KVKK

Within the scope of the need for the protection of personal data and harmonization with the European Union, a draft Law on the Protection of Personal Data was submitted to the Turkish Grand National Assembly. The draft law was approved by the parliament on March 24, 2016 and became law and was published in the Official Gazette No. 29677 on April 7, 2016.

What is Protection of Personal Data?

The protection of personal data is to ensure that data processing activities are carried out in accordance with predetermined rules and to provide a discipline so that the fundamental rights and freedoms of the person are not harmed. It should be emphasized at this point: Data protection is not about prohibiting the use of data; it is about ensuring that the owner of the data decides how and by whom the data will be used and for what purpose, and to ensure that the data owner's right to request information on this issue is permanent.

What is the Basis of KVKK?

The protection of personal data is guaranteed by the Constitution. It is a requirement of the amendment to Article 20 of the Constitution, which regulates the right to privacy. Of course, this is not an unlimited right. This right, which is limited for legitimate purposes in the Constitution of the Republic of Turkey, has been provided in the European Union by Directive 95/46/EC as of 1995.

What is the Purpose of KVKK?

In our age where information technologies are developing rapidly and official transactions are mostly carried out electronically, the processing of personal data has many advantages. For example, you can receive news about campaigns and discounts from an organization to which you have provided your information. However, there is also the possibility of misuse of your information. The purpose of the law is to eliminate this possibility. The purpose of the KVKK is to ensure that data is processed in a certain regime and that data processing activities are carried out by adopting the principle of transparency. This ensures that the data subject has a say over their data.

Who is include by KVKK??

The KVKK covers all natural and legal persons with legal capacity. Every citizen, including public institutions, is obliged to comply with the procedures and principles of the law. The cases that the law states as exceptions depending on the precondition of not violating national security, privacy of private life or personal rights are as follows:

• Processing of data for activities related to other persons living in the same dwelling
• Use and anonymisation of personal data as statistical data for official research by public institutions and organisations authorised by law
• Within the scope of freedom of expression; processing for science, art, history and literature
• Processing of personal data by judicial or enforcement authorities

The cases considered as partial exceptions, provided that they comply with the purpose and basic principles of the Law, are the processing of data for the purposes of preventing the commission of a crime, disciplinary prosecution and investigation, and protecting the financial interests of the state.

What is Personal Data?

Any private information belonging to real persons is personal data. Any information that makes a person directly or indirectly identifiable, from telephone number to vehicle registration plate, from hobbies to health information, is within the scope of personal data.

Let's give an example: When a statement is made in the crowd as ‘Ahmet, who is here, supports the Galatasaray team’, personal data about Ahmet is shared, and at this point, the processes such as how and where the person who discloses Ahmet's personal data accesses the data, what he can do with this information, and how he will be punished if there is a violation are determined by law.

What is Special Quality (Sensitive) Data?

Special categories of data are sensitive data. This is because data on religious beliefs, political opinions, membership of associations or trade unions, criminal convictions, sexual life, etc. may lead to the victimisation of the person concerned or the victimisation of other people by giving privileges to the person concerned when they are learned by others.

Who is the Relevant Person?

The data subject is the person whose personal data is accessed as a result of the data processing activity. If it is a real person reached as a result of the data belonging to legal entities, these data are also evaluated within the scope of the law.

What are Data Controller and Data Processor?

The data controller is the person who is responsible for managing the data by deciding for which purpose the personal data will be processed and through which channels the data processing activities will be carried out. Therefore, since it is the data controller who determines what to do with the data, it is the person with the highest level of responsibility under the law.  The data controller is also responsible for the actions of lower level controllers who process data, up to compensation.

The person who carries out the data processing activity based on the authorisation granted by the data controller is the data processor. In some cases, the data processor may be an independent data controller. Let us explain this situation with an example:

A beverage company has chosen to use questionnaires as a marketing method and has contracted with a specialised supplier.  The fact that the supplier only supplies labour to fill in the questionnaires on the street and sends the forms to the beverage company as they are filled in shows that the survey company is the data processor. If it was the survey company that made the decision on how to conduct the survey and how to manage the data, we could say that the survey company is the data controller.

What is Processing of Personal Data?

All kinds of operations such as manually obtaining, storing, changing, transferring, preventing the use of all or part of a personal data means the processing of personal data. Storing someone else's information on a hard disc or CD without any further processing is also a data processing activity.

Is there an organisation that follows the rules of the law?

The Board, which is the governing body of the Personal Data Protection Authority established under the KVKK, is responsible for making decisions regarding the protection of personal data. Consisting of 9 members, the Board is responsible for hearing complaints, imposing financial sanctions when necessary, and keeping the registry of data controllers in case of the cases specified in the Law. Four members of the Board are elected by the President of the Republic and five members of the Board are elected from among the persons nominated by the political party groups in proportion to the number of members of the political party groups in the TBMM.

Where to Submit Personal Data Requests?

As personal data owners, if you submit your requests regarding your rights via e-mail to kisiselverilerim@bilgi.edu.tr, our University will finalise the request within thirty days at the latest, depending on the nature of the request.