How to Get Your Software Product Ready for the Turkish Data Protection Law by KVKK: GDPR vs DPL

The Turkish Law on the Protection of Personal Data No. 6698 was published back in 2016. Compliance with this law is to be checked by a Turkish government entity called the KVKK (Kişisel Verileri Koruma Kurumu): in particular, by its Personal Data Protection Board. Registering a company’s management processes and operations with the KVKK is one of the main requirements under this law. While previously most Turkish companies that made business in Europe, were concerned with GDPR-Compliant web and app development for Turkey, now they need to be compliant with this new law.

Turkish businesses requested to prolong the deadline, as they found it a challenge to get ready by the initial deadline of December 31, 2019. On December 27, 2019, the KVKK postponed the deadline until June 30, 2020. Given that there’s little time left, there likely won’t be another delay, so every company that works in Turkey or provides service to Turkish users will soon have to comply with the Law on the Protection of Personal Data.

In this article, we’ll talk about the main points of the Turkey data protection law (DPL for short) that you should take into account when developing software for Turkish audiences, especially if you outsource your development to another country. We’ll also compare this Turkish law to the GDPR that’s in force in the EU.

Registering a company’s management processes and operations with the KVKK is one of the main requirements under this law

There is a misconception that GDPR is the law on the protection of personal data in Turkey. However, if your site or app offers service in Turkey, you should comply with the Turkey data protection laws.

What is the KVKK data protection law?

The DPL is the main law in Turkey concerning the way companies collect, manage, and protect users’ info. The main goal of this law is to protect the rights of individuals to personal privacy. The main government structure that controls compliance with the DPL is the KVKK.

The KVKK is a government entity whose main goal is to enforce the DPL. All companies that store, process, or manage personal information are obliged to register and structure it according to certain criteria. Moreover, companies should comply with the DPL not only for their customers or users but also for their employees. That’s why if you create enterprise software for your workers, you should also make sure it is adequately protected.

So what exactly is data processing in DPL? It’s any operation involving personal data:

• Collection
• Recording
• Storage
• Retrieval
• Alteration
• Transferring
• Classification

KVKK states that personal data is any information that identifies a person:

• Name and surname
• Phone number
• Passport number
• Driver’s licence

Other info that concerns health, sexuality, political opinions, ethnic origin, etc. is data of a special nature and is also protected by the DPL.

The DPL was largely inspired by the GDPR, and we’ll talk about their differences and similarities later. Currently, legislators are still adding and publishing amendments to the law. The main principles of the DPL remain the same though.

1. Explicit consent

Each user or employee that shares personal information with a company, be it sensitive or non-sensitive data, should do so with explicit consent. For example, if you collect email addresses through your website or track users with cookies, you should warn users that you will store and process them. However, in the DPL, there are cases in which personal info can be collected without consent.

This is the case when collection is clearly legitimate according to other laws, when it’s necessary to prevent harm to a user’s life or health.

2. Right to be forgotten

Anyone whose data is stored and processed by a company has the right to request the deletion of that information. Companies need to accommodate these requests as soon as possible.

3. Right of users to know about their data

Users can also request all the data on them that a company processes and stores and may ask how exactly the company processes their data and for what purpose. Users also have a right to know whether companies transfer their info to third parties.

If a user’s information was processed in a manner that violates the law, the user has a right to request compensation.

4. Data transfer restrictions

Companies have to consult the KVKK if they plan to transfer personal data to a third party at home or abroad. The Data Protection Board established by the KVKK will decide whether the country to which a company plans to transfer data is safe in terms of security.

For example, if you outsource backend development to another country, you should make sure the company abroad is able to protect your information. At Mobindustry, we sign non-disclosure agreements (NDAs) with penalties in case of any breaches.

5. Informing on breaches

If a breach occurs, a company is obliged to inform the KVKK as soon as possible as well as to inform users whose data was compromised. If a company used the services of a controller who consulted on data protection measures, the controller will also share responsibility for the breach. A controller may be a physical person or a third party that’s responsible for managing and protecting data.

6. Obligatory technical and administrative measures

According to the DPL, every company and organization should take all necessary measures, both technical and administrative, to protect user data. This includes physical security and cybersecurity measures, both internal and external.

What are the penalties for violating the DPL?

The DPL lays out a strict system for fining companies and individuals who break the law by failing to protect personal data or intentionally violating its security. Here’s a list of possible unlawful actions and punishments:

• If you don’t inform the KVKK and your users about the data you collect and the purpose of its collection and if you fail to provide other information that a user has a right to know, you’ll face an administrative fine of 5,000 to 10,000 lira (approximately $750 to $1500).
• If your company or a data controller who is supposed to provide data security fail to protect user information, the fine is 15,000 to 1,000,000 lira (about $2,300 to $150,000).
• If you fail to provide all necessary documentation to the KVKK for investigation and examination, the fine is 25,000 to 1,000,000 lira ($3,800 to $150,000).
• If you fail to register your company with the KVKK in the Registry of Data Controllers, you’ll need to pay from 20,000 to 1,000,000 lira (around $3,000 to $150,000)

For not deleting personal data from your registry upon request, you may face a 1- to 2-year sentence

Apart from these fines, there’s also criminal accountability for unlawful operations with personal data.

For example, for not deleting personal data from your registry upon request, you may face a 1- to 2-year sentence. Illegal collection or data transfer can be punished with a 2- to 4-year sentence.

What’s the difference between the KVKK law and the GDPR?

The Turkish Data Protection Law was released in anticipation of the GDPR and is strongly inspired by it. They have much in common — for example, an obligation to protect all information both physically and technically. The GDPR and DPL share the right to be forgotten and to know exactly what information is available to companies and how they use it.

Is Turkey governed by GDPR? Only those businesses that work for European clients are governed by GPDR. Turkey GDPR isn’t a thing, as Turkey data protection law 2018 is a similar law to GDPR, but is made for Turkey specifically.

However, there are two main differences concerning the term “explicit consent” and the transferring of data to another country. In the DPL, explicit consent is required as a rule; however, there are many exceptions, as some types of data don’t require consent if processing is permitted by another law. In the GDPR, however, even if a person allows processing of special categories of data, explicit consent is still required.

Another major difference is the rule on transferring data abroad, as customer information can only be transferred to “safe” countries, and the list of those countries is determined by the KVKK. However, so far the list hasn’t been published, so companies will need to request it directly from the Data Protection Board.

The fining systems are also different. According to the GDPR, for the most severe violations the fine is up to 20,000,000 euros, or 4% of the company’s annual global revenue. According to the data protection in Turkey KVKK determines all fines according to the type of violation.

6 steps to compliance with the DPL

Here’s a checklist that will get you ready for the personal data protection law.

1. Keep everything documented

Document every change to your privacy policy, backend updates, and user information. This is very important in case of a breach, as it will allow you to quickly identify where it occurred. It’s also important to document the history of updates, including all changes in third-party services.

2. Update your software and permissions

Look closely at your software product and determine the types of personal user data that are absolutely necessary for you to provide service. For example, Uber requires geolocation — without it, the Uber application won’t be able to perform its main function.

Make sure you don’t gather more than you need, and describe specifically what you need the data you do gather for. You’ll then need to provide this information to the KVKK Data Controller’s Registry and inform your users how the information about them is used.

3. Encrypt all data you store and transfer

Encrypt and obfuscate all data you store. If you store your users’ data without encryption, it will make the consequences of a breach much more critical.

To encrypt properly, consult with cybersecurity specialists. They will help you find the best encryption tool and make sure all your data is stored securely.

4. Investigate all third-party compliance services

Your own software is just one point of entry for hackers. More often, hackers use small breaches in third-party software. This software can be responsible for:

• Geolocation and maps (e.g. Google Maps)
• Mobile payments (e.g. Stripe)
• Social media login (e.g. Facebook API)
• UI elements (libraries and frameworks)

Basically, each library, API, and service you use in your software can become a gateway for hackers. That’s why you should make sure you use reliable third-party software that’s compliant with the Data Protection Law.

5. Educate your staff and users on security

Make sure your staff knows all the measures necessary to prevent а security breach. Have instructions your workers can refer to in different cases.

Also, it’s important to educate your users. Make sure they create reliable passwords for their profiles in your service and know how to react to account violations.

6. Consult with the Data Protection Board on data transfers

If you plan to make a transfer abroad, make sure to consult with the KVKK on countries to which it’s safe to transfer data. Because the KVKK hasn’t yet published a list of safe countries, you’ll need to contact them directly and explain your transfer plans and goals.

How Mobindustry can help you comply with the Turkish Data Protection Law

Mobindustry is a mobile development company with expertise in cybersecurity provided by our partner company Apriorit. We can help you evaluate all categories of data according to the DPL and analyze how you currently deal with this data.

We’ll also help you with documentation concerning the reason for collecting and storing specific categories of data and will make sure the information you collect and store is in fact necessary for your product and service.

Our expertise in security will help us run your software through multiple security and penetration tests to make sure all possible breaches are eliminated.

To sum up, Mobindustry will help you:

• Evaluate and categorize the information you currently collect
• Ensure the security of cloud services, servers, local storage, and third-party services
• Take technical security measures
• Determine possible hazards and vulnerabilities
• Perform risk management
• Minimize the collection of personal info without sacrificing your service
• Educate your staff on security best practices

Contact us to find out more about how we can help you with DPL and GDPR compliance of your software, including websites and both Android and iOS apps.