Register

Name

Surname

Phone

Password

Membership Agreement I have read and accept.

KVKK Agreement I have read and accept.

SCOPE OF THE LAW ON THE PROTECTION OF PERSONAL DATA The Law does not distinguish between public and private organizations. The procedures and principles determined by the Law apply to all institutions and organizations. Therefore, the provisions of this law will also apply to personal data processed by public institutions. The scope of the Personal Data Protection Law is extremely broad and clear. This law covers all natural and legal persons who process personal data partially or completely, automatically or non-automatically, provided that they are part of the data recording system, as well as natural persons whose personal data are processed. For the institutions in the legal entity group, there is no distinction between being a private or public organization, and the same procedures and principles are accepted as valid for all of them. Since real persons constitute the party whose data is processed, everyone who has the capacity of right is within the scope of the law. Since the law is based on protecting "personal" data and the term "natural persons whose personal data are processed" is used in the provisions of the law, the data of legal entities are excluded from this law. In addition, natural and legal persons who collect and process data without being part of the data recording system are also outside the scope of the law. The Law obliges natural and legal persons who will process data to register with the Data Controllers Registry (VERBIS). However, in some cases, considering criteria such as the size, nature, subject matter and purpose of the data to be processed, the Board may exempt some data controllers from registering with this registry. The law only applies to data relating to natural persons. Data relating to legal entities are not covered by this law. This is because Article 1 of the Law uses the term "natural persons whose personal data are processed". The provisions of the Law on the processing of personal data do not apply to personal data that are physically recorded and are not part of the data recording system.

After the Law No. 6698 entered into force, one of the concepts that entered our lives together with personal data and the processing of this data is the concept of "explicit consent". In Article 3 of the Law, explicit consent is defined as "consent regarding a specific subject, based on information and expressed with free will". Accordingly, Article 5, paragraph 1 of the Law states that "Personal data cannot be processed without the explicit consent of the data subject", Article 6, paragraph 2 states that "Processing of sensitive personal data without the explicit consent of the data subject is prohibited", Article 8, paragraph 1 states that "Personal data cannot be transferred without the explicit consent of the data subject", and Article 9, paragraph 1 states that "Personal data cannot be transferred abroad without the explicit consent of the data subject". Anonymization (Anonymization) Anonymization or anonymization refers to making the data impossible to be associated with an identified or identifiable natural person under any circumstances, even if the data is matched with other data. In this context, if it can be understood to whom the data belongs after matching and supplementing with other data by performing a trace on the remaining data, this data cannot be considered to be anonymized. At this point, it should be noted that there is a difference between anonymous data and anonymized data. While anonymous data refers to data that cannot be associated with a specific person, anonymized data is data that was previously associated with a person but is no longer linked. Data Subject The Law stipulates that only the data of natural persons are protected. For this reason, the term "data subject" is used to refer to the natural person whose personal data is processed. According to the purpose of the law, the fundamental principle to be protected consists of fundamental rights and freedoms, especially the right to privacy. The person to be protected is the "natural person" as clearly stated in the definitions section of the regulation.Personal Data Personal data is any information relating to a specific or identifiable person. In this case, it can be said that basically two criteria are used to distinguish personal data from non-personal data. Accordingly, in order to talk about personal data, the data must be related to a person and this person must be specific or identifiable. Personal data is any information that shows the personal, professional and familial characteristics of an individual, which is suitable for distinguishing that individual from other individuals and revealing his/her qualifications. In the Law, personal data is defined as "any information relating to an identified or identifiable natural person". This information includes issues such as the identity, ethnic origin, physical characteristics, health, education, employment status, sexual life, family life, communications with others, residence address, credit card, personal thoughts and beliefs, association and union memberships, shopping habits of a certain person. Processing of Personal Data The concept of processing personal data refers to a chained cycle. Article 2 of the Law defines data processing as a process that starts with the acquisition of personal data for the first time by fully or partially automated or non-automated means, provided that it is part of any data recording system, and any subsequent processing. After personal data is collected in the specified manner, any activity carried out in the process until deletion, destruction or anonymization is considered as processing of personal data within the scope of the law. Personal data can be processed in various ways: - Collection or recording: Processing of personal data starts from the moment they are obtained for the first time. - Organizing/storing: Storing, hosting or storing personal data in a digital or physical environment is considered as processing. - Use/modification: Any use of personal data, including viewing, is considered processing. - Transmission: Transmission of personal data by various means. - Dissemination/making accessible: Making data digitally available to third parties, such as physically distributing or sharing it, is also a form of processing. - Blocking/deletion/destruction/anonymization: These are also considered as a processing activity. Data Controller and Data Processor Data controller refers to the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system. Legal entities are themselves "data controllers" within the scope of their activities in processing personal data, and the legal liability specified in the relevant regulations will arise in the person of the legal entity. Data processor is defined as natural or legal persons who process personal data on behalf of the data controller based on the authorization granted by the data controller. These persons are a separate natural or legal person authorized by the data controller through a personal data processing agreement, who processes personal data within the framework of the instructions given to him/her. The activities of the data processor are mostly limited to the technical parts of data processing. The authority to take decisions regarding the processing of personal data belongs to the data controller. The data controller is the person who determines the purpose and method of processing personal data. In other words, it is the person who will answer the questions of "why" and "how" the processing activity will be carried out. It is possible to say that a legal or natural person can be both a data controller and a data processor at the same time. For example, a tourism company acts as a "data controller" with respect to the data of its own employees, while it acts as a "data processor" with respect to the data of its customers' employees.

DATA RECORDING SYSTEM (VERBIS) Data recording system refers to the recording system in which personal data are structured and processed according to certain criteria. These systems can be created in electronic or physical environment. The Law obliges natural and legal persons who will process data to register with the Data Controllers Registry (VERBIS). According to the justification of the law, personal data processed by non-automatic means will not be considered within the scope of the law if they are not part of a data recording system.

DATA CONTROLLERS REGISTRY INFORMATION SYSTEM (VERBIS) VERBIS is a registration system in which natural and legal persons who process personal data must register before starting to process personal data and enter information on a categorical basis about the personal data they process. According to Article 16 of the Law No. 6698 on the Protection of Personal Data, real and legal person data controllers who process personal data are required to register with the Data Controllers Registry before starting to process personal data. In this context, Data Controllers Registry Information System ("VERBIS") has been prepared by our Presidency and data controllers will register to this system. For registration to VERBIS, detailed information can be obtained through the VERBIS guide available at www.kvkk.gov.tr. In addition, through the ALO 198 Data Protection Hotline, which has started to serve as the KVKK Information Advisory Center, technical and legal issues about VERBIS can be accessed and information can be obtained free of charge from anywhere in Turkey, regardless of GSM. No fee is required to register with VERBIS.

WHICH DATA CONTROLLERS ARE OBLIGED TO REGISTER WITH VERBIS? According to Article 162 of the Law, natural and legal persons who process personal data are required to register with Verbis before starting to process personal data. In this context, as a general rule, natural and legal person data controllers resident in Turkey, natural and legal person data controllers resident abroad, and data controllers of public institutions and organizations are required to register with VERBIS if they process personal data in Turkey.

IS IT MANDATORY FOR ALL NATURAL AND LEGAL PERSONS WHO ARE DATA CONTROLLERS TO REGISTER WITH VERBIS? As a general rule, all natural persons and legal entities who process personal data within the borders of Turkey within the scope of their activities are obliged to register with Verbis. Accordingly, all natural person data controllers, except for those exempted by the provisions of the law or board decisions, are required to register with Verbis.

SHOULD ALL DATA PROCESSED BY DATA CONTROLLERS BE REGISTERED TO VERBIS? The information to be entered by the data controllers in the registration to VERBIS will not be the personal data of the real persons whose personal data are processed, but only the information on a categorical basis in the form of headings of the data that the data controllers process. For example, a public institution processes some personal data such as name, surname, telephone number, Turkish ID number, license plate number by fulfilling the obligation to inform natural persons who visit the institution. In this case, it will enter information to VERBIS that it processes not the data such as name, surname, telephone number, Turkish ID number, license plate number of real persons, but the "identity category" and "communication category", which are the upper category of these and are already included as optional fields in VERBIS.