What is PDPR Consultancy?

PDPR consultancy ensures the fulfillment of technical administrative and legal consultancy and technical measures in order to increase the security of the company PDPR by ensuring the confidentiality and protection of the data of your customers who leave personal data to your company in order to protect personal data.

Who is the Data Supervisor?

It refers to the person who determines the way personal data is processed and the processing devices, and who is responsible for the establishment and management of the recording system. It is the person who determines the purpose, manner and method of processing personal data.

PDPR and Penalties

Regarding those who violate the obligation to register and notify the data controllers registry, in accordance with the first paragraph of Article 18 of the Personal Data Protection Law (KVKK);
Administrative fines are imposed from 20,000 Turkish lira to 1,000,000 Turkish lira.

Consult Us to Avoid Exposure to PDPR Penalties

Personal Data Protection Law Consultancy

Our Services

Since 1991, Comel has been creating solutions that increase efficiency and reduce operation costs with the vision of “SOLUTIONS MANAGING YOUR FUTURE” within the scope of Corporate Business Solutions, System Integration and Information Security for many companies.

You can find information on technical measures for your PDPR compliance process below.

Purpose in PDPR processes;

Where is there personal data? To find this data.
Do I have a legal basis or express consent to keep this data? To detect it.
Anyone can tell you – do you keep my personal data? If so, for what purpose are you holding it? To be able to answer if asked.
Finding and deleting personal data previously received with explicit consent, upon request of the person giving explicit consent.
To find and delete data belonging to a person after the legal period has expired.
To ensure the security of this personal data.
To be able to do the deletion, destruction or anonymization process as specified in the law.
Technical measures to be implemented in this context are as follows.

Authority Matrix

Authority Control
Access Logs
User Account Management
Network Security
Application Security
Penetration Test
Attack Detection and Prevention Systems
Log Records
Data Masking
Data Loss Prevention Software
Current Anti-Virus Systems
Deletion, Destruction or Anonymization
Key Management

PDPR Data Controller and Responsibilities


PDPR Lighting Obligation

The law on the protection of personal data grants the data subject the right to obtain information by whom, for what purposes and for what legal reasons such personal data can be processed, to whom the personal data can be transferred and for what purposes, and deals with these issues within the scope of the data controller’s obligation to inform the person. Accordingly, the data controller is obliged to provide the following information to the relevant person through the person collecting the personal data during the acquisition of personal data within the framework of the tenth article of the personal data protection law:

  • Identity of the data controller and PGPR representative, if any, defined in accordance with the law on protection of personal data,
  • For what purpose the data will be used within the scope of PGPR,
  • To whom and for what purpose the collected personal data can be given,
  • Collection method of personal data collection according to PGPR law and legal reason according to PGPR, rights earned according to other PGPR listed in the eleventh article.

It should be stated that the data processing activity is subject to the explicit consent of the person concerned within the scope of PGPR, or in cases where the activity is carried out under another condition of the Personal data protection law, the PGPR data controller’s obligation to inform the data subject in accordance with the provisions of the PGPR continues. In other words, the person concerned should be enlightened in accordance with the law on protection of personal data in all cases where personal data are processed.


PGPR Obligations Regarding Data Security

According to Article 12 of the Law regarding the security of personal data, the PGPR data controller;

  • To prevent personal data from being processed contrary to the PGPR law,
  • To prevent access to personal data in violation of the PGPR law,
  • Ensuring the protection of personal data in accordance with the PGPR law
    is obliged with.

In order to fulfill these obligations, the PGPR Data Controller must take all necessary technical and administrative measures to ensure the security level according to the appropriate PGPR. It is among the powers and duties of the PGPR board to take regulatory action to determine the obligations regarding the security of personal data. However, additional measures may be taken depending on the nature of the personal data processed on the basis of the sector, based on the PGPR minimum criteria to be determined by the PGPR Board.

The PGPR Data Controller is jointly responsible with these persons to take the necessary measures to protect the personal data in case the personal data to be collected is processed by another person on his behalf. Therefore, personal data processors are also under the obligation to take measures to ensure personal data security. For example, if the records of the PGPR data controller’s company are stored by another accounting company, the data controller will be jointly responsible for the protection of the personal data together with the accounting company that holds the personal data in order to take the measures specified in the first paragraph regarding the processing of the data.

In the law on the protection of personal data, an audit obligation has been imposed on the personal data controller regarding personal data security. The PGPR Data Controller is obliged to carry out or have the necessary PGPR audits in his company in order to ensure the implementation of the provisions of the PGPR law. Therefore, the PGPR data controller can either perform the data audit of the PGPR himself or have it audited by a third party.

On the other hand, PGPR data controllers and persons who process personal data cannot give the personal data they collect to anyone in violation of the provisions of this personal data protection law and cannot use the personal data for purposes other than processing. This obligation continues even after they leave the job.

Finally, in case the processed personal data is seized by others in violation of the PGPR law, the PGPR data officer will notify the personal data officer and the PGPR Board as soon as possible. The PGPR Board announces this situation, if necessary, on its PGPR website or by any other method it deems appropriate.

It seems clear how important data security is and the need for consultancy on the protection of personal data.


What is the Data Controllers Registry System?

The Data Controllers Registry system serves under the name VERBIS, it is a central recording system in which the data controllers defined in the personal data protection law have to register and declare the information about the processing activities of personal data. PGPR Data Controllers are obliged to register to the PGPR Data Controllers Registry kept by the PGPR Directorate under the supervision of the PGPR Board. Therefore, the PGPR data controllers are disclosed to the public through registration in this system and the protection of personal data is made more effective with this method.

As Comel, we ensure that your Verbis records are made within the framework of our KVKK consultancy service.

Processing of Personal Data According to PDPR

The procedures and principles regarding the processing of personal data are specified in Article 4 of the personal data protection law.
According to this; The general conditions listed in the personal data protection law for the processing of personal data are as follows:

  • Compliance with the PGPR Law, Law and honesty rules,
  • The data reported to the PGPR system is accurate and up-to-date when necessary,
  • Processing personal data for specific, explicit and legitimate purposes,
  • Being connected, limited and proportionate within the scope of PGPR law for the purposes for which personal data are processed,
  • Being kept for the period required for the purpose for which they are processed foreseen or declared in the relevant legislation of the PGPR.
  • The principles regarding the processing of personal data should be at the core of all personal data processing activities, and all personal data processing activities should be carried out in accordance with the principles of the personal data protection law.

For the protection of personal data, COMEL offers the most comprehensive end-to-end PGPR consultancy service to your company.

Consult Us to Avoid Exposure to PDPR Penalties