Personal Data Protection (GDPR) Law Services
Today, as digital technologies, and especially the internet, occupy a growing part of our lives, the protection of personal data has also come within the scope of the law. It has become mandatory for companies and businesses to obtain legal support in compliance processes regarding the protection of the personal data of their customers and employees. The need for legal support comes to the fore especially when multinational or international companies must comply with the personal data protection laws of the various countries in which they operate.
As Viridis Legal Partners, we provide support to our clients in terms of personal data protection law within the scope of our consultancy services, as well as one-time or continuous legal support regarding the protection of personal data.
What Is Personal Data Protection Law?
The field of law that regulates the protection, processing and deletion of personal data is called personal data protection law. To clarify the subject, questions such as what personal data is are addressed in the following sections of this article. This field of law emerged from developments in informatics and informatics law and is relatively new.
The first piece of legislation that comes to mind in this field is the GDPR. In Turkey, this field is regulated by the Personal Data Protection Law No. 6698 (KVKK), which came into force in 2016. It is fair to say that the said Law contains regulations very similar to the GDPR.
What Is Personal Data?
Similar to the GDPR, the aforementioned Law defines personal data as any information regarding an identified or identifiable individual. Among these, the data regarding people’s race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, appearance and dress, association, foundation or union membership, health, sexual life, criminal conviction and security measures, as well as biometric and genetic data are classified as special personal data. It is prohibited to process special personal data without the explicit consent of the person concerned.
What is the Processing of Personal Data?
The KVKK also defines the processing of personal data in terms very close to the GDPR. According to the aforementioned law, the processing of personal data refers to any operations which are performed on personal data, whether or not by automated methods, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
What Should You Know About Data Protection Act in Turkey?
What Are The Core Principles of Data Protection Law in Turkey?
The first article of the said Law states the purpose of the personal data protection law as “to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data and to regulate the obligations and the procedures and principles to be followed by real and legal persons who process personal data.”
In the aforementioned law, general principles in the processing of personal data are listed as follows.
- Complying with the law and the rules of honesty,
- Being accurate and up to date when necessary,
- Processing for specific, clear and legitimate purposes,
- Being related to the purpose for which they are processed, being limited and proportionate,
- Being kept for the period stipulated in the relevant legislation or necessary for the purpose for which they are processed.
Where Is The Application Area of KVKK?
Regarding the application of personal data protection legislation in terms of location, it would be appropriate to say that the legislation of the location of the real person whose data is obtained and processed will be applied.
In the Guidelines No. 3/2018 of the European Data Protection Board regarding the scope of application of the General Data Protection Regulation (GDPR) in terms of location, it is stated that an office of a company established in a third country should be located within the borders of the Union and the activities of this office should increase the revenues of the company located in the third country that is the data controller. It has been stated that, if these conditions are met, the provisions of the GDPR will be applied to the personal data processing activities of the data controller located abroad. In Turkey, the Personal Data Protection Board, in its decision dated 23.06.2020 and numbered 2020/471, ruled that the representative in Turkey of a bank located abroad has an obligation to register and notify the registry and that the KVKK is also applicable to this business.
What are the Sanctions for Failure to Comply with the Personal Data Protection Law in Turkey?
It could be said that violation of the Personal Data Protection Law is subject to two types of sanctions: criminal and administrative. While some penal provisions were introduced with the 17th article of the said Law, administrative fines were also stated with the 18th article.
Criminal Sanctions
Article 17 of the Law made a direct reference to Articles 135 to 140 of the Turkish Penal Code and stated that the prison sentences stipulated therein would be applied. Here, the prosecution of crimes is kept dependent on the complaint of the person concerned and it is stated that security measures can also be applied for legal entities. The regulations introduced are as follows.
“Recording of Personal Data
Article 135
(1) Any person who illegally records personal data shall be sentenced to a penalty of imprisonment for a term of one to three years.
(2) Any person who illegally records personal data on another person’s political, philosophical or religious opinions, their racial origins; their illegal moral tendencies, sex lives, health or relations to trade unions shall be sentenced to a penalty of imprisonment in accordance with the above paragraph.
Illegally Obtaining or Giving Data
Article 136 (1) Any person who illegally obtains, disseminates or gives to another person someone’s personal data shall be sentenced to a penalty of imprisonment for a term of two to four years.
Qualified Versions
Article 137 (1) Where the offences defined in the above articles are committed;
- a) by a public official misusing his power derived from his public post, or
- b) by benefiting from the privileges derived from a profession or trade,
the penalty to be imposed shall be increased by one-half.
Destruction of Data
Article 138 (1) Any person who fails to destroy data in accordance with the prescribed procedures, before the expiry of the legally prescribed period for destruction, shall be sentenced to a penalty of imprisonment for a term of one to two years.
(2) Where the subject of the offence remains within the scope of the information to be removed or eliminated under the provisions of the Code of Criminal Procedure, the penalty to be imposed shall be increased by one fold.”
Administrative Fines
Administrative fines included in Article 18 of KVKK will be applied as follows, based on the revaluation rate of 58.46% in 2024:
- In Case of Violation of the Disclosure Obligation: 47.303-946.308 TL
- In Case of Violation Regarding Data Security: 141.934-9.463.213 TL
- In Case of Contravention with the Decisions Made by the Board: 236.557-9.463.213 TL
- In Case of Violation of the Registration and Notification Obligation to Verbis (Data Controllers Registry): 189.245-9.463.213 TL
How Does Privacy Legislation Vary Across the Globe?
What Is The Impact of GDPR on Global Data Privacy?
GDPR stands out as the most detailed and deterrent legislation created in the field of personal data protection. Based on Article 8 of the European Convention on Human Rights, GDPR, which covers fundamental issues such as privacy and family protection, stands out with its applicability to businesses that provide goods and services to EU citizen data subjects or provide or process people’s data free of charge. It also has a deterrent effect, with fines of up to 4% of businesses’ annual global turnover or 20 million euros, whichever is higher.
How Does Privacy Legislation Differ in the United States, EU, and Asia?
With the GDPR regulation and personal data protection law coming to the fore, various countries around the world have intensified their efforts to create legislation in this field.
While there is no single overarching data protection law in the United States, there are many privacy and data security laws at the state level that overlap with federal laws. Many businesses operating in the United States must comply not only with applicable federal laws but also with a number of state privacy and security laws and regulations. The state of California alone has more than 25 data security and privacy laws. One of these is the California Consumer Privacy Act (“CCPA”).
In the People’s Republic of China, the Personal Data Protection Law (“PIPL”) came into force on November 1, 2021. PIPL is the first law regulating personal data protection at the national level in the People’s Republic of China. PIPL protects the personal information held and processed by organisations operating in China and those established outside China. PIPL’s data protection principles include lawfulness, necessity, good faith, purpose limitation and data minimisation, transparency, accuracy, accountability and security accountability. Individuals have rights to be informed, access, copy, deletion, rectification, portability and rights to respond to automated decision-making. Businesses and organisations must be more accountable and act in good faith when collecting, using and storing personal information.
As a result, it is fair to say that the regulations that many countries have set or are setting, although they differ, include provisions very similar to the GDPR and hold businesses operating in those countries responsible for protecting the personal data of their citizens.
Why Is It Crucial For Businesses to Understand Data Protection Laws?
Compliance with KVKK, which aims to protect personal data and prevent its collection and processing without permission, is important for companies that have the status of data controller or data processor. In addition, failure to comply with the personal data protection law may result in heavy administrative fines and loss of reputation for companies.
How Can We Assist You?
As Viridis Legal Partners, your data protection law firm in Turkey, we are aware that violating the obligations under the data protection law and KVKK may lead to serious administrative and judicial consequences. As personal data protection law lawyers in Istanbul, we provide legal support to our clients in this field by carrying out meticulous work on all legal matters, transactions, disputes and lawsuits specific to personal data protection law, KVKK.
We provide our foreign company clients located or operating in Turkey with legal consultancy and support services in many areas, such as: temporary or permanent legal advice; establishing a commercial electronic message system on legal grounds; supervising and regulating the compliance of companies’ current operations with the data protection act in Turkey, Turkish personal data protection law and KVKK; follow-up of objection and cancellation cases against the decisions of the Personal Data Protection Board; VERBIS registration, tracking and updating processes of companies; managing companies’ KVKK compliance processes; compliance advisory services; monitoring and executing the criminal process regarding privacy policy law and KVKK crimes; and many more.
Contact us today to discuss your specific legal needs or inquire about our data protection law services. We are here to assist you in navigating the complexities of personal data protection in Turkey.
Meet Our Data Protection Law Expert at Viridis Legal Partners
Explore top-tier Data Protection Law services in Turkey with Nadide Özdemir, the founder of Viridis Legal Partners. As a seasoned legal expert, Nadide specializes in providing comprehensive support for businesses, ensuring compliance with data protection regulations and safeguarding sensitive information. Viridis Legal Partners offers tailored legal advice, consultancy services, and assistance in navigating the complexities of data protection laws.
Trust Nadide Özdemir and Viridis Legal Partners to secure your business and provide expert guidance in the dynamic landscape of data protection in Turkey.
Experience:
Yeditepe University, Faculty of Law - 2016
Marmara University Public Law Master’s Degree - 2019
Founder of Viridis Legal Partners - 2023
Istanbul Bar Association - 57790
Language: English, German, Turkish
Tel: +90 538 289 28 68
Personal Data Protection FAQ
The legal domain governing the safeguarding, processing, and deletion of personal data is termed personal data protection law. This relatively new field of law emerged alongside advancements in informatics and informatics law. In Turkey, the Personal Data Protection Law No. 6698 (KVKK), enacted in 2016, parallels the GDPR and regulates personal data protection.
Similar to GDPR, KVKK defines personal data as any information related to an identified or identifiable individual. Special personal data, including details about race, ethnic origin, political opinions, health, and criminal convictions, requires explicit consent for processing.
The definition aligns closely with GDPR, encompassing various operations on personal data, whether automated or not. These operations include collection, recording, organization, storage, and destruction, emphasizing the need for lawful and transparent data processing.
The core principles outlined in the KVKK prioritize complying with the law, accuracy, processing for specific purposes, limited data processing, and adherence to defined retention periods.
The KVKK applies based on the location of the individual whose data is processed. The Personal Data Protection Board decision emphasizes the applicability of KVKK even for foreign entities, highlighting the obligation to register for businesses with a presence in Turkey.
Violations of KVKK incur both criminal and administrative sanctions. Criminal sanctions, including imprisonment, are specified in Article 17, while administrative fines, detailed in Article 18, cover various breaches such as disclosure obligations, data security violations, and non-compliance with decisions by the board.
GDPR, a comprehensive legislation on data protection, has influenced global data privacy. Privacy legislation varies worldwide, with the United States having diverse state-level laws, and China enacting the Personal Data Protection Law regulating data held by organizations inside and outside its borders.
Understanding and complying with data protection laws, like KVKK, is crucial for businesses to protect personal data, avoid heavy fines, and uphold their reputation. Failure to comply may lead to severe consequences, making legal guidance essential.