What is Data and Why is it Important?
In our era, where technology is advancing at a dizzying pace, data has become a source of power. Data plays a vital role in every aspect of life, from the business processes of companies to the daily lives of individuals. However, the misuse of this power can lead to serious consequences such as violations of individual privacy, sanctions against companies, loss of trust, and even national security issues. To address this, many countries have implemented national regulations to protect personal data, while international authorities have introduced numerous frameworks. The most comprehensive and well-known among these is the General Data Protection Regulation (GDPR) introduced by the EU. In Turkey, the Personal Data Protection Law (KVKK) provides a legal framework for the protection and processing of personal data, complemented by board decisions and guidelines to ensure a comprehensive data protection process.
For companies, the process of protecting personal data has evolved beyond being merely a legal obligation to become a significant step that enhances their reliability, reputation, and competitive edge. Large corporations often evaluate their suppliers for compliance with KVKK and data security criteria, preferring to work with companies that meet these standards.
How is the Compliance Process Managed?
Identifying and Analyzing Data Processes
All processes within a company that involve the collection and processing of personal data must be thoroughly identified. Each company interacts with personal data according to its field of activity and business processes. Accurately determining the scope and nature of data processes is critical for ensuring full compliance with legal obligations.
Creating a Personal Data Inventory
A data inventory enables the company to have a holistic view of its personal data processing activities. This inventory includes:
Types of data processed,
Relevant data subjects,
Units collecting the data and their purposes,
Retention periods,
Details related to data transfers.
This inventory forms the foundation for the administrative and technical measures to be implemented in subsequent stages.
Implementing Administrative Measures
Under KVKK, companies are required to implement several administrative measures. These measures, detailed through board decisions and guidelines, include:
Establishing policies and procedures for personal data processing,
Preparing data security agreements with employees and service providers,
Regularly auditing data processes and conducting risk analyses.
Additionally, raising employee awareness about data security is a crucial step. Regular training sessions and disciplinary measures play an important role in both increasing awareness and minimizing data breaches.
Applying Technical Measures
The security of personal data depends on the correct and effective implementation of technical measures. Various technical measures are listed by the board, and companies often diversify these measures by adopting best practices. For instance:
Creating an authorization matrix,
Maintaining and auditing access logs,
Ensuring network and application security,
Utilizing data masking and backup systems,
Implementing strong encryption methods and conducting penetration tests.
Implementing these technical measures requires companies to work in coordination with their IT teams.
VERBİS Registration and Notification Obligation
One of the most significant obligations introduced by KVKK is the requirement to register with the Data Controllers Registry (VERBİS). Data controllers located in Turkey must register with this registry before beginning data processing activities. However, certain data controllers specified by the board are exempt from this requirement.
For data controllers not covered by these exemptions, VERBİS registration is mandatory, and failure to fulfill this obligation may result in substantial administrative fines. Therefore, it is crucial for companies to carefully monitor their registration processes. A basic table of exemptions is provided at the end of this article. However, as the amounts and limits in the table are updated annually, it is advisable to consult your legal advisor for up-to-date information.
Conclusion
The KVKK and GDPR compliance process is not merely a legal obligation but a strategic step that protects a company’s reliability and reputation. This process involves detailed work, including identifying data processes, creating an inventory, and implementing administrative and technical measures.
In particular, fulfilling obligations such as VERBİS registration accurately and on time is a critical step to avoid administrative sanctions.
By obtaining legal and technical support on personal data security, companies can effectively manage their processes and prevent potential rights violations and sanctions in the future.
VERBİS Exemption Table
Data Controllers | Board Decision Date | Board Decision Number | Date Published in the Official Gazette |
Those processing data solely through non-automated means as part of a data recording system | 02.04.2018 | 2018/32 | 15.05.2018 |
Notaries operating under the Notary Law No. 1512 | 02.04.2018 | 2018/32 | 15.05.2018 |
Associations established under the Associations Law No. 5253, foundations established under the Foundations Law No. 5737, and unions established under the Unions and Collective Bargaining Agreements Law No. 6356, provided they process personal data solely in accordance with their legislation, objectives, and within the scope of their activities, and only for their employees, members, affiliates, and donors | 02.04.2018 | 2018/32 | 15.05.2018 |
Political parties established under the Political Parties Law No. 2820 | 02.04.2018 | 2018/32 | 15.05.2018 |
Lawyers operating under the Attorneys' Law No. 1136 | 02.04.2018 | 2018/32 | 15.05.2018 |
Independent accountants and certified public accountants operating under the Independent Accountant Financial Advisory and Certified Public Accountants Law No. 3568 | 02.04.2018 | 2018/32 | 15.05.2018 |
Customs brokers and authorized customs brokers operating under the Customs Law No. 4458 | 28.06.2018 | 2018/68 | 18.08.2018 |
Mediators | 05.07.2018 | 2018/75 | 18.08.2018 |
Real or legal persons whose annual number of employees is fewer than 50 and whose annual financial balance sheet total is less than 25 million TL, provided their main activity does not involve processing special categories of personal data | 19.07.2018 | 2018/87 | 18.08.2018 |
Important Note:
Being exempt from the obligation to register with the Data Controllers Registry (VERBİS) does not mean being exempt from the provisions of the Personal Data Protection Law No. 6698. Data controllers who are exempt from registration are still required to comply with the other provisions of the law, just like any other data controller.