The draft of the Law on the Protection of Personal Data (KVKK) was referred to the Presidency of the Turkish Grand National Assembly on January 18, 2016. The KVKK was adopted and enacted by the General Assembly of the Turkish Grand National Assembly on March 24, 2016, and entered into force upon publication in the Official Gazette dated April 7, 2016, No. 29677. On April 7, 2018, the validation period of the Law was completed and the Law became active. As of this date, the KVKK imposes a number of responsibilities on businesses.

At UITSEC, in addition to KVKK consultancy, we carry out compliance audits to identify deficiencies at institutions and organizations that are preparing for compliance with the law.

The relevant audit titles are:

  • Administrative Measures Audit
  • Technical Measures Audit
  • Documentation Audit

Administrative and Technical Measures:

The law requires enterprises to take the following administrative and technical measures related to personal data security. In the event of a violation, businesses can expect large penalties for lacking administrative and technical measures.

Within the scope of the Administrative Measures Audit, the preparations made for the following topics are checked:

  • Personal Data Processing Inventory
  • Corporate Policies (Access, Information Security, Use, Storage and Destruction, etc.)
  • Agreements
  • Privacy Contracts
  • Risk Analysis
  • Employment Contract, Disciplinary Regulation (Adding Legal Provisions)
  • Corporate Communication (Crisis Management, Informing the Board and Relevant Person, Reputation Management, etc.)
  • Training and Awareness Activities (Information Security and Law)
  • Notification to Data Controllers Registry Information System (VERBIS)

Within the scope of the Technical Measures Audit, the preparations made for the following topics are checked:

  • Authority Matrix
  • Authority Control
  • Access Logs
  • User Account Management
  • Network Security
  • Application Security
  • Encryption
  • Penetration Test
  • Attack Detection and Prevention Systems
  • Log Records
  • Data Masking
  • Data Loss Prevention Software
  • Backup
  • Firewalls
  • Updated Anti-Virus Systems
  • Deletion, Destruction, or Anonymization
  • Key Management

Within the scope of the Documentation Audit, the preparations made for the following topics are checked:

  • Personal Data Disclosures
  • Explicit Consent
  • Personal Data Protection Policies
  • Personal Data Storage and Destruction Policies
  • Personal Data Request Methods
  • Personal Data Inventory

At UITSEC, we support institutions and organizations in taking the necessary measures to comply fully with the KVKK and to avoid sanctions in the event of a complaint or violation.