What is KVKK?
The Personal Data Protection Law (KVKK) aims to protect the fundamental rights and freedoms of your company, its employees and your valued customers, in particular the right to privacy, and to regulate the obligations of natural and legal persons who process personal data, together with the procedures and principles they must follow.
What is Personal Data?
Personal data refers to any information relating to an identified or identifiable natural person. In this context, personal data is not only information that definitively identifies the individual, such as name, surname, date of birth and place of birth, but also information about the physical, familial, economic, social and other characteristics of the person.
You may be subject to a judicial prison sentence of up to 4 years and an administrative fine of up to 1 million TL.
KVKK imposes an obligation on real and legal persons to ensure the security of personal data. The Law provides for a prison sentence of 1 to 3 years for illegally recording personal data, and 2 to 4 years of imprisonment where personal data is illegally transferred, disseminated or seized. If personal data is not destroyed after a certain period of time, a prison sentence of 1 to 2 years may be imposed under the Law.
Administrative fines may also be imposed under KVKK when obligations are violated. The Law stipulates a fine of 5,000 – 100,000 TL for violation of the obligation to inform, and a fine of 15,000 – 1,000,000 TL for violation of the data security obligation. Failure to comply with the decisions of the Personal Data Protection Board carries an administrative fine of 25,000 – 1,000,000 TL, and violation of the data controllers' obligation to register and notify carries an administrative fine of 20,000 – 1,000,000 TL.
What is the application deadline?
Real and legal person data controllers with more than 50 employees annually, or whose annual financial balance sheet exceeds 25 million TL, must complete their KVKK compliance processes by September 30, 2020, and registration with the Data Controllers Registry Information System (VERBIS) is required. The exception is a few professions whose deadlines for completing KVKK compliance processes are regulated separately. A penalty of up to 1 million 470 thousand TL will be imposed on data controllers who do not register with VERBIS by 30 September.
How should the security of personal data be ensured?
- Personal data should be prevented from being taken out of the institution, whether accidentally or maliciously.
- Users' internet access should be controlled and precautions taken against possible attacks.
- User machines must be protected against security vulnerabilities so that they are not exposed to a targeted attack.
- Regular vulnerability checks should be carried out.
- Products such as antivirus and antispam should be used to protect against malicious software.
- A security intelligence product (SIEM) should be used to ensure security monitoring.
- User authentication and management products must be used.
- Detailed checks should be in place to confirm that the backup systems are working and that restores from them succeed, so that the data can be recovered if personal data is damaged for any reason.
Advantages of Personal Data Protection Law
- More accurate, regular and effective use of human resources.
- Reduction of negative scenarios in business relations, for example by preventing attempts to leak data from within the company.
- Accelerating access to data, which is the most valuable asset of institutions.
- Determining the value of data and increasing its security by classifying sensitive data.
- Alternative storage of data, the cornerstone of the institution, in order to ensure business continuity.