The need for continuous Turkish Personal Data Protection Law (DPL or KVKK) compliance consultancy services appears to be escalating daily. Personal data is defined in the Turkish Personal Data Protection Law No. 6698 as any information relating to an identified or identifiable natural person.
‘Any information’ refers to not only personal information that enables to identify an individual such as name, surname, date of birth, place of birth; it also refers to physical, familial, economic, social and such similar information that makes the individual identifiable.
Since personal data is not determined by numerus clausus in KVKK, it is possible to expand the scope of personal data based on the characteristics of each concrete case. On this basis, a natural person’s motor vehicle license plate, interview results, IP addresses, audio and video recordings, location information, criminal record, credit card statements, social media likes, fingerprints, etc. information can also be defined as personal data.
Images of individuals captured by a video surveillance system may be considered personal data if the individuals are recognizable.
The customer’s voice recording that gives bank orders in the telephone banking system can be accepted as personal data.
A commission was established for the first time in 1989 to enact a special law on personal data protection in Turkey. This commission was dissolved before it could complete its work. A new commission was formed in 2000, and this commission introduced a bill as a result of three years of work. However, the bill could not be enacted for various reasons. Although a new draft was prepared under the leadership of the Ministry of Justice and submitted to the Turkish Grand National Assembly (TBMM) in 2008 and 2014, the relevant bills lost their value because the legislative period ended.
In this context, the “Draft Law on Personal Data Protection” was submitted to the Presidency of the Turkish Grand National Assembly on December 26, 2014. The Draft Law was enacted on March 24, 2016, and the Law on Personal Data Protection No. 6698 was published in the Official Gazette dated April 7, 2016, and numbered 29677 and entered into force.
We provide consultancy services in accordance with KVKK by monitoring all data protection processes and compliance requirements of companies. Our data protection experts are certified with CIPP/E, ISO/IEC 27001:2013 Information Security Management System, ISO/IEC 27701:2019 Personal Data Management System Lead Auditor, ITIL V3. Our extensive sectoral knowledge and experience enable us to carry out the technical, administrative and legal requirements of KVKK Audit and Risk Assessment processes from an overall perspective. The amendment to the new Personal Data Protection Law which will be prepared in compliance with the EU General Data Protection Regulation (“GDPR”) and will be presented at the end of March 2022 as determined by the Ministry of Treasury and Finance, shows that the continuity of KVKK compliance consultancy services is becoming more critical day by day.