KVKK Rules - bounswe/bounswe2022group1 GitHub Wiki
Overview
KVKK means Personal Data Protection Regulation. KVKK is similar to GDPR; the difference is that KVKK was drafted and passed by Turkey. The Protection of Personal Data in Turkey came into force on 7 April 2016, and the Turkish Data Protection Authority (TDPA) was established as a financially and administratively independent supervisory authority, according to its official webpage. Unlike under GDPR, data controllers have to enroll in VERBIS, the TDPA's Data Controllers Registry Information System. Data controllers who violate KVKK rules face administrative fines of up to 1.5 million₺.
Terms in KVKK
Personal data is any data that relates to anyone. Websites mostly ask their users for permission to use personal data such as names, email addresses, location information, gender, biometric data, ethnicity, beliefs, and web cookies.
Special Qualified Personal Data is data about race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, costume and clothing, membership of associations, foundations or unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data.
Any action performed on personal data is called Processing of Personal Data. Examples include collecting, deleting, updating, recording, and storing.
The person whose personal data is being processed is called the Data Subject.
The data controller is the legal person who determines the methods of processing personal data. The data controller is also responsible for the storage and management of this data.
A data processor is a third-party legal person who processes personal data on behalf of a data controller.
Guidelines
There are some guidelines for preparing a company for KVKK. These guidelines also guide companies on how to use data.
- GUIDELINE ON ERASURE, DESTRUCTION OR ANONYMIZATION OF PERSONAL DATA: This guideline contains points to be taken into consideration during erasure, destruction and anonymization of personal data.
- GUIDELINE ON DATA CONTROLLERS’ REGISTRY: This guide contains information on how to register to the Data Controllers' Registry.
- GUIDELINE ON THE IMPLEMENTATION OF PERSONAL DATA PROTECTION LAW: This guideline has been prepared to explain national and international regulations about personal data protection and the law in all aspects.
- GUIDELINE ON PERSONAL DATA SECURITY: This guide includes the procedures and principles that the data controller should obey to ensure data security.
- GUIDELINE ON PREPARING OF PERSONAL DATA PROCESSING INVENTORY: This guide includes the points to be considered while preparing the Personal Data Processing Inventory.
- GUIDELINE ON IMPLEMENTATION OF THE OBLIGATION TO INFORM: This guideline contains the points to be considered in the implementation of the obligation to inform.