Obligations of Data Controllers under the Law on Protection of Personal Data in Turkey

At the forefront of these obligations is the requirement for data controllers to fulfill certain duties and responsibilities. The main obligations of data controllers under the KVKK in Turkey are as follows:

These obligations ensure that data controllers fulfill their responsibilities regarding the protection of personal data and contribute to the achievement of the purpose of the KVKK, which is to ensure the confidentiality, integrity, and security of personal data.

Furthermore, data processors are obliged to prepare certain documents and guidelines, present them to the relevant persons and sign them if necessary.

One of the most important documents under the KVKK is the clarification text. The clarification text is a document that informs data subjects about how personal data is processed. This document is usually presented to data subjects from the data processors, at websites, applications, or other. The clarification text should include information on what data is collected, how this data is processed, with whom it is shared, and the rights of data subjects. Additionally, the identity and contact information of the data controller should be included in the clarification text. Even if the law does not stipulate that the declaration must be signed, we advise that the data subject should sign this text because of the burden of proof.

According to the KVKK, personal data must be stored for a certain period. However, it is also important to destroy the data after this period expires. The destruction and storage policy is a document that determines how data controllers will manage these processes. This policy should explain in detail which data will be stored for how long, how it will be destroyed after this period, and how the destruction process will be carried out.

Data security is one of the fundamental principles of the KVKK. Data controllers are obliged to take necessary measures to protect personal data from unauthorized access, alteration, or destruction. Therefore, it is important for data controllers to develop a data security policy. This policy should determine the technical and administrative measures to be taken to ensure the security of data. Additionally, it should draw a process in the event of potential data breaches.

Imperative for fostering a culture of compliance, these programs furnish employees with a nuanced understanding of data protection principles, KVKK stipulations, and their attendant obligations in safeguarding personal data. These training programs will help employees understand and implement data security policies.

The documents and policies that data controllers need to prepare under the KVKK are of great importance for establishing and maintaining a data protection culture. Documents such as the clarification text, destruction and storage policy, data security policy, data breach notification procedure, and employee training programs will help data controllers fulfill their legal obligations and ensure data security. It is also important to regularly review and update these documents because in the event of a request from the data subject as well as the authority, they must be submitted in accordance with the law.