Protection of Personal Data

PERSONAL DATA PROTECTION LAW NO. 6698 (KVKK) entered into force in 2016.

The law defines the procedures and principles for processing personal data and establishes a legal basis.

The regulation governing how the personal data of a data subject will be processed grants data subjects numerous rights and, accordingly, imposes responsibilities on data controllers who process personal data.

A data controller can be simply defined as any natural or legal person who processes personal data.

Who is a data controller? A data controller is the pharmacy where you buy your medication, your doctor, your local supermarket, your school—in other words, any person or institution that interacts with your data in every aspect of life.

Data controllers must take the necessary administrative and technical measures to protect personal data and prevent data loss.

Those who meet certain requirements must also register with the DATA CONTROLLER REGISTRY INFORMATION SYSTEM (VERBIS). Due to the pandemic, the PERSONAL DATA PROTECTION AUTHORITY has extended the deadline for registration in the VERBIS system, and the current deadline is December 31, 2021.

ACTIONS UNDER THE PERSONAL DATA PROTECTION LAW SHOULD BE CARRIED OUT IN TWO STAGES.

STAGE 1:

COMPLIANCE ACTIONS:

During this process, the data controller must determine the actions they need to take under the KVKK and take the necessary measures.

Due to the complexity of the process and the numerous procedures required, professional support should be sought.

To carry out the compliance process, it is necessary to work with individuals or institutions who are well-versed in both technical and administrative aspects of this work and are familiar with the relevant legislation. Each administrative and technical measure must be individually reviewed, and all procedures must be implemented.

Any errors made at the end of the process will result in significant financial and criminal liability.

The data controller must be x-rayed, so to speak, and the necessary measures must be determined and implemented based on the results.

In this stage, which we define as the first stage, the necessary administrative and technical measures must be taken, and the data controller must be brought into compliance with the KVKK.

From this point on, the second stage begins.

STAGE 2:

CONTINUING THE KVKK COMPLIANCE PROCESS AND ENSURING CONTINUITY:

After initiating the KVKK compliance process and implementing the necessary technical and administrative measures, it is crucial to ensure the continuity of these measures. The KVKK process is a living process.

If the technical and administrative measures implemented by the data controllers change, the previously prepared documents and the process must be updated.

For example, if an employment contract has been made compliant with the KVKK, but the legislation subsequently changes, the employment contract will need to be updated.

What will happen if a data processing committee is established in the data retention and destruction policy, but the members of the committee later leave the company?

How will the necessary applications be made in the event of data loss?

How will personal data stored for the required legal periods be destroyed at the end of this period, and who will decide on this?

What will be done in response to the data subject's application?

This second stage, overlooked by data controllers and not explained to them, will have detrimental consequences for data controllers in the coming period.

As we explained above, data controllers who, out of day-to-day concerns, entrust the first stage to uninformed and cheap providers will be left alone and without support in the second stage.

Financial and criminal penalties will become possible.

All businesses, large and small, view these processes as an additional burden and avoid the costs. Because they lack trained personnel, the process is delegated to HR or accounting personnel. However, the HR or accounting personnel will view this task as a chore in addition to their primary job and will be unable to properly complete the KVKK process.

To avoid this challenging process, data controllers must work with serious, dedicated solution partners who will stand by them throughout this process and stand behind their work.

Just as accounting procedures and occupational health and safety procedures are outsourced, professional support can be obtained from outside to initiate the legal processes under the Personal Data Protection Law, implement measures, execute procedures, and ensure the continuity of the process.

This will ensure that the KVKK compliance process runs smoothly and consistently and that compliance is maintained.