KVKK Compliance Process for Companies
The primary source of personal data protection law in Turkey is Law No. 6698 on the Protection of Personal Data (KVKK), which was published in the Official Gazette on April 7, 2016, and entered into force.
The law defines the concept of personal data: personal data is any kind of information relating to an identified or identifiable natural person. Companies come to hold the personal data of many individuals as a result of their commercial activities. Under the law, the company's legal personality holds the title of data controller with respect to this data.
The data controller is defined as the person who determines the purposes
and means of processing the data and is responsible for the establishment and management of
the data recording system. In this context, it is necessary to fulfill the responsibilities arising
from the Law. It is useful to share some basic information about how companies will conduct
the KVKK compliance process and what needs to be done in accordance with the KVKK and
related legislation:
Data controller companies process the data of individuals in three different categories. These are:
- Company employees and job applicants,
- Customers,
- Business partners, suppliers, and consultants.
Companies are obliged to protect the data of individuals in these three groups. The content of
this protection is mainly the processing, storage, sharing, deletion, and anonymization of
personal data in accordance with the Law. However, establishing the necessary technical
infrastructure regarding the platforms where personal data is processed and stored and taking
measures against possible cyber attacks is another important point.
Processing of personal data is, as a rule, only possible with the explicit prior consent of the data subject.
Although there are exceptions to this rule, explicit consent is generally required. In this
regard, certain documents need to be prepared and certain work needs to be done. These documents are:
A- Preparation of the Information Text
The information text refers to the text that includes the purpose of acquiring the information,
where the data is stored, who has access permission to this data, and to whom the data can be
transferred. The data policy and data destruction policies should also be included in this text.
The company needs to prepare an information text for the following individuals:
- Employees or job applicants
- Customers
- Third parties and the public
After sharing the information text, the explicit consent of individuals must be obtained.
Explicit consent must be obtained before the data is processed. It is possible to obtain explicit
consent both in writing and online. Companies that collect data using websites should make
the necessary arrangements to allow individuals to give online consent for the processing of
their personal data after ensuring that the information text is read on the website where data is
collected.
B- Preparation of Privacy and Cookie Policies
Companies with active websites must have privacy and cookie policies on their sites.
C- Preparation of Confidentiality Agreements
Confidentiality agreements must be made with business partners, suppliers, accountants, call
centers, and other companies with whom business is conducted.
Ç- Establishment of Company Internal Cyber Protection Policies
Data controllers have an obligation to implement necessary protection measures regarding the
data they process. The necessary technological infrastructure against cyber attacks should be
established, and auditing activities should be carried out. Otherwise, there may be penalties
and legal sanctions. Companies have obligations to ensure the confidentiality of their
employees’ and customers’ data, prevent unauthorized access to this data, and establish the
necessary technical infrastructure for this purpose. Even if the employer receives services
from another workplace or company to ensure data security, this does not eliminate the
company’s own responsibility.
D- Obligations Regarding Commercial Electronic Communications
Companies must obtain the explicit consent of individuals in accordance with the KVKK in
order to use the contact information they have obtained about their customers to send
commercial electronic communications to these individuals. The provisions in the Regulation
on Commercial Communication and Commercial Electronic Communications have made it
mandatory for companies wishing to send commercial electronic communications to register
with the Message Management System. The Message Management System (IYS) is a national
database where companies can store and manage permissions for commercial
communications such as calls, messages, and emails, and where recipients can view, remove,
and store the permissions they have given.
Obligations of Companies Regarding the Message Management System
The explicit consent of customers regarding data processing must be obtained online through
the IYS. If the company has obtained the explicit consent of the customer through its own
means rather than through the system, it must record the consent declaration within three
business days, with the burden of proof on itself.
Unrecorded approvals in the Message Management System are considered invalid. Sending
commercial electronic communications to customers without obtaining consent is against the
law. The deadline for recording existing approvals in the IYS is May 31, 2021. Approvals that
are not recorded in the system before this date will be considered invalid, and sending
commercial electronic communications to these recipients will be against the law.
According to the regulation, companies are obliged to keep records of approvals related to
commercial electronic communications sent to recipients' electronic communication addresses
for three years from the date of recording, as well as other records related to commercial
electronic communications. Commercial electronic communications are messages sent for the purpose of promoting products and
services, marketing, or increasing visibility, including content such as greetings and wishes.
E- Obligations Regarding Data Transfer Abroad
The first requirement for the transfer of personal data abroad is to obtain the explicit consent
of the data subject. In addition, it is necessary to investigate whether the country to which
personal data will be shared can provide sufficient protection for these data, and if it is
determined that it cannot provide such protection, data sharing should not be carried out.
The Personal Data Protection Board announces countries that provide sufficient protection for
data sharing. If data will be shared with a country that is not included in this list, a decision
should be made by evaluating international agreements, the principle of reciprocity, and the
protection measures committed by the data controller who will share the data. Sharing
personal data of multinational companies with centers or affiliated partnerships abroad in
violation of these obligations may result in liability under the KVKK.
F- Preparation of Data Inventory by Classifying Processed Personal Data and Notification to VERBİS
Companies are obliged to register with the VERBİS system under the title of data controller.
Companies are not required to upload all the data they process to VERBİS. Their obligations
in this regard are to provide general information about the data they process. In order to make
this notification, the categorized inventory of all data recorded by the company should be
prepared, the types of data should be determined, information should be provided regarding
the purpose and duration of data processing and data storage, and notification should be made
regarding other issues such as to whom the data can be transferred. The information that
needs to be registered in VERBİS is as follows:
- Identity and address information of the data controller and, if any, its representative,
- The purpose of processing personal data, determined within the scope of the use of personal data,
- The retention period that may be required according to the reason for processing personal data,
- Information about data subject groups and the data categories relating to these individuals,
- Recipient groups to which personal data can be transferred,
- Personal data to be shared with foreign countries,
- Measures implemented to ensure the protection of personal data.
G- Reporting Data Breaches
In the event that personal data processed is unlawfully obtained by others, the data controller
must notify the Personal Data Protection Board within 72 hours. This notification can be
made through the Board’s website. If the data controller identifies the data subjects whose
data has been breached, they must also notify these individuals as soon as possible.