23 Jun, 2020

KVKK Compliance in the New Normal

In our webinar held on June 18, 2020, we discussed what risks the changes experienced during and after the COVID-19 period pose in terms of KVKK, and how these risks can be managed. As September 30, 2020, the deadline for registration with VERBIS, approaches, you can watch our webinar in which we addressed the following questions within the framework of the new normal.

• Does the KVKK compliance process end with the VERBIS registration, or does it actually start with it?
• What lessons should we learn from data breach case studies?
• Can KVKK compliance be achieved only by completing administrative and legal measures?
• How should KVKK technical measures be handled in the new normal?
• How do law, governance and cybersecurity go together?
• How should the relationship between KVKK and other regulations be established?
• How should the retention periods specified in the data inventory be determined?
• Under what conditions should existing company contracts be updated during the KVKK compliance process?
• In what ways do information (privacy notice) texts and explicit consent texts differ?
• What risks does VPN use pose in terms of KVKK?
• Are our existing data security solutions sufficient? How do we identify deficiencies?
• What should we do before, during and after a data breach?
• How are data security measures positioned according to company size?
• What are the overlooked topics in the data inventory?
• How is a data inventory created in the context of business processes?
• What are the points to consider when registering with VERBIS?


Webinar recording: https://youtu.be/Jfsuc9E_MoU

Q&A

Q: Our employees work from home and use their own computers. Although we have taken some measures, we cannot fully control these computers, and the connection is made over VPN. What can we do about this? These computers only have antivirus programs.

A: First of all, it should be established whether the VPN used has any weaknesses itself. Then, employees must be authenticated with multi-factor authentication when remotely accessing company data; otherwise attackers can infiltrate the system through open RDP applications that can be entered with a single password. In addition, it should be checked whether the antivirus / endpoint protection solutions used by the employees are up to date. It should also be ensured that employees do not connect to the internet over a shared network, and an internet service that only the employees can connect to should be provided by the company during the remote working period.
Q: Would it be sufficient, for an institution to fulfil its responsibility, to develop a BYOD policy and add it to the employment contract?

A: Accessing company information from personal computers is fundamentally problematic. Due to the decrease in access and control possibilities, there is a possibility that many problems will be encountered even before we get to personal data. When we evaluate this in terms of personal data, if the employee works with his/her own computer, in my opinion it will be sufficient to prepare the rules to be obeyed while working in the form of an instruction, convey them, and check whether the instruction is complied with. Of course, in cases where the employee is malicious, there will not be much difference between a company computer and an employee computer; in both cases the company, as the data controller, will be held responsible if adequate precautions are not taken. In such a case, it would be useful to include provisions on disciplinary punishment, recourse for the damage suffered, etc. in the employment contract, as you stated.

Q: For example, among the administrative measures there are areas such as access management policies and procedures, and the retention and destruction policy. How will we evaluate administrative measures like these together with technical measures? Can't we carry out the administrative and technical parts independently of each other?

A: KVKK is a process that should progress in a holistic structure. While taking administrative measures, it is determined what kind of data the documents in use contain; most of the time, the areas where personal data are kept are identified, and the appropriate solutions are positioned at the technical measures stage. In fact, these two processes are not independent of each other but should proceed like a successive spiral. For example, the retention and destruction policy cannot be considered an administrative measure alone, because determining the data to be stored and destroyed proceeds together in the administrative and technical processes. While hard copy documents are examined in the administrative process, a technical examination is required to detect personal data in databases.

Q: I have a question for Mr. Umut and Ms. Neslihan. There are many third-party companies we work with. We transfer personal data to these companies, but we don't know which security measures they take. We wrote in our contract that all breaches are the responsibility of these companies. If a data breach occurs, will these companies bear the entire penalty? We wrote it in the contract, but in the end we are the data controller?

A: It will be useful to specify in the data processing contract to be signed which security measures should be taken. If it is left to the discretion of the data processor, the possibility of adequate security measures being taken will, in my opinion, decrease. As is known, in case of any penal sanction, it is possible to pass this penalty on to the other party of the contract by way of the contractual relationship. However, as a basic principle of the Law of Obligations, I would like to remind you that this contract is bound by the mandatory rules of law, and that no one can claim compensation from third parties for a loss based on their own fault. I will not go into details here about guarantee provisions in the contract, good-faith solutions, etc., but I would like to state that even if you are going to have recourse against the data processor, you can only do so in proportion to the data processor's fault, and if all the fault is yours, you will not be able to recover anything.

Q: Regarding the transfer of data abroad: can, for example, the recordings of events held over Zoom being kept by Zoom on servers abroad be evaluated within this scope?

A: Yes, it can be evaluated within this scope.

Q: Hello. Especially during the pandemic, there are practices related to the transition to online that create an obligation to provide data. For example, as a student, while our exams are held online, some universities make it mandatory to turn on the camera and microphone; here, an obligation to provide personal data arises in order to be able to take the exam. Forgive me if I am wrong, but as far as I know the provision of personal data cannot be a precondition for receiving a service. In this context, what do you think about making the right to education, which is a constitutional right, conditional on personal data?

A: In accordance with the law, certain conditions are stipulated for the processing of personal data; in summary, "explicit consent" is obtained for matters that do not fall under the other headings. The most important and powerful item under the "other" heading is "explicitly stipulated in the law". Determining the identity of the person taking the exam, and establishing at the entrance to the exam that the person required to take the exam and the person taking it are the same person, are obligations arising from the law. It is like showing your ID when you enter the exam venue and letting the supervisor examine it at the desk. In other words, in this sense, the processing of your data serves a greater purpose. Conversely, you do not want someone else to take the test in your name and deliberately get you a low grade. In other words, the said regulation in the law actually aims to protect your data. Although the provision of a service cannot be made conditional on explicit consent, if one of the processing conditions in Article 5 of the law is present, the data can be processed without explicit consent, and if personal data is not provided, the service can be withheld. For example, you will not be able to enter the exam area without showing your ID.

Q: If we have not worked on the VERBİS registration in detail, or if we have given incomplete/incorrect information, how will this be checked? When do you think the KVK Authority's audit activities on this will begin?

A: The Board has started to recruit auditors and consultants intensively within the last 6 months, which shows that the Board will, in the near future, begin to audit companies on a regular basis within the scope of protecting personal data, like financial audits. My prediction is that this will start when the VERBİS registration deadlines end.

Q: I would like to ask Ms. Neslihan a question. We renewed our contracts with third parties under KVKK months ago. The Law states that data controllers are jointly responsible together with data processors. But the third parties also switched to working from home, and the processes of these data processors regarding technical measures that were set out in the contract have changed. Do we need to sign new contracts with these data processors? Because right now we are having difficulty auditing the technical measures taken?

A: In the data controller / data processor contract, if there is a change in the scope of data processing, its purposes, or the scope of the personal data processed, the contract must of course be renewed; otherwise there is no need to renew it. However, we should not forget that the data controller is obliged to control and follow the administrative and technical measures taken by the data processor. Therefore, it is the responsibility of the data controller to check whether the data processor has taken the necessary precautions with the transition to remote working, and whether VPN security has been ensured. In case of any data leakage, the data controller is also responsible for the breach.

Q: What is your view on the Board, in the case of cloud use, again referring to Article 9 and addressing the obtaining of explicit consent, while leaving the issue of safe countries and cloud providers pending for years despite requests?

A: First, listing countries with published minimum requirements is very difficult and produces inconsistent results. Actually, I think this provision in the law is problematic. It is not right to expect a board to decide whether a country is safe or not. Banning the transfer of data abroad is not a reasonable solution in integrated economies. I think the focus should be on the measures to be taken individually.

Q: No matter how much awareness training we give employees, according to KVKK there is still a data breach in the company every day. At the simplest level, employees can log into the databases of departments outside their own area, or share them with each other by e-mail. How do we prevent this within the scope of technical measures?

A: Of course, awareness alone will not be enough in this case. Employees should not be able to access anything other than the documents and fields they need to use in their own business processes. For this, I can recommend using Active Directory as the simplest method. If e-mail security is also to be ensured and a stronger measure is desired with regard to sharing via e-mail, certain rules can be written with DLP to prevent the personal data of employees from being shared with anyone other than certain people, or so that a warning message is sent to the admin when it is shared, thereby determining who shared it and warning them.
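The kind of DLP rule the answer above describes, as an added example that is not part of the webinar or of CyberArts' material: it assumes Turkish national ID numbers (T.C. Kimlik No) as the personal data type and uses constructed allow-list mailboxes and sample messages, blocking mail that carries such data to anyone off the list and producing an admin alert that names the sender without repeating the data.

```python
import re
from dataclasses import dataclass, field

# Constructed policy for the example (the webinar names no concrete data
# type or mailboxes): personal data, here Turkish national ID numbers
# (T.C. Kimlik No, an assumption), may only be e-mailed to these addresses.
ALLOWED_RECIPIENTS = {"hr@example.com", "dpo@example.com"}
TCKN_RE = re.compile(r"(?<!\d)[1-9]\d{10}(?!\d)")

def is_valid_tckn(s: str) -> bool:
    """Checksum of an 11-digit Turkish national ID: digit 10 is
    ((d1+d3+d5+d7+d9)*7 - (d2+d4+d6+d8)) mod 10 and digit 11 is the sum
    of the first ten digits mod 10. Filters out order numbers and the like."""
    d = [int(c) for c in s]
    odd, even = sum(d[0:9:2]), sum(d[1:8:2])
    return (odd * 7 - even) % 10 == d[9] and sum(d[:10]) % 10 == d[10]

def find_personal_data(text: str) -> list[str]:
    """Return the checksum-valid national IDs found in a message body."""
    return [m for m in TCKN_RE.findall(text) if is_valid_tckn(m)]

@dataclass
class Verdict:
    action: str                  # "allow" or "block"
    sender: str                  # who shared it, for the admin alert
    hits: list[str] = field(default_factory=list)
    offending: list[str] = field(default_factory=list)  # not on allow-list

def evaluate(sender: str, recipients: list[str], body: str) -> Verdict:
    """Apply the rule: mail without personal data passes; mail carrying
    personal data passes only if every recipient is on the allow-list."""
    hits = find_personal_data(body)
    if not hits:
        return Verdict("allow", sender)
    offending = sorted(r for r in recipients if r not in ALLOWED_RECIPIENTS)
    return Verdict("block" if offending else "allow", sender, hits, offending)

def admin_alert(v: Verdict) -> str:
    """Alert text for the admin: names the sender and counts the hits,
    but never repeats the personal data itself."""
    to = ", ".join(v.offending) or "approved recipients"
    return f"DLP {v.action.upper()}: {v.sender} sent {len(v.hits)} national ID(s) to {to}"

# Constructed sample traffic, not from the page; 12345678950 passes the
# checksum, 12345678951 does not and must not count as personal data.
SAMPLE_MAIL = [
    ("ali@example.com", ["hr@example.com"], "Yeni personel TCKN: 12345678950"),
    ("ali@example.com", ["sales@example.com"], "Kimlik no 12345678950 ektedir"),
    ("ali@example.com", ["sales@example.com"], "Siparis no 12345678951"),
]

def run_policy() -> list[Verdict]:
    """Evaluate every constructed message and return the verdicts."""
    return [evaluate(*m) for m in SAMPLE_MAIL]
```

In a real deployment the same evaluation would sit in the mail gateway's DLP engine, with the allow-list maintained per data category rather than as one global set.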

Speakers

Moderator: Erdem Eriş, CyberArts, Founder & General Manager
Neslihan Kocacık, CyberArts, KVKK Consultant
Güniz Çiçek, Elmadag Law & Consultancy, Lawyer
Umut Şensu, Lawyer
