MBIS e-Rıza

Collect explicit consents, create your personal data processing inventory and manage GDPR / KVKK related processes effectively with MBIS e-Rıza

You can easily run and control your GDPR / KVKK processes with a holistic approach and ensure your legal compliance within days with e-Rıza, an ERP-independent software solution specially developed in MBIS R&D Center.

What is e-Rıza?

e-Rıza is a mobile compatible, ERP-independent Web application specially designed and developed in MBIS R&D center to help organizations to be compliant with GDPR / KVKK regulations by automatically creating Explicit Consent texts according to the personal data processing purposes, obtaining Explicit Consents from employees and 3rd party individuals via e-mail (or through system integration), collecting personal data through automatically created Digital Forms and managing the GDPR / KVKK processes such as Obligation to Inform, Information Request Fulfilment etc.

Thanks to its powerful integration functions, e-Rıza can be integrated with any system that supports Web services, giving you freedom, scalability and flexibility for data access.

e-Rıza can be deployed on-premise or can be used over cloud.

Main functionalities of e-Rıza

Obtaining explicit consents by email

e-Rıza automatically creates explicit consent texts according to the purposes in the Personal Data Processing Inventory, and collects, stores, reports and manages explicit consents from employees and third-party individuals via email.

Acquiring personal data with digital forms

e-Rıza allows collecting personal data through automatically created digital forms (for example, for visitors at receptions, job candidates, participants in digital or physical events) and obtaining explicit consents via email or SMS in order to be able to legitimately process the collected personal data.

Self-service explicit consent management

Individuals can view and manage their explicit consent from a single platform with their computer or mobile devices; they can grant new consents, withdraw their existing consents and track the clarification texts they received.

Personal data processing inventory (PDPI)

e-Rıza allows you to create and manage your ‘Personal Data Processing Inventory’ as a living document in compliance with the related national personal data protection regulations such as GDPR and KVKK.

Obligation to inform

e-Rıza enables sending, recording, tracking, managing and reporting the clarification texts which are automatically created according to latest GDPR / KVKK guidelines.

Information request fulfilment

e-Rıza allows fulfilment of personal data related information requests from individuals or official agencies; by informing the responsible employees to deal with the request, running the approval process and collecting, sending, tracking and reporting the necessary information to respond to the requests.

Task management

For the purpose of protecting personal data, e-Rıza can create and assign GDPR / KVKK relevant tasks automatically or on-demand to responsible employees and helps tracking, managing, closing and reporting those tasks.

and more...

e-Rıza offers many more functionalities in terms of both ensuring the security of sensitive personal data and managing processes within the scope of GDPR / KVKK.

e-Rıza’s technical features

With its wide integration capabilities, e-Rıza can be adapted to your needs and managed from mobile devices, and it gives you the flexibility to easily obtain consent from the people who share their data with you so that you can use their personal data.

Advanced integration

e-Rıza provides a powerful integration layer to exchange data through web services and allows downloading e-mail recipient information.

Integration with websites and portals

Thanks to its advanced integration structure, e-Rıza is a solution capable of working in connection with corporate websites, portals and landing web pages.

Multi-lingual solution

Although e-Rıza comes with Turkish and English language options as standard, it can be easily used in other languages with its embedded dictionary structure.

Mobile compatibility

e-Rıza is a ‘responsive’ software solution suitable for using on mobile devices, without the need for a native mobile application.

ERP independent

e-Rıza is a web application that does not have to be installed on or integrated to any ERP, including SAP.

Customization and adaptation

e-Rıza can be easily customized, adapted and improved according to the company specific needs.

Ready-to-use data and processes

e-Rıza provides ready-to-use master data, process designs and customizations that cover the requirements of legal regulations by saving time and costs and minimizing risks.

Dashboard

e-Rıza has dashboard screens that enable tracking of explicit consent texts and tasks based on status (sent, accepted, rejected, pending, completed, etc.).

Natural integration with SAP PDP

e-Rıza has a natural integration with SAP PDP (Personal Data Protector) software, which centrally manages and orchestrates all KVKK / GDPR processes within SAP systems.

Why e-Rıza?

Put an end to the complexity of gathering explicit consent

Manually obtaining, processing, storing, reporting, tracking and managing explicit consents from multiple systems can be complex and labour-intensive. MBIS’ e-Rıza solution allows you to easily overcome these difficulties from a single central platform.

Avoid legal sanctions

Failure to obtain explicit consent for certain personal data processing processes may result in severe administrative fines. With e-Rıza, you can protect your organization from these sanctions and secure GDPR / KVKK compliance.

Benefit from MBIS’s industrial experience in GDPR / KVKK

With e-Rıza, you will have the opportunity to benefit from MBIS’ experience and know-how on GDPR / KVKK gained from various industries, and you get valuable guidance during the project implementation.

Offer individuals self-service consent management

You can both reduce your workload and increase your prestige in the eyes of your customers by allowing individuals to control and manage their GDPR / KVKK rights by themselves, such as granting or withdrawing explicit consents, accessing clarification texts and requesting information.

Don't wait for months to activate your GDPR / KVKK solution

Compared to the other solutions available in the market, e-Rıza is a special application that can be deployed with a full set of functions and technical features within days, which will bring you numerous benefits in a much shorter time.

Prevent omissions, minimize risks

Thanks to the ready-to-use embedded master data, processes and customizations that e-Rıza provides for regulatory compliance, you can minimize the risks that may occur due to manual entry errors, delays, forgetting and skipping.

How does e-Rıza work to get explicit consents via email?

Personal Data Processing Inventory (PDPI) is created in e-Rıza in accordance with data processing purposes.

Contact information of the individuals from whom explicit consents will be obtained is (1) transferred from Excel or other data files, (2) automatically retrieved from data sources through integration, or (3) manually entered.

Using the information in the PDPI, e-Rıza identifies the personal data that requires explicit consent and automatically creates explicit consent texts for them.

e-Rıza sends explicit consent text to the relevant persons via email.

Individuals grant or reject explicit consents by using the buttons in the email.

e-Rıza sends a reminder via email to people who didn’t respond for a given period of time.

e-Rıza records the responses to its database.

Accepted or rejected explicit consents are monitored through e-Rıza’s dashboard, and necessary actions are taken.

How does e-Rıza collect personal data and obtain explicit consent with digital forms?

Personal Data Processing Inventory (PDPI) is created in e-Rıza in accordance with data processing purposes.

In e-Rıza, Personal Data Collection forms are designed using templates without coding.

These forms are filled by (A) the reception or security personnel and the necessary personal data are obtained.

OR personal data is collected by filling digital forms (B) before physical or virtual activities (webinars, meetings, etc.).

OR digital forms are integrated into the (C) websites or portals of the companies and personal data is entered by the individuals by themselves.

e-Rıza requests explicit consent by sending an email or SMS to individuals for the personal data collected by the digital forms. Individuals grant or reject the explicit consent using the buttons in the email or by the verification codes sent via SMS.

e-Rıza records personal data along with e-Mail and SMS responses to its database.

Accepted or rejected explicit consents are monitored through e-Rıza’s dashboard, and necessary actions are taken.

Matters to be considered while obtaining explicit consent

Explicit consent, within the framework of the law, means that the individual grants consent to the processing of his/her personal data at his/her own will or upon request from other parties. With the explicit consent statement, the person actually informs a data controller about his/her legal value. Explicit consent will enable the relevant person to determine the limits, scope, form, purpose and duration of the data allowed to be processed.

There is no need to obtain explicit consents with hard-copy documents and signatures; e-Mail is also a legitimate option to acquire explicit consents as long as the data controller discharges its proof obligation.
A legitimate explicit consent should have three elements:

  • Being related to a specific subject (or purpose)
  • The consent is based on information
  • Disclosure with free will

A general explicit consent which is not limited to a specific subject and not limited to the relevant purpose is not accepted, meaning that it is legally invalid. For example, consent declarations that do not indicate a specific subject or activities such as «all kinds of commercial transactions, all kinds of banking transactions and all kinds of data processing activities» are situations that can be considered within the scope of invalid consent.

Since giving explicit consent is an individual right, a given explicit consent can be revoked. In this context, as the right to determine the future of personal data belongs to the relevant person, the person can withdraw the explicit consent given to the data controller at any time. However, because the revocation process will have a forward-looking result, all activities carried out based on the explicit consent should be stopped by the data controller as soon as the withdrawal declaration reaches the data controller. In other words, the withdrawal declaration becomes effective from the moment it reaches the data controller.

Do not underestimate KVKK (Turkish personal data protection law) compliance

What are the legal sanctions of KVKK?

Imprisonment

  • One to three years of imprisonment is imposed on those who unlawfully record personal data. (The penalty is increased by half for sensitive personal data) (article 135 of the Turkish Criminal Law)
  • Two to four years imprisonment is imposed on those who unlawfully share, publish or intercept personal data. (article 136 of the Turkish Criminal Law)
  • One to two years imprisonment is imposed on those who do not destroy (or anonymize) personal data after the certain period of time dictated by the law. (article 138 of the Turkish Criminal Law)

Fines

  • Failure to fulfill the obligation to inform: From 5.000 TL to 100.000 TL
  • Failure to fulfill obligations regarding data security: From 15.000 TL to 1.000.000 TL
  • Failure to follow the decisions made by the board: From 25.000 TL to 1.000.000 TL
  • Violation of the obligation to register and notify the data controllers registry: From 20.000 TL to 1.000.000 TL, administrative fines are imposed.

* Penalties for recording personal data, unlawfully providing or intercepting data and not destroying data are not dependent on the filing of a complaint.

FAQ

What is personal data?

“Personal data” means any information relating to an identified or identifiable natural person. In order to speak of personal data, the data must be related to a person and that person must be identified or identifiable.

What is sensitive personal data?

Sensitive personal data is data which, if disclosed, can leave the data subject open to discrimination or unfair treatment.

What are the data processing requirements according to the Turkish Personal Data Protection Law (KVKK)?

Conditions for processing personal data

Personal data shall not be processed without explicit consent of the data subject. Personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:

  • It is expressly provided for by the laws.
  • It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.
  • Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
  • It is necessary for compliance with a legal obligation to which the data controller is subject.
  • Personal data have been made public by the data subject himself/herself.
  • Data processing is necessary for the establishment, exercise or protection of any right.
  • Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

Sensitive personal data can only be processed with the explicit consent of the data subject or under any of the conditions set out by the law. Personal data cannot be transferred within the country or abroad without the explicit consent of the data subject. The requirements declared by the Personal Data Protection Authority must be fulfilled for international data transfer.

What is explicit consent?

“Explicit consent” means freely given, specific and informed consent by data owners (subject person) for the processing of personal data. Explicit consent must be related to a specified issue, based on information and declared by free will.

Under which conditions may sensitive data be processed without seeking the explicit consent of the data subject?

There are different implementations in different regulations. Exceptions are defined in the laws that countries are subject to. It is not necessary to obtain explicit consent, in case of exceptions which are referred to in the law.

According to the Personal Data Protection Law, sensitive data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:

  • It is expressly provided for by the laws.
  • It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.
  • Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
  • It is necessary for compliance with a legal obligation to which the data controller is subject.
  • Personal data have been made public by the data subject himself/herself.
  • Data processing is necessary for the establishment, exercise or protection of any right.
  • Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

How can explicit consent be obtained?

Explicit consent must be clear, understandable, simple and include a positive consent statement. Clarification must be presented before the consent statement. Explicit consent must be provable. Explicit consent must be withdrawable.

What is the obligation of data controller to inform?

Under the obligation to inform, the data controller informs the data owner, before processing personal data, about: the identity of the data controller and, if any, its representative; the purpose for which personal data will be processed; the method and legal reason for collecting personal data; and to whom and for what purpose personal data can be transferred.

According to KVKK, disclosure is required during the acquisition of personal data. The fulfillment of the disclosure obligation must be provable. Disclosure should be carried out whenever personal data are processed or when the purpose of data processing changes. The disclosure obligation must be fulfilled within a reasonable period after obtaining the personal data if personal data are not obtained from the subject person, during the first contact if the personal data will be used for communication with the subject person, and at the latest during the first transfer of the personal data if the personal data will be transferred.

What is e-Rıza?

e-Rıza is a personal data management system developed in compliance with different regulations such as GDPR and KVKK. It is a mobile compatible web application that can work with different systems with its powerful integration functions, and which helps manage processes such as creating a personal data processing inventory, automatically creating explicit consent texts, obtaining explicit consent from institution employees and third parties via email or integration, collecting personal data through automatically created forms, and obtaining Explicit Consent via email or SMS for the information in these forms, fulfilling the obligation of data controller to inform and meeting the information requests of individuals and institutions.

Data integrity is ensured by defining in the system the environments in which personal data are stored; information and data changes from data owners are managed; and tasks are created for the environments where personal data are stored by calculating the retention periods of the purposes. It has many features such as multi-company management, management of transferred external clarifications and consents, a strong reporting structure, multiple language support, information management, role and field-based user management, and department management, along with API support, CMS integration, secure file transfer and a cloud model. In addition, new features are presented to customers every day through integrations to new systems.

The system's Individual Login Module enables data owners to manage their explicit consent requests from all institutions using the e-Rıza system without registering, providing corporate transparency and facilitating explicit consent management.

Why e-Rıza?

e-Rıza is a mobile compatible web application, not a software module. It supports different regulations such as GDPR and KVKK. Its strong infrastructure enables the integration of external systems. Tasks can be created for environments where personal data are stored, and these tasks can be read and operated directly via external software. With the principle of transparency, personal data owners can examine their explicit consent, monitor data processing purposes, and easily manage them. It includes different features such as security measures inventory, message management system integration, versioning, secure file transfer, and customized reporting. It has a file upload feature that enables fast multiple data entries and updating the inventory. e-Rıza works in the cloud and is constantly developing by gaining new features.

How to obtain explicit consent on e-Rıza?

To obtain explicit consent on e-Rıza these steps can be followed:

  • After selecting one or more purposes on the e-Rıza system, selecting the contact groups (selecting an individual person, a group of persons or uploading from excel) and sending the explicit consent requests directly by email,
  • Sending explicit consent requests with e-Rıza forms via email and sending the explicit consent confirmation code via SMS,
  • Creating e-Rıza events and obtaining the data owner's consent during registration,
  • You can trigger sending explicit consent requests via emails and explicit consent confirmation code via SMS from other software through integration.

In addition, data owners can manage their explicit consent without creating a registration by entering the Personal Login Module on the e-Rıza system.

How to create information texts on e-Rıza?

Information texts are created based on the purposes created in e-Rıza. According to your purpose, you can directly use embedded text templates, edit existing templates, or upload the texts that you have created to the system.

How is obligation of data controller to inform performed in e-Rıza?

Information texts are created for desired purposes in e-Rıza. A common information text is automatically created for selected purposes, but you can create a new text or change the automatically created text. You can create the information texts by:

  • Selecting the person (selecting an individual person, a group of persons or uploading from excel) on the e-Rıza system and sending clarification tasks via an email,
  • Sending clarification texts via email and clarification links via SMS with e-Rıza forms,
  • Creating e-Rıza events and enabling data owners to see the texts during record creation,
  • Sharing automatically created clarification links in different environments (software or physical),
  • Triggering sending clarification text emails and SMS from other software through integration.

Which software is used with e-Rıza?

e-Rıza is software-independent. It is a mobile compatible web application.

Is e-Rıza integrated with SAP?

e-Rıza has an automatic integration with PDP. Institutions using the SAP PDP module can directly use e-Rıza.

Is it possible to integrate e-Rıza with other software (ERP, CRM, website, mobile application etc.)?

You can integrate e-Rıza with other software through its API support.

Can I receive email and SMS services from e-Rıza?

e-Rıza does not provide email or SMS services. Only emails and SMSs required for personal data management can be sent via the e-Rıza system.

Is there a Message Management System (IYS) integration?

Purposes stored in e-Rıza can be associated with the Message Management System (IYS). If you make an agreement with the intermediary service provider companies that e-Rıza is integrated with and make the necessary definitions in e-Rıza, you can manage commercial electronic message permissions via e-Rıza. This way, approval statuses within e-Rıza which are based on commercial electronic messages and require explicit consent are kept up-to-date by synchronizing the approval statuses in the message management system with the related purposes.

Which personal data are stored in e-Rıza?

The data subjects' names, surnames, emails, telephone numbers and e-Rıza user language preferences are stored in e-Rıza. The user language is to determine the interface language that data subjects will use to manage Explicit Consent and to manage information and data change requests. It is possible to collect personal information from data owners via e-Rıza forms, however, the data responsibility belongs to you.

Does e-Rıza support multiple companies and multiple brands?

e-Rıza has multi-company and multi-brand support. You can manage your group companies with authorized users.

What is secure file transfer?

With the e-Rıza add-on, you can share files with the people you define in e-Rıza for the purposes you have defined and selected for data sharing in the system. The files you want to send are stored on e-Rıza servers, secured and automatically destroyed at the end of the determined period.

Can e-Rıza be integrated with VERBIS?

The KVK Institution does not support integration, however, it is possible to manage your records by obtaining a VERBIS Inventory Report from e-Rıza.

Is it possible to use e-Rıza for different regulations such as GDPR and KVKK?

e-Rıza is designed with an infrastructure that complies with different regulations. You can use it by entering inventory for different regulations.

Can I provide information requests of data owners via e-Rıza?

You can provide information requests by creating personal data reports.

Can I manage information changes and anonymization requests via e-Rıza?

Data owners can request information, information update, and anonymization and can also manage their explicit consent via the e-Rıza Personal Login Module. You can provide demand management by manually defining external requests to the system.

Can I transfer explicit consents and information records received from external resources to e-Rıza?

It is possible to transfer external explicit consents and clarification/information records to e-Rıza.

What is the pricing?

e-Rıza is cloud-based. You can pay-per-use under commitment. Additional services are charged separately.

Where are e-Rıza servers located?

e-Rıza servers are located in data centers in Turkey.

Can we use our own email service?

You can use e-Rıza's or your own email service provider.

Can we use our own SMS service?

You can use e-Rıza's SMS service or arrange your own SMS service from SMS provider companies that e-Rıza has an agreement with. Once received, you must define your own SMS service on e-Rıza.

Where are e-Rıza email servers located?

e-Rıza emails are sent from servers located within Turkey.

Please contact us for further information