PERSONAL DATA PROTECTION LAW NO. 6698 entered into force in 2016.
The law determined the procedures and principles for processing personal data and established a legal basis.
The regulation on how the personal data of the relevant person will be processed has given many rights to the relevant persons and accordingly imposed responsibilities on the data controllers who process personal data.
The data controller can be simply defined as any real or legal person who processes personal data.
Who is the data controller? The data controller is the pharmacy where you buy your medicine, your doctor, the market in your neighborhood, your school, in other words, the person or institution that is touched in every area of life.
Data controllers must take the necessary administrative and technical measures to protect personal data and must not cause data loss.
Again, those who meet certain conditions must register with the DATA CONTROLLER REGISTRY INFORMATION SYSTEM (VERBIS). The deadlines for registration in the VERBIS system have been extended by the PERSONAL DATA PROTECTION AGENCY due to the pandemic process and the deadline for now is 31.12.2021.
THINGS TO BE DONE WITHIN THE SCOPE OF THE PERSONAL DATA PROTECTION LAW SHOULD BE CONSIDERED IN TWO STAGES.
STAGE 1:
COMPLIANCE WORKS:
In this process, the data controller must determine the work to be done within the scope of the KVKK and take the necessary measures.
Since the process is a bit complicated and the procedures to be done are too many, professional support should be obtained in this regard.
In order to carry out the compliance process, it is necessary to work with people or institutions who know this job very well both technically and administratively and who are well-versed in the legislation. Each of the administrative and technical measures to be taken should be reviewed one by one and all procedures should be carried out.
Any mistake made at the end of the process will have very large financial and criminal liability.
The data controller should be x-rayed, so to speak, and the measures to be taken should be determined and the procedures should be carried out according to the results.
In this stage, which we define as the 1st stage, the necessary administrative and technical measures should be taken and the data controller should be made compliant with the KVKK.
From this moment on, the 2nd stage begins.
STAGE 2:
CONTINUATION OF THE KVKK COMPLIANCE PROCESS AND ENSURING CONTINUITY:
After the initiation of the KVKK compliance process and the necessary technical and administrative measures are taken, it is very important to ensure the continuity of these measures taken. Because the KVKK process is a living process.
In case the technical and administrative measures taken by the data controllers actually change, the previously prepared documents and the process should be updated.
For example, if the employment contract has been made compliant with the KVKK, but if there is a change in the legislation later, the employment contract will need to be updated.
What will be done if a data processing committee is established in the data storage and destruction policy, but the people in the committee later leave the job?
Again, how will the necessary applications be made in case of data loss in the business?
How will the personal data stored for the required legal periods be destroyed at the end of the period and who will decide on these?
What will be done in response to the application of the relevant person?
This second stage, which is overlooked by the data controllers and not explained to them, will have detrimental consequences for the data controllers in the coming period.
Because, as we tried to explain above, data controllers who entrust the first stage to those who do it very cheaply and who do not have knowledge due to daily concerns will be left alone and without support in the second stage.
It will become possible to be subject to financial and criminal sanctions.
All businesses, whether small or large, see these transactions as an additional burden and avoid their costs. Since there is no trained personnel in this regard, the issue is referred to HR or an employee in accounting. However, the HR or accounting employee will see this job as a chore in addition to their main job and will not be able to properly carry out the KVKK process.
In order to avoid this difficult process, data controllers need to work with serious solution partners who will be with them during this process and who stand behind their work.
Just as external support is received for accounting transactions, occupational safety and health transactions, external professional support can be received for initiating legal transactions, taking measures, carrying out transactions and ensuring the continuity of the process within the scope of the Personal Data Protection Law.
Thus, it will be possible to overcome the KVKK compliance process without any problems and to maintain compliance.
Türkçe