Online Payment


Personal Data Protection Law and Related Legislation

K&P Legal provides complete legal consultancy services regarding the Personal Data Protection Law and compliance with the legislation.

With the Law No. 6698 on the Protection of Personal Data (KVKK), which was published in the Official Gazette dated 07.04.2016 and entered into force, all companies should have started to take serious precautions. Otherwise, it is possible to face very serious penalties.

Failure to carry out these works, which are required as per KVKK, 17. and It is stated in Article 18 that it requires the payment of serious prison sentences and fines. For example, the Law Not deleting and anonymizing personal data in Article 17 requires a prison sentence of 1 year to 2 years in accordance with Article 138 of the Turkish Penal Code. In accordance with Article 140 of the Penal Code, reference has been made to the provisions that security measures will be applied to legal persons. The security measures to be applied for companies are the cancellation of the company’s operating license and the confiscation of certain values belonging to the company, as stated in article 60 of the TCK.

On the other hand, Article 18 of the same Law. In accordance with the article, violation of the disclosure obligation specified in the Law is fined up to 100.000 TL, violation of the data security obligation, opposition to the decisions of the Personal Data Protection Board and violation of the obligation to register and notify with the data controllers’ registry and up to 1,000,000.00 TL. sanctioned. (With the revaluation rates published as of 2021, these figures increased as every year and became 196,686 TL. and 1,966,862,00 TL.)

On the other hand, if you are doing business with countries such as European Union countries, America and Canada, doing this work is already a separate necessity for you. According to the regulation, which is briefly called GDPR in the European Union legislation and has almost similar provisions, companies that do business with the EU, produce services, and target EU consumers are also subject to GDPR, although they operate outside the European Union.

According to this regulation, even if the country to which they are affiliated is not an EU member, institutions that provide goods or services to personal data owners in the EU or monitor the behavior of the relevant data owners are considered to be responsible for GDPR. GDPR is an aggressive regulation that is different from the legal regulations seen so far. Violation of the legislation and violation of obligations have very severe sanctions. For example, Article 83 of the GDPR. In case of violation of GDPR obligations, a fine of up to 20 million EURO or a penalty of up to four percent (4%) of the company’s global turnover of the previous year is incurred by the competent authority in that EU country. According to the legal regulation, it is decided that whichever of these is higher, you will have to pay the penalty.

As a result, it does not matter KVKK or GDPR, as a requirement of these legal regulations, companies have been obliged to work on the protection of personal data. For this reason, companies should take immediate measures, provide awareness training from expert lawyers to all their personnel who come into contact with the data, create privacy policies and protect personal data, prepare all necessary documents, policies and procedures in accordance with the relevant legislation, obtain consents in terms of KVK from their current employees in the workplace, There is an obligation to appoint controllers and data processors, to define the limits of their duties and responsibilities, to create a data recording system in the workplace and to register it in the data controllers registry. ,

Again, in line with the regulation on the deletion, destruction or anonymization of existing personal data, the data controllers determined at the workplace are obliged to prepare a personal data storage and destruction policy in accordance with the personal data processing inventory.

For companies, the Chairman of the Board of Directors and members of the Board of Directors, as well as persons authorized to represent the company with a circular of signature, such as the General Manager or Company Manager, are directly responsible as per the Turkish Penal Code.

As it can be seen, what needs to be done within the scope of KVKK and GDPR is not a simple task, it is a team work that requires a good analysis of your company and serious preparation, and a systematic work, along with both the strengthening of the legal infrastructure and analysis and solution proposals in terms of information infrastructure. requires some work. For this, it is a necessity to carry out the necessary work under the leadership of a law firm that is expert in the subject, and also, if necessary, together with an accompanying expert IT firm.

With over 30 years of experience, strong team, offices in Izmir and Istanbul, K&P Legal Law Firm is our solution partner within the scope of Personal Data Protection Law with its experience in Corporate Law, Labor Law, Commercial Law, International Law, IT Law and Contracts Law. is ready to serve your company in the most accurate, effective and practical way with its companies.