What is KVKK?
Personal data means any information relating to an identified or identifiable natural person. To protect personal data as part of fundamental rights and freedoms, Turkey enacted the Personal Data Protection Law (KVKK). The same law established the Personal Data Protection Board, which operates the law, runs its processes and audits, either on complaint or ex officio, whether companies have brought themselves into compliance.
The Personal Data Protection Law No. 6698 came into force on 07.04.2016, with a two-year transition period, so that by 07.04.2018 it applied to all companies. The law sets out the procedures, principles and obligations that companies processing personal data must follow, covering everything from the processing of personal data to the privacy of private life, in order to protect the fundamental rights and freedoms of individuals. Protecting personal data has therefore become a necessity, and every employee in a company needs to be informed about the law to a degree matching their level of authority.
If an audit by the Authority, whether triggered by a complaint or carried out ex officio, finds that a company does not comply with the procedures and principles of the law, the law provides for both criminal and administrative penalties. Offences concerning the processing, storage, retention period, domestic and international transfer and destruction of data are punished under the Turkish Penal Code (the law refers to Articles 135 to 140), where the individuals responsible can face imprisonment of between 1 and 6 years; failure to fulfil the obligations listed in the law is punished with an administrative fine on the company of between 5,000 TL and 1,000,000 TL (the amounts in the law's original text, which are revalued annually). To avoid these penalties, companies should carry out a compliance project for the protection of personal data.
How Should Our Business Plan for the KVKK Process Be?
- Classification of personal data: an initial meeting with each department to establish the working and organisational structure of the company as data controller
- Preparing the data map: after training the department employees, recording the data processing flows within the company
- Compliance of data processing activities: training on data processing, assessing the company's compliance, identifying negligence and reporting on it
- Compliance of data transfer processes: domestic, international and inter-company transfers
- Updating contracts: employment contracts with employees and contracts with other companies
- Compliance of the application, complaint and objection processes: taking preventive measures against complaints that arise from negligence and violations
- Drafting explicit consent and information texts: information notices and consent forms matching the nature of the personal data processed, in line with the data minimisation principle
- The organisation's KVKK policy and information security policy
- Establishing a destruction policy for the lawful destruction of data
- Organising in-house KVKK awareness training
The KVKK compliance project can be completed in the ten steps above. How long the process takes, and how many working hours it needs, depends on whether the company is large or small and whether its structure is complex or simple.
What is GDPR?
The EU General Data Protection Regulation (GDPR) has applied since May 25, 2018. It is designed to ensure the privacy and security of the personal data of individuals in the European Union.
GDPR covers every kind of personal data operation carried out by any company that collects, processes or stores the personal data of people living within the borders of the European Union. In this respect, and unlike KVKK, it goes beyond the territoriality principle and places obligations on all natural and legal persons who process the data of people residing in the European Union, wherever those persons are established. Consequently, if a business processes the data of people residing in the European Union (there is no requirement that they be EU citizens), it is obliged to comply with the GDPR. For example, if a guest residing in the EU whose data has been compromised at a hotel in Turkey applies to the supervisory authority in his or her own country under the GDPR, the hotel that caused the violation by failing to take the precautions and measures required by the GDPR may be fined.
The main differences between GDPR and KVKK are these:
- KVKK governs the processing of personal data by natural and legal persons operating in Turkey, including transfers of that data abroad. GDPR applies to all companies and individuals that process the data of people in the EU, whether they are established in an EU country or elsewhere.
- GDPR is a more comprehensive piece of legislation than KVKK, and Turkey's KVKK was prepared with the GDPR standards in mind.
- KVKK caps administrative fines at 1,000,000 TL, whereas GDPR provides for administrative fines of up to 20,000,000 Euros or 4% of the company's total worldwide annual turnover, whichever is higher.
- While KVKK applies only within the borders of Turkey, GDPR rules are also binding on organisations located outside the EU.