PDPL & GDPR 360+ Compliance Projects Consultancy
We support you in implementing the necessary administrative (+ technical) and legal data privacy measures in order to minimise the number of data breaches you may face, minimise existing risks and threats, prevent reputational and revenue losses for your organisation, and protect your brand value at the highest level.
As GRC LEGAL, we identify the risks that may arise from legal non-compliance and help you put in place the necessary administrative (+ technical) and legal measures to ensure that all kinds of personal data are processed in accordance with the Personal Data Protection Law No. 6698 (“KVKK”), and to make this a life cycle. Data controllers are obliged i) to ensure the implementation of all necessary technical and administrative measures to provide an appropriate level of security in order to prevent unlawful processing of personal data, ii) to prevent unlawful access to personal data, and iii) to ensure the preservation of personal data.
The KVKK, which entered into force on 7 April 2016, initiated a major process of change and transformation by affecting all operational processes and activities of both natural persons and legal entities such as institutions and organisations. This process has a number of internal dynamics arising from the KVKK and its secondary legislation. The KVKK is not only a matter of personal data legislation; it is in a continuous and dynamic relationship with other areas of law and, in particular, with the entire ecosystem in which the human element is present and with which working life is in contact, including all IT systems and infrastructure.
The legislator designed the KVKK as a framework law rather than taking the detailed regulation approach applied in some laws, and left the details to be filled in by practice and experience. For this reason, there is no checklist for “KVKK Compliance” work. The Personal Data Protection Board (“Board”), established as the enforcer and auditor of the KVKK, shapes the living legislation through the guidelines and the principle and sanction decisions it issues in line with needs and demands. It has made a name for itself in business life with its so-called “new generation” rules, with administrative fines of up to 30 million TL imposed on dozens of companies in the last three years.
In addition to complying with their duties and obligations as data controllers under the KVKK and directing and managing the relevant personal data processing activities, companies are obliged to carry out, or have carried out, the audits necessary to ensure and confirm that the provisions of this Law are implemented fully and in accordance with the legislation in their own institution or organisation.
At this point, the Board extended the deadline for VERBIS registration to 31 December 2021 for the last time and has not announced any further extension, in particular in view of the major errors and inaccuracies in the VERBIS records of companies with 50 employees or more and companies with a financial balance sheet total of more than 25 million Turkish Liras. In this respect, accurate and up-to-date VERBIS records have become essential in order to avoid one-time administrative fines of up to 2 million TL in connection with fulfilling other KVKK obligations, including failure to notify VERBIS as required.
Hundreds of thousands of companies, including the big corporate players that shape their sectors, have entered the Board’s audit radar since the effective date of 7 April 2016. Simply registering with VERBIS does not mean compliance with the Law, and companies’ other obligations continue with even greater weight. In this respect, it is now inevitable that compliance work be carried out first, and that audits and continuous updating and compliance mechanisms then confirm whether the processes are integrated in accordance with the Law.
The purpose of the Coaching work, which is carried out with our technical expert and lawyer partners, is to evaluate the compliance work carried out by companies in their capacity as data controllers in terms of scope, content and implementation, and to implement preventive (pro-active) measures in order to avoid any grievance before the Law and the Board, which is the supervisory body. The aforementioned framework regulations have been expanded by the guidelines and decisions issued by the Board, and a number of checklists have emerged covering the administrative, legal and technical measures to be taken for data security.
In this respect, the aim is to ensure full compliance and to make data controllers strong, attentive, transparent and accountable. This is done by ensuring company maturity and adaptation through current status determination and periodic audits, by real-time control of existing risks and company awareness within the scope of the legislation on the technical, administrative and legal measures to be followed, and by making compliance processes part of the internal culture, through operation, documentation, audit, training and process support services provided both remotely and on-site during the service period.