WHAT IS THE LAW ON PROTECTION OF PERSONAL DATA NO 6698?
In accordance with the procedures and principles in the Law on Protection of Personal Data No. 6698, which entered into force on 07.04.2016 and regardless of small and large scale, on 07.04.2018, it has become imperative that extra information, documents and personal data are protected and all departments within the companies Having knowledge about it is important.
A "Personal Data Protection Board", which is authorized to supervise, whether companies have harmonized under this law or not has been established. For companies that do not comply with the procedures and principles in the Law on Protection of Personal Data No. 6698 (Legal Entity Responsible-All Management in the Signature Circular), there are imprisonment and fines.
The penalty for not complying with the law regarding the recording, processing, transfer and destruction of the data can be between 1-6 years of imprisonment, and the penalty for not fulfilling the obligations specified in the law can be between 5,000 TL -1,000,000 TL. Companies are required to receive training to complete their work on compliance with the law and create corporate awareness.
As Kizil Denetim, Danismanlik, we support you with expert information technology experts, lawyers and process analysts within the scope of compliance with the law.
WHAT DO WE DO IN THIS PROCESS AS KIZIL DENETIM?
1. Within the scope of the law, the process analysis of all departments within the company is made and data inventory is issued.
2. Classification of Personal Data.
3. Adaptation of Data Processing Processes.
4. Harmonization of Data Transfer Processes.
5. Updating Contracts..
6. Establishment / alignment of application, complaint, appeal processes.
7. Creation of Open Consent and Illumination texts.
8. Establishment of the Institution KVKK Policy and Information Security Policy.
9. Data destruction as required by law.
10. Kurum içi KVKK farkındalık eğitimlerinin düzenlenmesi.
WHAT IS GDPR (GENERAL DATA PROTECTION REGULATION)?
The EU General Data Protection Regulation (GDPR) was developed to prepare a harmonious series of data privacy laws to protect EU citizens across Europe. This regulation replaces the Data Protection Directive 95/46 / EC and there are serious differences between them like the following:
Wider jurisdiction. The General Data Protection Regulation will apply to all companies that process personal data of anyone living within the European Union, regardless of the company's location.
Penalties. All institutions and organizations, including controllers and processors that are not compliant with GDPR, can receive up to 4% of their annual global turnover or up to 20 M euros (whichever is greater).
Consent should be clearly and easily understandable and should be distinguished from other issues. In addition, revocation of approval should be as easy as giving it.
Violation Notifications: Violation notifications will be mandatory and will need to be completed within 72 hours after the institution or organization becomes aware of the violation.
Privacy. GDPR requires the data protection function to be included from the start when designing systems, and not to be implemented by adding later.
It requires the existence of a clear and strictly implemented policy on the processing and protection of data.
It requires that all personal data processing activities are strictly restricted by approvals, procedures or instructions, and awareness must be provided and verifiable by all data processors and data accessors.
It demands that all data platforms and their protection plans be created, data transfer rules, protection rules and the compliance of the technical infrastructure are documented and operated in accordance with the policy.
The purpose of GDPR is to protect all EU citizens from privacy and data breaches in today's data-driven world. Although the basic principles of data privacy continue to follow the previous guidelines, many changes have been proposed in regulatory policies; You can find information on key points of data protection and their impact on work below.
Regional Coverage (extraterrestrial applicability)
GDPR has set clear rules for all data processing companies, regardless of the company's location, as the key element in the architecture of data privacy. With the law adopted, GDPR had a wide range of powers and powers in a wide range of fields. Due to the signed protocol agreements, my country has enforcement powers in almost every country in the world.
GDPR demonstrates its applicability very clearly - regardless of whether transactions take place in the EU, processing of personal data by controllers and businesses in the EU is sufficient to be covered by the law. Even if GDPR is a company not established in the EU, where the personal data of the data subjects in the EU is related to the following, it is sufficient for the GDPR to be included in the scope of GDPR.
All businesses and natural persons that violate the GDPR rules can be fined up to 4% of the annual global turnover or up to 20 million Euros (whichever is greater). This is the highest penalty applicable to the most serious violations that do not have sufficient customer approval to process data or violate the concept of Privacy with Design concepts. There is a gradual approach to fines, for example, a company may be fined 2% for not recording its cat and the personal data it is responsible to protect (article 28), It is important to note that these rules apply to both controllers and businesses - Cloud computing Hosting data in their systems is not exempt from GDPR sanction.
Differences between GDPR and KVKK
1 - KVKK Republic of Turkey of EU harmonization of our agents throughout the country's GDP is taken from gdpr standards adapted publication is a more comprehensive study.
2 - KVKK protection of data of natural persons and legal entities operating in the Republic of Turkey and covers issues related to the transferred abroad. GDPR data covers all companies and data processing companies operating in all EU countries and other countries.
3 - KVKK penalty obligations have been determined as an upper limit of 1.000.000 TL and GDPR has determined 4% or 20.000.000 Euro (whichever is greater) of the company turnover as a penal sanction.
4 - While KVKK rules are subject to sanctions in accordance with the rules of our country, GDPR rules have the authority to intervene and punish in line with the authority given to them independently from the country.