The right to protect personal data, which is a fundamental human right, is directly related to the privacy of private life. The need to protect this data, which is objectionable to the hands of third parties, concerns both public institutions and private institutions. For this reason, the issue of protection of personal data is first introduced in the Turkish Penal Code No. 5237, 135 and 140. arranged between items. Then, with the amendment to the Constitution in 2010, the protection of personal data was constitutionally guaranteed. The Personal Data Protection Act, which was published in the Official Gazette dated April 7, 2016, has been the main regulation in this context.

The KVKK (Personal Data Protection Act) gives certain rights or sanctions to the person with the data and the persons responsible for the person's data and the persons who process the data.

What is Personal Data?

Any information relating to a person of a certain or determined nature is considered personal data. In addition to the credentials that provide a direct definitive diagnosis of the person, the data that can be identified by the person through the auxiliary data is also covered by personal data. As an example, you can use the Information such as Contact Information (Telephone-E-mail, etc.), Health Information (Disease-Blood group etc.), Credentials (Name-Last name, TC NO etc.), Association and Foundation Memberships, Photo and Camera Recordings, Genetic Information, Biometric Information, Financial Information and Bank Account Number are personal data.

Since personal data is not determined by limited counting, it is also possible to expand the scope of personal data based on the characteristics of each conc
rete event.

What are the Rights of the Person Concerned under the KVKK?

To find out if the personal data of the contact person is processed, to request information for it if processed, to know if it is used in accordance with the purpose of processing and their purpose, to know third parties where personal data is transferred at home or abroad, to ask for them corrected if personal data is incomplete or incorrectly processed, request ing personal data to be deleted or destroyed, and to inform third parties that personal data is transferred , by analyzing the data processed, the person has the right to object to the occurrement of a result against him, and to claim the damage spurned if the damage is done due to the unlawful processing of personal data.

What are the Obligations of the Data Controller under the KVKK?

The data controller is defined as "a real or legal entity responsible for the establishment and management of the data recording system, determining the processing objectives and means of personal data".

In the first paragraph of Article 12 of the Personal Data Protection Act;
"Data controller;
A) to prevent the processing of personal data in violation of the law,
b) To prevent unlawful access to personal data,
c) Maintaining personal data
all necessary technical and administrative measures to ensure the appropriate level of security.

A) Lighting Obligation

According to the disclosure obligation, the data controller must provide the contact with some information during the obtaining of personal data. These are

  • If the data controller and its representative,
  • For what purpose personal data will be processed,
  • To whom personal data can be added to it for what purpose,
  • The method and legal reason for collecting personal data,
    1. other rights listed in the article. The contact must be aware of and informed about every situation in which the data is processed.

B) Obligations to Data Security

The data controller is responsible for the following items regarding data security:

  • Preventing the illegal processing of personal data,
  • Preventing unlawful access to personal data,
  • To maintain personal data.

In order to carry out these obligations, the data controller must take all measures and carry out inspections related to the functioning of the law. If personal data is processed by another person on behalf of the data controller, both people are responsible for security. Both the data controller and the person who processed the data may not share or use the data for processing purposes after the task is terminated. If the data is 3. persons should be notified as soon as possible.

C) Obligation to Register on Data Responsible Register

Data managers must register with the Data Responsible Register (DATA) in order to share with the public and thus to use the right to protect personal data more effectively.

Real and legal person data managers with a multi-million or annual financial balance sheet total of more than 50 or more than TL 25 million, and real and legal person data managers based abroad must register with the Data Managers Information Registry System (VARBİIS) by December 31, 2019 (including this date). Those who do not register until the specified date will be issued an administrative fine of up to 1,000,000 Turkish liras.

D) Obligation to Answer Applications Made by Persons Concerned

Data managers must conclude the demands of the application of the law within thirty days at the latest, which are forwarded to it by the relevant persons. The data controller should report the positive or negative response of this request to the person concerned. If the person receives a rejection, he can file a complaint with the Board within thirty days of learning the answer. This is usually free, and can also be done for a fee if necessary.

E) Obligation to Fulfill Board Decisions

The data controller is responsible for the elimination of illegality on the issue if there is a complaint to the board or the board detects a violation.

Crimes and Misdemeanors under the KVKK

The Personal Data Protection Act also imposes punitive sanctions on those who do not comply with the law. These sanctions are divided into crimes and misdemeanors.

A) Crimes

The provisions of Article 135 to 140 of the Turkish Penal Code apply to crimes relating to personal data. In the Turkish Penal Code;

  • Anyone who illegally records personal data from one year to three years,
  • The person who illegally issues, spreads or possesses personal data to someone else from two years to four years,
  • Those who are obliged to destroy the data within the system will be sentenced to one to two years in prison if they do not perform their duties, even though the periods set by the law have passed.

B) Misdemeanors

In the Personal Data Protection Act;

  • 5,000 Turkish liras to 10,000 Turkish liras for those who do not fulfill the obligation of lighting,
  • Up to 1,000,000 Turkish liras for those who do not meet the obligations related to data security,
  • Up to 25,000 Turkish liras to 1,000,000 Turkish liras for those who do not meet the decisions made by the Board,
  • An administrative fine of up to 1,000,000 Turkish liras is issued for those who violate the obligation of registration and notification to the data managers' register.

Your registration in VERBIS and/or being of data managers who are exempt from the obligation to register in the register do not constitute a violation of the Personal Data Protection Act. Therefore, please note that if you process personal data in ways that are completely or partially automated or not automatically as part of any data registration system, you must comply with the Law.


It is necessary to determine what needs to be done under the Law and related legislation no. 6698 and to initiate the compliance process immediately within the following scope.

1 | Current Status Analysis
2 | Creating Data Policies
3 | Commissioning Matrix Studies
4 | Creating a Data Sharing Schema
5 | Preparation of Personal Data Inventory
6 | List of What to Have in the Personal Data Processing System
7 | Regulation of Contracts
8 | Regulation of Open Consent, Lighting and Information Texts
9 | Switching to the DATA Notification System
10 | Strengthening Corporate Communication
11 | Organizing Training and Awareness Activities
12 | Development of Technical Data Protection Measures
13 | Creating Personal Data Incompatibilities and Risk List
14 | Determination of Data Deletion, Periodic Destruction and Anonymization Practices
15 | Reducing Personal Data
16 | Preparation of The Outcome and Evaluation Report

In accordance with Article 12/3 of the KVKK No. 6698, the data controller must carry out or carry out the necessary audits in order to ensure the implementation of the provisions of this Law in its institution or organization.

Spread the word. Share this post!