
GDPR Measures | What are the Security Measures Envisaged in the Data Controllers Registry?


Personal Data Protection Law Article 12 requires data controllers to take administrative and technical measures to ensure an appropriate level of security. So, what measures must be taken under the Personal Data Protection Law (KVKK)?

Source: Personal Data Protection Authority Data Security Guide
  1. Network security and application security are ensured.
  2. A closed-system network is used for personal data transfers over the network.
  3. Key management is implemented.
  4. Security measures are implemented within the scope of the procurement, development, and maintenance of information technology systems.
  5. The security of personal data stored in the cloud is ensured.
  6. Disciplinary regulations exist for employees that include data security provisions.
  7. Data security training and awareness programs are conducted periodically for employees.
  8. An authorization matrix has been created for employees.
  9. Access logs are kept regularly.
  10. Corporate policies have been developed and implemented regarding access, information security, usage, storage, and disposal.
  11. When necessary, data masking measures are applied.
  12. Confidentiality agreements are signed.
  13. The authorizations of employees who change roles or leave their jobs are revoked in this area.
  14. Current anti-virus systems are used.
  15. Firewalls are used.
  16. The signed agreements include data security provisions.
  17. Extra security measures are taken for personal data transmitted via paper, and the relevant documents are sent in a classified document format.
  18. Personal data security policies and procedures have been established.
  19. Personal data security issues are reported promptly.
  20. Personal data security is being monitored.
  21. Necessary security measures are taken for entering and exiting physical environments containing personal data.
  22. Physical environments containing personal data are secured against external risks (fire, flood, etc.).
  23. The security of environments containing personal data is ensured.
  24. Personal data is minimized as much as possible.
  25. Personal data are backed up and the security of backed up personal data is also ensured.
  26. A user account management and authorization control system is in place, and it is also monitored.
  27. Internal periodic and/or random audits are conducted and commissioned.
  28. Log records are kept without user intervention.
  29. Current risks and threats have been identified.
  30. Protocols and procedures for the security of sensitive personal data have been established and are being implemented.
  31. If sensitive personal data is to be sent via email, it must be sent encrypted and using a registered electronic mail (KEP) or corporate email account.
  32. For sensitive personal data, secure encryption/cryptographic keys are used and managed by different units.
  33. Intrusion detection and prevention systems are used.
  34. Penetration testing is performed.
  35. Cybersecurity measures have been taken and their implementation is constantly monitored.
  36. Encryption is applied.
  37. Personal data transferred via portable memory, CD, or DVD is encrypted.
  38. Data processing service providers are subject to periodic audits regarding data security.
  39. Data processing service providers are being made aware of data security issues.
  40. Data loss prevention software is used.

To receive advice on this matter, please contact us. Contact page.


Address: Nergis Neighborhood, Girne Boulevard No: 83, Floor 2, Apartment 2, Karşıyaka, İzmir

E-mail: info@efeshukuk.com

Phone: +90 534 415 52 56
