We are here for you to step into a more successful digital future by securing your processes regarding privacy, security, and personal data with the help of our end-to-end solutions for compliance and data protection.
CottGroup® is a leading holistic service provider offering tailor-made solutions to entities located in Türkiye for all their business processes, presenting them with global solutions built on its knowledge and local expertise. With our expert team of consultants, we are ready to be your solution partner, bringing the right combination of people and technology to provide the most appropriate management and consultancy in your KVKK and GDPR compliance processes. Our services can be applied specifically to relevant units and departments or to the whole organization; if you are a multinational organization subject to GDPR, we can also offer our services in packages of various scopes. Our service solutions are mainly as follows:
We offer solutions that will enhance your security infrastructure with the information we obtain about the movement of data within your organization.
We help you maximize the protection of personal data to ensure the continuity of privacy by identifying your processes.
We examine your existing policies and procedures, identify the areas of improvement, and draft them for you to ensure your compliance.
Drafted taking into consideration international documents, the Turkish Constitution, Turkish laws, comparative law practices, and the current needs of our country, this Law aims to protect the fundamental rights and freedoms of individuals, and especially the privacy of personal life, by having personal data processed in line with contemporary standards. In this context, the Law regulates the conditions of processing personal data, the basic principles to be adopted regarding the protection of personal data, the obligations of natural and legal persons who process personal data, and the procedures and principles they will comply with.
In order to harmonize the regulations on the protection of personal data across the member states of the European Union, the Personal Data Processing and Free Movement Directive No. 95/46/EC was abolished in line with the new requirements regarding the protection of personal data. Afterwards, in 2018, GDPR was put into practice. In order to ensure the data security of EU residents, the regulation essentially aims to provide them with an effective approach to privacy and security by reshaping organizations in terms of compliance.
Even though the concepts of fundamental rights and freedoms, personal data, privacy and security have been in our lives since the understanding of human rights emerged, these concepts have become even more important in our daily lives in recent times, with the developments in technology and in the implementation of fundamental rights and freedoms. The Law on the Protection of Personal Data (KVKK), which is the equivalent of GDPR in Türkiye, gives us information and guides us on how to protect our personal data, along with our fundamental rights and freedoms.
KVKK was put into effect in 2016 and all organizations were given a deadline until the end of April 2018 to review their personal data processes and complete their compliance with the Law.
Regardless of their organizational structures or the number of employees, all organizations in Türkiye should have completed their KVKK compliance process by 2018. Completing the compliance process means that an organization arranges and handles any kind of personal data it keeps that belongs to its employees, employee candidates, suppliers, stakeholders, etc., in other words, any kind of data that is subject to the processes which define us, in accordance with the conditions stipulated by the law.
Even if your organization is located within the borders of Türkiye and provides services in Türkiye, it will not be enough for you to comply solely with the data protection processes in Türkiye and KVKK. You may also be subject to the data protection practices of the EU, that is, GDPR. In this case, the compliance process to be implemented within your organization, and whose sustainability is to be monitored, must cover both KVKK and GDPR. In today's world, your compliance process should become a routine business process rather than an audit activity, and personal data protection processes should be adopted as a corporate culture.
Article 3 of the GDPR, titled Regional Scope, regulates that natural or legal persons may be subject to the GDPR even if they are not located within the borders of the European Union. In other words, this article makes clear that it is possible for those who process personal data to be subject to both KVKK and GDPR. If an organization established in Türkiye processes data of EU residents by any means of communication with a person resident in the EU or by a different method (by selling products and/or services to EU residents, or by using one of the languages used in the EU countries in its online systems), the organization will be subject to GDPR regarding these persons; and with regard to the data processing activities carried out in Türkiye, the organization will be subject to KVKK. That is, the organization will be obliged to fulfill the requirements of both laws.
Before KVKK came into force in 2016, there was a sanction for the unlawful acquisition, transmission and non-destruction of personal data in the Turkish Penal Code dated 12.10.2004. On 12.09.2012, with a paragraph added to Article 20 of the Constitution, the protection of personal data became a constitutional right. In 2016, based on the 1995 version of GDPR, the "data processing" processes that can be defined as any kind of transaction on the data were elaborated, and the terms in our lives were filled with the Constitution, Laws and International Conventions.
In the first phase, the internal organizational chart should be prepared, and the personal data processed in the departments/units within the organization should be specified by category (identity, communication, location, health, etc.). Afterwards, a data inventory should be prepared, and the following information should be included in the inventory.
In the light of the data inventory prepared, a declaration should be made to the data controllers' registry through VERBIS. It should not be forgotten that VERBIS and the Personal Data Inventory should contain parallel information and be kept up to date.
Fulfilling the requirements of KVKK should not be understood as a one-time audit, as receiving consultancy, or only as completing the VERBIS registration.
Even if you fulfill some of your legal obligations in this way, it is necessary to ensure continuity for compliance with the Law and ensure that the information declared is up to date.
KVKK entered our lives in 2016 and is still a law that, with its updates, requires us to adapt new practices to our processes. One of the directives of this law is to ensure that all our activities are always sustained in accordance with the provisions of KVKK, and that our record in VERBIS, our Personal Data Inventory and other documents prepared during the compliance process are always kept up to date. Besides, KVKK also states that audits should be carried out periodically to ensure sustainability.
At this point, the audit, consultancy and sustainability services offered by CottGroup® will determine whether your processes comply with the law; and after completing the compliance process, by monitoring whether the sustainability is ensured or not, it will provide a guarantee of protection from administrative and legal sanctions that you may face.
You can access legal regulations on the protection of personal data and current decisions published by the Turkish Personal Data Protection Board through our page on KVKK legislations.
In addition, in order to find out details of the consultancy we can provide you as CottGroup® in your compliance process and the scope of sustainability services we offer to our customers after completion of the compliance process, you can contact us.
By analyzing the risks that may arise from legal non-compliance, we advise on the technical and administrative measures required for you to process and store personal data in full compliance with the Law.
Then, it will be subject to GDPR.
Both KVKK and GDPR aim at the minimization of data and at transparent data processing procedures, along with security and confidentiality methods. Besides, the sanctions for any failure to meet the legal obligations are very serious.
Although both laws have the same core idea, they differ on the penalties. To avoid facing any enforcement or administrative legal procedures, it is crucial to cover the obligations of the law you are responsible under, within the applicable compliance periods.
The given amounts are applied at the beginning of each calendar year, increased by the revaluation rate determined and announced for that year in accordance with the duplicated provisions of Article 298 of the Tax Procedure Law No. 213 dated 4.1.1961.
In addition to the administrative fines mentioned in the Personal Data Protection Law, there are also jail sentences of between 1 and 4 years mentioned in the Turkish Criminal Code.
According to the data of 2020, 32 data breach applications were published by the Turkish Personal Data Protection Authority and administrative fines of 6,870.000 TRY in total were imposed as a result of these sanctions. Moreover, the administrative fines imposed in 2021 were 7,512.000 TRY in total. Thus, the issue of personal data protection has been gaining more importance and the clock is ticking against the organizations that have not yet completed their compliance process.
In case of a probable data breach and/or non-compliance with the regulation, the sanctions to be imposed are very high when compared to KVKK.
The administrative penalty fine is determined as 4% of the company's global revenue for the previous year or 20,000.000 EUR. Of these amounts, the higher one shall be imposed as the penalty fine.
Besides, the below mentioned ones shall also be imposed as a penalty:
It is safe to say that GDPR is the enhanced version of the Turkish Data Protection Law (KVKK) and that KVKK is the first version of GDPR, released in 1995 under the name Directive 95/46/EC. Since both regulations are the same in core concepts, it is more efficient for your operations to analyze the liabilities first, then proceed with the compliance measures. It will allow you to save both time and resources.
Within this scope, the main concepts are summarized below.
Key concepts of KVKK are:
Key concepts of GDPR are: