What are the Basic Obligations of the Personal Data Protection Law (KVKK)?

Comprehensive KVKK Guide: 8 Key Obligations and Practical Compliance Steps for Data Controllers

In the digital age, data is often described as the new oil of the economy. This valuable asset, however, brings with it a great responsibility. Law No. 6698 on the Protection of Personal Data (KVKK, also referred to below as the LPPD), which entered into force in 2016, is the main legal framework governing the processing of personal data in Turkey. The LPPD, which is largely aligned with the European Union’s GDPR (General Data Protection Regulation), imposes a number of important obligations on all natural and legal persons who process personal data (“data controllers”). Failure to comply with these obligations may result in administrative fines imposed by the Personal Data Protection Board (the “Board”), which can amount to millions of liras, and in some cases even imprisonment under the Turkish Penal Code. In this article we examine in detail the basic KVKK obligations that every data controller should know and the practical steps to be taken to comply with them.

Basic Concepts:

  • Personal Data: Any information relating to an identified or identifiable natural person (Name, surname, Turkish ID number, e-mail, telephone, IP address, photograph, CV information, etc.).
  • Data Controller: The natural or legal person (e.g. your company) who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.
  • Data Processor: The natural or legal person who processes personal data on behalf of the data controller, based on the authorisation granted by the data controller (e.g. the accounting firm from which you receive payroll services).
  • Data Subject: The natural person whose personal data is processed (employee, customer, website visitor, etc.).

8 Basic Obligations of Data Controllers:

  1. Processing in accordance with the Law and Good Faith (Art. 4 of the LPPD): This is the general principle underlying all data processing activities. Data must be processed for specific, explicit and legitimate purposes, must be relevant, limited and proportionate to the purpose for which they are processed, must be kept accurate and up-to-date, and must be retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed.

  2. Obligation to Inform (Art. 10 of the LPPD): This is one of the most frequently violated obligations. At the time of obtaining personal data, the data controller is obliged to inform the data subject about:

    • The identity of the data controller.
    • The purpose for which personal data will be processed.
    • To whom and for what purpose the processed personal data may be transferred.
    • The method and legal reason for collecting personal data.
    • The rights of the data subject listed in Article 11 of the LPPD (access, correction, deletion, etc.).

    Disclosure must be made in a clear, understandable and easily accessible manner (for example, the privacy policy on the website or the disclosure text on a job application form).
  3. Obligation to Obtain Explicit Consent (Art. 5, 6 of the LPPD): The basic rule for processing personal data is to obtain the “explicit consent” of the data subject. Explicit consent is defined as “consent regarding a specific subject, based on information and expressed with free will”. However, explicit consent is not required in the following cases listed in Article 5/2 of the LPPD:

    • It is clearly stipulated in the laws.
    • It is mandatory for the protection of the life or physical integrity of the person who is unable to disclose his/her consent due to actual impossibility.
    • It is directly related to the establishment or performance of a contract.
    • It is mandatory for the data controller to fulfil its legal obligation.
    • It has been made public by the data subject himself/herself.
    • Data processing is mandatory for the establishment, exercise or protection of a right.
    • Data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.
  4. Stricter Rules for Processing Special Categories of Personal Data (Art. 6 of the LPPD): Data relating to race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, and biometric and genetic data are “special categories of personal data” (sensitive data). As a rule, the processing of such data is subject to the explicit consent of the data subject. Data relating to health and sexual life may be processed without consent only for purposes such as the protection of public health and preventive medicine, and only by persons under an obligation of confidentiality or by authorised institutions.

  5. Obligation to Ensure Data Security (Art. 12 of the LPPD): The data controller is obliged to take all necessary administrative and technical measures to ensure the appropriate level of security in order to prevent unlawful processing and access to personal data and to ensure its preservation.

    • Technical Measures: Authorisation matrix, access logs, penetration tests, encryption, network security, backup.
    • Administrative Measures: Preparing a data processing inventory, creating internal policies (data retention and destruction policy, etc.), signing confidentiality undertakings, training for employees, adding KVKK provisions to contracts with data processors.
  6. Obligation to Register with the Data Controllers Registry (VERBIS) (Art. 16 of the LPPD): Data controllers with more than 50 employees or an annual balance sheet total of more than TRY 100 million, as well as data controllers residing abroad, are obliged to register with VERBIS before starting data processing. In this registry they declare which categories of data they process, for what purposes and for how long.

  7. Compliance with the Rules for Data Transfer Abroad (Art. 9 of the LPPD): As a rule, the transfer of personal data abroad is subject to the explicit consent of the data subject. For transfer without consent, there must be adequate protection in the country of transfer (the list of safe countries announced by the Board) or, if there is no adequate protection, the data controllers in Turkey and abroad must undertake in writing to provide adequate protection and the Board’s authorisation must be obtained.

  8. Obligation to Respond to Applications of Data Subjects (Art. 13 of the LPPD): Data subjects may apply to the data controller and make requests regarding their data. The data controller is obliged to finalise these applications free of charge as soon as possible and within thirty days at the latest.

Compliance with the LPPD is not a one-time project but a dynamic process that requires constant attention and care. Companies must meticulously fulfil the obligations above in order to put their data processing activities on a lawful footing, to avoid potential administrative fines and, most importantly, to earn the trust of their customers and employees. The best approach is to start by preparing a data processing inventory, assessing the current situation and creating a road map to eliminate deficiencies. Given the complexity of the KVKK compliance process, obtaining support from a lawyer or consultant who specialises in this field is highly recommended in order to minimise the risks.

LEGAL NOTICE

The content on this website is not intended to create an attorney-client relationship and should not be regarded as a solicitation or advertisement. The copyright in all content on the website belongs to Av. Cemal Vehbi GÜNAYDIN. Legal and criminal proceedings will be initiated if content from the website is found to have been copied or abridged and published on other websites without permission.

© 2025 Günaydın Hukuk Bürosu – All Rights Reserved.