Personal data is the totality of data that we share in almost every environment of the digital world we live in. To benefit from the blessings of the digital world, in almost every service we receive we have to share our most basic data, such as first name, e-mail address and phone number. This fundamental data makes up our digital footprint everywhere.
As data sharing increases, the questions of where and for what purpose this data is used have begun to puzzle us. Sharing our data with third parties for marketing, improvement and development purposes may also lead to security issues. For this reason, governments and government agencies issue regulations and take measures against malicious use of our data.
In many regions of the world, data protection laws and regulations under different names have been issued to protect citizens' data. In Europe, the General Data Protection Regulation (GDPR) is the most comprehensive of these, because it requires compliance from all websites that are accessible to European citizens.
In this context, “Convention No. 108 on the protection of individuals vis-à-vis automated processing of personal data”, which established principles for the protection of personal data and the cross-border flow of data with all Member States, was opened for signature by the Council of Europe on 28 January 1981. This agreement was signed by Turkey within the framework of the European Union integration process. It was incorporated into the internal law of the Republic of Turkey through the legislation published in the Official Gazette on March 17, 2016.
On April 7, 2016, the Law on the Protection of Personal Data No. 6698, which clearly states the requirements for data collection and processing, came into force in Turkey. In accordance with the requirements of this law, criminal sanctions are imposed on natural and legal persons who process data improperly.
Let's take a closer look at the Law on the Protection of Personal Data (KVKK), with which all natural and legal persons are today obliged to comply...
Personal Data
All information relating to an identified or identifiable natural person is personal data. A natural person is defined in law as any individual who is “born fully and rightfully”, as opposed to an institution. Every citizen who meets these requirements, without distinction of language, religion, race or gender, is a natural person.
Personal data according to KVKK legislation No. 6698:
The natural person whose personal data is processed is called the “relevant person” according to the Law on the Protection of Personal Data No. 6698.
The processing of personal data is defined in the KVKK legislation exactly as follows:
“any operations carried out on data such as obtaining, recording, storing, retaining, modifying, rearranging, disclosing, transferring, acquiring, making available, classifying or preventing the use of personal data by non-automated means, including being part of any data recording system” (KVKK No. 6698, Art. 3.1/e).
In short, collecting, processing and sharing data that identifies the person concerned, or that helps to identify them, is called “processing of personal data”.
Explicit consent is the consent that a person declares of their own free will on a given matter, after being given the necessary information. According to Article 5 of the KVKK, it is mandatory to obtain explicit consent prior to the processing and sharing of personal data. Otherwise, severe criminal sanctions will be imposed.
There are 3 basic requirements for explicit consent:
1. Relating to a specific topic:
The data controller must clearly indicate the subject on which consent is sought, and the actions taken must not go beyond the subject of the consent received. A text that says “I consent to the use of all my personal data in relation to any matter” is not sufficient on its own. The data controller must provide information separately for each purpose and obtain explicit consent for each purpose separately.
2. Relying on information:
In order for the person concerned to give consent, they must have knowledge of the matter. This information should describe the identity of the data controller, the purpose of the data processing activity, what type of data will be collected and used, the right to withdraw consent, information on automatic decision-making, the decision on conformity in case of transfer abroad and the risks that may arise in the absence of the necessary measures.
A person who does not know what they are consenting to cannot be said to have expressed clear and free will. Therefore, information should be provided in language that everyone understands.
3. Disclosure by free will:
It is illegal for the data controller or any of the data processors to resort to methods such as threats, deception or coercion in order to receive and process the data of the person concerned. In such a situation, the explicit consent of the person is not considered to have been obtained. If a person who has doubts about the processing of personal data refuses the processing, the data controller should not try to convince them.
Personal data that is strictly necessary for the functioning of the website/platform in question must also be specified, and there must be an option to refuse data that serves other purposes, such as marketing or experience improvement.
The person concerned also has the right to withdraw the consent they have given. The processing of shared data until the consent is withdrawn is lawful, but once the data subject has withdrawn consent, the data controller is obliged to respect this decision.
The data controller is the person who determines the purposes, methods and means of processing personal data. The term refers to the natural or legal person responsible for the establishment and management of the data recording system.
The data recording system is the system in which personal data are recorded and processed as determined by the data controller.
The data processor is the natural or legal person who processes the data on the data controller's behalf, within the scope of the authority granted by the data controller.
The main objective in establishing the KVKK is the processing and protection of personal data in accordance with the standards of the era. Everything from the stages of processing personal data to the procedures and principles that the natural and legal persons processing it must comply with is set out in this law.
The protection of the privacy of a person's data is guaranteed by this law. Thanks to this law, personal data cannot be collected indiscriminately, accessed by unauthorized persons, disclosed, used unintentionally or misused. Thanks to the KVKK, a person's rights and freedoms cannot be violated.
The KVKK legislation No. 6698 does not set a specific period for storing personal data, but there are some restrictions and an additional regulation on deleting, destroying and anonymizing personal data.
As clearly stated in Article 11 of regulation 30224 published in the Official Gazette, the data controller determines the time necessary to delete, destroy and anonymize personal data; however, he must carry out these operations periodically. Expired personal data must be deleted at the first periodic deletion after the retention period. Expired data is anonymized within 6 months if there is no other reason requiring its retention.
The period during which periodic deletions will take place must be specified in the KVKK explicit consent form. If the data controller does not have the obligation to draw up a personal data retention and destruction policy, it will delete, destroy or anonymize the personal data when the specified retention period expires. If necessary, the Personal Data Protection Board may shorten this period. Since the situations that require the retention of data may vary depending on the nature of the work, periods should be determined in consultation with a lawyer specialized in this field.
For example, the data of people applying for an event will have to be deleted if permission has not been given to use it afterwards.
In addition, the persons concerned may contact the data controller in accordance with Article 13 of the KVKK to request the deletion, destruction and anonymization of their personal data. In this case, after the request has been fulfilled, if all the conditions for data processing have disappeared, after 30 days the request must be carried out and the person must be informed.
If, before the request is handled, the data has been processed and transferred to third parties, the data controller is obliged to inform the data processors of the situation and to carry out the request. If the conditions for processing personal data have not completely disappeared, the request of the person concerned may be refused, with the reasons indicated, by notifying them in written or digital form within thirty days at the latest.
Law No. 6698 entered into force on April 7, 2016 for the processing and protection of personal data in accordance with the standards of the era. Everything from the stages of processing personal data to the procedures and principles that the natural and legal persons processing it must comply with is set out in this law. Thanks to this law, personal data cannot be collected indiscriminately, made accessible to unauthorized persons, disclosed, used unintentionally or misused. All information relating to an identified or identifiable natural person is personal data.
Personal data according to KVKK legislation No. 6698:
This data cannot be shared without the express consent of the person concerned.
Disclaimer: All rights to any articles and content published belong to Efilli Software. No content, in whole or in part, including text, audio and video, may be used, published, shared or modified, even if the source is shown or an active link is provided.