Utilizziamo cookie tecnici per personalizzare il sito web e offrire all’utente un servizio di maggior valore. Chiudendo il banner e continuando con la navigazione verranno installati nel Suo dispositivo i cookie tecnici necessari ai fini della navigazione nel Sito. L’installazione dei cookie tecnici non richiede alcun consenso da parte Sua. Ulteriori informazioni sono contenute nella nostra Cookie Policy.



Obligations of Data Controllers under the Law on Protection of Personal Data in Turkey

PrintMailRate-it

published on 23 February 2024 | reading time approx. 4 minutes

The Law on Protection of Personal Data (“KVKK”) in Turkey imposes several obligations regarding the processing, storage, destruction, and protection of personal data. 

At the forefront of these obligations is the requirement for data controllers to fulfill certain duties and responsibilities. The main obligations of data controllers under the KVKK in Turkey are as follows:

  1. Compliance with Principles of Processing Personal Data: Data controllers are required to process personal data in accordance with the principles of legality, fairness, and transparency, and for specified, explicit, and legitimate purposes. Ensuring that the data is accurate, up-to-date, and, when necessary, updated also falls within the responsibility of data controllers.
  2. Duty of Informing Data Subjects: Data controllers are obliged to inform data subjects about how their personal data will be processed, for what purposes it will be processed, to whom and for what purposes it may be transferred. This notification is usually provided through a clarification text.
  3. Ensuring Data Security: Data controllers are responsible for ensuring the protection of personal data from unauthorized access, alteration, dissemination, or destruction. Data controllers are entrusted with the responsibility of implementing and continuously improving technical and administrative measures to ensure the security of personal data.
  4. Protecting Data Subjects Rights: Data controllers must take necessary steps to protect the rights granted to data subjects under the KVKK. These rights include but are not limited to the right to information, access to personal data, rectification or erasure of personal data, and the right to object to processing.
  5. Reporting Data Breaches: In the event of any data breach, data controllers are obliged to immediately detect the breach and take necessary measures.

These obligations ensure that data controllers fulfill their responsibilities regarding the protection of personal data and contribute to the achievement of the purpose of the KVKK, which is to ensure the confidentiality, integrity, and security of personal data.

Furthermore, data processors are obliged to prepare certain documents and guidelines, present them to the relevant persons and sign them if necessary.

Clarification Text

One of the most important documents under the KVKK is the clarification text. The clarification text is a document that informs data subjects about how personal data is processed. This document is usually presented to data subjects from the data processors, at websites, applications, or other. The clarification text should include information on what data is collected, how this data is processed, with whom it is shared, and the rights of data subjects. Additionally, the identity and contact information of the data controller should be included in the clarification text. Even if the law does not stipulate that the declaration must be signed, we advise that the data subject should sign this text because of the burden of proof.

Destruction and Storage Policy

According to the KVKK, personal data must be stored for a certain period. However, it is also important to destroy the data after this period expires. The destruction and storage policy is a document that determines how data controllers will manage these processes. This policy should explain in detail which data will be stored for how long, how it will be destroyed after this period, and how the destruction process will be carried out.

Data Security Policy

Data security is one of the fundamental principles of the KVKK. Data controllers are obliged to take necessary measures to protect personal data from unauthorized access, alteration, or destruction. Therefore, it is important for data controllers to develop a data security policy. This policy should determine the technical and administrative measures to be taken to ensure the security of data. Additionally, it should draw a process in the event of potential data breaches.

Employee Training Programs

Imperative for fostering a culture of compliance, these programs furnish employees with a nuanced understanding of data protection principles, KVKK stipulations, and their attendant obligations in safeguarding personal data. These training programs will help employees understand and implement data security policies.

The documents and policies that data controllers need to prepare under the KVKK are of great importance for establishing and maintaining a data protection culture. Documents such as the clarification text, destruction and storage policy, data security policy, data breach notification procedure, and employee training programs will help data controllers fulfill their legal obligations and ensure data security. It is also important to regularly review and update these documents because in the event of a request from the data subject as well as the authority, they must be submitted in accordance with the law.

 DATA PROTECTION BITES

author

Contact Person Picture

Bortecine Gultekin

Avukat

+90 212 3101 434

Invia richiesta

 RÖDL & PARTNER TURKEY

Discover more about our offices in Turkey. 
Deutschland Weltweit Search Menu