
PURCHASING AND E-COMMERCE MANAGER
The Law on the Protection of Personal Data numbered 6698 was enacted in Türkiye on March 24, 2016 and officially put into force on April 7, 2018, after a 2-year transition period. The law aims to protect the fundamental rights and freedoms of individuals, especially the privacy of personal life, during the processing of personal data, and to regulate the rules that real and legal persons processing personal data must follow. With the enforcement of this law, users’ personal data has been put under protection as a “constitutional right”, and no real or legal person will be able to process personal data or transfer it to third parties and organizations without the explicit consent of the relevant individual. All “legal entities” and sectors, whether public or private, are obliged to comply with this law. Under this law, data owners have the right to learn whether their data has been processed and to request the deletion of any personal data from any kind of institution or organization. Data processed before the law was put into force, on the other hand, should be stored in accordance with the provisions of this law, available on www.kvkk.gov.tr.

What does “processing of personal data” mean?
Within the scope of KVKK, all personal information is “personal data.” This includes identity information, communication, location, customer, transaction security information, financial information, personal information, marketing information, as well as visual and auditory data. The data owner may need to share some or all of their information with the platform operator in order to be able to make transactions on the platform. The platform operator can process and use this data for marketing activities or operational reasons.
What are the basic principles for processing personal data?
The most basic principle is to comply with the law and the principles of honesty. However, principles such as keeping the data up to date, processing the data only for legitimate purposes, and keeping it under appropriate conditions are also important. In addition, it is mandatory under the law to obtain the explicit consent of data owners for processing their personal data.
What is explicit consent?
It is the consent statement that the data owner has given to the data storage platform for the processing of their personal data. When obtaining explicit consent, the conditions of “being related to a certain subject”, “being based on information” and “being given by free will” are required. A user who has given explicit consent also has the right to withdraw it at any time.
In which situations is explicit consent not required?
For data that has already become anonymous/public, and in situations that threaten public order and national security, data may be shared with the relevant authorities without seeking explicit consent, provided that this doesn’t violate the privacy and personal rights of the said individual.
Who are the “data controller” and “data processor”?
The data controller is the real or legal entity that determines the purposes of processing personal data and is responsible for installing and managing the data storage system. The data processor, on the other hand, is the real or legal entity that processes this data on behalf of the data controller. Data controllers are required to inform the user when they receive the user’s personal data and register this in the VERBIS system.
What are the obligations of the data controller?
The data controller has 2 types of obligations. The first is the “Obligation to Inform”. The data controller has to provide information about the purpose of data processing, the ways the data is acquired, and the third parties to whom it can be transferred. The other obligation is the “Data Security Obligation”. The data controller is the party primarily responsible for the security of the data they collect.

What is the “data controller’s track record”?
All real and legal persons who process personal data are required to register in the “Data Controllers Registration System” before starting to process data. The web address https://www.kvkk.gov.tr/ can be used to register in the VERBIS system.
What is the Personal Data Protection Board?
The “KVK Board” is the legal unit that takes measures related to the processing of personal data, supervises data controllers, reviews the objections of data owners and monitors/transfers them to the relevant data controller, looks for possible violations and reaches a final decision.
What happens if the KVK provisions are not complied with?
The data controller is obliged to inform the data owner and the Board if the personal data is obtained by other parties. The Board also provides the necessary information to the public. In addition, there are administrative fines in amounts specified in the law for those who do not comply with the data security provisions.



