Personal Data Protection Law No. 6698 (KVKK) came into force in 2016.

With this law, the procedures and principles for processing personal data have been defined and placed on a legal basis.

By regulating how a data subject's personal data is processed, the law has granted many rights to individuals. Accordingly, it has also imposed certain responsibilities on data controllers who process personal data.

A data controller can simply be defined as any natural or legal person who processes personal data.

Who is a data controller? A data controller can be the pharmacy where you buy your medicine, your doctor, the neighborhood market, or your school — in other words, individuals or institutions that interact with you in every aspect of daily life.

Data controllers must take the necessary administrative and technical measures to protect personal data and prevent data loss.

In addition, those who meet certain conditions must register with the Data Controllers Registry Information System (VERBIS). Due to the pandemic, the Personal Data Protection Authority extended the registration deadlines, and the final deadline was set as 31.12.2021.

REQUIREMENTS UNDER THE PERSONAL DATA PROTECTION LAW

The actions required within the scope of the Personal Data Protection Law should be addressed in two stages.

COMPLIANCE PROCESS

During this stage, the data controller must identify the actions required under KVKK and take the necessary measures.

Since the process can be complex and involves many procedures, it is recommended to seek professional support.

In order to properly manage the compliance process, it is necessary to work with individuals or institutions who have strong knowledge of both technical and administrative aspects and are familiar with the legislation.

Each administrative and technical measure must be carefully reviewed and implemented.

Any mistake made at the end of this process may result in serious financial and legal liabilities.

In other words, the data controller’s current situation should be thoroughly analyzed—like taking an X-ray—and the required measures should be determined and implemented accordingly.

At this stage, all necessary administrative and technical measures must be taken so that the data controller becomes fully compliant with KVKK.

Once this stage is completed, Stage 2 begins.

CONTINUITY AND MAINTENANCE OF KVKK COMPLIANCE

After initiating the KVKK compliance process and implementing the required technical and administrative measures, it is extremely important to maintain the continuity of these measures, because KVKK compliance is a dynamic and ongoing process.

If the technical or administrative measures taken by data controllers change in practice, previously prepared documents and procedures must be updated accordingly.

For example, an employment contract may have been updated to comply with KVKK, but if the legislation changes later, the employment contract must also be updated.

Similarly, a data processing committee may have been established under the data retention and destruction policy. But what will happen if members of that committee leave their jobs later?

What should be done in the event of a data breach within the organization?

How will personal data that has been stored for legally required periods be destroyed at the end of the retention period, and who will decide on this process?

What actions should be taken in response to applications made by data subjects?

This second stage, which is often overlooked or not properly explained to data controllers, may lead to serious problems for organizations in the future.

As explained above, data controllers who entrust the first stage to inexperienced individuals offering very low-cost services may find themselves alone and unsupported in the second stage.

This may lead to financial penalties and legal sanctions.

Regardless of size, many businesses see these processes as an additional burden and try to avoid the associated costs. Since trained personnel are often not available, the responsibility is usually assigned to HR staff or accounting employees. However, these employees may view the KVKK process as an additional task alongside their primary duties and may not be able to manage it properly.

To avoid such difficulties, data controllers should work with reliable solution partners who stand behind their work and provide continuous support throughout the process.

Just as companies receive external support for accounting, occupational health, and workplace safety services, they can also obtain professional support for initiating legal procedures, implementing necessary measures, carrying out compliance activities, and ensuring the continuity of the Personal Data Protection Law compliance process.

By doing so, organizations can successfully complete the KVKK compliance process and maintain ongoing compliance.