MBIS e-Rıza

Sensitive personal data is data which, if disclosed, can leave the data subject open to discrimination or unfair treatment.

Conditions for processing personal data

Personal data shall not be processed without explicit consent of the data subject. Personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:

• It is expressly provided for by the laws.
• It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.
• Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
• It is necessary for compliance with a legal obligation to which the data controller is subject.
• Personal data have been made public by the data subject himself/herself.
• Data processing is necessary for the establishment, exercise or protection of any right.
• Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

Sensitive personal data can only be processed with the explicit consent of data subject or with any of the conditions set out by the law. Personal data can not be transferred in country or abroad without the explicit consent of data subject. The requirements declared by the Personal Data Protection Authority must be fulfilled for international data transfer.

“Explicit consent” means freely given, specific and informed consent by data owners (subject person) for the processing of personal data. Explicit consent must be related to a specified issue, based on information and declared by free will.

There are different implementations in different regulations. Exceptions are defined in the laws that countries are subject to. It is not necessary to obtain explicit consent, in case of exceptions which are referred to in the law.

According to the Personal Data Protection Law, sensitive data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:

• It is expressly provided for by the laws.
• It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.
• Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
• It is necessary for compliance with a legal obligation to which the data controller is subject
• Personal data have been made public by the data subject himself/herself.
• Data processing is necessary for the establishment, exercise or protection of any right.
• Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

Explicit consent must be clear, understandable, simple and include a positive consent statement. Clarification must be presented before the consent statement. Explicit consent must be provable. Explicit consent must be withdrawable.

The obligation of data controller to inform informs the data owner about; the identity of the data controller and, if any, its representative, the purpose for which personal data will be processed, the method and legal reason for collecting personal data and to whom and for what purpose personal data can be transferred, before processing personal data.

According to KVKK, disclosure is required during the acquisition of personal data. The fulfillment of the disclosure obligation must be provable. Disclosure should be carried out whenever personal data are processed or when the purpose of data processing changes. The disclosure obligation must be fulfilled; within a reasonable period after obtaining the personal data if personal data are not obtained from the subject person, during the first contact if the personal data will be used for communication with the subject person, and at the latest during the first transfer of the personal data if the personal data will be transferred.

e-Rıza is a personal data management system developed in compliance with different regulations such as GDPR and KVKK. It is a mobile compatible web application that can work with different systems with its powerful integration functions, and which helps manage processes such as creating a personal data processing inventory, automatically creating explicit consent texts, obtaining explicit consent from institution employees and third parties via email or integration, collecting personal data through automatically created forms, and obtaining Explicit Consent via email or SMS for the information in these forms, fulfilling the obligation of data controller to inform and meeting the information requests of individuals and institutions.

Data integrity is ensured by defining environments which personal data are stored to the system, information and data changes from data owners are managed, tasks are created for the environments where personal data are stored by calculating the retention periods of the purposes. It has many features such as multi-company management, management of transferred of external clarification and consents, strong reporting structure, multiple language support, information management, role and field-based user management, department management along with API support, CMS integration, secure file transfer and cloud model. In addition, new features are presented to customers every day through integrations to new systems.

The system's Individual Login Module enables data owners to manage their explicit consent requests from all institutions using the e-Rıza system without registering, providing corporate transparency and facilitating explicit consent management.

e-Rıza is a mobile compatible web application, not a software module. It supports different regulations such as GDPR and KVKK. Its strong infrastructure enables the integration of external systems. Tasks that can be created for environments where personal data are stored and, these tasks can be read and operated directly via external software. With the principle of transparency, personal data owners can examine their explicit consent, monitor data processing purposes, and easily manage them. It includes different features such as security measures inventory, message management system integration, versioning, secure file transfer, and customized reporting. It has a file upload feature that enables fast multiple data entries and updating the inventory. e-Rıza works in the cloud and is constantly developing by gaining new features.

To obtain explicit consent on e-Rıza these steps can be followed:

• After selecting one or more purposes on the e-Rıza system, selecting the contact groups (selecting an individual person, a group of persons or uploading from excel) and sending the explicit consent requests directly by email,
• Sending explicit consent requests with e-Rıza forms via email and sending the explicit consent confirmation code via SMS,
• Creating e-Rıza events and obtaining the data owner's consent during registration,
• You can trigger sending explicit consent requests via emails and explicit consent confirmation code via SMS from other software through integration.

In addition, data owners can manage their explicit consent without creating a registration by entering the Personal Login Module on the e-Rıza system.

Information texts are created based on the purposes created in e-Rıza. According to your purpose, you can directly use embedded text templates, edit existing templates, or upload the texts that you have created to the system.

Information texts are created for desired purposes in e-Rıza. A common information text is automatically created for selected purposes, but you can create a new text or change the automatically created text. You can create the information texts by:

• Selecting the person (selecting an individual person, a group of persons or uploading from excel) on the e-Rıza system and sending clarification tasks via an email,
• Sending clarification texts via email and clarification links via SMS with e-Rıza forms,
• Creating e-Rıza events and enabling data owners to see the texts during record creation,
• Sharing automatically created clarification links in different environments (software or physical),
• Triggering sending clarification text emails and SMS from other software through integration.

e-Rıza is software-independent. It is a mobile compatible web application.

e-Rıza has an automatic integration with PDP. Institutions using the SAP® PDP module can directly use e-Rıza.

You can integrate e-Rıza with other other software through its API support.

e-Rıza does not provide email or SMS services. Only emails and SMSs required for personal data management can be sent via the e-Rıza system.

Purposes stored in e-Rıza can be associated with the Message Management System (IYS). If you make an agreement with the intermediary service provider companies that e-Rıza is integrated with and make the necessary definitions in e-Rıza, you can manage commercial electronic message permissions via e-Rıza. This way, approval statuses within e-Rıza which are based on commercial electronic messages and require explicit consent are kept up-to-date by synchronizing the approval statuses in the message management system with the related purposes.

The data subjects' names, surnames, emails, telephone numbers and e-Rıza user language preferences are stored in e-Rıza. The user language is to determine the interface language that data subjects will use to manage Explicit Consent and to manage information and data change requests. It is possible to collect personal information from data owners via e-Rıza forms, however, the data responsibility belongs to you.

e-Rıza has multi-company and multi-brand support. You can manage your group companies with authorized users.

With the e-Rıza add-on, you can share files with the people you define in e-Rıza for the purposes you have defined and selected for data sharing in the system. The files you want to send are stored on e-Rıza servers, secured and automatically destroyed at the end of the determined period.

The KVK Institution does not support integration, however, it is possible to manage your records by obtaining a VERBIS Inventory Report from e-Rıza.

e-Rıza is designed with an infrastructure that complies with different regulations. You can use it by entering inventory for different regulations.

You can provide information requests by creating personal data reports.

Data owners can request information, information update, and anonymization and can also manage their explicit consent via the e-Rıza Personal Login Module. You can provide demand management by manually defining external requests to the system.

It is possible to transfer external explicit consents and clarification/information records to e-Rıza.

e-Rıza is cloud-based. You can pay-per-use under commitment. Additional services are charged separately.

e-Rıza servers are located in data centers in Turkey.

You can use e-Rıza's or your own email service provider.

You can use e-Rıza's SMS service or arrange your own email service from SMS provider companies that e-Rıza has an agreement with. Once received, you must define your own email service on e-Rıza.

e-Rıza emails are sent from servers located within Turkey.