Any information regarding a specific or identifiable person is considered personal data. This definition is determined similarly in both international and national legislation. The Personal Data Protection Law No. 6698 (KVKK), issued in 2016 in our country, was regulated as a framework law that will ensure the protection of all data of an identified or identifiable natural person. Article 2 of the Law states that the provisions of this Law shall apply to natural persons whose personal data are processed, and to natural and legal persons who process these data by fully or partially automatic or non-automatic means, provided that they are part of any data recording system.
Any information regarding a specific or identifiable person is considered personal data. This definition is determined similarly in both international and national legislation.
Personal Data Protection Law
The Personal Data Protection Law No. 6698 (KVKK), issued in 2016 in our country, was regulated as a framework law that will ensure the protection of all data of an identified or identifiable natural person.
Article 2 of the Law states that the provisions of this Law shall apply to natural persons whose personal data are processed, and to natural and legal persons who process these data by fully or partially automatic or non-automatic means, provided that they are part of any data recording system.
The Personal Data Protection Law is based on the European Union’s Directive 95/46/EC. As a matter of fact, one of the most important factors in the enactment of the Law is the importance of personal data in the EU harmonization process. In addition, the European Union Data Protection Regulation (GDPR) came into force on May 25, 2018. With this directive, the local regulations put forward by the European Union member countries regarding the protection of personal data were abolished and GDPR came into force in all European Union member countries, thus ensuring uniformity in personal data.
In addition to the Personal Data Protection Law, some additional regulations have been issued. These regulations;
-Personal Data Protection Authority Personnel Promotion and Title Change Regulation
-Personal Data Protection Authority Organization Regulation
-Personal Data Protection Expertise Regulation
-Regulation on Data Controllers Registry
-Regulation on the Working Procedures and Principles of the Personal Data Protection Board
-Regulation on Deletion, Destruction or Anonymization of Personal Data
– Personal Data Protection Authority Disciplinary Chiefs Regulation.
The rights of the relevant persons are regulated in Article 11 of the Personal Data Protection Law.
In Article 11 of the Law;Everyone can contact the data controller and obtain information about himself/herself;a) Learning whether personal data is processed or not,b) Requesting information if personal data has been processed,c) Learning the purpose of processing personal data and whether they are used for their intended purpose,ç) Knowing the third parties to whom personal data is transferred domestically or abroad,d) Requesting correction of personal data if they are incomplete or incorrectly processed,e) Requesting the deletion or destruction of personal data within the framework of the conditions stipulated in Article 7,f) To request that the transactions carried out in accordance with paragraphs (d) and (e) be notified to third parties to whom personal data is transferred,g) Objecting to the emergence of a result against the person by analyzing the processed data exclusively through automatic systems,g) Has the right to demand compensation for the damage in case of damage due to illegal processing of personal data.Again, in accordance with the law, the processing of personal data is subject to certain conditions. These conditions are stated in Article 5 of the law;a) It is clearly foreseen in the law,b) It is necessary for the protection of the life or physical integrity of the person or someone else who is unable to express his/her consent due to actual impossibility or whose consent is not given legal validity,c) It is necessary to process personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract,ç) It is mandatory for the data controller to fulfill its legal obligation,d) It has been made public by the person concerned,e) Data processing is mandatory for the establishment, exercise or protection of a right,f) It is necessary to process data for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the person concerned,In such cases, personal data may be processed without the explicit consent of the data owner.
However, special personal data is additionally included in the law. These are special categories of personal data in Article 6 of the Law; It is defined as data regarding people’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and clothing, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data. . Processing of these data without the explicit consent of the relevant person is prohibited by the legislator.
The law provides for a number of criminal sanctions in case of violations. These criminal sanctions are;
· Illegal recording of personal data: 1-3 years imprisonment,
· Illegal transfer, dissemination or seizure of personal data: 2-4 years imprisonment
· Failure to destroy personal data after a certain period of time: 1-2 years imprisonment
· Violation of the obligation to inform: 5,000 TL – 100,000 TL administrative fine
· Violation of data security obligation: 15,000 TL – 1,000,000 TL administrative fine
· Opposition to the decisions of the Personal Data Protection Board: 25,000 TL – 1,000,000 TL administrative fine
· Violation of the obligation to register and notify the data controllers: An administrative fine of 20,000 TL – 1,000,000 TL has been determined.
In order to ensure compliance with KVKK, as Gürler Law Firm, we provide our clients with the following:
• Determination and analysis of the obligations to which clients are subject within the scope of KVKK,
• Ensuring the necessary cooperation with IT departments in the process of creating the data recording systems that the clients must use in order to fulfill the relevant obligations and providing the necessary support in terms of harmonizing the currently used data recording systems with the obligations within the scope of KVKK,
• Preparing and/or revising the contracts that clients must conclude with their customers or business partners within the scope of KVKK,
• Providing in-company awareness training to all relevant departments (legal, HR, IT, marketing, public relations, etc.) within the Data Controller in order to ensure full compliance with the obligations within the scope of KVKK,
Today, the Personal Data Protection Authority imposes large fines on companies in case of violations. In order to prevent these penalties, certain measures will need to be taken, especially by companies. Working with Personal Data Protection Lawyers who are experts in this field allows you to avoid these large amounts of fines. Gürler Law Firm works with many large-scale companies in this field and is honored to serve you, our valued clients and clients, with its expert staff in both the legal and IT parts of the process. In this area, we can provide clear and reliable solutions by forwarding relevant questions and problems to the Personal Data Protection Board.