INTRODUCTION:
The Personal Data Protection Law No. 6698, known as Kişisel Verileri Koruma Kanunu (KVKK), is Türkiye’s landmark data protection legislation which came into force on 7 April 2016. This law has been enacted to establish a robust framework for handling the personal data of natural person whose personal data are being processed. KVKK sets out comprehensive guidelines for the collection, processing, and safeguarding of personal information.
The objective of the law is to protect people’s fundamental rights and freedoms, especially the right to privacy. The law sets obligations, principles, and procedures that individuals and organizations handling personal data must adhere to, placing significant responsibilities on organizations to protect privacy of their users and ensure data security in today’s digital world. In this blog, we will cover the key provisions, compliance requirements, and rights and obligations of both the data subject and data controller under the KVKK.
KEY DEFINITIONS AND CONCEPTS UNDER KVKK:
Article 3 of the KVKK contains the definition of several key terms. Article 3(1)(d) defines personal data as any information relating to an identified or identifiable natural person. Thus, any information that can be used to identify a person is considered personal data. The term ‘processing of personal data’ is referred as any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof.
Furthermore, Article 3(1)(a) defines ‘explicit consent’ as those which are freely given, specific and informed. Data subject is defined as natural personal whose personal data are being processed. The Act explicitly defines who will be called the data controller and who will be called the data processor. ‘Data Controller’ refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system, whereas ‘Data Processor’ refers to the natural or legal person who processes personal data on behalf of the data controller upon its authorization.
CORE PRINCIPLES OF DATA PROCESSING IN KVKK:
Article 4 of the KVKK provides that data may only be processed in accordance with applicable laws, as outlined in this regulation or other relevant legislation. In processing personal data, the principles of fairness and lawfulness must be upheld. Additionally, processing should serve specific, legitimate, and clearly defined purposes. It must also be limited and proportionate to the intended purposes.
Article 5 states that personal data may not be processed without the data subject’s explicit consent, except in certain cases. These exceptions include instances where data processing is expressly provided by law; necessary to protect life or physical integrity of data subject himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid; or required for the establishment or performance of a contract subject to the condition that it is directly related to the establishment or performance of the contract. Processing without consent is also permitted when it is essential for compliance with a legal obligation, when data has been made public by the data subject, or if it is needed to establish, exercise, or protect a legal right. Additionally, data may be processed without prior consent if it serves the legitimate interests of the data controller, provided this does not infringe upon the fundamental rights and freedoms of the data subject.
The law categorises certain kinds of data as a special category of data. These data include personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data. Article 6 provides that generally such data which fall under the category of special category of data cannot be processed without explicit consent from the data subject. However, exceptions allow processing without consent in cases specified by law. For health and sexual life data, processing without consent is allowed only by authorized individuals or organizations bound by confidentiality and solely for purposes related to public health and healthcare management. Additionally, the Board mandates specific safeguards to ensure this data’s protection while processing special category of data. Article 7 mandates that personal data be erased, destroyed, or anonymized when the reasons for its processing no longer exist.
TRANSFER OF PERSONAL DATA:
Article 8 states that personal data cannot be transferred without the clear consent of the data subject, except in certain cases. Data may be shared without consent if it’s necessary to protect someone’s life or physical safety and they can’t give consent due to a physical disability or if their consent is not legally valid. Additionally, most types of personal data can be shared without consent if laws allow it. However, data related to health and sexual life can only be shared without consent by authorized individuals or public organizations that are bound by confidentiality, and only for purposes like public health protection, medical diagnosis, treatment, and healthcare management, as long as proper safety measures are followed.
Article 9 provides that personal data cannot be transferred outside Türkiye without the explicit consent of the person whose data is being transferred. However, there are certain exceptions to this rule. Data can be transferred abroad without consent if certain conditions, outlined in Articles 5(2) and 6(3) of the Law, are met. These conditions include situations where data processing is legally required, necessary for the protection of someone’s life, related to a contract, or essential to protect someone’s rights, among others. Furthermore, it provides that even if the data transfer falls under one of these exceptions, it is only allowed if the receiving country provides an adequate level of data protection. If adequate protection isn’t available in the receiving country, then data can only be transferred if the data controllers in Türkiye and the foreign country agree in writing to ensure adequate protection, and if the Turkish Data Protection Board approves the transfer. The Board is responsible for listing countries that provide adequate protection and for making case-by-case decisions on whether a specific country is suitable for data transfer. They consider various factors, including international conventions Türkiye is part of, the specific data involved, and the protective measures in the receiving country. In cases where there is a significant risk of harm to Türkiye’s interests or to the data subject, the Board must give special authorization for the transfer, with input from other relevant institutions.
RIGHTS AND OBLIGATIONS:
Article 10 of the KVKK outlines the responsibilities of data controllers to ensure transparency, data security, and respect for individuals’ rights. It provides that while collecting data, the data controller must inform individuals about key details, such as the controller’s identity, the purpose of data processing, possible data recipients, the method and legal basis of data collection, and the individual’s rights over their data as given in Article 11.
Individuals have several rights regarding their personal data. They can inquire if their data is being processed and understand how it’s used, check if the purpose of processing aligns with the stated intent, and know who the data may be shared with, domestically or internationally. They can also request corrections if their data is incomplete or inaccurate and ask for deletion or destruction of data under certain conditions. Additionally, they can demand notification of these actions to any third parties who received their data, object to unfavourable decisions made through automated processing, and claim compensation if they suffer harm due to unlawful data handling.
Article 12 provides that Data controllers are also obligated to ensure data security by preventing unauthorized access and unlawful processing, taking necessary technical and organizational measures, and performing or arranging audits to maintain compliance. They must keep data confidential, both during and after their role, and may not disclose or use it for other purposes. If there’s a data breach and personal data is accessed unlawfully, the data controller must notify the affected individuals and report it to the Data Protection Board promptly, which may publicly announce the breach if necessary. This regulation ultimately aims to protect individuals’ data rights and hold data controllers accountable for responsible data management.
DATA CONTROLLERS’ REGISTRY:
The Data Controllers’ Registry, known as VERBİS, is a publicly accessible database maintained by the Data Protection Board, the governing body of Türkiye ‘s Data Protection Authority (DPA). Article 16 of the KVKK provides that natural or legal persons who process personal data are required to register with the Data Controllers’ Registry before beginning data processing. However, the Board may grant exemptions from this registration obligation based on objective criteria, such as the nature and volume of data processed, whether the data processing is mandated by law, or if the data is transferred to third parties.
To apply for registration, data controllers must submit a notification that includes: the identity and address of the data controller and their representative (if any); the purpose of processing the personal data; details about the group(s) of persons whose data is being processed and the categories of data involved; information on the recipients or recipient groups to whom the data may be transferred; any personal data intended to be transferred abroad; security measures in place to protect the data; and the maximum storage period necessary to fulfil the data processing purpose. Furthermore, it provides that any changes to this information must be immediately notified to the Presidency. Additionally, Article 16(5) provides that detailed procedures and principles regarding the Data Controllers’ Registry shall be established through a by-law, and in pursuance of this, by-laws have been prepared to outline these procedures.
CONCLUSION:
Türkiye’s KVKK is a significant legislative framework aimed at safeguarding personal data and ensuring privacy rights in the digital age. By setting clear standards for data collection, processing, and protection, KVKK places substantial responsibility on data controllers and processors, encouraging transparency and accountability. The law provides individuals with essential rights to control their personal data and mandates that organizations establish robust data security practices. The Data Controllers’ Registry (VERBİS) and strict requirements on data transfer add further layers of protection. Compliance with KVKK is crucial not only for legal adherence but also for fostering trust among data subjects. As digital landscapes evolve, KVKK continues to strengthen the protection of personal data and the right to privacy in Türkiye.