Turkish Personal Data Protection Law No. 6698 and European General Data Protection Regulation

January 2020 İdil Uz

Introduction

In line with recent developments in data processing technology, the concepts of personal data and the protection of such data have gained a legal dimension in most countries. This concept, which can be adapted to the legal order of each country, is compatible with personal rights in most legal systems. Therefore, although this field of law has universal characteristics, each country adapts it to its own legal system with its own revisions when incorporating it into its legislation.

Turkish Personal Data Protection Law No. 6698 (Kişisel Verilerin Korunması Kanunu (“KVKK”)) entered into force on 7 April 2016, shortly before the European General Data Protection Regulation[1] (“GDPR”). Although there are many similarities between the KVKK and the GDPR, it is not possible to say that the two are fully compatible, since the wording and structure of the KVKK took as its reference Directive No. 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data, which was in force before the GDPR.

This article sets out the similarities and differences between the KVKK and the GDPR, and shows that data controllers who fall within the scope of both must comply with both.

In General

Both the KVKK and the GDPR aim to protect the privacy of individuals and to ensure data security by regulating the obligations, procedures and principles to be followed by natural and legal persons who process personal data. Both also aim to prevent the unlimited and indiscriminate collection of personal data, access by unauthorized persons, and the disclosure or violation of personal rights resulting from the misuse of personal data.[2]

Although the two pieces of legislation cover the same scope with the same aim, there are differences between them that stem from the national character of their respective legal systems.

Main Differences between KVKK and GDPR

  • Liability Arising from Data Breach. Pursuant to Article 82 of the GDPR, “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” As this Article makes clear, the GDPR holds the data processor[3] liable, as well as the data controller, for damages arising from a data breach. By contrast, pursuant to paragraph 2 of Article 18 of the KVKK, “The administrative fines listed in this Article shall be applicable to natural and legal persons who are data controllers.” In brief, the KVKK regulates the responsibilities of data controllers and data processors separately and holds only the data controller liable for the administrative fines it prescribes; the right of recourse between the data controller and the data processor is reserved.
  • Data Protection Officer and Data Protection Representative. Two concepts that are not regulated in the KVKK, but which the GDPR requires to be designated when the conditions it specifies are met, are the data protection officer (“DPO”) and the data protection representative (“DPR”). Pursuant to Article 37 of the GDPR, it is compulsory to designate a DPO where i) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; ii) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or iii) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9, or of personal data relating to criminal convictions and offences referred to in Article 10. Similarly, pursuant to Article 27 of the GDPR, data controllers who are not established in the EU are obliged to designate a DPR established in one of the EU Member States, except where i) the processing is occasional and does not include large-scale processing of sensitive personal data, or ii) the controller is a public authority or body.
  • Data Protection Impact Assessment. Article 35 of the GDPR stipulates that a Data Protection Impact Assessment (“DPIA”) shall be carried out in the case of i) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; ii) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or iii) systematic monitoring of a publicly accessible area on a large scale. The KVKK regulates no assessment of this kind.
  • Registry of Data Controllers. Unlike the GDPR, the KVKK imposes on data controllers, apart from certain exceptions, an obligation to register with the Data Controllers Registry (VERBİS). This Registry is part of the obligation to prepare a data inventory (one of the obligations under the KVKK) and forms the framework of that inventory, in which the data controller is obliged to reflect its data processing activity as comprehensively as possible. The deadline for fulfilling the VERBİS registration obligation for natural and legal person data controllers whose annual number of employees exceeds 50, whose annual financial balance sheet total exceeds TRY 25 million, or who are established abroad, is 06.2020. If the registration obligation is not fulfilled, administrative fines from TRY 20.000 to TRY 1.000.000 may be imposed.
  • Recording of Processing Activities. In contrast to the KVKK's obligation to register with the Data Controllers Registry, the GDPR does not require processing activities to be published on a public platform. Data controllers are obliged to keep records containing the information specified under Article 30 of the GDPR and to make these records available to the Data Protection Authority when necessary. The KVKK stipulates the same obligation as the inventory preparation obligation, the content of which is regulated under the Regulation on the Data Controllers Registry.
  • Administrative Fines. The administrative fines under the GDPR are considerably higher than those under the KVKK. While the upper limits of fines under the KVKK range between TRY 20.000 and TRY 1.000.000, the upper limit under the GDPR may be set at EUR 20.000.000 or 4% of the annual turnover of the preceding fiscal year.
  • Right to be Forgotten. Although the KVKK, among the rights of the data subject, regulates the right to obtain information from the data controller about the personal data being processed and to request its deletion, the GDPR regulates the right to be forgotten in more detail. Pursuant to Article 17 of the GDPR, the data controller is obliged to erase the personal data without undue delay where: i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; ii) the data subject withdraws the consent on which the processing is based according to point (a) of Article 6(1) or point (a) of Article 9(2), and there is no other legal ground for the processing; iii) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); iv) the personal data have been unlawfully processed; v) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; vi) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

Territorial Scope

Pursuant to Article 3 of the GDPR;

  1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether or not the processing takes place in the Union.
  2. This Regulation applies to the processing of personal data of data subjects who are in the Union, by a controller or processor not established in the Union, where the processing activities are related to:
     (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
     (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
  3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

To summarize, the GDPR applies when i) data controllers and processors are established in the EU, whether or not the processing takes place in the EU; ii) the personal data of data subjects in the EU are processed by non-EU data controllers or data processors for the offering of goods and services, or for the monitoring of behaviour taking place in the EU; or iii) the national law of an EU Member State is applicable to the case. Consequently, all providers of goods and services with a customer base in the EU, and any website or mobile application that uses online behavioural advertising mechanisms, must carry out their data processing activities in accordance with the GDPR.[4]

Likewise, the KVKK covers all natural and legal persons who carry out data processing in Turkey. Although the KVKK does not regulate its territorial scope as clearly as the GDPR, the guidelines and decisions of the Personal Data Protection Board (“Board”) of the Turkish Data Protection Authority have established that data controllers resident abroad who carry out data processing in Turkey are obliged to register with the Data Controllers Registry, regardless of whether their annual number of employees exceeds 50 or their annual financial balance sheet total exceeds TRY 25 million[5]. Moreover, pursuant to paragraph 1(c) of Article 5 of the Regulation on the Data Controllers Registry, “Data controllers who are not resident in Turkey shall register with the Registry through its representative before starting to process data.” Therefore, data controllers and data processors within the scope of the KVKK (that is, those carrying out data processing in Turkey) are obliged to act in accordance with the KVKK and the relevant legislation, whether or not they are resident in Turkey.

In addition, in a public release dated 08.11.2019, the Board emphasized that compliance with the provisions of the GDPR is not enough to fulfil the requirements of the KVKK, stating: “In the said texts prepared for the purpose of fulfilling the obligation of clarification by the data controllers, the statements of the data controllers for compliance with the GDPR would not abolish their obligations according to Personal Data Protection Law No. 6698, and along with the references to the provisions of the GDPR, the policies and the rules stated in the said clarification texts must first be in compliance with Personal Data Protection Law No. 6698.”[6]

Conclusion

Although the GDPR and the KVKK, both personal data protection legislations, cover the same scope with the same aim, there are differences between them that stem from the national character of their respective legal systems. Therefore, data controllers and data processors who fall within the scope of both at the same time are obliged to comply with both in full. In the public release issued to this end, the Board also stated that it would not be sufficient for data controllers within the scope of both legislations to declare compliance with only one of them.

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC (Access Date: 27.01.2020).

[2] Personal Data Protection Board, Implementation Guidance on Personal Data Protection Law, https://www.kvkk.gov.tr/Icerik/4197/Kisisel-Verilerin-Korunmasi-Kanununa-Iliskin-Uygulama-Rehberi (Access Date: 27.01.2020).

[3] Ünsal Özden, Sevgi, The Concepts of Personal Data, Data Processor, Data Controller and Contact Person within the scope of Personal Data Protection Legislation, Erdem&Erdem Newsletter, September 2019.

[4] Uludere, Eda, The EU General Data Protection Regulation and Its Territorial Scope, Erdem&Erdem Newsletter, April 2017.

[5] https://verbis.kvkk.gov.tr/UploadedFiles/SORULARLA_VERBİS.pdf ; https://www.kvkk.gov.tr/Icerik/5545/2019-225 (Access date: 27.01.2020).

[6] https://www.kvkk.gov.tr/Icerik/6561/KAMUOYU-DUYURUSU (Access date: 27.01.2020).

