ARE YOU AWARE OF THE RESPONSIBILITIES IMPOSED ON YOU BY THE PERSONAL DATA ACT?

ARE YOU AWARE OF THE RESPONSIBILITIES IMPOSED ON YOU BY THE PERSONAL DATA ACT?

kvkk
The Law on Protection of Personal Data No. 6698 (KVKK) entered into force after being published in the Official Gazette dated 7 April 2016 and numbered 29677. Within the scope of KVKK, the definition of 'Data Controller' has been made and various obligations regarding the Data Controller have been introduced. First of all, it should be noted that; Within the scope of the relevant legislation, 'Data Controller' is defined as the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. As a legal entity, companies will directly become "data controllers" within the scope of their activities in processing personal data.

WHAT SHOULD ORGANIZATIONS DO UNDER THE LAW?


Data Controllers who process personal data must register with the 'Data Controllers Registry' before starting data processing. In addition, in accordance with the Regulation on the Data Controllers Registry, the Data Controllers, who have to register with the Data Controllers Registry, are obliged to prepare a personal data processing inventory. Pursuant to sub-paragraph 'ç' of the first paragraph of Article 5 of the Regulation on the Data Controllers Registry, it is stated that "Data controllers who are obliged to register with the Registry are obliged to prepare a Personal Data Processing Inventory. The information to be disclosed to the Registry in registry applications is prepared based on the Personal Data Processing Inventory".

WHAT IS PERSONAL DATA INVENTORY?

Personal data processing inventory is specified in the 'h' clause of the first paragraph of Article 4 of the Regulation; "The inventory they have created by associating the personal data processing purposes and legal reason, the data category, the transferred recipient group and the data subject group by explaining the maximum storage period required for the purposes for which the personal data is processed, the personal data to be transferred to foreign countries and the measures taken regarding data security". Thus the Inventory should contain as a minimum;
• Personal data processing activities
• Personal data processing purposes
• Legal reason for processing personal data
• Data category
• Transferred recipient group
• Data subject contact group

VERBIS (DATA INFORMATION SYSTEM) REGISTRATION REQUIREMENT

The minimum elements specified in the inventory are also recorded in the Data Controllers Registry System (VERBIS). However, there are various differences between the Data Controllers Registry and the Data Processing Inventory. These are;

- • While entering information under headings in the limited fields specified in the Data Controllers Registry, all these data should be included in the Personal Data Inventory in more detail.

- • The Data Controllers Registry is kept open to the public. The information entered into VERBİS can be viewed by anyone who wishes. The Personal Data Inventory will remain within the Data Controller's own entity and will only be submitted when requested by the Personal Data Protection Board.

- • While it is mandatory to enter the relevant fields within the VERBIS system, no terms or conditions are stipulated in terms of the form of the Inventory.
As a result, while preparing the Personal Data Processing Inventory, all personal data processed in physical and electronic environment should be analyzed, the processing stages of personal data should be determined one by one, personal data flow charts should be created and a detailed report should be made.

WHAT IS THE PENALTY FOR FAILING TO MEET THESE OBLIGATIONS?

Considering the high administrative fines (from 39.000 TL to 1.800.000 TL) brought with the KVKK and the crimes related to personal data that may lead to the prosecution of the Managers within the scope of Article 136 of the Turkish Penal Code; It is extremely important to prepare personal data processing inventory and enter data into the VERBIS system as required by law.

INSTITUTIONS AND THEIR PERIODS WITHIN THE SCOPE OF THE OBLIGATIONS REQUIRED BY LAW

kvkkSince the concept of personal data is a new concept in our legal system. In this area, there may be difficulties in finding enough qualified experts in terms of both knowledge and application experience. For this reason, obtaining consulting services from an expert staff while fulfilling the obligations stipulated by the law will significantly prevent problems that may arise later. Since this field of law requires knowledge of the field beyond general knowledge of law, only the help of a lawyer and lawyer may not be sufficient. Working with staff who are knowledgeable and experienced in international and national legislation on Personal Data processing, Anonymization, Storage, Destruction, Sharing with third parties will provide important advantages to your institution. In this process, our office, with its staff who have experience and knowledge in this field, creating data security policies stipulated by the legislation (inventory) of companies within the scope of data protection obligation and entering the basic elements of this policy into the KVKK database (VERBIS), recording, processing and third parties and third parties of the data of the data owner. It provides the highest level of consultancy service needed in the sharing and deletion processes with institutions and in fulfilling other issues requested by KVKK in these processes.