Personal Data Protection Law (KVKK) Basic Principles | Personal Data Protection Lawyer | Izmir Lawyer | Izmir Law Firm
1- Compliance with the Fundamental Principles of the Personal Data Protection Law (KVKK), Lawfulness, and Rules of Honesty.
The first fundamental principle of the KVKK (Turkish Personal Data Protection Law) is the principle of compliance with the law and the rule of good faith. This principle means that the processing of personal data must comply with the principles established by laws and other legal regulations. According to the principle of good faith, the data controller must consider the interests and reasonable expectations of the data subjects while pursuing its data processing objectives. It must act in a way that prevents the occurrence of consequences that the data subject did not expect and should not have expected. Furthermore, according to this principle, the data processing activity must be transparent to the data subject, and the data controller must comply with its obligations to inform and warn.
2- Being accurate and up-to-date when necessary.
This principle, which emphasizes the importance of the accuracy and timeliness of personal data, is consistent with the right of the data subject to request correction of data as stipulated in the Law. Maintaining personal data accurately and up-to-date is not only in the interest of the data controller but also necessary for the protection of the fundamental rights and freedoms of the data subject. The active duty of care to ensure that personal data is accurate and, where necessary, up-to-date applies if the data controller derives a benefit from this data concerning the data subject (e.g., credit transactions). Otherwise, the data controller must always keep open channels to ensure that the data subject's information is accurate and up-to-date.
3- Processing for Specific, Explicit and Legitimate Purposes
The principle that the purposes for processing personal data must be specific, legitimate, and clear;
- Ensuring that personal data processing activities are clearly understandable to the data subject,
- To determine which legal processing conditions the personal data processing activities are based on,
- It ensures that the personal data processing activity and the purpose for which this activity is carried out are described in sufficient detail to provide clarity.
For example, while a clothing store might process its customers' first and last names for a legitimate purpose, processing their mother's maiden name would not be considered a legitimate purpose.
4- Being relevant, limited, and proportionate to the purpose for which they are committed.
The processing of data must be suitable for achieving the stated purposes, and the processing of personal data that is not related to or needed for the achievement of the purpose should be avoided. Similarly, data processing should not be undertaken to meet potential future needs. Because processing data to meet potential needs constitutes a new data processing step.
This will mean that the activity is carried out in this way. In this case, one of the conditions for processing personal data regulated in Article 5 of the Law must be met. Furthermore, the processed data will be limited only to the personal data necessary for achieving the purpose. Processing data beyond what is necessary for the purpose will constitute a violation of the principle of limitation. The important thing here is to obtain sufficient data to achieve the purpose and to avoid processing data that is not necessary for that purpose. Personal data should not be collected or processed for purposes that do not currently exist and are only envisioned to occur later.
5- Retention for the period stipulated in the relevant legislation or for the period necessary for the purpose for which they were processed.
Personal data must be retained for a period necessary for the purpose for which it was processed, as required by the "principle of purpose limitation". In this regard, the data controller is obliged to take administrative and technical measures. As stated in Article 12 of the Law, the data controller must take all necessary technical and administrative measures to ensure an appropriate level of security to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the preservation of personal data.
Kişisel Verileri Koruma Kurumu tarafından hazırlanmış “BASIC PRINCIPLES REGARDING THE PROCESSING OF PERSONAL DATAR” broşürü için tıklayabilirsiniz. Hukuki danışmanlık almak için ise tarafımız ile Contact page.
For our other articles we have prepared under the Personal Data Protection Law;
- Exemption from VERBİS Registration
- How is the annual number of employees calculated for KVKK (Personal Data Protection Law) registration purposes?
- How should the total financial balance be calculated in relation to the Personal Data Protection Law (KVKK) registration?
- What are the reasons for processing personal data listed in the Data Controllers Registry?
Address: Nergis Neighborhood, Girne Boulevard No: 83, Floor 2, Apartment 2, Karşıyaka, İzmir
E-mail: info@efeshukuk.com
Phone: +90 534 415 52 56
