Insights into Türkiye’s Personal Data Protection Law (KVKK)
As the world becomes increasingly digitalized, personal data is being collected and processed at an unprecedented rate. To ensure the protection of personal data, the Turkish government has established the Personal Data Protection Authority (KVKK) and the Personal Data Protection Law (KVKK) in Türkiye. In this article, we will provide an overview of the KVKK and what it means for organizations that process personal data in Türkiye.
What is the purpose of KVKK?
ARTICLE 1 Chapter I of KVKK– (1) The purpose of this Law is to protect the fundamental rights and freedoms of persons, privacy of personal life in particular, while personal data are processed, and to set forth obligations of natural and legal persons who process personal data and procedures and principles to comply with for the same.i
Codification of Turkish Personal Data Protection Law No. 6698 (KVKK or DPL)
The KVKK was introduced in 2016 and came into force on April 7th of that year.ii The law regulates the processing and protection of personal data by private sector entities operating in the country. It provides individuals with control over their personal data and ensures that it is handled in a responsible and secure manner by organizations in Türkiye.
The KVKK sets out the rights of individuals concerning their personal data and establishes obligations for organizations handling personal data. These obligations include obtaining consent for the collection and use of personal information, implementing appropriate security measures to protect personal data, and allowing individuals to request access, correction, or deletion of their personal information. Organizations must also appoint a data protection officer and provide appropriate training to employees who process personal data.iii
What the Data Protection Law No. 6698 Covers?
The definition of personal data under the KVKK is quite broad and encompasses a wide range of information including, but not limited to, personal identification information, contact information, financial information, health information, biometric data, sexual life and orientation information, and more. It is important to note that the processing, storage, and sharing of personal data must be done in accordance with the provisions of the KVKK and must ensure the protection of the privacy and security of the data subjects.iv
Organizations that fail to comply with the KVKK are subject to significant fines, and the law requires organizations to take appropriate technical and organizational measures to protect the security of personal data. This includes measures such as encryption and access controls.v
The Personal Data Protection Law (KVKK) in Türkiye is a crucial piece of legislation that helps to protect the privacy and security of individuals’ personal data. By understanding the provisions of the KVKK and taking the necessary steps to comply with the law, organizations can ensure that they are handling personal data in a responsible and secure manner.