Every country has a law that protects personal data and its processing. Turkey was one of the first countries to start the trend of legislating data protection.
History of the KVKK
Turkey’s Personal Data Protection law No. 6698 or KVKK came into force on 7 April 2016. This law was published weeks before the famous GDPR. The KVKK is the first law in Turkey that regulates the protection of personal data and specifies the obligations that entities and individuals must comply with. Before the KVKK came into force, Turkey did not have a law that regulates the protection and privacy of personal data. After that, the Turkish Data Protection Authority was established as a financial supervisory authority. It was made to enforce the provisions of the KVKK and increase public awareness about personal data protection. The KVKK protects the fundamental rights and freedoms of every person.
The KVKK is based on the European Union Data Protection Directive 95/46/EC. This directive was about the protection of individuals “with regard to the processing of the personal data and on the free movement of such data”. This directive was replaced by the GDPR. The KVKK differs from the GDPR not only because of that fact but also because Turkey’s law has its unique requirements.
Categories of Personal Data
The KVKK applies to individuals whose personal data are processed and natural or legal persons who processed such data fully or partially. Rules of the Data Protection Law apply to all organizations and institutions. Moreover, the law should apply to all persons and entities who process information of Turkish data subjects, regardless of whether they are located in Turkey or not. Moreover, the law regulates how personal data should be processed. The KVKK says that personal data should be:
- Processed lawfully and fairly.
- Accurate and where necessary.
- Processed for specified, explicit, and legitimate purposes.
It is interesting to note, that the law has two special categories of personal data: personal data related to health or sexual life and other special categories of personal data. These two categories are protected more strictly and can be processed with explicit consent and under the obligation of confidentiality only for a limited list of purposes.
International transfer of personal data is permitted only with explicit consent and if a country has a level of data protection according to TDPA (The Turkish Data Protection Authority). These points are similar to the GDPR, but according to KVKK, the authority may prohibit the cross-border transfer of data, if the interests of the data subject could be harmful.
Also, you should remember that for breaches of data protection law there could be imprisonment up to 3 years and penalties till 1000000 TL. Moreover, the individuals can claim compensation for unlawful collection or processing of personal data.
In DataSunrise we understand the importance of compliance procedures. Especially, when you need to comply with different laws from several countries. That is why we are offering you our best solution for data protection DataSunrise Data & Database security software, which helps you concentrate on your business and do not worry about data breaches and losses.