CORPORATE TRANSFORMATION PROCESS UNDER THE LAW ON THE PROTECTION OF PERSONAL DATA

CORPORATE TRANSFORMATION PROCESS UNDER THE LAW ON THE PROTECTION OF PERSONAL DATA

With the entry into force of the Law on the Protection of Personal Data No. 6698 (“KVKK” or “Law”) in 2016 within the scope of the European Union harmonization process, the need for private law and public law persons operating in our country to comply with the Law and relevant legislation provisions and to realize institutional transformation has emerged. In this context, as Güzel Law Firm, in this article, we will briefly write about the scope of the Law and briefly how the institutional transformation process should be carried out.

  1. What is Personal Data and Sensitive Personal Data?

Personal Data refers to any information relating to an identified or identifiable real person. Identity information, contact information, association or foundation memberships, health information, genetic and biometric data, financial information, camera recordings or photographs can be considered as personal data. Here, we need to state that two elements must be present in order for a data to be qualified as personal data:

  • There must be data on a real person,
  • The identity of the real person concerned must be certain or identifiable,

As can be understood from the aforementioned elements, data on legal persons and anonymous data are outside the scope of the Law.

Special categories of personal data, which can be defined as a more strictly protected sub-category of personal data, have been determined in the Law through limited counting. These are: data about race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance, membership to associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. It is not possible to extend these special categories of personal data by comparison.

As a rule, it is prohibited to process sensitive personal data without the explicit consent of the person concerned. Personal data related to health and sexual life can only be processed without the explicit consent of the person concerned, for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, planning and management of health services and their financing, or by authorized institutions and organizations that are under the obligation of secrecy. In case of processing of sensitive personal data, it is obligatory to take adequate measures determined by the Board[1].

  1. Legislation on the Protection of Personal Data

With the amendment made in the Constitution of the Republic of Turkey in 2010, personal data belonging to real persons are under constitutional protection. The following statements are included in the article 20/3 of the Constitution:

“Everyone has the right to request the protection of his/her personal data. This right includes being informed of, having access to and requesting the correction and deletion of his/her personal data, and to be informed whether these are used in consistency with envisaged objectives. Personal data can be processed only in cases envisaged by law or by the person’s explicit consent. The principles and procedures regarding the protection of personal data shall be laid down in law.”

The Law enacted on the basis of Article 20 of the Constitution entered into force on March 24, 2016. From the moment when the law entrusts the data of the data owners to the private law and/or public law persons who process the data; it aims to regulate ‘accountability’ in every stage starting from how personal data will be used, processed and/or transferred, who should have access to data, and to data deletion. Following the entry into force of the Law, secondary regulations such as regulations and communiqués were put into effect.

  1. Necessity of Institutional Transformation within the Scope of KVKK

Today, many private law legal entities, public institutions and organizations, foreign organizations or natural persons obtain and use a large amount of personal data within the scope of their own activities. These data processors aim to reach more personal data and share it with third parties in order to provide better service or increase trade volume. To turn to more personal data processing; while providing an economic contribution or an increase in the quality of the service provided due to the convenience and advantages provided by the personal data processed, it also raises various risks and violation possibilities regarding data security. Within the scope of the law, serious fines are established for private law real and legal persons regarding data breaches, and disciplinary provisions are also applied for public employees. In this context, all persons concerned should be informed about the Personal Data Protection legislation, which has entered our lives as a new legislation, at least at the level of general awareness. For this, it is of great importance to realize the institutional transformation process regarding the KVKK legislation.

  1. Stages of Institutional Transformation Process within the Scope of KVKK

The institutional transformation process to be carried out especially for private law and public law legal entities within the scope of the law includes certain stages. If the mentioned stages are fulfilled completely, the risk of encountering the administrative sanctions imposed by the Law will be considerably reduced.

4.1. Current Situation and Scope Determination

By answering the question sets prepared by us considering the provisions of the legislation, it will be determined at what stage the private law or public law legal entities involved in the institutional transformation process are within the scope of KVKK. If there are administrative/technical measures already taken, the compliance of these measures with the provisions of the legislation will be checked and necessary improvement suggestions will be shared.

The level of awareness on the functioning of the relevant legal entity and the protection of personal data will be determined by conducting interviews with the employees of private law or public law legal entities in the institutional transformation process. Upon the determination of the current situation, the scope of service to be provided and the work schedule will be arranged.

4.2. Detailed Analysis and Reporting

After determining the roadmap for the KVKK corporate transformation process, a “Due Diligence” will be made and a detailed Analysis Report will be prepared for the needs of the relevant data controller. The report will include the problems and the administrative and technical measures to be taken to solve these problems. With the report, the clarification texts, explicit consent texts and personal data policies required by the relevant data controller will be created and shared.

4.3. Administrative and Technical Measures

There are different administrative and technical measures that each data controller should take to protect personal data. Which measures are required by private law or public law legal entities involved in the institutional transformation process will be determined in the first and second stages, and consultancy will be provided to take the necessary administrative and technical measures in this context. Some of these measures are:

4.3.1. Some of the Administrative Measures

  • Arrangement of authorization matrix by analyzing legal entity division of work and labor
  • Revision of contracts with made legal entity employees and third parties
  • Preparing the data inventory and updating it in the process when necessary
  • If necessary, registration in the Data Controllers Registry
  • Preparation of the personal data policy of the legal entity
  • Preparation of complaint management protocol
  • Preparation of Employee/Customer/Visitor/Data Processor clarification and consent texts
  • Preparation of website personal data clarification and approval texts
  • Preparation of policy regarding special categories of personal data
  • Preparation of all administrative/legal documents specific to the legal entity involved in the corporate transformation process

4.3.2. Some of the Technical Measures

  • Creation of an authority matrix within the legal entity
  • Making updates for the detection of access logs
  • Updating user account management and encryptions in accordance with the provisions of the legislation
  • Updating data masking when necessary
  • Implementation of data loss prevention software
  • Ensuring that backups are made in accordance with the provisions of the legislation
  • Ensuring that the deletion, destruction, anonymization procedures are carried out in accordance with the provisions of the legislation
  • By performing a penetration test on the servers and the website, it will be determined whether data security is ensured and necessary updates will be made.
  • Taking all necessary technical measures specific to the legal entity involved in the corporate transformation process

4.4. Application Support and Training

A KVKK transformation without application support and training will mean nothing more than some words written on a paper. In this context, it is of great importance to provide the necessary support for the implementation of the personal data protection legislation within the relevant private law and public law legal entities and to provide trainings so that every employee is aware of the KVKK legislation. Following the trainings to be given, measurement and evaluation is required to ensure that all employees are aware of their responsibilities, and it is necessary for the completion of the corporate transformation process within the scope of KVKK.

4.5. Audit

Following the completion of the KVKK transformation, an audit report will be prepared together with the evaluation of whether the administrative and technical requirements arising from the Law are implemented by the relevant data controller private law or public law legal entity employees, and the implementation of the institutional transformation process carried out within the scope of KVKK will be determined. The aim of the audit report is to ensure that the managers responsible for taking the necessary measures are aware of the deficiencies in case it is determined that the processes contrary to the provisions of the legislation are carried out despite the preparation of the necessary measures, the provision of trainings and warnings.

  1. Penalties in Case of Personal Data Breach

In the event that the personal data of the real persons concerned are processed, administrative fines to be imposed by the Personal Data Protection Board and imprisonment for the offense specified in the Turkish Penal Code may be in question. In addition, in case of data breach in terms of public law legal entities that are not subject to administrative fines, disciplinary punishment may be imposed on the responsible public officer.

5.1. Administrative Fines

The administrative fines imposed in the Law for 2021 are as follows:

  • In case of violation of the obligation to inform, the Board may impose an administrative fine with a lower limit of 9,834.00 TL and an upper limit of 196,686,00 TL.
  • In case of breach of data security, the Board may impose an administrative fine with a lower limit of 29,503.00 TL and an upper limit of 1,966,862.00 TL.
  • In case of not fulfilling the Board’s decisions, the Board may impose an administrative fine with a lower limit of 49,172.00 TL and an upper limit of 1,966,862.00 TL.
  • In case of violation of the obligation to register and notify with the Data Controllers Registry, the Board may impose an administrative fine with a lower limit of 39,337,00 TL and an upper limit of 1,966,862,00 TL. 

5.2. Imprisonment

Article 135-140 of the Turkish Penal Code between 1 and 4.5 years of imprisonment is imposed for personal data breaches. Although we do not go into details as it is not within the scope of this article, we would like to point out that there is a risk of facing imprisonment, especially if personal data is processed unlawfully for financial gain.

  1. Conclusion

It is of great importance that all private law and public law legal entities carry out the institutional transformation process within the scope of KVKK in order not to be faced with violations of personal data, which is under constitutional protection and whose procedures and principles regarding protection have been determined with the entry into force of the Law, and as a result, administrative and criminal sanctions.

Regards,

Attorney at Law Bekir Bozdağ

[1] 31/01/2018 tarih ve 2018/10 sayılı Kişisel Verilerin Korunması Kurulu Kararı

 

Leave a Reply

Your email address will not be published. Required fields are marked *