Dataficate
Dataficate is a web-based software which is developed to effectively manage all processes performed within the scope of KVKK.
Dataficate and DPL
Dataficate is an advanced application that helps you manage personal data protection compliance requirements in accordance with the Turkish Data Protection Law (DPL). Dataficate is a one-stop-shop solution that meets the requirements of the DPL.
Inventory Management
The personal data processing inventory is the inventory in which the personal data processing activities carried out by data controllers as part of their business processes are recorded, along with the personal data processing purpose and legal requirement, the data category, the data recipient group and data subject group, the retention period required for the purposes for which the personal data is processed, the personal data that is foreseen to be transferred to foreign countries, and the measures taken regarding data security.
With Dataficate, you can manage the personal data inventory while keeping the previous versions. While managing the data processing inventory, it is also possible to extract, manage and report the authorization matrix, to manage the technical and administrative measures, and to track the status of the data recipients. You can create reports (VERBIS, Personal Data Inventory, etc.) and extract them as PDF, MS Word or MS Excel files.
Consent Management and Obligation to Inform
Explicit consent means that the data subject is clearly presented with information and has the option to agree or disagree with the collection, use, or disclosure of personal information. The data subject, in turn, is the real person whose personal data is processed.
Personal Data cannot be processed without the explicit consent of the data subject (DPL Article 5.1), except for the existence of certain conditions (DPL Article 5.2).
Personal Data cannot be transferred abroad without the explicit consent of the data subject (Article 8.1 and Article 9.1 of DPL).
The data controller is obliged to inform data subjects about the purpose of data processing, such as how the data will be collected, processed, transferred, etc.
In all cases where personal data is processed by the data controller or the parties authorized by the data owner by using physical or electronic media such as correspondence, voice recording, call center activities depending on the explicit consent of the data subject or other processing conditions in the Law, the obligation to inform must be fulfilled. The proof of fulfillment of the obligation to inform is the responsibility of the data controller (COMMUNIQUÉ ON THE METHODS AND PRINCIPLES TO BE FOLLOWED IN FULFILLING THE OBLIGATION TO INFORM DPL Article 5.1.e).
With Dataficate, it is possible to manage explicit consent and fulfill the obligation to inform in accordance with the DPL. While consent can be managed using SMS and e-mail integration, the burden of proof is met electronically on behalf of the data controller with Blockchain and Time Stamp.
Data Subject Request Management and Data Destruction Management
The data subject, the natural person whose personal data is processed, has the right to know the purpose of processing of personal data concerning him/her, to know the third parties to which his/her data is transferred in Turkey and abroad, to request the correction, deletion or destruction of his/her personal data, and to demand compensation in case of loss due to unlawful processing (KVKK Article 11).
The data subject submits their requests in the scope of the Law to the data controller in writing or by other methods to be determined by the Personal Data Protection Board. The data controller accepts the request or rejects it by clarifying its reason and notifies the data subject in writing or electronically within 30 calendar days (KVKK Article 13).
If the reason for processing of personal data disappears, personal data is deleted, destroyed or anonymized by the data controller ex officio or upon the request of the data subject (DPL Article 7.1). All transactions regarding the deletion, destruction and anonymization of personal data are recorded and these records are kept for at least three years, excluding other legal obligations (Deletion, Destruction or Anonymization of Personal Data, Article 7.3).
Dataficate helps manage data subject requests and data destruction processes on a process basis, in accordance with the DPL. Data subject requests are managed through online forms and written applications, and the process can be followed through the related module of Dataficate.
Risk Management
Various risks may arise regarding personal data security in data recording systems. In order to prevent these risks, it is necessary to take appropriate technical and administrative measures by providing the necessary time, resources and expertise.
In order to ensure the security of personal data, it is first necessary to accurately determine what personal data is processed by the data controller, evaluate the risks that may arise regarding the protection of this data, analyze the impact of these risks and take appropriate measures. After these risks are defined and prioritized, control and solution alternatives to reduce or eliminate them should be evaluated in line with the principles of cost, applicability and usefulness, and the necessary technical and administrative measures should be planned and put into practice (PERSONAL DATA SECURITY GUIDE - Technical and Administrative Measures).
Dataficate provides a solution to the Risk Analysis responsibility of Data Controllers by offering a risk management module that complies with the standards for Personal Data (ISO 27001, PCI DSS, etc.).
Agreement/Contract Management
One of the conditions for processing personal data is that personal data can be processed on a contractual basis. Contract management is required in order to identify and associate contractual personal data processing of an enterprise, whose processes are identified by the Personal Data inventory.
Dataficate helps manage contracts based on the process-based inventory, with version tracking.
(Softcopy) File Management
In a company, department-specific files should be kept on a system and the file access logs must be kept and managed in a database. Access to the systems containing personal data should be restricted. (PERSONAL DATA SECURITY GUIDE - Technical and Administrative Measures)
Dataficate secures the files and records file access on the file management infrastructure it provides.
Incident Management
The data controller is obliged a) to prevent the unlawful processing of personal data, b) to prevent unlawful access to personal data and c) to ensure the protection of personal data. Thus, the data controller is obliged to take all necessary technical and administrative measures to ensure the appropriate level of security (DPL Article 12.1). It is stated in the Law that if the personal data is obtained by others illegally, the data controller is obliged to notify the data subject and the Data Protection Board within 72 hours. In other words, the data controller is obliged to manage personal data incidents within the framework of the DPL.
Dataficate enables the management of information security events taking place within the company and ensures that the process is managed in accordance with the DPL in case of a possible incident.
Whistle Blowing Service
The data controller should always be prepared for personal data security incidents. In this regard, it is important to provide the infrastructure that will enable people to pass on information about misconduct or wrongdoing.
Dataficate provides a whistleblowing service to collect information anonymously and helps businesses gather information about personal data issues.
Dataficate Packages
Essential
- User Friendly Wizards
- Inventory Management
- Verbis Compliant Reporting
- Authorization Matrix
- Versioning
- Dynamic Definitions
- Role Based Authorization
- Process Based Management
- Multi Tenant Platform
- Multiple Language Support
Smart
- User Friendly Wizard
- Inventory Management
- Verbis Compliance Reporting
- Authorization Matrix
- Versioning
- Dynamic Definitions
- Role Based Authorization
- Process Based Management
- Multi Tenant Platform
- Document Management
- Agreement/Contract Management
- Multiple Language Support
- Risk Management
- Data Subject Management
- Data Destruction Management
Professional
- User Friendly Wizard
- Inventory Management
- Verbis Compliance Reporting
- Authorization Matrix
- Versioning
- Dynamic Definitions
- Role Based Authorization
- Process Based Management
- Multi Tenant Platform
- Document Management
- Agreement/Contract Management
- Multiple Language Support
- Risk Management
- Data Subject Management
- Data Destruction Management
- Blockchain-based Logging
- Qualified Time Stamp Integration
- Consent Management
- SMS/E-mail Communication Infrastructure
- Incident Management
- Whistle-Blowing Service Management
- ISMS Document Management
Enterprise
Professional
- User Friendly Wizard
- Inventory Management
- Verbis Compliance Reporting
- Authorization Matrix
- Versioning
- Dynamic Definitions
- Role Based Authorization
- Process Based Management
- Multi Tenant Platform
- Document Management
- Agreement/Contract Management
- Multiple Language Support
- Risk Management
- Data Subject Management
- Data Destruction Management
- Blockchain-based Logging
- Qualified Time Stamp
- Consent Management
- SMS/E-mail Communication Infrastructure
- Incident Management