What is KVKK?
The Turkish Data Protection Law (Turkish law no. 6698 - KVKK) was adopted in March 2016 and entered into force in April 2016. Among other things, Article 16 of the KVKK includes a provision requiring registration for all data controllers subject to this law in a Data Controller Registry (VERBIS). Additionally, data controllers located outside of Turkey are required to appoint a representative. The deadline for compliance with these obligations has been postponed several times and finally expired on December 31st, 2021.
Find out in this article whether your organisation is subject to KVKK!
1. Is your organisation subject to KVKK?
Article 2 KVKK defines the scope of the Turkish data protection regulation. KVKK applies to natural and legal persons processing personal data of Turkish data subjects.
A “data subject” is the person whose personal data is processed. “Personal data” means any information relating to an identified or identifiable natural person. The definition of “processing” is very broad and includes any operation which is performed on the data, such as collecting, recording, storing, altering, transferring, etc.
The law does not distinguish between public and private bodies. The procedures and principles laid down are generally applicable to all organisations.
Exemptions from applicability include processing solely for private household purposes, official statistics with anonymized data, processing by judicial authorities and processing for public order.
2. Data Controller Registry VERBIS and VERBIS representative
A “data controller” according to Article 4 para (1) lit (i) KVKK is a legal or natural person determining the purpose and means of processing personal data. Article 16 KVKK stipulates that all Turkish and non-Turkish data controllers must register in the Data Controller Registry (VERBIS) before starting to process personal data. Only certain professions and bodies, such as notaries public, law firms and accounting firms, trade unions and political parties, are exempted. For non-Turkish data controllers there is no threshold based on turnover or the number of employees, meaning that even small non-Turkish organisations are subject to KVKK.
The VERBIS registration requires entering a company’s processing activities with:
- the data categories,
- the categories of data subjects,
- the purposes of the processing,
- the legal basis,
- the data transfers,
- the technical and organisational measures and
- the retention period.
Any changes to these records have to be made public through VERBIS within seven days of the change.
This registry is to be made public under the supervision of Turkish data protection authorities.
3. Requirements for Non-Turkish controllers
Similar to Art 27 GDPR, the Turkish data protection regulation contains a provision, applicable only to foreign data controllers, requiring them to appoint a representative in Turkey in addition to the VERBIS registration. Unlike under GDPR, there is no obligation for data processors to appoint a representative. However, it is important to note that the applicability of KVKK does not depend on the amount of Turkish data subjects' data that is processed. So being a B2B service provider with limited sales activity in Turkey does not per se exclude KVKK applicability.
Furthermore, the representative conducts the registration for VERBIS. The prevailing legal opinion considers registration by the foreign controller itself to be impossible. At least from a practical point of view this makes sense, because an attempt by a foreign data controller to self-register would amount to declaring to the Turkish data protection authority its own non-compliance with the requirement to appoint a representative.
In GDPR and UK-GDPR you will find an exemption for the appointment of a representative for public bodies, meaning e.g. public universities and governmental institutions do not have to appoint a representative according to Art 27 (UK) GDPR. However, as mentioned above, KVKK does not distinguish between private and public bodies, but only contains exemptions for preventive, protective and intelligence activities by public bodies.
The process of appointing a data controller representative in Turkey is more complicated than under GDPR, because the appointment needs to be signed and the signature needs to be notarized and apostilled. An end-to-end digital process is not possible.
4. Data subject rights under KVKK
Besides the information right, Turkish data subjects have the following data subject rights (DSRs):
- Right to access
- Right to rectification
- Right to be forgotten
- Right to restriction
- Right to object to processing through automated decision making
- Right to compensation for damages
The Turkish data protection authority has published a Communiqué on the procedure for data subject requests. The request made by the data subject must include name, physical address, Turkish Citizen number (TC), a contact method (email, fax number, telephone) and of course the subject of the DSR. The answer of the controller must contain the same information.
5. What are the fines for non-compliance?
For violations of disclosure obligations, fines of up to TL 270,000 may be imposed in 2022. However, for violations of the registration obligation in VERBIS, significantly higher fines of up to TL 2,700,000 may be imposed. Administrative fines in Turkey are re-evaluated each year. The increase from 2021 to 2022 is 36.20%. This should be kept in mind when working on compliance with KVKK.
Take action now and onboard your Turkey DCR
From December 31st, 2021, onwards the obligations to appoint a Data Controller Representative and to register with VERBIS are enforceable. Avoid fines and demonstrate your KVKK compliance by appointing Prighter.