
What is KVKK? What does KVKK mean?

KVKK is the abbreviation formed from the first letters of the Personal Data Protection Law No. 6698. The law was put into effect in order to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data, and to regulate the procedures and principles to be followed by real and legal persons who process personal data by fully or partially automatic or non-automatic means, provided that they are part of any data recording system.

The abbreviation is also used for the Personal Data Protection Authority, an institution established by this law that has administrative and financial autonomy and public legal personality, and for the Personal Data Protection Board, whose powers and duties are listed in the relevant law.

What is KVKK Personal Data? What is Special Personal Data?

Any personal information relating to an identified or identifiable natural person that reveals the identity of the person (name, surname, date of birth, home address, business address, e-mail address, IP address, telephone number, fax number, credit card information, citizenship number, tax number, passport number, social security number, driver’s license number, vehicle license plate, CV, photograph, video, etc.) is considered personal data within the scope of the Personal Data Protection Law No. 6698. Its processing by natural or legal persons is only possible with the express consent of the person concerned.

In addition, according to Article 6 of the Personal Data Protection Law No. 6698, data regarding individuals’ race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data, are considered special personal data and are prohibited from being processed without the express consent of the persons concerned.

What is KVKK Explicit Consent? What is Clarification Text?

Article 3, titled Definitions, of the Personal Data Protection Law No. 6698 defines explicit consent as consent regarding a specific subject, based on information and expressed with free will. As can be understood from this definition, explicit consent must be based on information.

Because there is no specific form requirement regarding how this information will be provided and how explicit consent will be obtained, the Disclosure and Explicit Consent obligations can be fulfilled electronically, via the Information Text and the acceptance button below it, or through the call center, provided that the burden of proof is on the data controller.

When did KVKK come into force?

The European Union adopted the “Directive of the European Parliament and the Council of Europe on the Protection of Individuals with Respect to the Processing and Free Movement of Personal Data” in 1995 in order to harmonize the regulations between member states regarding the protection of personal data. This Directive is in accordance with the legal regulations in the domestic law of the member states, including Turkey, and with the European Union General Data Protection Regulation No. 2016/679 (GDPR), which was made by the European Parliament, the European Council and the European Commission in 2016, entered into force in 2018 and is still valid legislation in the EU today.

In our country, KVKK was prepared with a view to effectively protecting human rights, to membership negotiations with the EU and to increasing international cooperation and trade, and was submitted to the Presidency of the Turkish Grand National Assembly on 26 December 2014. It became law on 24 March 2016 and came into force after being published in the Official Gazette No. 29677 dated 7 April 2016.

For whom is KVKK mandatory?

Article 2 of the Personal Data Protection Law No. 6698 sets out the scope of the law as “applied to real and legal persons who process personal data by fully or partially automatic or non-automatic means, provided that they are part of any data recording system.”

Processing of personal data refers to all kinds of operations performed on data, such as obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or preventing the use of personal data. Everyone who carries out these actions, whether a real or a legal person, is obliged to comply with the regulations introduced by the KVKK.

Who is the KVKK Data Controller? Who is the Data Processor?

In Article 3 titled Definitions of the Personal Data Protection Law No. 6698, Data Controller is defined as the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

Data Processor is defined in the same article as the real or legal person who processes personal data on behalf of the data controller, based on the authority given by the data controller. To distinguish between the two concepts, it is necessary to determine who answers the questions of “why” and “how” the processing activity will be carried out.

What must be done within the scope of KVKK?

In accordance with the Personal Data Protection Law No. 6698, the obligations of the Data Controller are to inform the relevant persons (relevant person: the person whose personal data is processed), to take the necessary measures to ensure data security, to register in the Data Controllers Registry (VERBİS), to answer the applications of the relevant persons, to delete, destroy or anonymize personal data, ex officio or upon the request of the relevant person, in case the reasons that require processing disappear, and to fulfill the decisions of the Personal Data Protection Board.

What are KVKK Penalties and Sanctions?

According to the Turkish Penal Code No. 5237, a person who records Personal Data unlawfully shall be sentenced to a term of imprisonment of one to three years (depending on the nature of the data, this penalty may be increased by half); anyone who unlawfully obtains or disseminates this data shall be sentenced to a term of two to four years; and anyone who violates the obligation to delete, destroy or anonymise this data is punished with imprisonment from one to two years.

In addition, according to the Personal Data Protection Law No. 6698, a fine of 5,000 Turkish Liras to 10,000 Turkish Liras is imposed on data controllers who do not fulfill their obligation to inform, a fine of 15,000 Turkish Liras to 1,000,000 Turkish Liras on those who do not fulfill their obligations regarding data security, and a fine of 1,000,000 Turkish Liras on those who violate the obligation to register in the Data Controllers Registry. Administrative fines ranging from 20,000 Turkish Liras to 1,000,000 Turkish Liras are imposed.

What are the differences between KVKK and GDPR?

Although the EU legal regulations were taken as a model during the preparation process of the Personal Data Protection Law No. 6698, there are some differences between KVKK and GDPR:

Within the scope of GDPR, any company or individual (including third parties such as cloud service providers) that processes data, even if it is not a data controller, is considered responsible for the lawful processing of data. Article 18/2 of the Personal Data Protection Law No. 6698, by contrast, determines a different level of responsibility for the data controller and the data processor: administrative fines are imposed only on data controllers, and the obligation to register in the data controllers’ registry only covers data controllers.

While the concept of the right to be forgotten, which is generally expressed as the right of individuals to control their personal data and delete it when possible, was included in the framework of a legal regulation for the first time with the GDPR, there is no separate regulation regarding it in the Personal Data Protection Law No. 6698, and this concept is shaped by the decisions of the Supreme Court and the Constitutional Court in our country.

While significant sanctions, such as 200 million Euros or four percent of the service provider’s global revenue, are foreseen for violations of the data protection rules introduced by the GDPR, the relevant administrative fines in the Personal Data Protection Law No. 6698 (5 thousand Turkish Liras to 1 million Turkish Liras) seem to be limited to relatively lower amounts.

Regulations regarding institutions such as the “right to data portability” regulated by the GDPR, the “mandatory data protection officer” for the processing of sensitive data, and the “mandatory data protection impact assessment” for risky data processing activities are not included in the Personal Data Protection Law No. 6698.