Ercüment Erdem Att. Idil Uz

Turkish Personal Data Protection Law No. 6698 and European General Data Protection Regulation

January 2020

Introduction

In line with recent developments in data processing technology, the concepts of personal data and the protection of such data have begun to gain a legal dimension in most countries. This concept, which can be adapted to the legal order of each country, is compatible with personal rights in most legal systems. Because this legal field has universal characteristics, each country adapts this branch of law to its own legal system with its own revisions.

Turkish Personal Data Protection Law No. 6698 (Kişisel Verilerin Korunması Kanunu (“KVKK”)) entered into force on 7 April 2016, shortly before the European General Data Protection Regulation[1] (“GDPR”). Although there are many similarities between the KVKK and the GDPR, it is not possible to speak of complete compatibility between the two, since the wording and structure of the KVKK take as their reference Directive No. 95/46/AT on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data, which was in force before the GDPR.

This article sets out the similarities and differences between the KVKK and the GDPR, and shows that data controllers who fall within the scope of both Regulations are obliged to comply with both of them.

In General

Both the KVKK and the GDPR aim to protect the privacy of the individual and to ensure data security by regulating the obligations, procedures and principles to be followed by natural and legal persons who process personal data. In addition, both Regulations aim to prevent the unlimited and indiscriminate collection of personal data, access by unauthorized persons, and the disclosure or violation of personal rights that results from the misuse of personal data.[2]

Although both pieces of legislation regulate the same subject matter with the same aim, there are some differences between them arising from the national characteristics of the respective legal systems.

Main Differences between KVKK and GDPR

  • Liability Arising from Data Breach. Pursuant to Article 82 of the GDPR, “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.” As is clear from this Article, the GDPR holds the data processor[3] liable, as well as the data controller, for the damages arising from a data breach. By contrast, pursuant to paragraph 2 of Article 18 of the KVKK, “The administrative fines listed in this Article shall be applicable to natural and legal persons who are data controllers.” In brief, the KVKK regulates the responsibilities of data controllers and data processors separately, and holds only the data controller liable for the administrative fines regulated by the law. Within this scope, the recourse relationship between the data controller and the data processor is reserved.
  • Data Protection Officer and Data Protection Representative. There are two distinct concepts that are not regulated in the KVKK, but whose appointment is required under the GDPR when the specified conditions are met. These are the data protection officer (“DPO”) and the data protection representative (“DPR”). Pursuant to Article 37 of the GDPR, it is compulsory to designate a DPO where i) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; ii) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or iii) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9, or personal data relating to criminal convictions and offences referred to in Article 10. Similarly, pursuant to Article 27 of the GDPR, data controllers who are not resident/established in the EU are obliged to designate a DPR who is resident/established in one of the EU countries, except where i) the data processing is occasional and does not include large-scale processing of sensitive personal data, or ii) the controller is a public authority or body.
  • Data Protection Impact Assessment. Article 35 of the GDPR stipulates that a Data Protection Impact Assessment (“DPIA”) shall be carried out in the case of i) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly and significantly affect the natural person; ii) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or iii) a systematic monitoring of a publicly accessible area on a large scale. No assessment of this kind is regulated under the KVKK.
  • Registry of Data Controllers. Unlike the GDPR, the KVKK imposes on data controllers, apart from certain exceptions, an obligation to register with the Data Controllers Registry, namely VERBİS. This Registry forms part of the obligation to prepare a data inventory (one of the obligations under the KVKK), and provides the framework of the data inventory in which the data controller is obliged to reflect its data processing activities as comprehensively as possible. The deadline for fulfilling the VERBİS registration obligation for natural and legal person data controllers whose annual number of employees is more than 50, or whose annual financial balance sheet total is greater than 25 million TL, or who are resident/established abroad, is 06.2020. If the registration obligation is not fulfilled, administrative fines from 20.000 Turkish Liras to 1.000.000 Turkish Liras may be imposed.
  • Recording of Processing Activities. In contrast to the KVKK's registration obligation with the Data Controllers Registry, the GDPR contains no requirement to publicize processing activities on a public platform. Data controllers are obliged to keep records containing the information specified under Article 30 of the GDPR, and to make these records available to the Data Protection Authority when necessary. The same obligation exists under the KVKK as the obligation to prepare an inventory, the content of which is regulated under the Regulation on the Data Controllers Registry.
  • Administrative Fines. The administrative fines regulated under the GDPR are considerably higher than those regulated in the KVKK. While the upper limit of fines under the KVKK is stipulated as between 20.000 TL and 1.000.000 TL, the upper limit under the GDPR can be set at 20.000.000 TL, or 4% of the annual turnover of the previous fiscal year.
  • Right to be forgotten. Although, among the rights of the data subject, the KVKK regulates the right to obtain information from the data controller about the personal data subject to processing and to request its deletion, the GDPR regulates the right to be forgotten in more detail. Pursuant to Article 17 of the GDPR, the data controller shall have the obligation to erase the personal data without undue delay when: i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; ii) the data subject withdraws consent upon which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; iii) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); iv) the personal data have been unlawfully processed; v) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; vi) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

Territorial Scope

Pursuant to Article 3 of the GDPR:

  1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether or not the processing takes place in the Union.
  2. This Regulation applies to the processing of personal data of data subjects who are in the Union, by a controller or processor not established in the Union, where the processing activities are related to:
    1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
    2. the monitoring of their behavior as far as their behavior takes place within the Union.
  3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

To summarize, the GDPR applies when i) data controllers and processors are established in the EU, whether or not the processing takes place in the EU; ii) personal data of data subjects who are in the EU are processed by non-EU data controllers or data processors for the offering of goods and services, or for monitoring behavior taking place in the EU; or iii) the national law of an EU member state is applicable to the case. Consequently, all providers of goods and services with a customer base in the EU, and any website or mobile application that uses online behavioral advertising mechanisms, must carry out their data processing activities in accordance with the GDPR.[4]

For its part, the KVKK is a law that covers all natural and legal persons who carry out their data processing operations in Turkey. Although the KVKK does not contain a provision as clear as that of the GDPR, it has been established through the guidelines and decisions of the Personal Data Protection Board (“Board”) of the Turkish Data Protection Authority that data controllers resident abroad who carry out their data processing operations in Turkey are obliged to register with the Data Controllers Registry, whether or not their annual number of employees is greater than 50 or their annual financial balance sheet total is more than 25 million TL.[5] Moreover, pursuant to paragraph 1(c) of Article 5 of the Regulation on the Data Controllers Registry, “Data controllers who are not resident in Turkey shall register with the Registry through its representative before starting to process data.” Therefore, data controllers and data processors who fall within the scope of the KVKK (that is, data controllers and data processors who carry out data processing in Turkey) are obliged to act in accordance with the KVKK and the relevant legislation, whether or not they are resident in Turkey.

In addition, in a public release dated 08.11.2019, the Board emphasized that conformity with the provisions of the GDPR is not sufficient to fulfill the requirements of the KVKK, stating: “In the said texts prepared for the purpose of fulfilling the obligation of clarification by the data controllers, the statements of the data controllers for compliance with the GDPR would not abolish their obligations according to Personal Data Protection Law No. 6698, and along with the references to the provisions of the GDPR, the policies and the rules stated in the said clarification texts must first be in compliance with Personal Data Protection Law No. 6698.”[6]

Conclusion

Although the GDPR and the KVKK, which are both personal data protection legislations, regulate the same subject matter with the same aim, there are some differences between them arising from the national characteristics of the respective legal systems. Therefore, data controllers and data processors who fall within the scope of both legislations at the same time are obliged to comply fully with both. Moreover, in a public release made to this end, the Board stated that it would not be sufficient for data controllers who fall within the scope of both legislations to state that they are in compliance with only one of them.

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC (Access Date: 27.01.2020).

[2] Personal Data Protection Board, Implementation Guidance on Personal Data Protection Law (Access Date: 27.01.2020).

[3] Ünsal Özden, Sevgi: The Concepts of Personal Data, Data Processor, Data Controller and Contact Person within the scope of Personal Data Protection Legislation, Erdem&Erdem Newsletter, September 2019.

[4] Uludere, Eda: The EU General Data Protection Regulation and Its Territorial Scope, Erdem&Erdem Newsletter, April 2017.

[5] https://verbis.kvkk.gov.tr/UploadedFiles/SORULARLA_VERBİS.pdf, https://www.kvkk.gov.tr/Icerik/5545/2019-225 (Access date: 27.01.2020).

[6] https://www.kvkk.gov.tr/Icerik/6561/KAMUOYU-DUYURUSU (Access date: 27.01.2020).