In our increasingly digital world, the privacy of personal data has an important place. In this article, “How do we protect our data in Turkey? “We have compiled the answers to the question and the development process of the rules on data privacy in Turkey for you.
With the constitutional amendment made by law No. 5982 in 2010, according to Article 20 of the constitution, our personal data has received constitutional security within the scope of the “right to privacy and protection of private life” of personal data. Under this article, everyone has the right to respect for their private life and family life. According to Paragraph 3 of the same article, everyone also has the right to request the protection of their personal data. On April 7, 2016, the law on the protection of personal data No. 6698 (kvkk) came into force. This law states that the fundamental rights and freedoms of individuals must be protected in the processing of personal data and regulates the obligations of persons who process personal data.
Turkish Criminal Code No. 5237, which came into force in 2004, also contains criminal provisions on privacy and protection of personal data. In accordance with Article 135 of the Turkish Penal Code, persons who register unlawful personal data are subject to imprisonment from 1 year to 3 years. In addition, the penalty rate for using data for political, philosophical and religious views, for unlawful moral acts and for damaging reputation is increased by half.
The agency for the protection of personal data regularly conducts trainings in various provinces. Practice/training workshops are increasing and systematic audit work continues. In a report prepared on November 27, 2013, the State Supervisory Board of the Presidency stated that personal data is not safe in Turkey. In the published report, it is noted that there is a lack of awareness in institutions regarding information security and protection of personal data.
Although years have passed, ddk has not issued a new report on personal data. It is known to everyone that the level of awareness has increased since the implementation of kvkk, adopted by tbmm on March 24, 2016.
Within the scope of the confidentiality of private life and the protection of fundamental rights and freedoms stipulated in the Constitution, it improves the level of consciousness by ensuring the protection of personal data in Turkey and creating awareness thereof, and also creates an environment that enhances the international competitive capacities of private and public actors in the data-driven economy. It is moving towards becoming an effective and internationally speaking authority in the formation of citizenship consciousness with the protection of personal data.
Every day, individuals are also faced with breaches of personal data in companies. According to Article 12 on data security contained in the Kvkk legislation, the data controller is required to take all measures within the scope of this law. Data controllers are required to participate in legal compliance projects in order to protect personal data and to receive training on the registration processes of the registry information system (verbis) and their obligations for data controllers. Companies should not disrupt the training of data controllers as long as they store personal data. At the same time, companies must establish privacy policies regarding cookies, use firewalls and obtain digital certificates within the presence of a website or mobile application.
According to the Law on the Protection of Personal Data 6698, an administrative fine of 20,000 Turkish lira to 1.000.000 Turkish lira is imposed on persons who violate the obligation to register and notify data controllers in accordance with the law on the protection of personal data.
Those who fail to meet the lighting obligation 5.000 TL — 100,000,
Those who do not fulfill the obligations related to data security 15,000 TL — 1,000,000 TL, those who do not comply with the decisions made by the board 25,000 TL — 1,000,000 TL, and those who violate the registration and notification obligation in the register of data controllers face an administrative fine of 20,000 TL — 1,000,000 TL.
In accordance with the Turkish penal code, recording personal data unlawfully carries a prison sentence of one year to three years, illegal registration of personal data relating to the political, philosophical or religious views of persons, racial origin; illegal registration of personal data relating to their moral inclinations, health status or trade union connections is half the prison sentence from one year to three years is increased in proportion.
Giving, disseminating or seizing personal data to someone else unlawfully results in a prison sentence of two years to four years. If these offences are committed by a public official and by abusing the authority of his office, taking advantage of the convenience afforded by a certain profession and art, the above penalties shall be increased by half.
The prison sentence of those who are obliged to destroy the data in the system despite the expiration of the periods established by the law has elapsed, from one year to two years, increases the penalty for data that must be eliminated or destroyed in accordance with the provisions of the Criminal Procedure Code, one time increases the penalty for the subject of the crime to be data that must be eliminated or destroyed in accordance with the provisions of the Code of Criminal Procedure.
Since the law on the protection of personal data entered into force on April 7, 2016, it has imposed administrative fines on many companies since it came into force on January 12, 2017. The Board for the protection of personal data initiated an examination of the personal data on the complaints of the data subjects who have been processed in accordance with the law, but continued to investigate the personal data by making a decision, if necessary, by making a decision spontaneously. As of the end of last year, 3,585 complaints had been filed. Of the complaints filed, 2 thousand 401 were concluded.
As of the end of 2019, several companies were fined 14 million 100 thousand pounds for “disregard for data security and failure to comply with legal obligations” and “not reporting the breach within 72 hours”.
As an example of these penalties, According to reviews on a famous social networking site, a data breach was reached and as a result, a fine of 1 million 650 thousand liras was issued on September 18, 2019. An airline responsible for data breaches affecting 1286 people in Turkey and accessing the passport numbers of 155 people was fined 550 thousand liras on May 7, 2018. On July 8, 2019, an investment company sold its client's personal data to a different company for advertising, and the advertising company was fined 75 thousand TL for searching the client without permission for product promotion purposes. The board also fined a company 75 thousand TL for making its former employee's mobile phone number into unauthorized data processing.
**Prevents data from being exported abroad using 100% domestic servers. **
Thanks to our economical packages, the high costs of foreign software and the need to reach support teams if necessary are avoided.
With the easy-to-use admin panel, you can reliably store and manage your cookies and analyze accepted/not accepted cookies.
With detailed reports, you can perform healthy analysis for your company and website, and you can easily put your business on track.
Judging by the laws that have come out about the protection of personal data, additional regulations to these laws and the penalties imposed on companies that do not comply with them, today is the best time to make your website compliant with kvkk and gdhpr.
With our effective consent development team, legal advisors and experts, all located in Turkey, we are ready to support you whenever you need it.
Efilli stays in Turkey with its consent management platform!
Disclaimer: All rights to any articles and content published belong to Efilli Software. All or part of any content, such as text, audio, video, and even if the source is shown or the active link is provided, cannot be used, published, shared or modified.
