What is KVKK? What does KVKK mean?

KVKK is the abbreviation consisting of the first letters of the Law on Protection of Personal Data No. 6698; In order to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data, and to regulate the procedures and principles to be followed by real and legal persons who process personal data fully or partially automatically or by non-automatic means provided that they are part of any data recording system. has entered.

In addition, it refers to the abbreviations of the Personal Data Protection Authority, which is an institution with administrative and financial autonomy and public legal personality, whose establishment is regulated by this law, and the Personal Data Protection Board, whose powers and duties are listed in the relevant law.

What is KVKK Personal Data? What is Private Personal Data?

All kinds of personal information relating to an identified or identifiable natural person, revealing the person's identity structure, (name, surname, date of birth, home address, work address, e-mail address, IP address, telephone number, fax number, credit card information, citizenship number, tax number, passport number, social security number, driver's license number, vehicle license plate, CV, photograph, video, etc.) are considered as personal data within the scope of the Law on Protection of Personal Data No. 6698; processing by natural or legal persons is only possible with the express consent of the person concerned.

In addition, with article 6 of the Law on the Protection of Personal Data No. 6698, the race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, disguise and dress, association, foundation or union membership, health, sexual life, criminal conviction and security Biometric and genetic data related to the measures taken, are counted as special quality personal data and their processing is prohibited without the explicit consent of the persons concerned.

What is KVKK express consent? What is lighting text?

Article 3, titled Definitions of the Law on Protection of Personal Data No. 6698; It is defined as consent on a specific subject, based on information and expressed with free will; As it is understood from this definition, express consent must be based on being informed.

The fact that there is no specific form requirement for how this information will be made and how to obtain explicit consent makes it possible to fulfill the requirements of Enlightenment and Explicit Consent, with the Enlightenment Text and the acceptance button below it, or by the call center, provided that the burden of proof is on the data controller.

When did KVKK come into force?

The European Union adopted the "Directive on the Protection of Individuals in Terms of the Processing and Free Movement of Personal Data of the European Parliament and the Council of Europe" in 1995 in order to harmonize the regulations between the member states regarding the protection of personal data. This Directive is in line with the legal regulations in the domestic laws of the member states, including Turkey, and the European Union General Data Protection Regulation (GDPR) numbered 2016679, which was made by the European Parliament, the European Council and the European Commission in 2016, entered into force in 2018 and is still valid in the EU today. originates.

In our country, the KVKK was prepared with the aim of effectively protecting human rights, membership negotiations with the EU and increasing international cooperation and trade, and was submitted to the Presidency of the Turkish Grand National Assembly on 26 December 2014; It was enacted on 24 March 2016 and entered into force by being published in the Official Gazette dated 7 April 2016 and numbered 29677.

For whom is KVKK Mandatory?

Article 2 of the Law on the Protection of Personal Data No. 6698 draws the scope of the law as "applies to natural and legal persons who process personal data fully or partially automatically or non-automatically provided that they are part of any data recording system".

Processing of personal data, on the other hand, means all kinds of operations performed on the data such as obtaining, recording, storing, preserving, changing, reorganizing, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data; Everyone is obliged to comply with the regulations brought by the KVKK, without making any distinction between real and legal persons who carry out these actions.

KVKK Veri Sorumlusu Kimdir? Veri İşleyen Kimdir?

Data Controller, with article 3 titled Definitions of the Law on Protection of Personal Data No. 6698, data recording system, which determines the purposes and means of processing personal data. defined as the natural or legal person responsible for its establishment and management.

Data Processor is defined in the same article as a natural or legal person who processes personal data on behalf of the Data Controller based on the authority given by him. In order to distinguish the two concepts from each other, it is necessary to determine the person who will answer the questions "why" and "how" the processing will be done.

What are the things to be done within the scope of KVKK?

Pursuant to the Law on Protection of Personal Data No. 6698, the obligations of the Data Controller, the clarification of the applications of the relevant persons (the person whose personal data are processed), taking the necessary measures to ensure data security, registration in the Data Controllers Registry (VERBIS), responding to the applications of the data subjects and the reasons for their processing. deletion, destruction or anonymization of personal data ex officio or upon the request of the person concerned, and fulfillment of the decisions of the Personal Data Protection Board.

What are KVKK Penalties and Sanctions?

According to the Turkish Penal Code No. 5237, the person who unlawfully records the Personal Data, from one year to three years; (This penalty may be increased by half, depending on the nature of the data) from two years to four years; Anyone who violates the obligation to delete, destroy or anonymize this data is punished with imprisonment from one year to two years.

In addition, according to the Law on the Protection of Personal Data No. 6698, from 5,000 Turkish Liras to 10,000 Turkish Liras for data controllers who do not fulfill their obligations regarding data security, from 15,000 Turkish Liras to 1,000,000 Turkish Liras for those who do not fulfill their obligations regarding data security, and for those who violate the obligation to register in the Data Controllers Registry. Administrative fines from 20,000 Turkish Liras to 1,000,000 Turkish Liras are applied.

What are the Differences between KVKK and GDPR?

Although the EU legal regulations were taken as a model during the preparation of the Personal Data Protection Law No. 6698, there are some differences between KVKK and GDPR;

Within the scope of GDPR, any company or individual (including third parties such as cloud service providers) that processes data, even if it is not a data controller, is considered responsible for the legal processing of data. By determining a different level of responsibility for the data processor, the sanction of administrative fine applies only to data controllers, and the obligation to register with the data controllers' registry covers only data controllers.

In general, the concept of the right to be forgotten, which is expressed as the right of individuals to control their personal data and to delete it whenever possible, has been included in a legal regulation for the first time with the GDPR; There is no individual regulation regarding this in the Law on the Protection of Personal Data No. 6698, this concept is shaped by the decisions of the Supreme Court and the Constitutional Court in our country.

While significant sanctions such as 200 million Euros or four percent of the global revenue of the service provider are foreseen for violations of data protection rules brought by GDPR, the relevant administrative fines (5 thousand Turkish Liras - 1 million Turkish Liras) are relatively lower in the Personal Data Protection Law No. 6698. appears to be limited in quantity.

Regulations regarding institutions such as the "right to data portability" regulated by GDPR, "mandatory data protection officer" in terms of processing sensitive data and "mandatory data protection impact assessment" in terms of risky data processing activities are not included in the Law on Protection of Personal Data No. 6698.