What is KVKK?
KVKK (Kişisel Verileri Koruma Kanunu - Personal Data Protection Law) is Turkey's personal data protection law, which came into force in 2016. It is also known as Law No. 6698 and is based on the EU Directive 95/46/EC. The regulating authority is the Turkish Data Protection Authority (TDPA), or Kişisel Verileri Koruma Kurumu (KVKK), which publishes guidelines that help clarify and further outline Turkey's data protection regime.
While it is fairly similar to the GDPR, the law differs in that, for example, it mandates that data controllers register in the Data Controllers' Registry, VERBIS, and it does not mention a DPO requirement. Also, KVKK does not specifically address the processing of children's personal data.
What is Personal Information and what are other key definitions?
Compared with other personal data protection laws, the KVKK includes a broader set of definitions. It defines the data subject as “the natural person, whose personal data are processed” and ‘personal data’ as “any information relating to an identified or identifiable natural person.”
Although it offers no examples of protected information, it does define and give examples of ‘special categories of personal data,’ understood as sensitive personal information, namely “personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data.”
Under KVKK, organizations are either a ‘data processor,’ meaning “the natural or legal person who processes personal data on behalf of the data controller upon its authorization,” or a ‘data controller,’ understood as “the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system,” which is “the system where personal data are processed by being structured according to specific criteria.”
Last but not least, under this data privacy law, ‘processing’ means “any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof.”
Who has to comply with the KVKK?
KVKK applies to “natural persons whose personal data are processed and to natural or legal persons processing such data wholly or partially by automated means or by non-automated means which provided that form part of a data filing system.”
What this means for your organization is that if you collect or process personal data from Turkey, whether you yourself are located in the country or are targeting Turkish data subjects, you are subject to the law.
Who is excluded from KVKK compliance?
There are several types of data that are excluded under KVKK, such as:
- personal data processed by natural persons within the scope of purely personal activities of the data subject or of family members living together with him/her in the same dwelling, provided that it is not disclosed to third parties and the obligations regarding data security are complied with.
- personal data processed for official statistics, provided that they are anonymized for purposes such as research, planning and statistics.
- personal data processed for artistic, historical, literary or scientific purposes, or within the scope of freedom of expression, provided that national defense, national security, public security, public order, economic security, the right to privacy or personal rights are not violated and the processing does not constitute a crime.
- personal data processed within the scope of preventive, protective and intelligence activities carried out by public institutions and organizations duly authorized and assigned by law to maintain national defense, national security, public security, public order or economic security.
- personal data processed by judicial authorities or execution authorities with regard to investigation, prosecution, judicial or execution proceedings.
Additionally, the law states that there are situations where consent is not required:
- It is expressly provided for by the laws.
- It is necessary for the protection of the life or physical integrity of the person himself/herself or of any other person who is unable to express his/her consent due to physical disability or whose consent is not deemed legally valid.
- Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
- It is necessary for compliance with a legal obligation to which the data controller is subject.
- Personal data has been made public by the data subject himself/herself.
- Data processing is necessary for the establishment, exercise or protection of any right.
- Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.
When it comes to personal data concerning health and sexual lifestyle, Article 6 makes a distinction between these and the other types of sensitive personal data, saying that for these two, the data “may only be processed, without seeking explicit consent of the data subject, by the persons subject to secrecy obligation or competent public institutions and organizations, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, planning and management of health-care services as well as their financing.”
Lastly, Article 28 of the law states that if your organization is in compliance with the fundamental principles of the law, you are exempted from Articles 10, 11, and 16 in the following cases, where the processing of personal data:
- is necessary for the prevention of committing a crime or for crime investigation.
- is carried out on the data which are made public by the data subject himself/herself.
- is necessary for performance of supervision or regulatory duties and disciplinary investigation and prosecution to be carried out by the assigned and authorized public institutions and organizations and by public professional organizations, in accordance with the power conferred on them by the law.
- is necessary for protection of the economic and financial interests of the State related to budget, tax and financial matters.
How can I keep my organization KVKK compliant?
Just like with other laws, the KVKK offers several principles that your organization has to follow regarding the processing of personal data:
- Being lawful and fair.
- Being accurate and kept up to date where necessary.
- Being processed for specified, explicit and legitimate purposes.
- Being relevant, limited and proportionate to the purposes for which they are processed.
- Being stored for the period laid down by relevant legislation or the period required for the purpose for which the personal data are processed.
Here is how to stay compliant:
- At the time when personal data are obtained, you must inform the data subjects about the following:
  - your identity as the data controller and that of your representative, if any;
  - the purpose of processing of personal data;
  - to whom and for which purposes the processed personal data may be transferred;
  - the method and legal basis of collection of personal data;
  - the data subject access rights available.
- Take all necessary technical and organizational measures to provide an appropriate level of security for the purposes of:
  - preventing unlawful processing of personal data,
  - preventing unlawful access to personal data,
  - ensuring protection of personal data.
- In case the processing of personal data is carried out by another natural or legal person on your behalf, you are jointly responsible for taking security measures.
- Carry out the necessary audits, or have them carried out, either internally or outsourced, in order to ensure compliance.
- In the event of a data breach, you must notify the affected data subjects as well as the KVKK “within the shortest time.”
- As a data controller, you have to register with the Data Controllers’ Registry “prior to the start of data processing.”
What data access rights does KVKK grant?
Article 11 grants the following rights:
- to learn whether his/her personal data are processed or not,
- to request information if his/her personal data have been processed,
- to learn the purpose of the processing of his/her personal data and whether these personal data are used in compliance with that purpose,
- to know the third parties to whom his/her personal data are transferred, in the country or abroad,
- to request the rectification of incomplete or inaccurate data, if any,
- to request the erasure or destruction of his/her personal data under the conditions referred to in Article 7,
- to request that, following a request for rectification or erasure, this also be reported to any third parties to whom his/her personal data have been transferred,
- to object to the occurrence of a result against the person himself/herself produced by analyzing the data processed solely through automated systems,
- to claim compensation for damage arising from the unlawful processing of his/her personal data.
These can be summed up in the following data subject access rights:
- Right to access
- Right to be informed
- Right to correct
- Right to delete
How to address data subject access requests under KVKK?
The KVKK mandates that data subject access requests have to be addressed “within the shortest time by taking into account the nature of the demand and at the latest within thirty days” and that you must do so free of charge. However, there are cases where you may charge a fee if replying to the request entails an extra cost; this cost is determined by the Board of the regulating authority.
If you refuse a request, you are required to inform the individual of this as well as of the reasons for the refusal, which have to be justified.
The individual has the right to submit a complaint to the regulating authority if you refuse their request, or if your response is deemed to be insufficient or is provided outside of the mandated period of 30 days. Compensation may be granted to the individual following an investigation into the way you handled the data subject access request, if you are found at fault.
Enforcement and penalties
Turkish law takes into account the penal code when mandating penalties for serious violations of the data protection law, with imprisonment of 1 to 4 years being one possibility.
For misdemeanors, as detailed in Article 18 of the law, fines can range from 5,000 TL (approx. $270) to 1,000,000 TL (approx. $54,000), depending on the provision of the law that was violated.
These fines are applicable to both “the natural persons and the private law legal persons who are the data controllers,” and in the event that the violations are committed within public institutions or organizations, the provisions of the law apply to the civil servants or public officers of those institutions or organizations.
Data Subject Rights - GDPR vs. KVKK
GDPR:
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
KVKK:
- Right to access
- Right to correct
- Right to delete
- Right to be informed
How can Clym help?
Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Customizable branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.