GDPR for Companies
First of all, as you have probably heard by now, but it is worth repeating: the deadlines for registration in the Data Controllers Registry have been extended by approximately 6 months. For many companies, the deadline for registration in the Data Controllers Registry is now June 31, 2020. So, what about your company? Is it ready for the Personal Data Protection Law (KVKK, Turkey's counterpart to the GDPR, the General Data Protection Regulation)? Probably not. Because, even leaving other obligations aside, the number of companies that have applied for registration is far below what it should be.
So, what is the Personal Data Protection Law (KVKK), and why was it enacted? For a general introduction to the subject, we recommend reviewing our article "GDPR for Everyone". The Law No. 6698 on the Protection of Personal Data was published in the Official Gazette in 2016 and entered our legislation. However, personal data protection legislation is older than that. Essentially, the law aims to protect the personal data (any data that can identify an individual) of real persons like you and me, in other words, to ensure our privacy. The main reason for the inclusion of this law in our legislation is undoubtedly that it is one of the six steps that must be taken within the scope of the European Union harmonization process.
The concept of personal data should not be taken lightly; from name and surname to license plate number, from your computer's IP address to your fingerprint, all of these are forms of personal data. In practice, it is quite difficult to find a company that does not keep criminal records or health reports in its personnel files. However, under the law, biometric data such as fingerprints, criminal conviction data such as criminal records, or health information are classified as special categories of personal data, and additional precautions and obligations are stipulated when processing such data.
Furthermore, the Personal Data Protection Law (KVKK) introduced a new concept to our legislation: the data controller. The data controller is the natural or legal person who determines the purposes and means of processing personal data. For example, in terms of personnel files, the data controller is the employer company. Here, I would like to point out an important detail that is often confused in practice: the data controller is not the company personnel (human resources, patient admissions staff, etc.), but the legal entity of the company.
When we examine the Personal Data Protection Law, we see that companies have certain obligations towards their personnel, consumers, or other relevant individuals with whom they interact, and that the consequences they will face in case of violations of the law, including administrative fines of up to 1,802,640 TL for the year 2020, are clearly regulated.
What are companies' obligations under the Turkish Personal Data Protection Law (KVKK)? The obligations imposed on companies by law can be grouped under several headings. Undoubtedly, one of the most important of these is the data controller's obligation to inform (KVKK Article 10). The obligation to inform is a duty that must be fulfilled upon the request of the data subject, regardless of any formal requirements. Companies are obligated to create information texts in accordance with the data inventory they prepare and to inform data subjects through appropriate platforms. In practice, this obligation can be fulfilled through various channels, such as texts on the website or voice recordings played before telephone calls. Furthermore, it is important to add that the information texts must be prepared in accordance with the inventory and must avoid vague or confusing expressions.
Another obligation that companies must pay attention to is, in accordance with the principles and regulations introduced by the law, the obligation to take all necessary technical and administrative measures (Article 12 of the Turkish Personal Data Protection Law). Of course, the measures that a hospital should reasonably be expected to take will differ from those expected of an iron and steel company. Examples of administrative measures include confidentiality agreements, personnel disciplinary regulations, references to the Personal Data Protection Law in employment contracts, and internal personal data processing policies; examples of technical measures include data security software such as anti-virus, firewall, and backup systems.
Companies that are data controllers also have the obligation to respond to applications from data subjects, and to provide information and documents requested by the Personal Data Protection Authority, within the prescribed legal time limits (Articles 13-15 of the Personal Data Protection Law). It is important that these responses comply with the formal requirements specified in the relevant circular.
Another obligation, stipulated in Article 16 of the Personal Data Protection Law, is the data controller's obligation to register with the Data Controllers Registry. Although multiple stages are envisioned within this scope, registration applies to companies with more than 50 employees (in at least 7 of the Summary and Premium Service Declarations they have submitted within a year) or those with total assets or liabilities exceeding 25,000,000 TL in their annual financial statement. The last registration date is June 31, 2020. In order to register, it is crucial to first prepare a personal data inventory within the company. The Data Controllers Registry is a system designed in accordance with the principles of accountability and public transparency, and it is open to everyone. Through the website www.verbis.kvkk.gov.tr you can check the records of companies that have completed their registration, without paying any fee or creating an account.
It is important to add that, as emphasized in the Personal Data Protection Authority's decision No. 2019/387 regarding the extension of the registration deadlines in the Data Controllers Registry, the information declared to the registry must be accurate, up-to-date, and reliable, covering all personal data processing activities. In fact, the Authority stated in its review that the information declared by many companies did not match, revealing serious errors and violations of the Law/Regulations. Therefore, companies that have registered and notified the registry haphazardly without preparing a personal data processing inventory, or those that have failed to complete the inventory preparation process and thus cannot fulfill their registration and notification obligations on time, must urgently rectify these deficiencies.
Apart from the obligations mentioned, let us state that you also have a number of other obligations, such as obtaining explicit consent from data subjects for the personal data you collect (where none of the other legal processing conditions apply), and that, in any case, you should observe at every stage the principles of processing personal data "in accordance with the law and rules of honesty, accurately and up-to-date, for specific, explicit and legitimate purposes and limited to those purposes, and retaining them only for the period necessary for the purpose for which they were processed".
To give examples of decisions made by the Personal Data Protection Board: the 50,000 TL fine imposed on a lawyer for sending a message to the debtor's nephew; the decision that requiring fingerprints for access to gyms was not proportionate under the legislation; the administrative fine of 20,000 TL imposed on an asset management company for sending multiple messages on the same subject; and even fines of over 3,000,000 TL imposed on Facebook for two separate violations, to name just a few. In another decision, the Board imposed an administrative fine of 75,000 TL on a company whose personnel processed personal information obtained from their previous company and contacted the relevant individuals within their new company.
All these concepts and obligations can be confusing if you are hearing about them for the first time. However, working with an expert consulting firm on the subject makes the process much less stressful. A few well-executed adjustments and a gradual integration of GDPR into your company culture will protect your company from high administrative fines and allow you to complete the compliance process smoothly.
Kind regards,
Mustafa YOLCU, Att. – 05.01.2020
