Davies Parker's Blog

Kvkk Compliance: A Guide To Türkiye’s Data Protection Law

Davies Parker's photo
Davies Parker
·

2 min read

INTRODUCTION:

The Personal Data Protection Law №6698, known as Kişisel Verileri Koruma Kanunu (KVKK), is Türkiye’s landmark data protection legislation which came into force on 7 April 2016. This law has been enacted to establish a robust framework for handling the personal data of natural person whose personal data are being processed. KVKK sets out comprehensive guidelines for the collection, processing, and safeguarding of personal information.

The objective of the law is to protect people’s fundamental rights and freedoms, especially the right to privacy. The law sets obligations, principles, and procedures that individuals and organizations handling personal data must adhere to, placing significant responsibilities on organizations to protect privacy of their users and ensure data security in today’s digital world. In this blog, we will cover the key provisions, compliance requirements, and rights and obligations of both the data subject and data controller under the KVKK.

KEY DEFINITIONS AND CONCEPTS UNDER KVKK:

Article 3 of the KVKK contains the definition of several key terms. Article 3(1)(d) defines personal data as any information relating to an identified or identifiable natural person. Thus, any information that can be used to identify a person is considered personal data. The term ‘processing of personal data’ is referred as any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof.

Furthermore, Article 3(1)(a) defines ‘explicit consent’ as those which are freely given, specific and informed. Data subject is defined as natural personal whose personal data are being processed. The Act explicitly defines who will be called the data controller and who will be called the data processor. ‘Data Controller’ refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system, whereas ‘Data Processor’ refers to the natural or legal person who processes personal data on behalf of the data controller upon its authorization.

Read Original Article Here > KVKK COMPLIANCE: A GUIDE TO TÜRKIYE’S DATA PROTECTION LAW