0212 438 04 76
0541 341 20 34
Get Offer

What is the Personal Data Protection Law?

What is the Personal Data Protection Law?

Law No. 6698, dated April 7, 2016, is the first official law that came into force in our country on the protection of personal data. Within the scope of the Personal Data Protection Law, new legal responsibilities have emerged, especially for companies. Law No. 6698, which generally overlaps with the laws on the protection of personal data applied in the European Union, is not an exact copy, even if it resembles EU laws. Rather, it can be defined as the national data protection law developed on the protection of personal data by preserving the compatibility of EU laws and Turkish laws. Because the Law on Protection of Personal Data, Turkish Penal Code and T.C. It took its final form in line with the provisions of the Constitution. At this point, it has filled a gap in the Turkish legal system related to advanced technology and information communication tools, which is clearly felt.

In order to better understand KVKK, it is useful to explain some of the concepts specified in the law. The most important of these is, of course, the definition of personal data. All kinds of information belonging to real persons are in the status of personal data according to the law. The identity of the said natural person may be certain or identifiable. The natural person whose personal data is processed is also defined as the relevant person in the law.

Defined in KVKK; Another concept whose duties and responsibilities are explained in detail is data controller. Natural or legal persons who process personal data and establish and manage a personal data recording system for this purpose are defined as data controllers. The natural or legal persons authorized by the data controller to process the data are also declared as data processors.

Personal Data Processing Conditions

One of the issues that KVKK emphasizes the most is undoubtedly the rules and principles that must be followed during the processing of personal data. According to the law, data controllers can process personal data under certain conditions. The first of these conditions is the explicit consent of the person concerned. No personal data can be processed without the explicit consent of the person concerned. In some special cases, personal data may be processed without the consent of the person concerned. Some of these are those:

• Clearly stated in laws.
• There is no actual possibility to give explicit consent.
• Parties are obliged to process personal data as per a contract.
• Obligation to process personal data in order to fulfill legal obligations.
• The legitimate interests of the data controller are in question, provided that the rights and freedoms of the data subject are observed.

Some sensitive personal data defined in KVKK can never be processed without the explicit consent of the person concerned. These are information such as religion, language, race, political opinion, belief, sexual life, etc.
Personal data;

• obtaining,
• recording,
• storage,
• preservation,
• replacement,
• reorganization,
• disclosure,
• transfer,
• takeover,
• making it available,
• classification,
• preventing its use,

it means processing the data. In this context, the conditions specified in the law must arise when processing personal data. It should be relevant, limited and measured for the purpose for which it is processed. The reasons that make the processing of data obligatory must comply with the law and the rules of good faith.

Personal Data Protection Authority

The Personal Data Protection Authority, which is a public legal entity, was established to fulfill the duties assigned by the KVKK. This institution has administrative and financial autonomy and is associated with the minister appointed by the president. The main tasks of the institution are:
• To follow up, evaluate, research and prepare suggestions related to the practices directly or indirectly related to KVKK.
• Collaborating with other public institutions, professional chambers, universities and non-governmental organizations regarding personal data.
• To follow and evaluate international developments regarding personal data; to develop international cooperation when necessary.
• To prepare annual activity reports and submit this report to the Presidency, the Human Rights Investigation Commission of the Turkish Grand National Assembly.


Another important issue regarding KVKK is the Data Controllers Registry Information System, namely VERBIS. According to Article 16 of the Law, data controllers with real or legal personality must register with the Data Controllers Registry before starting to process personal data. VERBIS is a platform prepared for entering categorical information about these registration processes and the personal data to be processed. Data controllers can become a member of VERBIS from the website of the Personal Data Protection Authority.

The information to be entered into VERBIS is as follows:

• Data controller information; the representative or contact person appointed by the data controller (if any) information.
• The purpose of processing the personal data in question.
• Data information of these persons regarding the categories to which personal data relates.
• If personal data is transferred to another place according to KVKK, the recipients to whom the data will be transferred.
• He is taken to the dormitory service.
• Security measures related to personal protection
• How long the personal data is kept.