The Personal Data Protection Authority has published a guide titled "Familiar Mistakes Regarding the Protection of Personal Data". The guide gives self-explanatory answers to the questions companies frequently ask during the compliance process. It also clarifies some issues that were not clearly stated in the Law and on which consultants and lawyers could not agree during the compliance process.
The questions and answers from the guide that we frequently encounter are as follows:
Since lawyers are exempt from the obligation to register with the Registry, are they also exempt from the Law?
- Being exempt from the registration obligation does not mean being exempt from the Law. Within the framework of the authority given to the Board by Article 16 of the Law, lawyers who have been authorized in accordance with the Attorneyship Law are, pursuant to Decision No. 2018/85 taken by the Board, exempted only from the obligation to register in the Registry. Therefore, the other provisions of the Law will continue to apply to lawyers.
As stated here, the absence of an obligation to register with VERBIS does not mean exemption from compliance with the Law. As we state in all KVKK consultancy processes, even if the Data Controller shares personal data with its lawyers, it has to control how the data is stored, for what purpose it is processed and with what security measures it is protected. Therefore, a change in the parties with whom data is shared does not change the authority and responsibilities of Data Controllers.
Do all data controllers have to prepare a personal data processing inventory?
- Not all data controllers are required to prepare a personal data processing inventory. In accordance with Article 5 of the Regulation on the Data Controllers Registry, the preparation of a personal data processing inventory is an obligation that data controllers responsible for registering with the Registry must fulfill. Therefore, data controllers who are exempt from the obligation to register with the Registry are not obliged to prepare a personal data processing inventory. However, data controllers who are exempt from registration in the Registry are also recommended to prepare a personal data processing inventory.
Again, as stated in the Law, we see that data controllers other than those obliged to register with the Data Controllers Registry are not obliged to prepare a data processing inventory. But the point emphasized once more is that all data controllers must comply with the Law. They are also obliged to take data security measures appropriate to their scope. In case of any data breach, they are likely to face fines or administrative penalties. We believe that these issues should not be ignored.
Will any action be taken against those who do not fulfill their obligation to register in the Registry, although they are not covered by the exception?
- Data controllers who are not within the scope of exemption from the obligation to register with the Registry but do not fulfill that obligation will be identified by the Authority, and action will be taken against them within the scope of the Law.
Here is an answer to a frequently asked question. If the obligation to register with the Registry is not fulfilled, the Authority will take the necessary actions, since this is against the Law. In other words, it seems inevitable that administrative fines will be imposed on those who are obliged to register with VERBIS but do not.
You can find 70 questions and answers like these in the Guide, which is linked below. Stay healthy and safe.
Guide link: https://kvkk.gov.tr/SharedFolderServer/CMSFiles/28d8adba-2b41-41b2-bf36-d0ff0d845666.pdf