CodeLify
Back to Legal Index

KVKK Compliance

Our commitment to compliance with Turkey's Personal Data Protection Law (KVKK).

Last Updated: May 15, 2023
Last updated: May 15, 2023

1. Introduction

At Codelify, we take data protection very seriously and are committed to complying with the Personal Data Protection Law No. 6698 (KVKK) of Turkey. This page explains how we process personal data in accordance with KVKK principles and outlines your rights under this law.

The KVKK is Turkey's comprehensive data protection law that aims to protect individual privacy and regulate the processing of personal data.

2. Our Role Under KVKK

Under the KVKK, Codelify acts as both a "data controller" (veri sorumlusu) and a "data processor" (veri işleyen) depending on the circumstances:

  • Data Controller: We act as a data controller when we determine the purposes and means of processing personal data, such as when we collect information about our customers and users for account management, marketing, and business operations.
  • Data Processor: We act as a data processor when we process personal data on behalf of our clients who use our services for their own business purposes.

In both roles, we are committed to handling personal data responsibly and in compliance with KVKK requirements.

3. Our KVKK Compliance Measures

We have implemented several measures to ensure compliance with KVKK principles:

3.1 Data Inventory and Registration

We maintain a detailed data inventory (veri envanteri) that documents all personal data processing activities. We have also registered with VERBIS (Data Controllers' Registry Information System) as required by law.

3.2 Explicit Consent

We obtain explicit consent (açık rıza) from individuals before processing their personal data when required by law, and ensure that the consent is freely given, specific, informed, and unambiguous.

3.3 Data Security Measures

We have implemented appropriate technical and organizational security measures to protect personal data against unauthorized access, damage, loss, or alteration.

3.4 Data Processing Agreements

We have implemented data processing agreements with our vendors and partners who process personal data on our behalf, ensuring they meet KVKK requirements.

3.5 Data Breach Procedures

We have established procedures for detecting, reporting, and investigating personal data breaches, and for notifying the Personal Data Protection Authority (KVKK) and affected data subjects when necessary.

4. Legal Basis for Processing

Under the KVKK, we process personal data on one or more of the following legal bases:

  • Explicit Consent: The data subject has given explicit consent for the processing of their personal data for one or more specific purposes.
  • Legal Obligation: The processing is necessary for compliance with a legal obligation to which the data controller is subject.
  • Contractual Necessity: The processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject before entering into a contract.
  • Legitimate Interest: The processing is necessary for the legitimate interests pursued by the data controller, except where such interests are overridden by the fundamental rights and freedoms of the data subject.
  • Vital Interests: The processing is necessary to protect the vital interests of the data subject or another natural person.
  • Publicly Available Data: The personal data has been made public by the data subject themselves.

We clearly identify the legal basis for each processing activity in our Privacy Policy and internal documentation.

5. Data Subject Rights

Under the KVKK, individuals ("data subjects") have several rights regarding their personal data. We have implemented procedures to ensure these rights can be exercised:

5.1 Right to Information

You have the right to be informed about whether your personal data is being processed, the purposes for which it is processed, and to whom and for what purpose it is transferred.

5.2 Right to Access

You have the right to request information about your personal data that we process, including requesting a copy of your personal data.

5.3 Right to Rectification

You have the right to request the correction of inaccurate or incomplete personal data concerning you.

5.4 Right to Erasure

You have the right to request the deletion or destruction of your personal data under certain circumstances, such as when the data is no longer necessary for the purpose it was collected.

5.5 Right to Object

You have the right to object to the processing of your personal data in certain circumstances.

5.6 Right to Data Portability

You have the right to request the transfer of your personal data to another data controller.

6. International Data Transfers

When we transfer personal data outside of Turkey, we ensure that adequate protection is maintained through:

  • Written commitment from the receiving party to provide adequate data protection
  • Approval from the Personal Data Protection Board for transfers to countries that do not provide adequate protection
  • Standard contractual clauses or binding corporate rules where applicable
  • Explicit consent of the data subject for the transfer

We regularly review and update our international transfer mechanisms to align with regulatory requirements and guidance.

7. Data Protection Officer

To oversee our data protection strategy and implementation, we have appointed a Data Protection Officer who is responsible for:

  • Ensuring our organization's compliance with KVKK
  • Monitoring internal data protection activities
  • Providing advice regarding Data Protection Impact Assessments
  • Acting as a contact point for the Personal Data Protection Authority
  • Responding to data subject inquiries and requests

You can contact our Data Protection Officer at kvkk@codelify.com for any questions related to KVKK or data protection.

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including any legal, accounting, or reporting requirements. Our data retention policies specify retention periods for different types of data, after which the data is securely deleted or anonymized.

Factors we consider when determining appropriate retention periods include:

  • The amount, nature, and sensitivity of the personal data
  • The potential risk of harm from unauthorized use or disclosure
  • The purposes for which we process the data
  • Whether we can achieve those purposes through other means
  • Legal, regulatory, and contractual requirements

9. KVKK Compliance for Our Clients

We provide tools and features to help our clients comply with KVKK when using our services, including:

  • Data Processing Agreements: Comprehensive agreements that address KVKK requirements
  • Data Subject Request Tools: Features to help clients respond to data subject requests
  • Security Features: Tools and settings to implement appropriate technical and organizational measures
  • Documentation: Clear guidance on how our services can be used in a KVKK-compliant manner

10. How to Exercise Your Rights

If you would like to exercise any of your KVKK rights regarding your personal data, you can contact us through the following methods:

  • By email: kvkk@codelify.com
  • By phone: +90 123 456 7890
  • By mail: Codelify, Istanbul, Turkey
  • Through our online form: [link to data subject request form]

We aim to respond to all legitimate requests within 30 days. Occasionally, it may take us longer if your request is particularly complex or you have made several requests.

If you are not satisfied with our response, you can file a complaint with the Turkish Personal Data Protection Authority (KVKK).