What should institutions pay attention to while preparing for Law of Protection of Personal Data transformation?

To this date, an administrative fine of approximately 9 million TL has been imposed within the scope of the Law of Protection of Personal Data. Companies need to transform in all areas within the scope of Law of Protection of Personal Data. Otherwise, the risk of penalty is high.

The fact that a large part of business and daily life has now been transferred to digital environments, the increase in data collection and processing capacity has brought along the need to protect personal data.

Law of Protection of Personal Data that entered into force in 2016 in Turkey but it was not fully implemented by companies.

The Law of Protection of Personal Data, which includes critical changes for companies, has brought many concepts and obligations such as data controller, data processor, and personal data not being processed with explicit consent. Companies are also required to register with the Data Controllers Registry Information System (VER-BİS).

THERE IS A PENAL SANCTION

An administrative penalty from 15 thousand TL to 1 million TL can be imposed on those who do not fulfill their obligations regarding data security. In 2020, the upper amount will increase to 1.5 million TL.

WHAT SHOULD INSTITUTIONS CONSIDER WHEN PREPARING?

PEAKUP, which provides consultancy services to institutions, has prepared a list of nine items to work in accordance with the Law of Protection of Personal Data.

1- It should be shared with the candidate in detail for how long the resume containing the personal information of the candidate applying for a job will be kept in the company database and who it will be shared with, and when they will be destroyed or anonymized.

2- The storage conditions of resumes should be protected against any office accident or cyber-attack.

3- In resumes with reference information, the candidate should be reminded that he/she must also get the consent of the person of reference.

4- The protection conditions of health information or criminal record that are in the cope of special personal data must comply with the Law of Protection of Personal Data processes.

5- Law of Protection of Personal Data clause should be added to employee contracts to inform them about their rights.

6- Consent of the employees must be obtained before sharing their photographs.

7- The angles of security cameras should be positioned in a way that they do not interfere with the private life of the employee.

8- Fingerprints or retinal scanning should not be preferred in security solutions.

9- Risk analysis should be done in IT departments in order to avoid internal and external cyber-attacks.