What is KVKK? Things to know about KVKK (Episode-2)

The aforementioned KVKK law was accepted by the General Assembly of the Grand National Assembly of Turkey on March 24, 2016 and enacted and entered into force by being published in the Official Newspaper dated April 7, 2016 and numbered 29677.

What is KVKK?

KVKK is the law of Protection of Personal Data. At the same time institution of KVKK involved our life in order to run this law and continue proceed the processes. From this date forward, audits started and serious steps were taken to protect personal data. KVKK law which has long been waiting as a draft has entered into action by publishing in Official Newspaper in April 7, 2016. In this way the rules that firms whose processing personal data will comply have been decided from which processing of personal data to privacy of personal life to protect fundamental right and freedoms of persons.

What is the Purpose of the Law No. 6698 on the Protection of Personal Data?

With the law which was prepared for processing and protecting personal data within contemporary standards by considering the international documents, comparative law applications and standards of our country. The purpose of KVKK law has started by protecting the conditions of processing of fundamental rights and freedoms of persons and regulating the responsibilities and procedures and principles which will be complied by real and legal persons. Protecting the privacy and providing the data security of persons is also counted in this context. With the KVKK law it is aimed that to prevent the violation of personal rights as a result of unlimited or randomly collection of personal data, having them accessible to unauthorized persons, disclosure or misuse.

Who The Protection of Personal Data Covers?

The KVKK Law is applied to natural persons whose personal data are processed, and to real and legal persons who process this data fully or partially automatically or non-automatically provided that they are part of any data recording system. So this law covers everyone who fully or partially process the personal data.

Everyone who is eligible is deemed as in the scope of this law because at the law the real persons whose data are processed are mentioned. However since “real persons whose data are processed” phrase was used, legal persons whose data are processed kept out of the scope of this law.

Protection of Personal Data

When it comes to the protection of personal data, it is aimed to protect fundamental right and freedoms by discipline the processing of personal data. In fact the definition of protection personal data in basis is to protect not the data, the persons whose related to these data.

According to the expressions from the law; It refers to the administrative, technical and legal measures aimed at protecting individuals from damages arising from the fully or partially automatic or non-automatic processing of the data about them and embodied in the principles on the protection of personal data.

What is The Definition of Personal Data?

According to these phrases “personal data” refers to the every king of information related to real person whose identity is specific or identifiable. In order to be able to talk about personal data, the data must be related to a real person and this person must be specific or identifiable. In other words, there is a condition that the person must be clearly defined in the stored or processed data.

For instance, Cyber Security Specialist Ali Ber - ali.berk@example.com when we look at this example since title information, name, surname and e-mail are included together we can clearly say that it refers to a single person.

Personal data is related to the real person whereas data related to the legal persons is out of the definition of personal data. Thus, information related to legal person such as commercial title or address of a company(situations that they would be related to real person are excluded) wouldn’t be deemed as personal data.

Making a person specific or identifiable: personal data, either would be able to display the identity of the related person, it covers all information which provides to be able to identify the person as a result of relating it with any record by not directly showing that persons identity.

Any kind of information: this expression is very wide, it is not just a real persons; information that identifies its identity such as name, surname, birth data and birth place, also the data that makes a person identifiable in a direct or indirect way such as; phone number, plate of engine vehicle, social security number, passport number, cv, picture, visual and voice records, finger prints, e-mail address, hobbies, preferences, persons contacted, membership of groups, family information, health information are accepted as personal data.

What important is that a data would be able to related to a person or identify it. For example, if pseudonyms, alone or combined with other sources, are capable of identifying the person, such data is also considered personal data. Also often used data such as reports like customer complaint related to the real person that their identity is identified or identifiable, employee performance indication, records like interview evaluation, voice and visual, pictures, customer transaction, documentaries and letter, invitation writings which included in written/records like resume, payroll, bill, bank receipt, credit card extract, copy of ID might as well be counted as personal data.

What Does Sensitive Personal Data Mean?

Sensitive personal data are data that, if learned by others, may cause the person to become a victim or be exposed to discrimination. To give an example of sensitive personal data; we can list people's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and clothing, association, foundation or syndicate membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data. According to this sensitive personal data generally keep many sectors responsible.

What Does Processing of Personal Data Mean?

It refers to; obtaining, recording, storing, preserving, changing, rearranging, defining, transferring, taking over, making available, classifying or blocking from all kinds of operations performed on the data provided that it is a part of any data recording system which using personal data completely or partially by automatic or non-automatic means. For instance, personal data is being stored just in a disk, CD, server is an act of data processing whether any other process is done with mentioned data. Hence, storing personal data too means that processing personal data.

What Does the Published KVKK Law No. 6698 and the Obligation of Clarification Mean?

KVKK law No. 6698 which provides control over processing of personal data and regulates it, aims that to protect fundamental rights and freedoms. It was entered into action that requires to have complied with the fulfillment of the Clarification Obligation published in the Official Newspaper dated 10 March 2018 and numbered 30356, in Article 10 of the KVKK titled “Information Obligation of the Data Controller” on the Protection of Personal Data Law No. 6698 published in the Official Newspaper dated 7 April 2016 and numbered 29677. to protect the rights and freedoms of consumers regarding the storage, sharing, use, and similar points of personal data processed following the Communique on the Procedures and Principles. It has become obligatory to inform before processing the data of the consumers, by having their explicit consent, for information giving, processing, sharing and similar situations in accordance with the obligation of clarification.

What Does Processing of Personal Data Included in The Law by Automatically Mean?

What the automatic processing isn’t defined in the law. In this context, processing that is fully or partially automated; It can be defined as performing automatic or partially automatic processes such as recording data, applying logical or arithmetic operations to these data, changing, deleting, recovering or transferring data by minimizing the need for human intervention or assistance.

In other words, automatic data processing; covers processing acts that is performed by itself without requiring human intervention in the context of algorithms which prepared in advance through software or hardware features that are get done by processor powered devices such as computer, phone, watch etc.

What Does Processing of Personal Data Included in The Law by Non-Automatically Mean?

Processing methods without connecting to a data recording system defines the process act that was prepared manually however eases the accessibility and understanding. Like above mentioned, personal data are subject to law even they aren’t exposed to automatic processing.

In order to pursue the studies and applications over which the protecting personal data, The Personal Data Protection Authority was established in our country. The purpose of the authority which is expressed as KVKK: is to provide protection over personal data in the context of protecting private life and fundamental rights and freedom as expressed in the constitution, and develop consciousness level by making awareness to this, and to create and environment that would increase the competition of public actors in the data based economy as well. It has been defined as an authority that is active and internationally speaking over the protection of personal data and creation of citizenship awareness.

By the law, the companies, state authorities, universities, associations, chambers, foundations, SME’s, organizations have been given time upon establishing an administration system regarding the protection of personal data until until the month of July. Subsequently the KVKK authority has begun its controls and review the notifications. Organizations that do not establish a system for the protection of personal data by the law have also implemented serious penalties such as administrative fines between 5,000 and 1,400,000 TL for misdemeanors, closure decision and imprisonment from 1 year to 4.5 years for crimes.