Author: Attorney Murat Keçeciler
Dear Keçeciler, could you please briefly introduce yourself to us and our readers?
I was born in Konya in 1980 and completed my primary, secondary and high school education at Private Ayşeabla College in Ankara. I then came to Istanbul for my university education. I completed my law degree at Marmara University Faculty of Law between 1998 and 2002. I registered with the Istanbul Bar Association in 2002 and received my attorney's license. After my undergraduate education, I started a master's degree in Private Law at Istanbul University Faculty of Law, which I completed with a thesis titled "Resolution of International Sports Disputes by Arbitration". I am continuing my academic studies in the Private Law PhD program at the Yeditepe University Institute of Social Sciences. I started my career as a lawyer at the legal consultancy of Ulusoy Ticari Yatırımlar Holding in 2002, and later continued at ASC Attorney Partnership, one of the first law partnerships in Turkey. In 2005 I founded "Keçeciler&Partners Law Firm", where I am currently continuing my career as a lawyer. Our office provides private-law consultancy to many companies and has been involved in many M&A projects. Recently, we have been involved in KVKK process management projects with our solution partners. In addition to my legal profession, I serve as a manager in many NGOs and work as a management consultant for IT groups. I have been a member of the Founders Board of the Konyalılar Education Foundation, a member of the General Assembly Board of the Istanbul Arbitration Center (İSTAC), a member of the TFF Arbitration Board, and a member of the Young Businessmen Association of Turkey (TÜGİAD). In addition to these duties, I participate as a speaker in panels and seminars on Youth, Arbitration and IT Law at many universities and youth organizations.
What is the Purpose of the Law and What is Personal Data According to the Law?
The Law ensures that every process involving personal data, from obtaining, storing, processing and sharing it to finally destroying it, is carried out in accordance with the standards it sets. In this context, the Law aims to ensure the security of personal data. For this purpose, significant administrative fines and TCK-backed criminal sanctions are provided for.
According to the Law, Personal Data can be briefly defined as follows: any information relating to a natural person whose identity is known or can be determined.
Isn't this definition too broad?
Yes, the term "any information" is extremely broad. In fact, according to the Law, not only information that directly reveals the identity of a natural person, such as name, surname, date of birth and place of birth, but also all data that makes a person directly or indirectly identifiable, such as telephone number, motor vehicle license plate, social security number, passport number, CV, photographs, video and audio recordings, fingerprints, IP address, e-mail address, etc., is considered personal data. Even a person's nickname or alias is considered personal data if, combined with other data, it helps to identify that person in a distinctive way.
Who are affected by the law?
The Law introduces three categories of persons. The first is the "Relevant Person" (data subject): the natural person to whom the data belongs. It should be noted in particular that the Law protects the data of natural persons. Therefore, data belonging to legal entities that is in the nature of a trade secret, such as company secrets, know-how, customer portfolios, etc., is not protected by this Law.
The Law defines the second group as the "Data Controller". Data controllers are natural persons, or private or public law legal entities, who are responsible for the processes of obtaining, preserving and processing personal data, provided that the processing is fully or partially automated or is part of a data recording system. It is worth emphasizing that legal entities, including public law legal entities, are data controllers. In this sense, all state institutions and organizations, including the Presidency and the Ministries, are legally data controllers and are subject to the obligations regarding the processing of personal data. Of course, public institutions have more exceptions regarding data processing than private law legal entities. For the status of data controller, what matters is that personal data is processed in a data recording system. I would like to draw attention to the fact that those who do not use a technological data recording system but keep data in a recording system, even an analog or paper-based one, will still have the status of Data Controller.
In addition to these two categories, the Law also introduces the definition of "Data Processor". Data Processors are commercial message intermediaries, accountants, lawyers, etc., who process data on behalf of the Data Controller or with the authority granted by the Data Controller. The Data Controller is also responsible for the unlawful acts and actions of the Data Processors.
What are the Obligations of the Data Controller?
The Data Controller is obliged to take all necessary technical and administrative measures to ensure an appropriate level of security in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the safe storage of personal data. In addition to these measures, the Data Controller is obliged to respond to applications by the relevant person arising from Law No. 6698 within 30 days at the latest. Data controllers are also obliged to register in the Data Controllers Registry kept by the Institution and to comply with the principle decisions and secondary legislation published by the Board. In the event of a data breach, notifying the Institution within 72 hours is also among the obligations of the Data Controller.
What are the sanctions for non-compliance with these?
As we stated above, the Law provides certain sanctions for the data controller in cases of non-compliance. In this context, under TCK Article 136, providing personal data to third parties, disseminating it or obtaining it in violation of the law is defined as a crime punishable by imprisonment of 2 to 4 years. Again, under TCK Article 138, if personal data is not destroyed despite the expiry of the legal period, a prison sentence of 1 to 2 years may be imposed. In addition, under Article 17 of the KVKK, if data obtained in violation of Article 7 is not deleted or anonymized, the data controller may face imprisonment of 1 to 2 years.
In addition to prison sentences, administrative fines may be imposed under Law No. 6698: 5,000 TL to 100,000 TL for violation of the Disclosure Obligation, 15,000 TL to 1,000,000 TL for violation of the Data Security Obligation, 25,000 TL to 1,000,000 TL for failure to comply with decisions issued by the Board, and 20,000 TL to 1,000,000 TL for violation of the Obligation to Register in the Data Controllers Registry.
What is Data Policy and End-to-End Audit?
Each Data Controller must carry out, or have carried out, the audits necessary to fulfill its legal obligations and to ensure that the provisions of Law No. 6698 are implemented. For this purpose, a data policy that includes active, end-to-end auditing should be created. An effective data policy should therefore include the following points:
- It should cover process management.
- It should include informed consent, and the methods and processes for obtaining consent.
- In order to ensure data security, it should include "data confidentiality" measures for internal and external data processors, covering the period after they leave the institution.
- If the processed personal data is obtained by others through illegal means, the data controller must notify the relevant person and the Institution as soon as possible; this notification procedure must be included.
- The method, authority and processes for responding to applications by relevant persons must be clearly defined.
- The purposes for which data is used must be clearly defined, and the procedures and principles for destroying data once those purposes or the consent of the relevant person cease and the legal retention periods expire must be included.
In this context, expert consultancy is important when preparing a data policy. It is as important to actively implement and constantly monitor the data policy as it is to prepare it, because Personal Data Protection is a compliance process and, like all compliance processes, it is a living process that needs to be constantly updated. In addition, it is essential to use technical software to detect where the data is and which recording system it is held in, and to observe whether the persons processing the data are performing their transactions in accordance with their authorizations.
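The two technical controls the answer above calls for, locating personal data in a recording system and checking that the people handling it stay within their authorizations, can be sketched in a few dozen lines. The following is an added example written for this page, not software from the interviewee's office or any KVKK tool. It scans constructed sample records for the personal-data categories the interview lists (e-mail address, telephone number, IP address, vehicle plate, national ID number) and then audits a constructed access log against a hypothetical role-to-category policy. The Turkish phone and plate formats and the 11-digit national ID checksum are assumptions about the data format, not something stated on the page; the records, log and policy are made up for the demonstration.

```python
import re

# Patterns for the personal-data categories named in the interview.
# The Turkish phone and plate formats are assumptions, not from the page.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    # Turkish mobile number: optional +90/0 prefix, then 5xx xxx xx xx
    "phone_tr": re.compile(
        r"(?<!\d)(?:\+90|0)?\s?5\d{2}[\s-]?\d{3}[\s-]?\d{2}[\s-]?\d{2}(?!\d)"
    ),
    # Turkish plate: province code 01-81, 1-3 letters, 2-4 digits
    "plate_tr": re.compile(r"\b(?:0[1-9]|[1-7]\d|8[01])\s?[A-Z]{1,3}\s?\d{2,4}\b"),
    # Any 11-digit run; the checksum below removes false positives
    "national_id": re.compile(r"(?<!\d)\d{11}(?!\d)"),
}


def is_valid_tckn(value):
    """Checksum of an 11-digit Turkish national ID (assumed algorithm):
    digit 10 = (7 * sum(odd positions 1..9) - sum(even positions 2..8)) mod 10,
    digit 11 = sum(first ten digits) mod 10, first digit never 0."""
    if not (value.isdigit() and len(value) == 11 and value[0] != "0"):
        return False
    d = [int(c) for c in value]
    odd, even = sum(d[0:9:2]), sum(d[1:8:2])
    if (odd * 7 - even) % 10 != d[9]:
        return False
    return sum(d[:10]) % 10 == d[10]


def scan_text(text):
    """Return {category: [matches]} for the personal data found in one record."""
    found = {}
    for name, pattern in PATTERNS.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if name == "national_id":
            hits = [h for h in hits if is_valid_tckn(h)]
        if hits:
            found[name] = hits
    return found


# Constructed sample records, e.g. lines exported from a ticketing system.
SAMPLE_RECORDS = [
    "Ticket 4711: customer ayse.yilmaz@example.com called from 0532 123 45 67 about invoice 2023-09",
    "VPN login from 192.168.10.24, user id 10000000146, plate 34 ABC 123 in parking log",
    "Order 8812 shipped, tracking 98765432100 (not an ID), no contact data",
]

# Hypothetical policy: which data categories each role may handle.
ACCESS_POLICY = {
    "support": {"email", "phone_tr"},
    "security": {"ipv4"},
    "hr": {"national_id", "email", "phone_tr"},
}

# Constructed access log: who opened which record (1-based record number).
ACCESS_LOG = [
    {"user": "mehmet", "role": "support", "record": 1},
    {"user": "mehmet", "role": "support", "record": 2},
    {"user": "elif", "role": "security", "record": 2},
]


def audit_access(records, log, policy):
    """Flag log entries where a role opened a record holding categories it is
    not authorized for. Returns [(user, record number, [excess categories])]."""
    violations = []
    for entry in log:
        categories = set(scan_text(records[entry["record"] - 1]))
        excess = categories - policy.get(entry["role"], set())
        if excess:
            violations.append((entry["user"], entry["record"], sorted(excess)))
    return violations


if __name__ == "__main__":
    for i, record in enumerate(SAMPLE_RECORDS, 1):
        print(f"record {i}: {scan_text(record)}")
    for user, rec, cats in audit_access(SAMPLE_RECORDS, ACCESS_LOG, ACCESS_POLICY):
        print(f"VIOLATION: {user} opened record {rec} containing {cats}")
```

The inventory side answers "which recording system holds which category of personal data", which is what the registry entry and the retention rules need; the audit side turns the same inventory into a least-privilege check, so an 11-digit tracking number that fails the checksum is not reported as an ID and a support agent opening a record that holds an IP address and a national ID is flagged.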
What Should Be Considered When Preparing a Personal Data Policy?
First of all, it should not be forgotten that this policy will be shaped by each institution's own corporate culture and needs. The guidelines published by the Institution are instructive. In practice, we see companies copying and pasting texts used by other companies without any experience of their own. This causes serious problems, and companies take meaningless risks.
A Personal Data Policy is a set of administrative and technical measures. The COVID-19 period has shown that working-from-home arrangements will be used more frequently. Because of social distancing, it will become more common for meetings to be held online or by video conference, even between people in the same building within an organization. With increasing digitalization, cybersecurity risks are also increasing. For this reason, organizations whose administrative-measure texts are not backed by technical measures may pay a very heavy price in terms of personal data security. Data security is a specialized area within cybersecurity, so it is essential that it is provided by expert technical teams.
While preparing the administrative and technical measures, all units of the data controller must contribute to the process organizationally. The Personal Data Policy is also an institutionalization process; it is therefore important that it is carried out with the contribution of all units, so that the personal data impact of every future change or new transaction within the organization can be assessed. In this way, personal data security awareness among every stakeholder and actor in the organizational structure will be built more quickly.
Is Personal Data Security Separate from Cyber Security?
No. Data security is a subheading within the concept of cybersecurity. Cybersecurity is the practice of regularly checking computers and servers, mobile devices, electronic systems and networks, and of protecting these structures from malicious attacks in order to secure all data, including personal data. The concept of cybersecurity has both a public and a private sector side. The KVKK has introduced a regulation specifically for personal data. There are, on the other hand, special provisions in the TCK regarding cybercrimes, and detailed, specific regulations on cybersecurity in Law No. 5651. In many countries around the world, basic texts and regulations have been introduced to combat the types of crime defined as cybercrimes, internet crimes or IT crimes.
What is the Situation in the Fight Against Cyber Crimes?
With the spread of the internet around the world, the types of crimes and criminals are also changing. Cybercrimes are no longer only crimes committed in cyberspace or against information systems. Today, hybrid and complex types of crime are emerging. At the same time, cybersecurity is becoming an area of international relations. Countries have begun to set out special strategies and policies to prevent cyber attacks, to develop counter-attacks, and so on. It is inevitable that cyber diplomacy will develop and spread in the future.
There is currently no common attitude or approach to combating cybercrime in the world. Since these are transnational crimes, multilateral international agreements as well as bilateral agreements are needed in the fight against cybercrime and cybercriminals. Each country defines cybercrime in terms of its own legislation, so unfortunately there is no uniformity and no template that everyone can directly accept. Making this definition is not easy because of its technological background.
The Budapest Convention, signed in 2001 under the Council of Europe, is an important and pioneering international text in this field. Turkey became a signatory in 2010, and we put the Convention into effect in 2014. In 2016, we harmonized the articles of the Turkish Penal Code with the Convention's provisions on substantive criminal law. Our provisions on criminal procedure still lag behind the Convention. For this reason, some of our deficiencies in the field of computer forensics persist. In this respect, we see that our gendarmerie and police organizations are making significant efforts; however, some shortcomings can unfortunately still be observed on the prosecution side.
Thank you for taking the time to answer our questions.
Thank you for giving me this opportunity.