What is KVKK? What Does KVKK Stand For?
KVKK is an abbreviation formed from the initials of the "Personal Data Protection Law No. 6698." It was enacted to protect individuals' fundamental rights and freedoms, particularly the right to privacy, in the processing of personal data, whether wholly or partially automated or manually processed as part of any data recording system. The law also establishes procedures and principles that must be followed by real and legal persons who process personal data.
Additionally, KVKK refers to the Personal Data Protection Authority, an institution established under this law, with administrative and financial autonomy and legal personality, as well as the Personal Data Protection Board, whose authority and duties are outlined in the law.
What is Personal Data under KVKK? What is Special Category Personal Data?
Personal data refers to any information related to an identified or identifiable natural person, including name, surname, date of birth, home address, work address, email address, IP address, phone number, fax number, credit card details, citizenship number, tax number, passport number, social security number, driver's license number, vehicle license plate, resume, photograph, video, etc. These are considered personal data under the Personal Data Protection Law No. 6698, and their processing by real or legal persons is only permissible with the explicit consent of the individual concerned.
Furthermore, Article 6 of the Personal Data Protection Law No. 6698 classifies data on a person's race, ethnic origin, political opinions, philosophical beliefs, religion, sect, or other beliefs, appearance, association, foundation or union membership, health, sexual life, criminal convictions, and security measures, as well as biometric and genetic data, as special category personal data. The processing of these without the explicit consent of the individual is prohibited.
What is Explicit Consent under KVKK? What is an Information Notice?
Article 3 of the Personal Data Protection Law No. 6698 defines explicit consent as "consent given on a specific subject, based on information, and freely expressed." From this definition, it is clear that explicit consent must be based on information.
There is no specific form requirement for how this information must be provided or how explicit consent must be obtained. Therefore, the obligation to inform and to obtain explicit consent can be fulfilled in an electronic environment, such as an Information Notice with an acceptance button below it, or via a call center, bearing in mind that the burden of proving that the information was given and the consent obtained rests with the data controller.
When Did KVKK Come into Effect?
In 1995, the European Union adopted the "Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data" to harmonize the regulations on personal data protection among member states. This directive served as the basis for national legal regulations, including those in Turkey, and also laid the groundwork for the General Data Protection Regulation (GDPR) No. 2016/679, which was adopted in 2016 and came into effect in 2018, and is still applicable in the EU.
In Turkey, the KVKK was drafted with the aim of effectively protecting human rights, advancing EU membership negotiations, and enhancing international cooperation and trade. It was submitted to the Turkish Grand National Assembly on December 26, 2014, passed into law on March 24, 2016, and published in the Official Gazette on April 7, 2016, thereby coming into force.
Who Must Comply with KVKK?
Article 2 of the Personal Data Protection Law No. 6698 defines the scope of the law as applicable to "real and legal persons who process personal data wholly or partially by automated means, or non-automated means provided that they are part of a data recording system."
The processing of personal data includes obtaining, recording, storing, maintaining, altering, re-arranging, disclosing, transferring, taking over, making available, classifying, or preventing the use of personal data. Therefore, all real and legal persons who engage in these activities are subject to the regulations brought by KVKK.
Who is a Data Controller under KVKK? Who is a Data Processor?
Article 3 of the Personal Data Protection Law No. 6698 defines a Data Controller as the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
A Data Processor, on the other hand, is defined in the same article as the natural or legal person who processes personal data on behalf of the Data Controller based on the authority given by the Data Controller. To distinguish between the two concepts, it is necessary to identify the person who determines "why" and "how" the processing activity will be conducted.
What Must Be Done Under KVKK?
The obligations of the Data Controller under the Personal Data Protection Law No. 6698 include informing the data subjects (the persons whose personal data are processed), taking the necessary measures to ensure data security, registering with the Data Controllers' Registry (VERBIS), responding to data subjects' requests, deleting, destroying, or anonymizing personal data when the reasons for processing cease to exist, and complying with the decisions of the Personal Data Protection Board.
What Are the Penalties and Sanctions Under KVKK?
According to the Turkish Penal Code No. 5237, anyone who unlawfully records personal data can be sentenced to imprisonment from one to three years (this sentence can be increased by half depending on the nature of the data); anyone who unlawfully obtains or disseminates such data can be sentenced to imprisonment from two to four years; and anyone who fails to fulfill the obligation to delete, destroy, or anonymize such data can be sentenced to imprisonment from one to two years.
Additionally, according to the Personal Data Protection Law No. 6698, data controllers who fail to fulfill their obligation to inform may be fined between 5,000 and 10,000 Turkish Liras, those who fail to meet data security obligations may be fined between 15,000 and 1,000,000 Turkish Liras, and those who violate the obligation to register with the Data Controllers’ Registry may be fined between 20,000 and 1,000,000 Turkish Liras.
What Are the Differences Between KVKK and GDPR?
Although the European Union's legal regulations served as a model in the drafting of the Personal Data Protection Law No. 6698, there are some differences between KVKK and GDPR.
Under GDPR, even if a company or individual is not a data controller, they are held accountable for the lawful processing of data (including third parties such as cloud service providers). However, according to Article 18/2 of the Personal Data Protection Law No. 6698, different levels of responsibility have been established for data controllers and data processors, with administrative fines applied only to data controllers, and the obligation to register with the Data Controllers’ Registry only applying to data controllers.
While GDPR introduced the "right to be forgotten," which is generally defined as the right of individuals to control their personal data and delete it when possible, the Personal Data Protection Law No. 6698 does not contain specific provisions related to this concept. In Turkey, this right has been shaped by the decisions of the High Court and the Constitutional Court.
GDPR imposes significant penalties for violations of data protection rules, including fines of up to 200 million Euros or 4% of the global revenue of the service provider, whereas the administrative fines under the Personal Data Protection Law No. 6698 are relatively lower, ranging from 5,000 to 1,000,000 Turkish Liras.
The GDPR includes regulations on the "right to data portability," "mandatory data protection officer" for sensitive data processing, and "mandatory data protection impact assessments" for high-risk data processing activities, none of which are found in the Personal Data Protection Law No. 6698.