TR202014794A2 - KVKK COMPLIANCE STANDARDS MANAGEMENT SYSTEM AND METHOD - Google Patents

Abstract

Invention, within the scope of KVKK (Personal Data Protection Law); processing, sharing, destroying personal data that are obliged to institutions, obtaining express consent, archiving, creating and managing personal data inventories (adding, updating, deleting), managing digital platforms where personal data is kept within the organization, and at the same time, customer KVKK compliance standards are related to the management system and method developed to receive and follow up and finalize the applications of external stakeholders such as suppliers and employees.

Description

DESCRIPTION KVKK COMPLIANCE STANDARDS MANAGEMENT SYSTEM AND METHOD TECHNICAL FIELD Invention, within the scope of KVKK (Personal Data Protection Law); liable to institutions Processing, sharing, destroying the personal data, especially for these issues obtaining explicit consents, archiving them, creating personal data inventories managing (adding, updating, deleting) personal data within the organization manage the digital platforms on which it is kept with the specified functions and At the same time, external stakeholders such as customers, suppliers, employees KVKK compliance developed to follow up and finalize the applications standards are related to the management system and method.

KNOWN STATE OF THE TECHNIQUE In recent years, in our country, personal data protection law (KVKK) Efforts are made to protect data by companies and public institutions. 6698 In the processing of personal data with the Personal Data Protection Law No. fundamental rights and freedoms of individuals, especially the privacy of private life. to protect the obligations of real and legal persons processing personal data and and the procedures and principles that individuals will follow are regulated. In accordance with the relevant law, institutions use personal data of employees, business partners or customers. and/or when sharing/transferring, "lighting text" must be published and/or "open consent must be obtained.

Individuals determine the level of use of their personal data within the institution. question, want to change the way of use and/or personal request the deletion of their data. Personal data, within the institution where (where), what is it processed for and by whom, request for deletion On the other hand, which data will be deleted from where, which data will be deleted under what conditions. Issues such as archives need to be resolved. In this case the data It is very difficult in practice to detect and continue the necessary processes. forms. These operations are performed manually in the state of the art. is carried out. This situation slows down the work of the relevant personnel considerably, It causes job loss as it takes a long time in terms of time and cost and It can also lead to incorrect and/or incomplete transactions.

The invention titled “Data Protection System and Method” and the processing of personal data and The system and method used to prevent violations of sharing Automatically detects the data specified as personal data in the legislation and It allows processing on it. Relevant invention is different in the organization The data held and processed by the departments are independent of each other. cannot ensure that it is processed in standards. Relevant invention, personal data only It has the feature of detecting and controlling explicit consent.

As a result, for the reasons described above and the existing solutions are not sufficient There is a need to make a technical development in the related field due to the lack of is becoming.

DESCRIPTION OF THE INVENTION The present invention is designed to eliminate the above mentioned disadvantages and KVKK (Personal Data Protection) developed to bring new advantages to the field Law) within the scope of; processing of personal data that is obligated to institutions, sharing, destroying, obtaining explicit consent for these issues, archiving, creating and managing personal data inventories (add, update, deletion) of digital platforms where personal data is kept within the institution. managed with the specified functions and at the same time, customer, supplier, To follow up the applications of external stakeholders such as employees within this scope, and KVKK compliance standards management system developed to finalize and relates to method.

This invention; Individuals determine the level of use of their personal data within the institution. You can query, want to change the way of use and/or access your personal data. You can request deletion. Where (where) the data of individuals is in the institution, what It is processed for and by whom, in the face of deletion request, which data Where will it be deleted, which data will be archived under what conditions? Resolving situations that may affect privacy and related technical problems aims.

Creating inventory cards, keeping them up-to-date The data held and processed by the departments are independent of each other. Inventories with decision support mechanism, update in accordance with the standards determining which inventories require express consent, reports will be provided.

Ensuring secure data record access structure, company and department based inventory ability to follow up, generate dynamic reports, open consent inquiry automatic guidance of the user with algorithms, application Automatic response will be provided in accordance with the requests coming from the process.

The purpose of the invention is to create a personal data inventory compatible with the VERBIS system, creating inventory cards, making main and sub-versioning on the basis of inventory and to keep the inventory up-to-date.

Another purpose of the invention is to ensure that the KVKK inventories within the institution are in the law. by creating it in the specified standards and making it possible to register with VERBIS. is to provide automatic VERBIS record integration.

Another object of the invention is to be held by different departments within the institution. and processing of the processed data in accordance with independent legal standards, and update is provided.

Another object of the invention is the automatic task scheduler and inventory and person-based It is to ensure that action is taken with determined periods.

Another object of the invention is to determine for which inventories it is clear within the inventory records. is to reveal the need for consent by decision support mechanisms.

Another aim of the invention is to provide comprehensive inventory reporting and personal data. making management easy and manageable.

Another aim of the invention is to provide secure data recording and access structure, It is to ensure that it is suitable for the company structure.

Another purpose of the invention is to follow company and department based inventory, It is the ability to produce dynamic reports in order to keep the VERBIS records up to date.

Another aim of the invention is to collect applications easily and quickly with the application portal. is to ensure its operation.

Another aim of the invention is to provide the user's automatic consent with the open consent query algorithm. It is to ensure that the process can be directed.

Another object of the invention is to comply with requests from the application process. is the realization of 'auto-response' generation. drawings The present invention, which is briefly summarized above and discussed in more detail below, embodiments of the invention correspond to exemplary embodiments of the invention depicted in the accompanying drawings. can be understood by pressing. However, the accompanying drawings are only typical of this invention. and the invention therefore describes other equally effective not be deemed to limit its scope, as it may allow applications must be specified.

Figure-1: It is the view of the process steps of the collective inventory record.

Figure-2: The view of the Single Inventory Record/Update Process steps.

Figure-3: Process steps in the Single Inventory Record I Update Process is the sequel.

Figure-4: The view of the Open Consent Process process steps.

Figure-5: The view of the Inventory Review Process process steps.

Figure-6: The view of the Application and Complaint Management process process steps.

Figure-7: Open Consent Inquiry Algorithm is the view of the process steps.

Figure-8: Continuation of the process steps in the Open Consent Inquiry Algorithm is the view.

Figure-9: The processing steps of the Automatic Response Generation Algorithm for the Application is the view.

To make the figures easier to understand, specify identical elements common to the figures. Identical reference numbers are used where possible. Figures to scale is not drawn and can be simplified for clarity. Elements of an application and a useful application to other applications without the need for further explanation. is considered to be included. Explanation of Details in Drawings The equivalents of the reference numbers shown in the figures are given below. 1. The process starts 2. Parameter management maintenance tables are filled 3. Inventories are added to the system by adding line by line in the table logic. saved 4. A new inventory record request is created . Survey questions are answered for inventory registration .one. request information 6. The requested information is given 6.1. Give information 7. Inventory that needs to be updated at the end of the inventory review process If there is a record, the process starts 8. Does the inventory record require administrator approval? 9. Admin checks new inventory record 9.1. sent back 9.2. Approved . Company KVKK legal officer answers survey questions .one. Additional approval requested 11.1. Response is given 12. Is explicit consent sought? 13. Will open consents be completed? 14. The open consent process begins for the completion of the explicit consents .Data destruction process starts to destroy my data 16. Inventory selections to complete the explicit consent of the relevant inventory makes 17. Explicit consent texts are sent to the relevant persons in order to complete the explicit consents. 17.1. Open consents completed 18. Automatic process starts depending on the period defined in the system. 19. The inventory that is requested to be reviewed is selected. . Does the inventory need to be updated or personal items that need to be destroyed? check if there is data 21. Inventory record that needs updating or personal items that need to be destroyed data decision is checked 21.1. data destruction 21.2. Inventory update 22. Data destruction decisions are controlled by the legal officers of the Company Kvkk 22.1. Decisions are rejected 22.2. Decisions are confirmed 23. The data that needs to be destroyed are removed from the media where the data is stored. destroyed by those responsible. 24. An application or complaint request is submitted by the relevant person via the web portal . For manual application and complaint requests, the request can be made through the system. is created 26. Identity verification done by the contact person 27. Prepared responses to application or complaint requests 27.1. Approval is requested 27.2. Evaluation result 28. Answers are forwarded to the person making the request. 29. The process ends . basses 31 .Is the data shared abroad? 32. Is the shared country a safe country? 33. Is there a KVK board permission and adequate protection commitment from the other party? 34. Is there sensitive data? . Is it healthy and sexual? 36. Are there any exceptions? 37. Approval and warning text is displayed “Only article 6.3 of the law Can you process this information within the scope of your approval?" 38. Has consent been given? 39. Is there a retention period? 40. Data can be stored for as long as the data retention period specified in the relevant law. 41 .Explicit consent is sought. Is there consent? 42. Explicit consent can be stored depending on the data retention period. 43. Data destruction policy should be implemented or express consent should be obtained 44. Will you take action to obtain mandatory express consent? 48. Data can be kept for as long as the data retention period specified in the relevant law. 52. Whether the request is an information request or an action request is checked. 52.1. action request 52.2. Information request 53. Is there any associated inventory? 54. A result is produced that no personal data is kept 55. Requested questions are checked 55.1. Information that the data is shared abroad or to third parties 55.2. Information on how long personal data is kept 55.3. Information on the purpose for which personal data is kept 56. Data processing activities of related inventories by visiting the inventories It is singularized and converted into answer text. 57. Data processing purposes of related inventories by browsing the inventories It is singularized and converted into answer text. 58. Data retention times of related inventories by browsing inventories for the same data types, based on the longest durations for the same data types. is converted 59. Data transfer information of related inventories by browsing inventories It is deduplicated and converted into answer text in tabular form. 60. Action for requested data destruction, update, transfer cancellation assignments to the authorities, structures, records are kept DETAILED DESCRIPTION OF THE INVENTION In this detailed explanation, KVKK compliance standards developed as the subject of the invention preferred alternatives to the management system and method structuring for a better understanding of the subject and no limiting effect described in a way that does not constitute.

The schematic of the KVKK compliance standards management system and method in the invention The view is shown in Figure 1 to Figure 9.

Personal data inventory management; creation of personal data inventories, personal data review of inventories and inventory cards covers.

Facilitating entry methods in the step of creating personal data inventories batch entry with algorithmic survey method and import methods with Excel. method of ensuring that it is done is used. data by a spider Extracting data sets by processing and analyzing them with decision support mechanisms. an automated process by automatically creating inventory records. structure is obtained.

In the step of reviewing personal data inventories, review A workflow for the purpose of following up the task at the times determined for the period The solution is provided by building on the (workflow) engine. Currently all A common gateway for integrated operation with workflow engines Solution by choosing a work flow engine that will work like a gateway is provided.

Open consent management; a decision to establish the requirement for express consent with the support system algorithm and a constantly learning structure related to it. will be supported. Follow-up and management as a result of the relevant algorithm is a task. It is provided with the workflow solution.

Data destruction management; deletion, destruction and anonymization steps is formed. Integration point with peripheral systems in data erasure management With a spider to be created and written, the data will be analyzed and the relevant digital Safe deletion from locations and even confirmation management mechanisms. In disposal management, environmental with a spider that will be written by creating an integration point with the systems The data is analyzed and the destruction process from the relevant digital locations is done in a secure way. It is ensured that it is done in this way and even managed with approval mechanisms.

In the anonymization process; integration point with peripheral systems With a spider to be created and written, the data will be analyzed and the relevant digital secure anonymization from locations and even It will be managed through approval mechanisms.

In the application portal and management process, in the application portal section, each platform It has been designed in a common language structure in order to develop a suitable structure. Identity verification mechanisms e-signature, mobile signature, SMS verification etc. as integrations have been made. Integration with any in-house business flow platform Built-in APL support has been created to provide Application process management In the second part, on the management of the applications, the work flow engine is focused on. A built-in process design has been made.

Inventory cards; content of created inventories and associated personal data. creating a history within the authorizations, a log of all actions and operations It emerges as a result of being kept with its structure. Therefore, a detailed log infrastructure This is provided by the solution.

Meet; batch inventory that allows multiple data to be recorded at once registration module, single inventory recording / updating module, which allows recording a single data, The open consent module where the user's permissions to process the data are made, Inventory review module where personal data is updated or destroyed, To obtain information about personal data, to destroy the data or to make a complaint to the institution. application and complaint management module, whether the user's data is shared abroad and whether it is sensitive data. open consent inquiry module, the status of the data to the users' references about their data. automatic response to application that automatically responds with action or information request Includes generation module.

In the invention, to start the relevant process by the user or systemically The process starts (1) and triggered. In the mass inventory recording process, inventories In order to be processed into the system, parameter definitions are required for the maintenance in the system. Parameter management maintenance tables are filled in by step (2) is performed. Personal data inventories, inventories line by line in table logic It is added to the system and saved to the system in bulk (3). the process ends (29).

Creating a new inventory record in the system during the single inventory registration process A new inventory record request can be made by any user for It is created and performed in (4) processing steps. Questions to the user with survey logic creating personal data inventories by directing questions are answered and performed in (5) process steps. Request information (5.1) The given information is given (6). With the provision of the requested information (6), within the processes any information request can be recorded through the system is provided. Survey questions for inventory registration with the inform (6.1) operation answered (5) and recorded. At the end of the inventory review process If there is an inventory record that needs to be updated, the process starts (7). automatically keeps inventory up to date. Controlling critical inventory records Is administrator approval required for inventory recording in order to be able to do so? (8) question is asked. If yes, the administrator checks the new inventory record (9). admin approval If not, it is returned (9.1), otherwise it is confirmed (9.2). Company KVKK Law responsible for answering the survey questions (10) and thus taking place in the inventory survey. legal questions are answered. Additional approval where approval is required is requested (10.1), the approval request is evaluated (11) and responded (11.1), so evaluation results are systematically recorded. logged in According to the result of the open consent search algorithm based on the information, by the system Is explicit consent sought? (12) and it is an inventory that requires express consent. result is produced. If explicit consent is not sought, the process is terminated (29). express consent whether the express consent of the personal data processed for a wanted inventory record has been completed. Will express consents be completed so that incompleteness can be recorded? (13) is asked. If an inventory record requires explicit consent, the system The open consent process starts automatically for the completion of the explicit consents. (14). Data is collected by the system for the implementation of the company's destruction policy. For destruction, the data destruction process starts (15) and then the process ends (29).

In the open consent process, the inventories that are required to be completed are selected and Inventory selections are made in order to complete the explicit consent of the relevant inventory (16).

Explicit consent texts are sent to the relevant persons in order to complete the express consent (17) and the requested information is given (6). Explicit consent after completion of explicit consents (17.1) process ends (29).

In the inventory review process, updating the inventory or destroying the company Is there any data that the policy should be applied to regularize the control? Inventory update and destruction depending on the automatically depending on the period defined in the system to start the processes. the process begins (18). In the system for an inventory that needs review the inventory review process by any user. It is provided that it can be started and the requested review here inventory selection is made (19). Inventory by the inventory manager Does it need updating or is there any personal data that needs to be destroyed (20) It is checked for processing into the system and the requested information is given in this process. (6). Inventory record that needs updating or personal items that need to be destroyed if there is an inventory update (21.2) after the data decision has been checked (21) the inventory update process starts (7) and the process ends (29). After check If there is data that needs to be destroyed, data destruction decisions are made during the data destruction (21.1) process. The company is controlled by KVKK Legal Officers (22). If decisions are rejected (22.1), the process ends (29). If the decisions are approved (22.2), which must be destroyed the data is destroyed by the responsible persons from the environments where the data is stored (23) and the process ends (29).

In the application and complaint management process, applications and complaint requests to companies application by the relevant person via the web portal in order to be transmitted digitally. or a complaint request is forwarded (24). For manual application and complaint requests the request is created through the system (25). Authentication by contact person done (26). Responses to the application and complaint by the contact persons the creation of it can be followed over the system and the relevant person is the subject. automatically to applications or complaints based on inventories. answers are prepared (27). In the meantime, the requested information is given (6). Data destruction (21.1) If desired, the data destruction process is started (15). Confirmation requested (27.1), confirmation request It is evaluated (11) and the result of the evaluation (27.2) is prepared. to the applicant The responses generated through the system are forwarded to the person making the request (28) and the process ends (29).

The open consent inquiry process can be systematically or triggered by the user. basses (30). Is the processed personal data shared abroad? (31) answer to the question If yes, is the shared country safe? (32) is determined. Data abroad sensitive data if not shared with and if the shared country is secure. Is there any sensitive data for the result whether there is data or not? It is controlled by the question (34).

If the shared country is not secure, KVK board permission and the other party adequate protection do you have a commitment? With the question (33) it is sought whether this commitment exists or not. Such a If there is no commitment, explicit consent is sought. Is there explicit consent? (41) proceeds to the process step.

If there is a commitment, is it sensitive data? (34) with the question Is controlled. If there is sensitive data, check if there is any health and sexual data. Do you have health and sexuality to do? (35) is asked. Health and sexual data Is there any exception? The answer to the question (36) is sought. If there is an exception, approval and warning text is displayed “Only within the scope of article 6.3 of the law this information can work, do you approve?” (37). If there is no exception, explicit consent is sought, there is explicit consent me? (41) proceeds to the process step. Has it been approved or not? (38) determined by the question. If consent is not given, explicit consent is sought. Is there consent? (41) proceeds to the transaction step. If consent has been given, check whether there is a retention period for the data. Is there a retention period for viewing? (39) is asked. There is a retention period data can be stored for as long as the data retention period specified in the relevant law (40). Data If there is no storage period, explicit consent is sought. Is there any explicit consent? (41) to the transaction step is passed. If the user has express consent to the processing or use of the data data may be stored depending on the data retention period specified in the express consent (42).

If there is no explicit consent, a data destruction policy should be implemented or explicit consent should be obtained (43).

Will you take action to obtain mandatory express consent? The answer to the question (44) is yes. If not, the explicit consent process is triggered (45), and if no, the data destruction process is triggered (46). Sensitive If there is no data and exception or there is no health and sexual data and there is an exception, the data is relevant. data can be stored for as long as the data retention period specified in the law (48).

The automatic response generation process to the application, systemically or user It starts by triggering (30). Is it a request for information or an action of the request subjects? my request is checked (52). Action request (52.1); requested data destruction, Assignments to the officials who will take action for update, transfer cancellation issues structures are recorded (60) and then the data destruction process is triggered (46). Information request (52.2); To check for associated inventory Is there any associated inventory? (53) is asked. no associated inventory on the other hand, the result is produced that no personal data is kept (54). associated If there is an inventory, the requested questions are checked (55). data abroad or If there is information (55.1) that it is shared with third parties, the inventories are visited and the related The data transfer information of the inventories is singularized and the answer text is in the form of a table. converted (59). There is information about how long personal data is kept (55.2) On the other hand, the data storage periods of the related inventories are singularized by browsing the inventories. For the same data types, it is converted into response text based on the longest durations (58).

If there is information (55.3) about the purpose for which personal data is kept, inventories The data processing purposes of the related inventories were singularized and the answer text was written. converted (57). If there is information (55.4) about data processing activities, by browsing the inventories and deduplicating the data processing activities of the related inventories. converted to the answer text (56).

Claims (8)

REQUESTS 1- Invention, within the scope of KVKK (Personal Data Protection Law); Processing, sharing, destroying personal data that are obliged to institutions, obtaining explicit consent for these issues, archiving, creating and managing personal data inventories (add, update, deletion), management of the digital platforms where personal data is kept within the institution with the specified functions, and at the same time, the customer It is related to the KVKK compliance standards management system, which was developed in order to receive and finalize the applications of external stakeholders such as suppliers, employees and employees within this scope. - collective inventory recording module that allows recording of multiple data at once, - single inventory recording/update that allows recording of a single data - open consent module where user's data processing permissions are made, - inventory review module where personal data is updated or destroyed, - about personal data Application and complaint management module, which allows to obtain information, destroy data or make a complaint to the institution, - the open consent inquiry module in which the user questions whether the data is shared with abroad and whether it is sensitive data, - the users' applications about their data, the status of the data automatically, and the request for action or information. It contains an automatic reply generation module to the application that responds with 2- According to claim 1, it is related to the KVKK compliance standards management system and method, and its feature is; - triggering by the user in the collective inventory module or with the process start (1) to start the systemically related process, - parameter definitions in order to process inventories into the system during the collective inventory recording process, making parameter management maintenance tables in the system (2), - personal Data inventories are characterized by the inventories being recorded in the system by adding line by line in the table logic (3) and ending the process (29) process steps. 5 3- According to claim 1, it is related to the KVKK compliance standards management system and method, and its feature is; - in the single inventory registration / update module, the process starts (1) for the user or to initiate the systemically related process (1), - any user can make a request for a new inventory record to be created in the system 10 in the single inventory registration module, - creating personal data inventories by asking questions to the user with the logic of the survey and answering the survey questions for inventory recording (5), 15 - requesting information (5.1) and providing the requested information to be recorded by providing any information request through the system during the processes (6 ), - answering the survey questions for the inventory record with the inform (6.1) process (5) and recording, 20 - keeping the inventory up-to-date with the start of the process (7), if there is an inventory record that needs to be updated at the end of the inventory review process, - controlling the critical inventory records Admin approval required for inventory posting on behalf of or? (8) asking the question, 25 - if the manager's approval is required, the manager checks the new inventory record and if the manager does not approve, it is sent back (9.1), otherwise it is approved (9-2), - the company KVKK Legal officer answers the survey questions (10) and 30 inventory surveys are completed. answering the legal questions in the list, - requesting additional approval in cases where approval is required (10.1), evaluating the approval request (11) and giving a response (11.1), thus systematically recording the evaluation results, resulting in the open consent search algorithm based on the information entered. According to the system, is explicit consent sought by the system? (12) to produce the result of whether there is an inventory where explicit consent is required, to terminate the process if explicit consent is not sought (29) and to record whether the express consent of the personal data processed for an inventory record for which explicit consent is sought is completed, will the express consents be completed? (13) asking the question and if it is an inventory record where explicit consents must be obtained, the system automatically initiates the explicit consent process for the completion of the explicit consent (14), the data destruction process begins for the destruction of the data by the system for the implementation of the company destruction policy (15) and then The termination of the process (29) is characterized by the fact that it includes process steps. 4- According to claim 1, it is related to the KVKK compliance standards management system and method, and its feature is; In the open consent module, the process starts (1) to initiate the relevant process by the user or systemically, if it is an inventory record that requires explicit consent, the open consent process is automatically started by the system for the completion of the explicit consent (14), the inventories desired to be completed are selected and the relevant inventory is entered. making inventory selections to complete their explicit consent (16). It is characterized by the fact that it includes the steps of sending explicit consent texts to the relevant persons to complete the explicit consent (17) and providing the requested information (6), terminating the explicit consent process after the completion of the explicit consents (17.1) (29). 5- According to the request, it is related to the KVKK compliance standards management system and method, and its feature is; In the inventory review module, in order to initiate the relevant process by the user or systemically, the process starts (1), the control is regularized if there is any data that needs to be updated in the inventory or the company destruction policy should be applied, and the inventory update and destruction processes are started depending on the result of the control, in a defined period in the system. Automatic process start (18), inventory review process can be started by any user in the system for an inventory that needs review, and selecting the inventory requested to be reviewed here (19), does the inventory need to be updated or destroyed by the inventory manager Is there any personal data required (20) to be checked for processing into the system and to provide the requested information in this process, to check the inventory record that needs to be updated or the personal data decision to be destroyed (21), to update the inventory (21.2) if any, the inventory update process starts (7) and the process ends (29), if there is data that needs to be destroyed after the control, the data destruction decisions are checked by the company KVKK Legal representatives during the data destruction (21.1) process (22), if the decisions are rejected (22.1), the process ends (29) is characterized by the fact that if the decisions are approved (22.2), the data that needs to be destroyed is destroyed by the responsible persons from the environments where the data is stored (23) and the process is terminated (29) includes the process steps. 6- According to claim 1, it is related to the KVKK compliance standards management system and method, and its feature is; In the application and complaint management module, in the inventory review module, the process starts for the user or to initiate the systemically related process (1), the application or complaint request is submitted by the related person via the web portal in order to send the application and complaint requests to the companies through the digital environment (24), manual creation of a request for application and complaint requests via the system (25), identity verification by the contact person (26), the creation of the answers regarding the application and complaint by the contact persons on the system, and automatic application or complaint depending on the inventories of the relevant person. preparing responses to requests (27) and providing the requested information (6), if data destruction (21.1) is requested, initiating the data destruction process (15), requesting approval (27.1), evaluation of approval request (11) and evaluation result (27.2) preparation, production to the applicant through the system. It is characterized by the fact that the answers received are forwarded to the person making the request (28) and the process is terminated (29). 7- According to claim 1, it is related to the KVKK compliance standards management system and method, and its feature is; In the open consent inquiry module, systemically or triggered by the user (30), is the processed personal data shared with abroad? Asking the question (31) and if the answer is yes, is the shared country safe? (32) Is there any sensitive data for the conclusion of whether there is a sensitive data if it is determined whether the data is not shared with abroad and if the shared country is secure? (34) to be checked with the question, if the agreed country is not safe, is there a KVK board permission and adequate protection commitment from the other party? Asking whether this commitment exists or not with the question (33), if there is no such commitment, explicit consent is sought. Is there explicit consent? (41) proceeding to the transaction step, if there is a commitment, is there any sensitive data, is there any sensitive data? Checking with the question (34), if there is sensitive data, is there health and sexual data to check if there is a health and sexual data? Is there an exception if the question (35) contains health and sexual data? Searching for the answer to the question (36), and if there is an exception, the confirmation and warning text is displayed. (37) For the process step, if there is no exception, explicit consent is sought. Is there explicit consent? (41) Is it given to proceed to the process step, whether it is approved or not? If it is determined by the question (38) and if approval is not given, explicit consent is sought. Is there explicit consent? (41) Is there a retention period to view whether the data has a retention period, if proceeding to the processing step and consent is given? Asking the question (39), if there is a retention period, the data can be stored for as long as the data retention period specified in the relevant law, (40) if there is no data retention period, explicit consent is sought. Is there explicit consent? (41) proceeding to the processing step, if the user has explicit consent in the processing or use of the data, the data can be stored depending on the data retention period specified in the explicit consent (42), if there is no explicit consent, the data destruction policy is operated or explicit consent is obtained (43), mandatory explicit consent Will you take action to obtain consent? If the answer to the question (44) is yes, triggering the explicit consent process (45), if no, triggering the data destruction process (46), if there is no sensitive data and exception, or if there is no health and sexual data and there is an exception, the data can be stored for the data retention period specified in the relevant law. (48) is characterized by including process steps. 8- According to claim 1, it is related to the KVKK compliance standards management system and method. starting the application systemically in the automatic response generation module or triggered by the user (30), checking whether the request subjects are information requests or my action request (52), if it is an action request (52.1); Assigning duties to the authorities who will take action for the requested data destruction, updating, transfer cancellation issues, keeping records (60) and then triggering the data destruction process (46), information request (52.2); Is there any associated inventory to check for associated inventory? Asking the question (53), producing a result that no personal data is kept if there is no associated inventory (54), checking the requested questions if there is an associated inventory (55), if there is information that the data is shared abroad or to third parties (55.1), converting the data transfer information of the related inventories into the answer text in the table structure by browsing through the inventories (59), if there is information about how long the personal data is kept (55.2), the data storage times of the related inventories are individualized by browsing the inventories and the response text is based on the longest periods for the same data types. (58), if there is information about the purpose for which personal data is kept (55.3), transforming the related inventories into an answer text by singularizing the data processing purposes by visiting the inventories (57), if there is information about data processing activities (55.4), if there is information about the data processing activities (55.4), the inventories can be visited and the related inventories can be processed for data processing. to singularize activities k is characterized by converting it to the answer text.