trade | Article 137 | The above penalties are increased by half
5 | Failing to destroy data one is obliged to destroy within the system, although the statutory period has elapsed | Article 138/1 | One to two years’ imprisonment
6 | Where the data concerned must be eliminated or destroyed under the Code of Criminal Procedure | Article 138/2 | The penalty is doubled

What Are the Obligations of the Data Controller?

Article 12 of Law No. 6698 provides:

(1) The data controller shall take all necessary technical and organisational measures to provide an appropriate level of security in order to

  a) prevent unlawful processing of personal data,
  b) prevent unlawful access to personal data,
  c) safeguard personal data.

(2) Where personal data are processed on behalf of the data controller by another natural or legal person, the data controller is jointly liable with that person for taking the measures set out in the first paragraph.

(3) The data controller is obliged to carry out, or have carried out, the necessary audits within its own institution or organisation to ensure that the provisions of this Law are implemented.

(4) The data controller and the persons who process data shall not disclose or misuse, contrary to this Law, the personal data they have learned. This obligation continues after they leave office.

(5) Where processed personal data are obtained by others through unlawful means, the data controller shall notify the data subject and the Board as soon as possible. The Board may, if necessary, announce the situation on its website or by any other means it deems appropriate.

In practice, the Board’s decision No. 2019/10 requires the Board to be notified within 72 hours of the data controller learning of the breach, so the incident-response process should be able to meet that deadline.


Compliance Process on Turkish Personal Data Protection Law for Companies

(Technical and Organizational Measures)


To minimise the risk of administrative penalties by taking the necessary administrative and technical measures, a company must first determine its requirements under Law No. 6698 on the Protection of Personal Data and the related legislation, and then initiate the compliance process.


Administrative measures should be carried out with the company’s legal advisers and lawyers, and technical measures in coordination with the IT department managers. Training and awareness activities should be conducted with the Human Resources (HR), Public Relations, Sales and Marketing, Risk, Internal Audit, Quality and Compliance Departments, according to the company’s structure and business model.

Although the Law does not require appointing a dedicated data protection officer (DPO), it is not realistic for the General Manager or Chairman, as the company’s highest-level representative, to run the compliance work personally. It is therefore useful to designate a staff member specifically for this role.


During the compliance process, this person works in coordination with the company’s units and with the compliance consultant team, and helps carry out the work within the company in accordance with the Turkish Data Protection Law and the GDPR.


At the end of the compliance process, it is beneficial to monitor and audit the company’s data protection system against the standards ISO 27001 (Information Security Management Systems), ISO 31000 (Risk Management – Principles and Guidelines) and BS 10012 (Personal Information Management System).

Technical Measures

  1. Authorisation matrix
  2. Authorisation control and access logs
  3. User account management
  4. Network security
  5. Application security
  6. Encryption
  7. Penetration testing
  8. Intrusion detection and prevention systems
  9. Logging
  10. Data masking
  11. Data loss prevention (DLP) software
  12. Backup
  13. Firewalls
  14. Up-to-date anti-virus systems
  15. Deletion, destruction and anonymisation
  16. Key management
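Two of the measures above, data masking (item 10) and deletion/destruction/anonymisation (item 15), are easy to name and easy to get wrong in practice, for example by masking an 11-digit order number while leaving a real TR ID number in a support log. The following Python script is an added example, not code from the original page or from the KVKK guidance; the log lines, field names, the key constant and the ID value 10000000146 (a checksum-valid test value, not a real person’s number) are all constructed for illustration. It validates TR ID checksums before masking so that non-ID numbers are left intact, and shows keyed pseudonymisation alongside masking, with the caveat that a keyed pseudonym is not anonymisation in the sense of Article 7 because the key holder can re-identify it.

```python
"""Masking and keyed pseudonymization of personal data in log lines.

Added example for the "Data masking" and "Deletion, destruction and
anonymisation" measures; not code from the original page or from the KVKK
guidance. Field names, the log lines and the key are constructed.
"""
import hashlib
import hmac
import re

# Constructed placeholder. In production the key comes from a KMS/HSM
# (the "Key management" measure) and is never stored next to the logs.
PSEUDONYM_KEY = b"constructed-demo-key-use-a-kms-in-production"

# One pass, one pattern: alternatives are tried in order at each position, so
# a phone number (0 + 10 digits) is classified as a phone before the generic
# 11-digit alternative can mistake it for a TR ID number.
PII_RE = re.compile(
    r"(?P<email>[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})"
    r"|(?P<phone>(?<!\d)(?:\+90|0)?5\d{9}(?!\d))"
    r"|(?P<digits>(?<!\d)\d{11}(?!\d))"
)


def is_valid_tr_id(s: str) -> bool:
    """Checksum of a Turkish ID number (TC Kimlik No).

    11 digits, first digit non-zero,
    d10 = (7*(d1+d3+d5+d7+d9) - (d2+d4+d6+d8)) mod 10,
    d11 = (d1+...+d10) mod 10.
    Used to keep 11-digit order or reference numbers out of the masking.
    """
    if len(s) != 11 or not s.isdigit() or s[0] == "0":
        return False
    d = [int(c) for c in s]
    d10 = (7 * sum(d[0:9:2]) - sum(d[1:8:2])) % 10
    d11 = sum(d[:10]) % 10
    return d[9] == d10 and d[10] == d11


def mask(value: str, keep_prefix: int = 0, keep_suffix: int = 2) -> str:
    """Display masking: irreversible, keeps just enough to recognise the record."""
    hidden = len(value) - keep_prefix - keep_suffix
    if hidden <= 0:
        return "*" * len(value)
    return value[:keep_prefix] + "*" * hidden + value[-keep_suffix:]


def mask_email(value: str) -> str:
    """Keep the first character of the local part and the whole domain."""
    local, _, domain = value.partition("@")
    return local[:1] + "*" * (len(local) - 1) + "@" + domain


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated).

    Same input -> same token, so records stay joinable for analytics.
    Whoever holds the key can re-identify a token by trying candidate
    values (an ID number has only 10^9 possible prefixes), so this is
    pseudonymization, not anonymization in the sense of Article 7.
    """
    return "psn_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def scrub_log_line(line: str, mode: str = "mask") -> str:
    """Replace personal data in one log line.

    mode="mask" for logs that support staff read; mode="pseudonymize"
    when records must remain linkable across lines.
    """
    def repl(m: re.Match) -> str:
        value = m.group(0)
        if m.group("digits") is not None and not is_valid_tr_id(value):
            return value  # 11 digits but fails the checksum: not an ID number
        if mode == "pseudonymize":
            return pseudonymize(value)
        if m.group("email") is not None:
            return mask_email(value)
        if m.group("phone") is not None:
            return mask(value, keep_prefix=0, keep_suffix=2)
        return mask(value, keep_prefix=2, keep_suffix=2)

    return PII_RE.sub(repl, line)


# Constructed sample log lines. 10000000146 is a checksum-valid test value;
# 12345678901 fails the checksum and must be left alone.
SAMPLE_LOG = [
    "2024-03-01T10:15:02Z INFO login ok user=ayse.yilmaz@example.com "
    "tckn=10000000146 tel=05321234567",
    "2024-03-01T10:16:40Z INFO order created order_no=12345678901 "
    "customer=10000000146",
]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scrub_log_line(line))
        print(scrub_log_line(line, mode="pseudonymize"))
```

Running the script masks the e-mail, ID number and phone number in the first line and leaves the checksum-invalid order number in the second line untouched. The single combined pattern matters: running three separate substitutions in sequence would let a replacement produced by one pass (a pseudonym token, for instance) be rescanned by the next.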

Organizational Measures


  1. Preparation of a personal data processing inventory
  2. Corporate policies (access, information security, use, retention and destruction, etc.)
  3. Contracts (data controller – data controller, data controller – data processor)
  4. Privacy notices
  5. Internal periodic and/or random audits
  6. Risk analyses
  7. Employment contracts and disciplinary regulations (inclusion of provisions compliant with the Law)
  8. Corporate communications (crisis management, processes for communicating with the Board and data subjects, reputation management, etc.)
  9. Training and awareness activities (information security and law)
  10. Registration with the Data Controllers Registry Information System (VERBIS)

https://www.kvkk.gov.tr/

The Solution to Your Company’s Requirements Under the Turkish Personal Data Protection Law

Under provisional Article 1(3) of the Turkish Personal Data Protection Law, personal data processed before the publication date of the Law had to be brought into compliance within two years of that date, and personal data found to be contrary to the Law had to be deleted, destroyed or anonymised immediately. Consents lawfully obtained before the publication date are deemed lawful under the Law, provided that no contrary declaration of intent was made within one year.


Besides Turkish Personal Data Protection Law no. 6698, the EU General Data Protection Regulation (GDPR) entered into force on 25 May 2018.


The GDPR applies to all organisations, whether established in the EU or not, that process the personal data of individuals in the EU; the test is where the data subject is, not their citizenship.


With the entry into force of the GDPR, the measures that companies and institutions working with data on individuals in the EU must take have increased.

Protection of personal data should be seen as a process rather than a project.

Contrary to a common misconception, protecting personal data is not limited to drafting a few legal texts and delivering a few notices to staff and customers.


Turkish Personal Data Protection Corporate Training Program


According to Article 12 of the Turkish Personal Data Protection Law, the data controller shall take all necessary technical and organisational measures to provide an appropriate level of security in order to

  a) prevent unlawful processing of personal data,
  b) prevent unlawful access to personal data,
  c) safeguard personal data.

Training and awareness activities (information security and law), listed under the organisational measures in the Personal Data Security Guide (Technical and Administrative Measures) published by the Personal Data Protection Authority, must be carried out by the company.

Under Article 18 of the Turkish Personal Data Protection Law, those who do not fulfil these obligations regarding data security face an administrative fine of between 15,000 and 1,000,000 Turkish liras.

Who Should Participate in Personal Data Protection Training?

Personal Data Protection Training Topics

  1. The historical development of the Law on the Protection of Personal Data
  2. Purpose and justification of the Law on the Protection of Personal Data
  3. What are the companies and institutions covered by the Law on the Protection of Personal Data?
  4. What are the special categories of personal data?
  5. How should the person’s explicit consent be obtained before the collection of personal data?
  6. When should personal data be deleted and destroyed?
  7. How should personal data be anonymized?
  8. How can the collected personal data be processed?
  9. How can personal data be transferred to third persons?
  10. Who is the data processor and who is the data controller?
  11. What are the responsibilities of the data controller?
  12. What are the data security obligations of the data controller?
  13. What are the rights of the data subject?
  14. How does a data subject apply to the data controller?
  15. What are the Personal Data Protection Authority and the Board?
  16. What is the Data Controllers Registry?
  17. What are the relevant offenses and penalties in the Turkish Criminal Code?
  18. What are the misdemeanors and administrative fines related to the protection of personal data?
  19. What are the exceptions beyond the scope of the Personal Data Protection Act?
  20. What are the regulations in other laws and sectors?

Place and Duration of Personal Data Protection Training


Training can be delivered to all relevant department staff in a total of 6 hours, split into two 3-hour sessions (morning and afternoon).

Afterwards, training can be continued with the modules to be added in accordance with the special requests of the institution and departments.

Training can be held on the company’s own premises.


Personal Data Protection awareness training is given by Av. Özgür Eralp.

Contact

You may send an e-mail to [email protected] to receive a Training, Consultancy and Supervision Service offer for the Personal Data Protection Compliance Process for your company or organization.