Turkey TDPA

The Most Appropriate Management and Consultation in Your Turkey TDPA Compliance Procedures

What is TDPA (KVKK)?

TDPA, namely the Law on Protection of Personal Data No. 6698, which was published in the Official Gazette No. 29677 on April 7, 2016, and entered into force, is a set of data protection regulations, as the name suggests. TDPA focuses on the obligations of businesses to protect personal data and privacy, and it also regulates the transfer of data outside of Turkey.

Personal Data Protection Law (KVKK)

The following are the general principles of KVKK:

· It is necessary to follow the law and good faith principles.
· To ensure that data is correct and up to date as needed.
· To process data for specific, unambiguous, and legal reasons.
· To have data that is confined and restricted to the processing goal.
· To store as needed for processing purposes or as determined by KVKK.
· Appointing an audit officer is optional but highly recommended.

Data Inventory & VERBIS Registration

In the first phase, the internal organizational chart should be prepared, and the personal data processed in each department/unit of the organization should be specified by category (identity, communication, location, health, etc.). Afterwards, a data inventory should be prepared, and the following information should be included in the inventory.

In light of the prepared data inventory, a declaration should be made to the data controllers' registry through VERBIS. It should not be forgotten that VERBIS and the Personal Data Inventory should contain parallel information and be kept up to date.

Data Controller Registry VERBIS and VERBIS Representative

A “data controller” according to Article 4 para (1) lit (i) KVKK is a legal or natural person determining the purpose and means of processing personal data. Article 16 KVKK stipulates that all Turkish and non-Turkish data controllers must register in the Data Controller Registry (VERBIS) before starting to process personal data. A process-based relational database should be created. Only certain professions like notary publics, law firms and accounting firms, trade unions, and political parties are exempted. For non-Turkish data controllers, there is no threshold due to turnover or the number of employees, meaning that even small non-Turkish organizations are subject to KVKK.

The VERBIS registration requires entering a company’s processing activities with:

Who is impacted?

The KVKK applies to all data controllers and processors who collect or process data from Turkey. This covers entities in Turkey, as well as any foreign natural or legal persons who process the personal information of Turkish data subjects.

What are the penalties for non-compliance?

Negligence and breaches in personal data protection impose significant legal and criminal obligations on businesses. For example, as of 2023, penalties of up to 600,000 TRY are imposed in the case of a breach of the disclosure obligation; sanctions of up to 6,000,000 TRY are imposed in the case of a breach of the VERBIS registration and notification obligation. If personal data are not destroyed within the prescribed time frame, imprisonment of up to 2 years is imposed, and in the case of criminal action, imprisonment of up to 4 years is enforced.

Looking for help complying with the Turkey KVKK?

DPOsphere is a leading holistic service provider that provides tailor-made solutions to entities in Turkey for all of their business processes by delivering global solutions based on its knowledge and local skills. With our skilled team of consultants, we are ready to be your solution partner with the perfect combination of people and technology to deliver the most appropriate management and consultation in your KVKK compliance procedures.

DPOsphere services and solutions

With the information we gather about data movement within your organization, we provide solutions that will strengthen your security infrastructure.

We assist you in maximizing personal data security and ensuring privacy continuity by identifying your processes.

We review your current policies and processes, find areas for improvement, then draft them for you to assure compliance.

Why Choose Us?

DPOsphere helps global corporations abide by the relevant laws. By doing this, businesses gain the trust of their customers and develop stronger, longer-lasting business partnerships.
To determine the data flow within a group of businesses, DPOsphere does thorough data mapping. In light of this, we assist our clients in closing any gaps that are now present. The adoption of privacy rules, organizational and technical safeguards, contractual agreements, protocols for data breaches, and demands from data subjects are all included in this. We can carve out legal exceptions for cultural differences while keeping an eye on our customers’ larger commercial interests thanks to our multilingual team of lawyers and DPOsphere experts.
To reap these benefits, firms must first have a thorough awareness of the domestic and international regulations that govern their operations and industry. DPOsphere's jurisdictions are focused on assessments and audits related to specific domain components such as data security. These reassessments and audits are critical for maintaining a system's viability and avoiding legal violations while meeting statutory, regulatory, security, and contractual duties.
DPOsphere addresses these requirements while also providing the simplicity of use and flexibility required to ensure compliance with the legislation applicable to your firm, all from a single user-friendly interface. Maintain compliance and peace of mind while growing your organization by choosing DPOsphere, relying on our cutting-edge technology and legal experience.