KVKK (Kişisel Verileri Koruma Kanunu - Personal Data Protection Law) is Turkey's personal data protection law, which came into force in 2016. It is also known as Law No. 6698 and is based on EU Directive 95/46/EC. The regulating authority is the Turkish Data Protection Authority (TDPA), or Kişisel Verileri Koruma Kurumu (KVKK), which publishes guidelines that help clarify and further outline Turkey’s data protection regime.
While it is fairly similar to the GDPR, the law differs in that it mandates, for example, that data controllers register in the Data Controller’s Registry, VERBIS, and it does not mention a DPO requirement. Also, the KVKK does not specifically address the processing of personal information of children.
What is Personal Information and what are other key definitions?
Compared with other personal data protection laws, the KVKK includes more definitions. It defines the concerned individual as “the natural person, whose personal data are processed” and ‘personal data’ as “any information relating to an identified or identifiable natural person.”
Although it offers no examples of protected information, it does define and give examples of ‘special categories of personal data,’ understood as sensitive personal information, namely “personal data relating to the race, ethnic origin, political opinion, philosophical belief, religion, religious sect or other belief, appearance, membership to associations, foundations or trade-unions, data concerning health, sexual life, criminal convictions and security measures, and the biometric and genetic data.”
Under the KVKK, organizations are either a ‘data processor,’ meaning “the natural or legal person who processes personal data on behalf of the data controller upon its authorization,” or a ‘data controller,’ understood as “the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data filing system,” which is “the system where personal data are processed by being structured according to specific criteria.”
Last but not least, under this data privacy law, ‘processing’ means “any operation which is performed on personal data, wholly or partially by automated means or non-automated means which provided that form part of a data filing system, such as collection, recording, storage, protection, alteration, adaptation, disclosure, transfer, retrieval, making available for collection, categorization, preventing the use thereof.”