The Law on Protection of Personal Data No. 6698 came into effect in 2016.
The law determines the procedures and principles for processing personal data and establishes a legal basis for it.
The regulations on how personal data of individuals should be processed provide many rights to those individuals, and as a result, impose responsibilities on data controllers who process personal data.
A data controller can be defined as any natural or legal person who processes personal data.
Who is a data controller? A data controller can be a pharmacy where you buy medicine, your doctor, a grocery store in your neighborhood, your school, in other words, individuals or institutions that are touched upon in all areas of life.
Data controllers must take necessary administrative and technical measures to protect personal data and prevent data loss.
Those who meet certain conditions must also register with the DATA CONTROLLERS' REGISTRY INFORMATION SYSTEM (VERBIS). Due to the pandemic, the deadlines for registering with the VERBIS system have been extended by the PERSONAL DATA PROTECTION AGENCY, and the deadline has now been set as December 31, 2021.
WHAT SHOULD BE DONE WITHIN THE SCOPE OF THE LAW ON PROTECTION OF PERSONAL DATA SHOULD BE HANDLED IN TWO STAGES.
During this process, the data controller must identify the works that need to be done within the scope of the Law on the Protection of Personal Data and take necessary measures.
Since the process is somewhat complicated and there are many procedures that need to be carried out, professional support should be obtained in this regard.
For the compliance process to be carried out, individuals or institutions that are well-versed in both technical and administrative aspects of the regulations should be consulted. Each of the administrative and technical measures to be taken should be reviewed individually, and all procedures should be fulfilled.
At the end of the process, a mistake made will have a great financial and legal responsibility.
The data controller needs to take an x-ray, so to speak, and determine the measures to be taken according to the result obtained and carry out the procedures.
In this stage defined as stage 1, necessary administrative and technical measures must be taken, and the data controller must be made compliant with the Law on Protection of Personal Data.
From this point on, stage 2 begins.
CONTINUATION AND ENSURING THE CONTINUITY OF THE LAW ON PROTECTION OF PERSONAL DATA:
After the initiation of the compliance process with the Law on Protection of Personal Data and taking the necessary technical and administrative measures, it is essential to ensure the continuity of the measures taken. Because the Law on Protection of Personal Data is a process that lives and evolves.
If the technical and administrative measures taken by data controllers change, the documents and procedures previously prepared must be updated accordingly.
For example, the employment contract has been made compliant with the Law on Protection of Personal Data, but if there is a change in the legislation later, the employment contract will need to be updated.
If the individuals in the data processing committee leave the job, what will happen?
What procedures need to be followed in case of data loss in the business?
Records must be kept for the necessary legal periods...