
Neirt Bilişim Technologies

KVKK Policy

KVKK
Personal Data Protection Law

What is Personal Data?
Information that contributes to the identification of an individual, such as ethnic origin, political opinions, religious beliefs, commercial relations and memberships, genetic data including biometric data, and health information, is defined as personal data. In this context, personal data covers not only information that definitively identifies an individual, such as name, surname, date of birth and place of birth, but also information about the person's physical, family, economic, social and other characteristics. A person being specific or identifiable means that the existing data is associated with a real person in some way that makes that person identifiable. In other words, it covers all situations where the data has concrete content expressing the physical, economic, cultural, social or psychological identity of the person, or is associated with a record such as an identity, tax or insurance number that allows the person to be identified. Data such as name, telephone number, motor vehicle license plate, social security number, passport number, resume, picture, image and audio recordings, fingerprints, and genetic information are personal data because they can make the person identifiable, even if indirectly.

(Draft Law on the Protection of Personal Data (1/541) and Justice Commission Report)

Is KVKK a Local Legislation?
The EU GDPR (European General Data Protection Directive) is the source of inspiration for our law numbered 6698, which is not considered very original. Just like KVKK numbered 6698, the GDPR gave the institutions that collect data until the spring of 2018 to complete their preparations. Together with its European counterpart GDPR, KVKK numbered 6698 will significantly affect the institutions called data controllers and significantly transform business practices.

Regulations Introduced by KVKK
The Personal Data Protection Law No. 6698 introduces regulations that will prevent the processing of personal data without the owner’s permission. According to this law, processing of individuals’ data without their permission is considered a crime.

If the relevant institution wants to obtain the individual's permission, it must provide clear and understandable information about what type of data it will collect and for what purposes it will use that data. This information should also cover who the data will be shared with and how long it will be stored.

The Personal Data Protection Board, established to implement this regulation, will register and regulate institutions that collect or process data under the KVK Law No. 6698. Data owners who have problems with institutions that collect and process their information will be able to apply to this official institution and file a complaint. The board is defined as an institution with the authority to impose sanctions on institutions that do not implement the rules, some of which are mentioned above. These sanctions include a fine with six zeros, and can even pave the way for imprisonment of officials who are at fault, negligent and have bad intentions.

Which Institutions Does KVKK Concern?

Any institution that receives and stores personal data, as defined above, that can be linked to a natural person falls within the scope of this law. Institutions that operate such processes therefore need to carry out a series of tasks to comply with the law.

What to Do to Comply with the Law

The work to be done can be listed as follows:
– Ensuring the security properties of all information assets, such as confidentiality, integrity and availability, i.e. working in accordance with the Information Security Management System (ISMS) standards
– Creating strategies to determine the types of data received/to be received from customers
– Creating a data inventory
– Detecting ALL structured/unstructured data in network systems, including retrospectively
– Classifying recorded personal data according to their characteristics
– Reaching ALL customers whose data is intended to be stored, including retrospectively, and informing customers about the institution’s intentions
– Obtaining the consent of employees and customers who are informed about the purposes of data processing through reasonable methods
– Developing technologies, policies and systems to implement all of the above in a sustainable manner
– Conducting evaluation, review and internal audit activities at certain periods
– Conducting effective work such as penetration testing at certain intervals to ensure the security of systems and the protection of data
– Feeding the results of internal audits, penetration testing and similar activities back into the institution's management system to ensure sustainability