The ‘Law on the Protection of Personal Data No. 6698’, which has been waiting as a draft for many years and came into force on April 7, 2016, is to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data, and to regulate the obligations and the rules to be followed by real and legal persons who process personal data. has its purpose.

Except for the exceptions specified in the Law, personal data cannot be processed without the explicit consent of the person concerned; It cannot be transferred to third parties and abroad. In case of non-compliance with these articles, which are also stated in separate articles in the Law, institutions may be sentenced to administrative fines.

Processing of personal data; obtaining, recording, storing, preserving, changing, rearranging, disclosing, transferring, taking over, making available, classifying or using personal data in whole or in part by automatic or non-automatic means provided that it is a part of any data recording system. It refers to all kinds of operations performed on the data, such as blocking.

Personal Data Protection Law; when personal data is considered as information entrusted to institutions and organizations by their original owners; It lays the groundwork for the data processing institutions to be “accountable” to the original owners of the data regarding the data they have entrusted, and defines the rules. The law brings with it an important transformation for the institutions that process personal data.

Personal data processed before the publication date of this Law should be brought into compliance with the provisions of this Law within two years from the date of publication; Personal data that are found to be in violation of the provisions of this Law should be immediately deleted, destroyed or anonymized. However, the consents obtained from the data owner in accordance with the law before the publication date of this Law may be considered in accordance with this Law, unless otherwise stated by the data owner within one year.

The main question that concerns institutions is: “What should we do to be accountable for the personal data we have entrusted to us?” Institutions that can answer this question will also comply with the Law on the Protection of Personal Data.

Institutions and organizations can answer the above-mentioned basic question:

Solutions to the Law on Protection of Personal Data

They are approaches that are used with leverage effect in order to meet the requirements of laws and regulations for a long time and for the development of the institution, providing the standards and adapting to the times. The method these approaches point to for the Personal Data Protection Law is Institutional Architecture.

What is Enterprise Architecture?

The concept of corporate architecture that entered our lives with the Millennium; It is a business conduct methodology that enables us to define all relationships from strategy to business units, from processes to activities, from the applications and data used in the activities to the information technology infrastructure components on which they run, and to evaluate all kinds of change requests and demands with impact analysis.

Enterprise Architecture; It is a discipline that feeds the decision support system, which is based on the use of common language, standards and references, and business method and which should be arranged according to the dynamics and needs of each institution, and rules the way of doing business.

Enterprise Architecture Frameworks in the world are basically gathered around 3 main frameworks as follows:

The elements that make up the corporate architecture are gathered in four main groups:

1. Elements of business architecture; It includes use cases and task diagrams that design business processes. Objects that constitute data entries, records, data summaries and management decisions that occur during workflows are also part of the business architecture.
2. Information and data architecture; It designs corporate entities, the relationships between these entities, data flows between entities, and business logic. The elements that make up the information and data architecture come together to form the system architecture.
3. Asset packages, interfaces, components, and architectural structures are used to design system architecture elements.
4. Technology infrastructure elements, on the other hand, describe the application software, system software, peripherals, computer hardware and computer networks that make up the systems, and the relationships between these elements.

The Law on Protection of Personal Data No. 6698 aims to take the necessary security measures in systems and infrastructures where the customer data that companies store in their infrastructures.

In this context, companies and institutions are obliged to prevent access violations to the personal data they keep. In the event of a violation that may occur, this access will require forensic investigations, and personal data should be protected with the necessary infrastructure in order to carry out these forensic studies.

According to the classification, labeling and sensitivity of the data, it should be ensured that the accesses are kept under surveillance with the most restricted rights and in a way that can be reported later. It is important to prevent data leakage, to record access to areas where personal data is protected meticulously and to be constantly reportable.

With identity management and access management, access to the sources where the data is located must be provided without administrator rights, through certain approval mechanisms. In addition, the information security tests in these sources should be carried out meticulously, the necessary vulnerability analyzes should be carried out with the relevant tools, reported in accordance with the internal audit and compliance rules, and these analyzes should be carried out periodically.

Some topics to be considered in the field of information security:

It is recommended to establish a joint commission and to establish a governance structure in order to ensure the coordination of the legally indicated items within the Institution/Enterprise with the IT departments. The requirements for the steps to be taken from a legal point of view must be prepared, and then a consistent and sustainable implementation policy must be established.

In the legal sense, the first things to be done are:

After the above-mentioned definitions are made, their legal relations with the articles of the law should be addressed in an understandable and traceable way.

Stakeholder analysis and communication strategy work should be carried out, and it should be ensured that these issues are understood correctly by the stakeholders, task responsibilities are defined and mutually agreed in the action plans, metrics of all kinds of action plans are created in a measurable way by the stakeholders and practitioners and the stages of their follow-up are determined.

Periodic evaluation results of the action plans in accordance with the legal measurem

Criminal Cases

In terms of crimes related to personal data, the provisions of Articles 135 to 140 of the Turkish Penal Code dated 26/9/2004 and numbered 5237 are applied.
According to the law, those who violate personal data are sentenced to imprisonment from 1 to 3 years. In addition, the person who obtains this data through violation can be sentenced to imprisonment from 2 to 4 years.

In accordance with the law on the protection of personal data no. 6698;

From 5,000 Turkish Liras to 100,000 Turkish Liras for those who do not fulfill the obligation to inform in Article 10,
From 15,000 Turkish Liras to 1,000,000 Turkish Liras for those who do not fulfill their obligations regarding data security stipulated in Article 12,
From 25,000 Turkish lira to 1,000,000 Turkish lira for those who fail to fulfill the decisions given by the Board in accordance with Article 15,
An administrative fine from 20,000 Turkish lira to 1,000,000 Turkish lira is imposed on those who violate the obligation to register and notify in the Data Controllers Registry stipulated in Article 16.