According to Article 3/d of the Personal Data Protection Law, “All kinds of information about the real person whose identity is already determined or can be determined” is considered personal data. Persons’ names, addresses, e-mail addresses, phone numbers, health information, photos, etc. are examples of personal data. This personal information can be processed in daily life for many reasons.
The law has defined the processing of personal data as “any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof”.
According to the Personal Data Protection Law, these data shall only be processed in compliance with the procedures and principles laid down under this Law or other laws. “Explicit consent” comes first among these conditions. Explicit consent is defined as “freely given, specific and informed consent”. Except for the exceptional circumstances specified in the Law, the explicit consent of the data subject is required for the processing of personal data. In this context, the data controller is obliged to inform data subjects about the data to be processed, the purpose for which the data will be processed, their rights as data subjects, the method of collection of personal data, etc.
Data controllers who process the data shall register with the Data Controllers’ Registry. For this purpose, the Data Controllers’ Registry Information System (VERBIS) has been prepared. Data are entered into VERBIS on a categorical basis. However, taking into account objective criteria set by the Board, such as the nature and quantity of the data processed, whether the data processing is laid down in a law, or whether the data is transferred to third parties, the Board may grant a derogation from the obligation to register with the Data Controllers’ Registry.
Categorical data entry to VERBIS should be made within the following deadlines:
– Until 30.06.2020 for data controllers with more than 50 employees or an annual turnover of more than 25 million Turkish Liras, and for data controllers operating abroad
– Until 30.09.2020 for data controllers with fewer than 50 employees and an annual turnover of less than 25 million Turkish Liras whose main field of activity is processing special categories of personal data
– Until 31.12.2020 for data controllers of public institutions and organizations
If personal data are not recorded in accordance with the law, a prison sentence may be imposed under Article 135 ff. of the Turkish Penal Code, and an administrative fine may be imposed under Article 18 of the Personal Data Protection Law.
As Yalçın Toygar Law Office, we present for your attention the road map of the data protection compliance study that we will carry out within your organization under the Personal Data Protection Law No. 6698:
I. Determination Of The Current Situation;
– Detection of the data which has already been collected
– Detection of the collected personal data
– Determining the purposes and duration of data collection and determining if it is needed or not
– If there are other persons or firms to which the data is transferred, determining the transferred data and the purpose of the transfer
– Determining the information given to the persons and the form and time of the approvals while collecting the data
– Determination of administrative and technical measures taken to protect personal data
– Personal Data Protection meeting with the company IT staff or business partner
(About the acquisition, processing, transfer, authorization, storage and security of digital data)
– Personal Data Protection meeting with company website and social media manager or business partner
(About the acquisition, processing, transfer, authorization, storage and security of digital data, explicit consent processes and data policy dissemination)
– Unit based compliance determination and application studies
II. Regulatory Compliance Audit;
– Determining whether the data falls under special categories of personal data
– Determination of whether the collection and processing of data comply with the legislation
– Determination of the suitability of the approvals received from persons
– Determination of whether processing times comply with the legislation
III. Compliance With Legislation;
– Fulfillment of the approval of the necessary persons for data that do not comply with the legislation but are determined to be compliant with the legislation
– Production of necessary documents and texts, arrangement of unit documents.
– Creating data inventory
– VERBIS (Data Controllers’ Registry Information System) registration preparation and registration creation