Easily manage your GDPR related processes and take your compliance to a higher level!

By using privao, you can effectively orchestrate GDPR processes such as explicit consent management, obligation to inform management, information request management and more…

What is privao?

privao is a specially designed and developed mobile compatible, ERP-independent software solution which greatly helps organizations to take measures required by GDPR through managing personal data protection and orchestrating related processes centrally and with a holistic approach.

Functionalities of privao

Personal data processing inventory (PDPI)

privao allows you to create and manage your ‘Personal Data Processing Inventory’ as a living document in compliance with the related national personal data protection regulations such as KVKK/GDPR.

Acquiring personal data w/ consent-integrated forms

privao allows collecting personal data through automatically created digital forms (for example, for visitors at receptions, job candidates, participants in digital or physical events) and obtaining explicit consents via email or SMS in order to be able to legitimately process the collected personal data.

Obtaining explicit consents

privao automatically creates explicit consent texts according to the purposes in the Personal Data Processing Inventory, and collects, stores, reports and manages explicit consents from employees and third-party individuals via e-Mail.

Information request fulfilment

privao allows fulfilment of personal data related information requests from individuals or official agencies by informing the responsible employees to deal with the request, running the approval process, and collecting, sending, tracking and reporting the necessary information to respond to the requests.

Obligation to inform (Clarification Texts) management

privao enables sending, recording, tracking, managing and reporting clarification texts which are automatically created according to the latest KVKK/GDPR guidelines.

Self-service explicit consent management

Individuals can view and manage their explicit consent from a single platform with their computer or mobile devices; they can grant new consents, withdraw their existing consents and track the clarification texts they received.

Secure file-transfer via e-Mail add-on

privao lets you define the framework of the file transfer process based on certain conditions and rules. Transfer is allowed only to authorized subjects through a secure privao link sent via e-mail. All data access requests are logged, and when the expiration date is reached, the file is automatically removed from privao.

Data Breach Management

In case of any data breach, authorized personnel and organizations are automatically notified in order to take necessary precautions.

DPIA - Data Protection Impact Assessment

Thanks to Data Protection Impact Assessment, privao makes it possible to analyze new personal data to be added and their purposes.

Ready-to-use data and processes

privao provides ready-to-use master data, process designs and customizations that cover the requirements of legal regulations by saving time and costs and minimizing risks.

KVKK/GDPR related Task management

For the purpose of protecting personal data, privao can create and assign relevant tasks automatically or on-demand to responsible employees and helps track, manage, close and report those tasks.

Technical features of privao

With its wide integration capability, our privao solution can be adapted to your needs and managed from mobile devices, and it provides the flexibility you need to easily obtain consent from the people who share their data with you so that you can use their personal data.

Advanced integration

privao provides a powerful integration layer to exchange data through web services and allows downloading e-mail recipient information.

Integration with websites and portals

Thanks to its advanced integration structure, privao is a solution capable of working in connection with corporate websites, portals and landing web pages.

Multi-lingual solution

Although privao comes with Turkish and English language options as standard, it can be easily used in other languages with its embedded dictionary structure.

Mobile compatibility

privao is a ‘responsive’ software solution suitable for using on mobile devices, without the need for a native mobile application.

ERP independent

privao is a web application that does not have to be installed on or integrated with any ERP, including SAP®.

Customization and adaptation

privao can be easily customized, adapted and improved according to company-specific needs.

Dashboard

privao has dashboard screens that enable tracking of explicit consent texts and tasks based on status (sent, accepted, rejected, pending, completed, etc.).

Natural integration with SAP® PDP

privao has a natural integration with SAP® PDP (Personal Data Protector) software, which centrally manages and orchestrates all KVKK / GDPR processes within SAP® systems.

Department Based Use

Purposes, Explicit Consents, Clarification Texts can be tracked by each department or function for only the Data Subjects they are responsible for.

Role Based Authorization

Role based authorization is assigned to users in the system. Access to screens and fields is restricted based on authorization level.

Cloud (SaaS) and On-Premise Options

privao can run in a cloud environment, which eliminates maintenance cost and enables external individuals to connect to the platform. The on-premise option provides standard functions.

Automatic Data Removal Task Generation

When the personal data retention period is over, removal tasks in the systems and landscapes are automatically created.

API Integration

privao provides a powerful integration layer to exchange data through web services, allows downloading e-mail recipient information, and is also capable of working in connection with external software, corporate websites, portals and landing web pages.

Collect Explicit Consent via Multiple Options

  1. User Form: Explicit Consent by approving the Clarification Text via SMS / e-mail sent by privao
  2. privao Task: Orchestration of personal data in accordance with rules & procedures identified in privao
  3. Integration with software: Explicit Consent by approving the Clarification Text sent by software integrated with privao

System and Landscape Management

Information update and removal requests are managed by introducing processing systems and landscapes.

Request Management

Information requests, data update requests and data removal requests can be managed in the system.

Transfer of External Recordings

Explicit Consents and Clarification Texts collected via external methods can be transferred into the system and managed by privao.

Multiple Organization Management

privao makes it possible to administer the processes of organizations with multiple subsidiaries (such as holdings) from a single platform and with the same users.

Why privao?

Put an end to the complexity of gathering explicit consent

Manually obtaining, processing, storing, reporting, tracking and managing explicit consents from multiple systems can be complex and labour-intensive. MBIS’ privao solution allows you to easily overcome these difficulties from a single central platform.

Avoid legal sanctions

Failure to obtain explicit consent for certain personal data processing processes may result in severe administrative fines. With privao, you can protect your organization from these sanctions and secure GDPR / KVKK compliance.

Benefit from MBIS’s industrial experience in GDPR / KVKK

With privao, you will have the opportunity to benefit from MBIS’ experience and know-how on GDPR / KVKK gained from various industries, and you get valuable guidance during the project implementation.

Offer individuals self-service consent management

You can both reduce your workload and increase your prestige in the eyes of your customers by allowing individuals to control and manage their GDPR / KVKK rights by themselves, such as granting or withdrawing explicit consents, accessing clarification texts and requesting information.

Don't wait for months to activate your GDPR / KVKK solution

Compared to the other solutions available in the market, privao is a special application that can be deployed with full set of functions and technical features within days, which will bring you numerous benefits in a much shorter time.

Prevent omissions, minimize risks

Thanks to the ready-to-use embedded master data, processes and customizations privao brings to be compliant with regulations, you can minimize the risks that may occur due to manual entry errors, delays, forgetting and skipping.

How does privao work to get explicit consents via email?

Personal Data Processing Inventory (PDPI) is created in privao in accordance with data processing purposes.

Contact information of the individuals from whom explicit consents are to be obtained is (1) transferred from Excel or other data files, (2) automatically retrieved from data sources through integration, or (3) manually entered.

Using the information in the PDPI, e-Rıza identifies the personal data that requires explicit consent and automatically creates explicit consent texts for them.

privao sends explicit consent text to the relevant persons via email.

Individuals grant or reject explicit consents by using the buttons in the email.

privao sends a reminder via email to people who didn’t respond for a given period of time.

privao records the responses to its database.

Accepted or rejected explicit consents are monitored through privao’s dashboard, and necessary actions are taken.

How does privao collect personal data and obtain explicit consent with digital forms?

Personal Data Processing Inventory (PDPI) is created in privao in accordance with data processing purposes.

In privao, Personal Data Collection forms are designed using templates without coding.

These forms are filled by (A) the reception or security personnel and the necessary personal data are obtained.

OR personal data is collected by filling digital forms (B) before physical or virtual activities (webinars, meetings, etc.).

OR digital forms are integrated into the (C) websites or portals of the companies and personal data is entered by the individuals by themselves.

privao requests explicit consent by sending an email or SMS to individuals for the personal data collected by the digital forms. Individuals grant or reject the explicit consent using the buttons in the email or by the verification codes sent via SMS.

privao records personal data along with e-Mail and SMS responses to its database.

Accepted or rejected explicit consents are monitored through privao’s dashboard, and necessary actions are taken.

Matters to be considered while obtaining explicit consent

Explicit consent, within the framework of the law, means that the individual grants consent to the processing of his/her personal data at his/her own will or upon request from other parties. With the explicit consent statement, the person actually informs a data controller about his/her legal value. Explicit consent will enable the relevant person to determine the limits, scope, form, purpose and duration of the data allowed to be processed.

There is no need to obtain explicit consents with hard-copy documents and signatures; e-Mail is also a legitimate option to acquire explicit consents as long as the data controller discharges its proof obligation.

A legitimate explicit consent should have three elements:

  • Being related to a specific subject (or purpose)
  • The consent is based on information
  • Disclosure with free will

A general explicit consent which is not limited to a specific subject and not limited to the relevant purpose is not accepted, meaning that it is legally invalid. For example, consent declarations that do not indicate a specific subject or activities such as «all kinds of commercial transactions, all kinds of banking transactions and all kinds of data processing activities» are situations that can be considered within the scope of invalid consent.

Since giving explicit consent is an individual right, a given explicit consent can be revoked. In this context, as the right to determine the future of personal data belongs to the relevant person, the person can withdraw the explicit consent given to the data controller at any time. However, because the revocation process will have a forward-looking result, all activities carried out based on the explicit consent should be stopped by the data controller as soon as the withdrawal declaration reaches the data controller. In other words, the withdrawal declaration becomes effective from the moment it reaches the data controller.

Do not underestimate KVKK (Turkish personal data protection law) compliance

What are the legal sanctions of KVKK?

Imprisonment

  • One to three years of imprisonment is imposed on those who unlawfully record personal data. (The penalty is increased by half for sensitive personal data) (article 135 of the Turkish Criminal Law)
  • Two to four years imprisonment is imposed on those who unlawfully share, publish or intercept personal data. (article 136 of the Turkish Criminal Law)
  • One to two years imprisonment is imposed on those who do not destroy (or anonymize) personal data after the certain period of time dictated by the law. (article 138 of the Turkish Criminal Law)

Fines

  • Failure to fulfill the obligation to inform: From 5.000 TL to 100.000 TL
  • Failure to fulfill obligations regarding data security: From 15.000 TL to 1.000.000 TL
  • Failure to follow the decisions made by the board: From 25.000 TL to 1.000.000 TL
  • Violation of the obligation to register and notify the data controllers registry: From 20.000 TL to 1.000.000 TL, administrative fines are imposed.

* Penalties for recording personal data, unlawfully providing or intercepting data and not destroying data are not dependent on the filing of a complaint.

FAQ

What is personal data?

“Personal data” means any information relating to an identified or identifiable natural person. In order to speak of personal data, the data must be related to a person and that person must be identified or identifiable.

What is sensitive personal data?

Sensitive personal data is data which, if disclosed, can leave the data subject open to discrimination or unfair treatment.

What are the data processing requirements according to the Turkish Personal Data Protection Law (KVKK)?

Conditions for processing personal data

Personal data shall not be processed without explicit consent of the data subject. Personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:

  • It is expressly provided for by the laws.
  • It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.
  • Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
  • It is necessary for compliance with a legal obligation to which the data controller is subject.
  • Personal data have been made public by the data subject himself/herself.
  • Data processing is necessary for the establishment, exercise or protection of any right.
  • Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

Sensitive personal data can only be processed with the explicit consent of the data subject or under any of the conditions set out by the law. Personal data cannot be transferred within the country or abroad without the explicit consent of the data subject. The requirements declared by the Personal Data Protection Authority must be fulfilled for international data transfer.

What is explicit consent?

“Explicit consent” means freely given, specific and informed consent by data owners (subject person) for the processing of personal data. Explicit consent must be related to a specified issue, based on information and declared by free will.

Under which conditions may sensitive data be processed without seeking the explicit consent of the data subject?

There are different implementations in different regulations. Exceptions are defined in the laws that countries are subject to. It is not necessary to obtain explicit consent, in case of exceptions which are referred to in the law.

According to the Personal Data Protection Law, sensitive data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:

  • It is expressly provided for by the laws.
  • It is necessary for the protection of life or physical integrity of the person himself/herself or of any other person, who is unable to explain his/her consent due to the physical disability or whose consent is not deemed legally valid.
  • Processing of personal data of the parties of a contract is necessary, provided that it is directly related to the establishment or performance of the contract.
  • It is necessary for compliance with a legal obligation to which the data controller is subject.
  • Personal data have been made public by the data subject himself/herself.
  • Data processing is necessary for the establishment, exercise or protection of any right.
  • Processing of data is necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.

How can explicit consent be obtained?

Explicit consent must be clear, understandable, simple and include a positive consent statement. Clarification must be presented before the consent statement. Explicit consent must be provable. Explicit consent must be withdrawable.

What is the obligation of data controller to inform?

Under the obligation to inform, the data controller informs the data owner, before processing personal data, about: the identity of the data controller and, if any, its representative; the purpose for which personal data will be processed; the method and legal reason for collecting personal data; and to whom and for what purpose personal data can be transferred.

According to KVKK, disclosure is required during the acquisition of personal data. The fulfillment of the disclosure obligation must be provable. Disclosure should be carried out whenever personal data are processed or when the purpose of data processing changes. The disclosure obligation must be fulfilled: within a reasonable period after obtaining the personal data if personal data are not obtained from the subject person; during the first contact if the personal data will be used for communication with the subject person; and at the latest during the first transfer of the personal data if the personal data will be transferred.

What is privao?

privao is a personal data management system developed in compliance with different regulations such as GDPR and KVKK. It is a mobile compatible web application that can work with different systems with its powerful integration functions, and which helps manage processes such as creating a personal data processing inventory, automatically creating explicit consent texts, obtaining explicit consent from institution employees and third parties via email or integration, collecting personal data through automatically created forms, and obtaining Explicit Consent via email or SMS for the information in these forms, fulfilling the obligation of data controller to inform and meeting the information requests of individuals and institutions.

Data integrity is ensured by defining in the system the environments in which personal data are stored; information and data changes from data owners are managed; and tasks are created for the environments where personal data are stored by calculating the retention periods of the purposes. It has many features such as multi-company management, management of transferred external clarifications and consents, strong reporting structure, multiple language support, information management, role and field-based user management, department management along with API support, CMS integration, secure file transfer and cloud model. In addition, new features are presented to customers every day through integrations to new systems.

The system's Individual Login Module enables data owners to manage their explicit consent requests from all institutions using the privao system without registering, providing corporate transparency and facilitating explicit consent management.

Why privao?

privao is a mobile compatible web application, not a software module. It supports different regulations such as GDPR and KVKK. Its strong infrastructure enables the integration of external systems. Tasks can be created for environments where personal data are stored, and these tasks can be read and operated directly via external software. With the principle of transparency, personal data owners can examine their explicit consent, monitor data processing purposes, and easily manage them. It includes different features such as security measures inventory, message management system integration, versioning, secure file transfer, and customized reporting. It has a file upload feature that enables fast multiple data entries and updating the inventory. privao works in the cloud and is constantly developing by gaining new features.

How to obtain explicit consent on privao?

To obtain explicit consent on privao these steps can be followed:

  • After selecting one or more purposes on the privao system, selecting the contact groups (selecting an individual person, a group of persons or uploading from excel) and sending the explicit consent requests directly by email,
  • Sending explicit consent requests with privao forms via email and sending the explicit consent confirmation code via SMS,
  • Creating privao events and obtaining the data owner's consent during registration,
  • Triggering the sending of explicit consent requests via email and explicit consent confirmation codes via SMS from other software through integration.

In addition, data owners can manage their explicit consent without creating a registration by entering the Personal Login Module on the privao system.

How to create information texts on privao?

Information texts are created based on the purposes created in privao. According to your purpose, you can directly use embedded text templates, edit existing templates, or upload the texts that you have created to the system.

How is obligation of data controller to inform performed in privao?

Information texts are created for desired purposes in privao. A common information text is automatically created for selected purposes, but you can create a new text or change the automatically created text. You can create the information texts by:

  • Selecting the person (selecting an individual person, a group of persons or uploading from excel) on the privao system and sending clarification tasks via an email,
  • Sending clarification texts via email and clarification links via SMS with privao forms,
  • Creating privao events and enabling data owners to see the texts during record creation,
  • Sharing automatically created clarification links in different environments (software or physical),
  • Triggering sending clarification text emails and SMS from other software through integration.

Which software is used with privao?

privao is software-independent. It is a mobile compatible web application.

Is privao integrated with SAP®?

privao has an automatic integration with PDP. Institutions using the SAP® PDP module can directly use privao.

Is it possible to integrate privao with other software (ERP, CRM, website, mobile application etc.)?

You can integrate privao with other software through its API support.

Can I receive email and SMS services from privao?

privao does not provide email or SMS services. Only emails and SMSs required for personal data management can be sent via the privao system.

Is there a Message Management System (IYS) integration?

Purposes stored in privao can be associated with the Message Management System (IYS). If you make an agreement with the intermediary service provider companies that privao is integrated with and make the necessary definitions in privao, you can manage commercial electronic message permissions via privao. This way, approval statuses within privao which are based on commercial electronic messages and require explicit consent are kept up-to-date by synchronizing the approval statuses in the message management system with the related purposes.

Which personal data are stored in privao?

The data subjects' names, surnames, emails, telephone numbers and privao user language preferences are stored in privao. The user language is used to determine the interface language that data subjects will use to manage Explicit Consent and to manage information and data change requests. It is possible to collect personal information from data owners via privao forms; however, the data responsibility belongs to you.

Does privao support multiple companies and multiple brands?

privao has multi-company and multi-brand support. You can manage your group companies with authorized users.

What is secure file transfer?

With the privao add-on, you can share files with the people you define in privao for the purposes you have defined and selected for data sharing in the system. The files you want to send are stored on privao servers, secured and automatically destroyed at the end of the determined period.

Can privao be integrated with VERBIS?

The KVK Institution does not support integration; however, it is possible to manage your records by obtaining a VERBIS Inventory Report from privao.

Is it possible to use privao for different regulations such as GDPR and KVKK?

privao is designed with an infrastructure that complies with different regulations. You can use it by entering inventory for different regulations.

Can I provide information requests of data owners via privao?

You can provide information requests by creating personal data reports.

Can I manage information changes and anonymization requests via privao?

Data owners can request information, information update, and anonymization and can also manage their explicit consent via the privao Personal Login Module. You can provide demand management by manually defining external requests to the system.

Can I transfer explicit consents and information records received from external resources to privao?

It is possible to transfer external explicit consents and clarification/information records to privao.

What is the pricing?

privao is cloud-based. You can pay-per-use under commitment. Additional services are charged separately.

Where are privao servers located?

privao servers are located in data centers in Turkey.

Can we use our own email service?

You can use privao's or your own email service provider.

Can we use our own SMS service?

You can use privao's SMS service or arrange your own email service from SMS provider companies that privao has an agreement with. Once received, you must define your own email service on privao.

Where are privao email servers located?

privao emails are sent from servers located within Turkey.

Please contact us for further information