In our webinar held on June 18, 2020, we discussed what risks the changes experienced during and after the COVID-19 period pose in terms of KVKK and how those risks can be managed. As September 30, 2020, the deadline for registration with VERBIS, approaches, you can watch our webinar, in which we addressed the following questions within the framework of the new normal.
• Does the KVKK compliance process end with the VERBIS registration, or does it actually start with the VERBIS registration?
• What lessons should we learn from data breach case studies?
• Can KVKK compliance be achieved only by completing administrative and legal measures?
• How should KVKK technical measures be handled in the new normal?
• How do law, governance and cybersecurity go together?
• How should the relationship between KVKK and other regulations be established?
• How should the retention periods specified in the data inventory be determined?
• Under what conditions should existing company contracts be updated during the KVKK compliance process?
• In what ways do Disclosure ("Aydınlatma") texts and Explicit Consent texts differ?
• What risks does VPN use pose in terms of KVKK?
• Are our existing data security solutions sufficient? How do we identify deficiencies?
• What should we do before, during and after a data breach?
• How are data security measures positioned according to company size?
• What are the overlooked topics in the data inventory?
• How can a data inventory be created in the context of business processes?
• What are the points to be considered when registering with VERBIS?
Our employees work from home and use their own computers. Although we take some precautions, we cannot fully control these computers, and connection is provided via VPN. What can we do about this? These computers only have antivirus programs.
First of all, it should be checked whether the VPN used has any weaknesses itself. Afterwards, employees must be authenticated with multi-factor authentication while remotely accessing company data; otherwise attackers can infiltrate the system through open RDP applications that can be entered with a single password. In addition, it should be checked whether the antivirus / endpoint protection solutions used by the employees are up to date. It should also be ensured that employees do not connect to the internet over a shared network, and during the remote working period the company should provide an internet connection that only the employee can use.
Would it be sufficient for the institution to develop a policy on BYOD and add it to the employment contract in order to fulfill its responsibility?
Accessing company information from personal computers is fundamentally problematic. Because access and control possibilities decrease, many problems are likely to be encountered even before personal data comes into the picture. When we evaluate it in terms of personal data, if the employee works on his/her own computer, in my opinion it will be sufficient to prepare the rules to be obeyed while working in the form of an instruction, to convey it, and to check whether the instruction is being followed. Of course, in cases where the employee is malicious, there will not be much difference between a company computer and an employee computer; in both cases the company will be held responsible as the data controller if adequate precautions are not taken. For such a case, it would be useful to include provisions on disciplinary punishment, recourse for the damage suffered, etc. in the employment contract, as you stated.
For example, among the administrative measures there are areas such as access management policies and procedures, and policies such as storage and destruction. How are we going to evaluate technical measures and administrative measures like these together? Can't we carry out the administrative and technical parts independently of each other?
KVKK is a process that should progress in a holistic structure. While taking administrative measures, it is determined what kind of data the documents in use contain; most of the time, the areas where personal data are kept are determined there, and the appropriate solutions are positioned at the technical measures stage. In fact, these two processes are not independent of each other, but should proceed like a successive spiral. For example, the retention and destruction policy cannot be considered an administrative measure alone, because determining the data to be stored and destroyed proceeds together in the administrative and technical process. While hard copy documents are being examined in the administrative process, a technical examination is required to detect the personal data in the databases.
I have a question for Mr. Umut and Ms. Neslihan. There are many third-party companies we work with. We transfer personal data to these companies, but we do not know what security measures they take. We have written in our contract that all violations are the responsibility of these companies. If there is a data breach, do these companies cover all the penalties? We wrote it in the contract, but we are the data controller after all?
It will be useful to specify which security measures should be taken in the data processing contract to be signed. If it is left to the discretion of the data processor, the likelihood of adequate security measures being taken will decrease, in my opinion. As is known, in case of any penal sanction, it is possible to pass this penalty on to the other party of the contract through the contractual relationship. However, as a basic principle of the Law of Obligations, I would like to remind you that this contract is bound by the mandatory rules of law, and that no one can claim compensation from third parties for a loss based on their own fault. I will not go into details here about guaranteeing the contract, bona fide solutions, etc., but I would like to state that even if you are going to have recourse to the data processor, you can only do so in proportion to the fault of the data processor, and if all the fault is yours, you will not be able to have recourse at all.
Regarding the sending of data abroad: for example, can records of events held over Zoom being kept on foreign servers by Zoom be considered within this scope?
Yes, it can be evaluated.
Hello, there are applications that make it mandatory to provide data for the transition to online operations, especially during the pandemic. For example, as a student, while our exams are held online, some universities require the camera and microphone to be turned on; here it is necessary to provide personal data in order to take the exam. Forgive me if I'm wrong, but I know that providing personal data cannot be a prerequisite for receiving services. What do you think about the right to education, which is a constitutional right, in this context?
In accordance with the law, certain conditions are stipulated for the processing of personal data; in summary, "explicit consent" is obtained in matters that do not fall under the headings of 1) other, 2) other. The most important and powerful item under the "other" heading is "explicitly stipulated in the law". Determining the identity of the person taking the exam, and determining at the entrance to the exam that the person required to take the exam and the person taking it are the same person, are obligations arising from the law. It's like showing your ID when you enter the exam venue and letting the supervisor examine it at the desk. In other words, in this sense, the processing of your data serves a greater purpose. Conversely, you don't want someone else to take the test for you and deliberately give you a low grade. In other words, the said regulation in the law actually aims to protect your data. Although service provision cannot be made subject to explicit consent, if one of the processing conditions in Article 5 of the law is present, the data can be processed without explicit consent, and if the personal data is not provided, the service can be withheld. For example, you will not be able to enter the exam area without showing your ID.
When we do not fill in the VERBIS registration in detail, or we provide incomplete/wrong information, how will it be checked? When do you think the KVK Authority's audit work on this will start?
The Board has started to recruit auditors and consultants intensively within the last 6 months, which shows that the Board will begin to audit companies within the scope of protecting personal data on a regular basis, like financial audits, in the near future. My prediction is that it will start with the end of the VERBIS registration deadlines.
I would like to ask a question to Ms. Neslihan. We renewed our contracts with third parties within the scope of KVKK months ago. It is stated in the Law that data controllers and data processors are jointly responsible. However, third parties have also switched to working from home, and the processes of these data processors regarding technical measures in the contract have changed. Do we need to re-contract with these data processors? Because we have difficulty controlling the technical measures being taken at the moment.
In the data controller-data processor contract, if there is a change in the scope of data processing, its purposes or the scope of the personal data processed, the contract must of course be renewed; otherwise there is no need to renew it. However, we should not forget that the data controller is obliged to control and follow the administrative and technical measures taken by the data processor. Therefore, it is the responsibility of the data controller to check whether the data processor has taken the precautions required by the transition to remote working, and whether VPN security has been ensured. In case of any data leakage, the data controller is also responsible for this breach.
What is your opinion on the Board's approach to the use of the Cloud, again referring to Article 9, which addresses obtaining explicit consent, and on the "safe countries" and cloud providers part being left out of the release despite years of requests?
First, listing the countries with published minimum specifications is very difficult and produces inconsistent results. Actually, I think that this provision in the law is problematic. It is not right to expect a board to decide whether a country is safe or not. Banning the export of data abroad is not a reasonable solution in integrated economies. I think that the focus should be on the measures to be taken individually.
No matter how much awareness training we give to employees, data breaches in the sense of KVKK occur every day in the company. Simply put, employees can access the databases of departments outside their own fields or share them with each other via e-mail. How can we prevent this within the scope of technical measures?
Of course, awareness alone will not be enough in this case. Employees should not be able to access anything other than the documents and fields they need to use in their own business processes. For this, I can recommend using Active Directory as the simplest method. If e-mail security is also to be ensured and a stronger measure is desired with regard to sharing via e-mail, certain rules can be written with DLP to prevent employees' personal data from being shared with anyone other than certain people, or a warning message can be sent to the admin when it is shared, so that it is determined who shared it and a warning is issued.
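As an added illustration of the DLP rule described in this answer (and of the database-side detection of personal data mentioned earlier in the holistic-process answer), here is example code that is not from the webinar or from CyberArts: an outbound-mail check that finds Turkish national ID numbers (TCKN) by their checksum and decides to allow, alert the admin, or block depending on the recipients, recording the sender so the share can be attributed. The domain, the approved-mailbox list and the sample messages are constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Hypothetical policy (assumption): only these mailboxes may receive personal data.
ALLOWED_RECIPIENTS = {"hr@example.com", "legal@example.com"}
INTERNAL_DOMAIN = "example.com"

# Candidate TCKN: 11 digits, first digit non-zero. Checksum is verified separately
# so that arbitrary 11-digit numbers (order ids, phone numbers) do not trigger alerts.
TCKN_RE = re.compile(r"\b[1-9]\d{10}\b")


def is_valid_tckn(s: str) -> bool:
    """Checksum rules of the Turkish national ID number (TCKN)."""
    d = [int(c) for c in s]
    if len(d) != 11 or d[0] == 0:
        return False
    odd = sum(d[0:9:2])    # digits at positions 1,3,5,7,9
    even = sum(d[1:8:2])   # digits at positions 2,4,6,8
    return (odd * 7 - even) % 10 == d[9] and sum(d[:10]) % 10 == d[10]


def find_personal_data(text: str) -> list[str]:
    """Return the personal-data findings in a text (also usable over database dumps)."""
    return [f"TCKN:{m}" for m in TCKN_RE.findall(text) if is_valid_tckn(m)]


@dataclass
class Decision:
    action: str                     # "allow", "alert" or "block"
    sender: str                     # kept so the admin knows who shared the data
    findings: list[str] = field(default_factory=list)


def evaluate(sender: str, recipients: list[str], body: str) -> Decision:
    """Apply the DLP rule to one outbound message."""
    findings = find_personal_data(body)
    if not findings:
        return Decision("allow", sender)
    if all(r in ALLOWED_RECIPIENTS for r in recipients):
        return Decision("allow", sender, findings)       # approved mailboxes only
    if all(r.endswith("@" + INTERNAL_DOMAIN) for r in recipients):
        return Decision("alert", sender, findings)       # stays internal: notify admin
    return Decision("block", sender, findings)           # leaves the company: stop it


if __name__ == "__main__":
    # Constructed sample message; 10000000146 is a checksum-valid test number.
    print(evaluate("ali@example.com", ["sales@example.com"], "Kimlik no: 10000000146"))
```

The alert path gives the admin the sender and the findings, which is the attribution the answer above describes; a real deployment would also log the message id and recipients.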
SPEAKERS
Moderator
Erdem Eriş
CyberArts
Founder & General Manager
Neslihan Kocacık
CyberArts
KVKK Consultant
Güniz Çiçek
Elmadag Law & Consultancy
Lawyer
Umut Şensu
Lawyer