Online Payment


Special Studies to be Done in Companies within the Scope of the Law on the Protection of Personal Data and the Importance of This Study


What to do under the Law on the Protection of Personal Data



The Law on Protection of Personal Data No. 6698, which was published in the Official Gazette dated 07.04.2016 and entered into force, has entered our daily life with all its details. The 2-year harmonization period given by the law has ended and as of April 2018, the law has become applicable with all its provisions.

As of this date, there is a possibility that all small, medium or large-sized companies will take serious precautions, otherwise they will face large penalties as explained below.

As we all know, personal data has become an important element of economies today. In this process, personal data has been bought and sold for money due to commercial transactions made over the internet, and personal data called “Big Data” in international jargon has now gained great importance. The Law on the Protection of Personal Data No. 6698, published on the basis of the European Union directives, has been put into practice within this framework.


In the approximately 2 years that passed after the publication of the Law, besides the KVK Law, 3 separate regulations on the subject were published, the Personal Data Protection Board was established and this Board started to work.

As a result, companies have become obligated to work on the protection of personal data. For this reason, companies take immediate action, undergo training, protect personal data and create a privacy policy, obtain consent from their existing employees in the workplace, appoint a data controller and a data processor at the workplace, determine the limits of their duties and responsibilities, create a data recording system in the workplace and do this. There is an obligation to register with the data controllers registry.

Again, in line with the regulation on the deletion, destruction or anonymization of existing personal data, the obligation to determine the data controllers and data processors determined in the workplace and to prepare a personal data storage and destruction policy in accordance with the personal data processing inventory has been introduced. It is necessary for companies to determine and work in this direction.

A special clause should be added to all contracts to be concluded with the company’s current suppliers, all companies and individuals with whom it does business, and third parties, within the framework of the personal data protection law.

It should be defined whether any information available at the workplace is personal data, and the processing of this personal data must be based on a principle.

According to the provisions of the “Regulation on Data Controllers” published in the official gazette dated 31.12.2017, studies must be planned in accordance with the VERBIS system that will come into effect.


Failure to carry out these works required by the Law on the Protection of Personal Data No. 6698, 17. and It is stated in Article 18 that it requires the payment of serious prison sentences and fines.

17 of the law. Failure to delete and anonymize personal data in Article 138 of the Turkish Penal Code (TCK) requires a prison sentence of 1 year to 2 years .

Again, reference was made to the provisions that illegal recording of personal data will be punished with imprisonment from 1 to 3 years in accordance with Article 135 of the TCK, which is referred to by the KVK Law, and that security measures will be applied to legal persons in accordance with Article 140 of the TCK.

The security measures to be applied for companies are also serious problems, because as stated in article 60 of the Turkish Penal Code, these measures are the cancellation of the operating license and the confiscation of certain values belonging to the company and the computers and other equipment that are the subject of the crime (ie the seizure of them).

On the other hand, Article 18 of the same Law. In accordance with the article, violation of the disclosure obligation specified in the Law is fined up to 100.000 TL, violation of the data security obligation, opposition to the decisions of the Personal Data Protection Board and violation of the obligation to register and notify with the data controllers’ registry and up to 1,000,000.00 TL. sanctioned.

Of the penalties in question for companies;

  1. With the Chairman of the Board of Directors and members of the Board of Directors
  2. General Manager or Company Manager
  3. And persons who have the authority to represent the company directly or indirectly, such as unit Managers authorized by the signature circular.

They are responsible in accordance with the Turkish Penal Code.


The Personal Data Protection Board, established by law, takes decisions concerning our commercial life from time to time, and some of these decisions are published. The established Data Protection Board will start audits upon complaint or ex officio, by creating new staff under the name of expert and assistant expert.

As can be seen, there is a serious work to be done within the scope of the Law on the Protection of Personal Data No. 6698. For this, it is a necessity that the necessary work is to be a law firm that has a habit of working with the corporate culture, which is expert in the field of Company Law, and to carry out a detailed study.

K&P Legal Law Firm is ready to serve your company in the most accurate, most effective and practical way within the scope of Personal Data Protection Law, with its experience of up to 28 years, strong team, offices in Izmir and Istanbul, and its experience in the fields of Corporate Law, Labor Law, Commercial Law. .

With this work;

  • To hold a preliminary information meeting with the company’s senior management, where the importance of the issue and the work to be done are conveyed, and to convey information in the form of an executive summary,
  • Establishing and determining a project preparation team within the company and taking these people into detailed training,
  • Creating a work plan suitable for the structure of the company by removing the profile,
  • Determining the source of all the information collected within the scope of KVKK within the company, analyzing them, and carrying out determination studies regarding their classification,
  • Providing training to employees on the subject,
  • Preparing the training document related to the law and publishing it within the company,
  • Training different departments that are related to KVKK separately,
  • Reviewing all existing employment contracts in the workplace, revising employee employment contracts prospectively,
  • Obtaining employee / personnel consents regarding personal data,
  • Company suppliers regarding personal data and 3. Reviewing contracts with individuals
  • Obtaining additional consents from these companies and suppliers,
  • Establishment of data controller and data processor teams within the company and special training of these teams,
  • Obtaining data processor undertaking and data controller undertakings,
  • Preparation of informative texts on the protection of personal data,
  • Handling company processes and making them compatible with the Law,
  • Protection of personal data and creation of data security and privacy policy,
  • Making special data transfer agreements with suppliers and companies with whom data is exchanged frequently,
  • Establishing the necessary administrative and technical infrastructure for the protection of personal data,
  • Working together with the IT department to establish privacy, cyber security and cookie policies within the company,
  • Working with the IT department to establish the necessary infrastructure for network security, computer security, user security and information security in accordance with the law,
  • Providing consultancy on updating social networking sites such as the company’s Web site, Facebook, Twitter in accordance with the law,
  • Providing consultancy on making the necessary records in the data controllers registry to be established within the scope of the Personal Data Protection Law,
  • Creating a data map for registration in the VERBIS system
  • Preparation of public disclosure text,

This requires a long-term study in which each process is analyzed in detail.


While all these studies ensure that the KVK system is established in your company, a lot of data will accumulate in the companies over time and the security of this data will have to be ensured. In accordance with the KVK Law, it is important to establish data security and privacy policies by planning how personal data is generated in your company, where it is stored, how it is stored, when it will be destroyed, and the protection of this data against third parties or malicious attacks. required.

This requires you to work with a company with a strong IT infrastructure. At this point, K&P Legal, with our IT company, which is our KVK solution partner, with a strong infrastructure;

  • Ensuring Cyber Security
  • Monitoring of Personal Data Security in terms of IT
  • Ensuring the Security of Environments Containing Personal Data
  • Accurate Storage of Personal Data in the Cloud
  • Information Technology Systems Procurement, Development and Maintenance
  • And Backup of Personal Data

It also provides the necessary analyzes in your company on issues such as:

At this point, our experts in your company; By making the necessary examination under the supervision of your IT department, user account management, network security, application security, encryption, penetration tests, intrusion detection and prevention systems, data loss prevention software, data limitation solutions, backup, firewalls, up-to-date anti-virus systems, e- By making investigations and deep technical analyzes such as mail security solutions, server security and patch management solutions, they determine the most accurate and most effective protection and storage solutions for your company and report them to you. After this stage, it will be very beneficial for your company to act by seeing and knowing what is needed most in your company.

As a result, it is an extremely important set of rules that should be taken very seriously for all companies and institutions with the reasons and consequences of KVKK and its related legislation, and that should be emphasized by working with a team of experts.

Other Articles