Turkey KVKK

Who is excluded from KVKK compliance? 

There are several types of data that are excluded under KVKK, such as: 

• personal data processed by natural persons within the scope of purely personal activities of the data subject or of family members living together with him/her in the same dwelling provided that it is not to be disclosed to third parties and the obligations about data security is to be complied with.
• personal data processed for official statistics and provided that they are being anonymized for the  purposes such as research, planning and statistics.
• personal data processed with artistic, historical, literary or scientific purposes, or within the scope of freedom of expression provided that national defense, national security, public security, public order, economic security, right to privacy or personal rights are not violated or the process doesn’t constitute a crime.
• personal data processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorized and assigned by law to maintain national defense, national security, public security, public order or economic security.
• personal data are processed by judicial authorities or execution authorities with regard to investigation, prosecution, judicial or execution proceedings.

Additionally, the law states that there are situations where consent is not required: 

• It is expressly provided for by the laws.
• It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.
• Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
• It is necessary for compliance with a legal obligation to which the data controller is subject.
• Personal data has been made public by the data subject himself/herself.
• Data processing is necessary for the establishment, exercise or protection of any right.
• Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

When it comes to personal data concerning health and sexual lifestyle, Article 6 makes a distinction between these and the other types of sensitive personal data, saying that for these two, the data “may only be processed, without seeking explicit consent of the data subject, by the persons subject to secrecy obligation or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.”

Lastly, Article 28 of the law states that if your organization is in compliance with the fundamental principles of the law, you are exempted from Articles 10, 11, and 16 in the following cases where processing of personal data: 

• is necessary for the prevention of committing a crime or for crime investigation.
• is carried out on the data which are made public by the data subject himself/herself.
• is necessary for performance of supervision or regulatory duties and disciplinary investigation and prosecution to be carried out by the assigned and authorized public institutions and organizations and by public professional organizations, in accordance with the power conferred on them by the law,
• is necessary for protection of the economic and financial interests of the State related to budget, tax and financial matters.
  
  

How can I keep my organization KVKK compliant? 

Just like with other laws, the KVKK offers several principles that your organization has to follow regarding the processing of personal data:

• Lawfulness and fairness 
• Being accurate and kept up to date where necessary.
• Being processed for specified, explicit and legitimate purposes.
• Being relevant, limited and proportionate to the purposes for which they are processed.
• Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed.

Here is how to stay compliant:

• At the time when personal data are obtained, you must inform the data subjects about the following:
• your identity as the data controller and of your representative, if any;
• the purpose of processing of personal data;
• to whom and for which purposes the processed personal data may be transferred;
• the method and legal basis of collection of personal data;
• data subject access rights available.
• Take all necessary technical and organizational measures to provide an appropriate level of security for the purposes of:
• preventing unlawful processing of personal data,
• preventing unlawful access to personal data,
• ensuring protection of personal data.
• In case the processing of personal data is carried out by another natural or legal person on your behalf, you are jointly responsible for taking security measures.
• Carry out the necessary audits, or have them made, either internally or outsourced, in order to ensure compliance. 
• In the event of a data breach, you must notify the affected data subject as well as the KVKK “within the shortest time.”
• As a data processor, you have to register with the Data Controllers’ Registry “prior to the start of data processing.”
  
  

What data access rights does KVKK grant? 

Article 11 grants the following rights:

• to learn whether his/her personal data are processed or not,

• to demand for information as to if his/her personal data have been processed,

• to learn the purpose of the processing of his/her personal data and whether these personal data are used in compliance with the purpose,

• to know the third parties to whom his personal data are transferred in country or abroad,

• to request the rectification of the incomplete or inaccurate data, if any,

• to request the erasure or destruction of his/her personal data under the conditions referred to in Article 7,

• to request that, following a request for rectification or erasure, this also be reported to any third parties to whom his/her personal data have been transferred,

• to object to the occurrence of a result against the person himself/herself by analyzing the data processed solely through automated systems,

• to claim compensation for the damage arising from the unlawful processing of his/her personal data.

These can be summed up in the following data subject access rights: 

• Right to access 
• Right to be informed
• Right to correct 
• Right to delete 

How to address data subject access requests under KVKK?

The KVKK mandates that data subject access requests have to be addressed “within the shortest time by taking into account the nature of the demand and at the latest within thirty days” and that you must do so free of charge. However, there are cases where you are allowed to charge a fee if the action of replying to the request comes with an extra cost, but this cost will be determined by the Board of the regulating authority.

If you refuse a request you are required to inform the individual about this, as well as the reasons for refusal which have to be justified.

The individual will have the right to submit a complaint to the regulating authority if you refuse their request or if your response is deemed to be insufficient or provided outside of the mandated period of 30 days, and compensation may be granted to individuals following an investigation in the way you handled the data subject access request if you are find at fault. 

Enforcement and penalties

Turkish law takes into account the penal code when mandating penalties for serious violations of the data protection law, with imprisonment of 1 to 4 years being one possibility.

For misdemeanors, as detailed in Article 18 of the law, fines can range from 5,000 TL (approx. $270) to 1,000,000 TL (approx. $54,000) depending on the provision of the law that was violated. 

These fines are applicable to both “the natural persons and the private law legal persons who are the data controllers” and in the event that the violations are committed within public institutions or organizations, the provisions of the law will apply to the civil servants or public officers of those institutions or organizations. 

Data Subject Rights - GDPR vs. KVKK