GDPR and Data

What is DATA?

About 5 years ago, there were no GDPR and KVKK in our lives. In the previous 15 years, there was no e-commerce and Netmera. 40 years ago, Software technologies that were used only in large engineering projects, developed manufacturing sectors and centers of large financial institutions have now entered all areas of life. The customer who wants to get the coat he sees in the store cheaper via the internet, the bank customer who wants to close his term account and get bonds, the taxpayer who wants to pay the delayed tax debt, the passenger who wants to check-in the seat next to the emergency exit door on the plane before anyone else can now do all of these with the phone at hand, without having to leave their home…

Moreover, using Netmera, you can offer your customers a shoe that fits their coat last week, an earthquake policy right after the mortgage loan they use, a limit increase when the credit card limit is low, a car rental proposal to your passengers before Rome travel. In addition to these, you can always inform the restaurant about the promotion of the food it is ordering, and the news about the topics they are interested in, you can also report that the team they are a fan of is scoring while the goal is still in the stadium, and you can even celebrate their birthday even before their partner.

It is not only smart but also cheap, right? In the digital world, you save store, branch, office rental and personnel expenses, and you can engage your customer smart just in time. So, isn’t there a new responsibility brought by this comfort? Even a basic “click” of your customer or your staff in the digital world leaves a personal trail behind them, the name of this trail is data. This data can even be data that your customers do not want to be shared with third parties.


Although personal data is stored in your company’s digital/physical media, the owner of the data is your customer, not you. You can’t collect, store or process this data unless you have your client’s explicit consent. Moreover, this consent is not unlimited. The areas where you can process the data are limited to the extent you receive your client’s explicit consent and with regulatory laws. According to these laws, companies; It is defined as a data controller, not a data owner.

What is KVKK and GDPR?

Despite its broad scope, The EU Data Protection Directive 95/46 / EC, adopted in 1995, was replaced by the General Data Protection Regulation (adopted in the European Parliament in 2016) when it became inadequate with the widespread development of rapidly developing technology and spread of international trade, making borders more and more permeable. GDPR is a European Union regulation aimed at protecting the personal data of EU citizens. In Turkey, No. 6698 Personal Data Protection Act (KVKK) came into force from 2016 again with similar coverage. Both GDPR and KVKK; aim to protect the constitutional fundamental rights and freedoms of its citizens, especially the privacy of private life, by defining their data responsibilities regarding data collection, storage and processing.

The biggest effect of KVKK and GDPR was realized in the field of thought. Until these laws were passed, companies saw themselves as the owners of the data. After this law came into force, it was clearly defined that the sole owner of the data was the real person-customer receiving services from him. Companies have been identified as data responsible who can process and store this data as much as their customer allows, and also need to protect it. And of course, severe sanctions were imposed on data breaches. GDPR envisages very high administrative fines for data breaches, such as 200 million euros or 4% of the company’s global revenue. In KVKK, fines are limited to lower amounts (minimum 5000 and highest 1 million Turkish lira).

What needs to be done to be KVKK and GDPR compatible?

Both regulations clearly define the definition of direct consent. According to this, companies can; In order to collect, store and operate the data, it must specify in detail what purpose this data will be used for, and accordingly requests the approval of customers. Channels should be provided by companies that allow customers who allow the operation of their data to be removed easily and at any time. The processing of the data should be limited and measured concerning what the customer approves of this data. The company should take all necessary technological and administrative measures for data protection and regularly subject its systems to leak and security tests. In case of a data breach, it should be notified to the data owner and data protection authority with the definition of “as soon as possible” although it is not given 72 hours according to GDPR and full time in KVKK. According to KVKK, if the personal data is taken abroad, the direct consent of the customer and the permission of the sector regulators (BRSA, BTK, MASAK etc.) are required. If the customer requests that all of his data be deleted, this data must be deleted entirely or anonymized that it will be impossible to reach the person.

Netmera and GDPR-KVKK

Netmera has highly sensitive software libraries in the collection and processing of personal data. Personal data fields that may be among the analytical data produced by the customer while browsing mobile applications and websites are marked from the Netmera panel and this data is collected and processed only for authorized customers. If the customer has not given permission, Netmera SDK will filter this information and this information will not be collected.
The screens where the personal data of the customer appear are available to authorized users only. All personal data accesses and updates made on these screens are recorded. This information can be reported instantly at the time of the request of the customer or legal authority, and if the customer requests, all personal data can be deleted instantly. Channel notifications (Mobil push, web push, SMS ve e-mail), which are made separately, are made only to the customers who give permission and only in the categories they want. When the customer does not want to be notified, Netmera offers the ways to easily report this to the system, and from now on, it does not make any submissions to the customer from that channel or category.
Netmera is regularly subjected to security and penetration tests by independent audit companies.