Turkey TDPA
The Most Appropriate Managementand Consultation in Your Turkey TDPA Compliance Procedures
What is TDPA(KVKK)?
Personal Data Protection Law (KVKK)
The following are the general principles of KVKK:
· It is necessary to follow the law and good faith principles.
· To ensure that data is correct and up to date as needed.
· To process data for specific, unambiguous, and legal reasons.
· To have data that is confined and restricted to the processing goal.
· To store as needed for processing purposes or as determined by KVKK.
· Appointing an audit officer is optional but highly recommended.
Data Inventory & VERBIS Registration
In the first phase, the internal organizational chart should be prepared and which personal data is processed in the departments/units within the organization should be specified by category (identity, communication, location, health, etc.). Afterwards, a data inventory should be prepared, and the following information should be included in the inventory.
- Which personal data are processed in the specified categories (ID: Name, Surname, TR Identity Number etc.)
- Natural person whose data are processed (customer, employee, supplier, stakeholder, third parties)
- Purpose and legal reason of data processing
- Whether data are transferred abroad or not
- How long the processed data will be stored/Retention periods
- Administrative and technical measures taken regarding the personal data processed
- What types of personal data are processed; sensitive personal data (health, race, religion) or personal data (name, contact information)
In the light of the data inventory prepared, a declaration should be made to the data controllers’ registry through VERBIS. It should not be forgotten that; VERBIS and Personal Data Inventory should contain parallel information and be up to date.
Data Controller Registry VERBIS and VERBIS Representative
A “data controller” according to Article 4 para (1) lit (i) KVKK is a legal or natural person determining the purpose and means of processing personal data. Article 16 KVKK stipulates that all Turkish and non-Turkish data controllers must register in the Data Controller Registry (VERBIS) before starting to process personal data. A process-based relational database should be created. Only certain professions like notary publics, law firms and accounting firms, trade unions, and political parties are exempted. For non-Turkish data controllers, there is no threshold due to turnover or the number of employees, meaning that even small non-Turkish organizations are subject to KVKK.
The VERBIS registration requires entering a company’s processing activities with:
1
The data categories
2
The categories of data subjects
3
The purposes of the processing
4
Legal basis
5
Data transfers
6
Technical and organizational measures and
7
Retention period.
Who is impacted?
The KVKK applies to all data controllers and processors who collect or process data from Turkey. This covers entities in Turkey, as well as any foreign natural or legal persons who process the personal information of Turkish data subjects.
What are the penalties for
non-compliance?
Negligence and breaches in personal data protection impose significant legal and criminal obligations on businesses. For example, as of 2023, penalty of up to 600,000 TRY are imposed in the case of a breach of the disclosure obligation; sanctions of up to 6,000.000 TRY are imposed in the case of a breach of the VERBIS registration and notification obligation. If personal data are not destroyed within the prescribed time frame, imprisonment of up to 2 years is imposed, and in the case of criminal action, imprisonment of up to 4 years is enforced.
Looking for help complying with the Turkey KVKK?
DPOsphere is a leading holistic service provider that provides tailor-made solutions to entities in Turkey for all of their business processes by delivering global solutions based on its knowledge and local skills. With our skilled team of consultants, we are ready to be your solution partner with the perfect combination of people and technology to deliver the most appropriate management and consultation in your KVKK compliance procedures.
DPOsphere services and solutions
With the information we gather about data movement within your organization, we provide solutions that will strengthen your security infrastructure.
We assist you in maximizing personal data security and ensuring privacy continuity by identifying your processes.
We review your current policies and processes, find areas for improvement, then draft them for you to assure compliance.
Why Choose Us?
develop stronger, longer-lasting business
partnerships.
