In order to make Europe fit for the new digital era and to reflect the digital world we are living in, the European Commission enacted the General Data Protection Regulation (the GDPR). In preparing the GDPR, the EU codified European standard practices concerning the processing of personal data. The GDPR is a new set of rules with implications for businesses and individuals in Europe. Data subjects, such as consumers, receive more rights to control their personal data and more rights to protect them. The GDPR is directly applicable in all member states because it is a European regulation, not merely a guideline. The GDPR became effective on May 25, 2018.
The Turkish Law on the Protection of Personal Data (the Turkish DPL) became fully effective on 7 October 2016 and was enacted in accordance with the European Directive 95/46/EC from 1995 and the GDPR. Data protection is a fundamental right in both Turkey and the EU. The European Commission supported the Turkish Parliament in the legislation of the Turkish DPL. The ambition and function of the DPL are the same as in the GDPR: data subjects get more rights concerning the processing of their personal data, and their data are controlled in a more efficient way.
Art. 1 of the GDPR names the ambition of the law: first, the right to protection of personal data during processing, but also the basic principle of the free flow of data. ‘Personal data’ is defined in Art. 4 GDPR as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. ‘Processing’ means any operation performed on personal data such as “collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. The GDPR also distinguishes between the ‘processor’ and the ‘controller’. ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. ‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. An organisation can be both controller and processor, but it need not be.
Art. 2 of the Turkish DPL defines personal data as ‘all information relating to an identified or identifiable natural person’. Furthermore, art. 6 defines race, ethnicity, political view, religion, appearance, membership of associations, foundations or trade unions, health condition, sexual life, and biometric and genetic information of a person as a ‘special category’ of sensitive data. Under the DPL, ‘processing’ is defined as any kind of operation on personal data such as collection, recording, storage, retention, alteration, re-organisation, disclosure, transferring, taking over, making retrievable, classification or preventing the use thereof. Art. 9 of the GDPR, in turn, describes the ‘processing of a special category of personal data’, meaning data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, health data or data concerning a person’s sexual life or sexual orientation. Processing of these kinds of personal data shall be prohibited. To sum up, the Turkish definitions are similar, almost identical, to the European ones, although the definition of personal data in the Turkish regulation leaves room for interpretation.
Scope of application
The Turkish DPL applies to all Turkish agencies and companies. It also applies to natural persons, as well as to natural or legal persons, whose personal data are processed by fully or partly automated systems. The GDPR in turn applies to every agency or company which has an establishment in the Union and which processes personal data. Furthermore, the regulation applies not only to EU-based agencies or companies; the reach of the GDPR extends beyond the borders of the European Union. Any international company based outside the EU that processes the personal data of people who are in the territory of the EU must comply with the GDPR if it (1) offers goods or services to them or (2) monitors the behaviour of EU citizens, even if it has no business presence within the EU. The entities most affected by the GDPR are software companies, financial services, online services, online retailers and technology agencies: in other words, any business which interacts with and processes the data of people who either live in or stay temporarily in the Union. In such cases, the regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
Even though data protection standards existed in the EU before, the GDPR is a large innovation. It is an innovation established against the big data trend, whose focus is on collecting and analysing as much data as possible in order to gain new insights into what consumers purchase and how they behave. One of the biggest tenets of the GDPR is the principle of data minimisation, which means that the data collected from a data subject must be relevant for the specific purpose, limited to what is necessary, but still sufficient to fulfil the purpose for which they were collected.
The fundamental principles of the GDPR are similar to those of the Turkish DPL. According to section 4 of the Turkish DPL, any data processing (a) must be conducted lawfully and in good faith, (b) must be accurate and, where necessary, kept up to date, (c) must have a specific, clear and legitimate purpose, (d) must be limited to, proportionate to and relevant to the purpose for which the data are processed and (e) must be retained only for the time necessary for that purpose and as required under the relevant legislation. In terms of the GDPR, personal data shall be (a) processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’), (b) collected for specified, explicit and legitimate purposes (‘purpose limitation’), (c) adequate, relevant and limited to what is necessary (‘data minimisation’), (d) accurate and, where necessary, kept up to date; additionally, inaccurate data must be erased or rectified without delay (‘accuracy’), (e) kept in a form which permits identification of the data subject for no longer than is necessary for the purpose for which the personal data are processed (‘storage limitation’), and (f) processed in a manner that ensures appropriate security of the personal data (‘integrity and confidentiality’). As can be seen, the fundamental principles of the two regulations have approximately the same content.
Rights of a data subject
Article 7 of the Turkish DPL requires personal data to be deleted or anonymised if the reason for processing them ceases to exist. According to section 11 (1), each person has the right to request information about the processing of his or her personal data, to know the purpose of the processing, to receive information about the third parties to whom the personal data are transferred, to request the rectification of incomplete or inaccurate data and to request the erasure or destruction of his or her personal data under the conditions of article 7. The data subject also has the right to object to processing. The GDPR provides exactly the same rights for data subjects. However, art. 17 of the GDPR sets out requirements for how personal data are to be erased and, unlike the Turkish DPL, lists a long series of situations in which personal data can be erased. This article also recognises the ‘right to be forgotten’, which is not mentioned in the Turkish DPL.
Data Protection Officer
In accordance with art. 37 of the GDPR, certain companies must designate a data protection officer (DPO). Every controller or processor shall engage a DPO where (1) the processing is carried out by a public authority or body or (2) the core activities of the controller or processor consist of data processing operations. Every DPO should have professional experience of data protection law, and that experience should be proportionate to the operations which the organisation carries out. The DPO can be part of the organisation or externally appointed. In addition, one DPO can be appointed for more than one company or agency. The tasks of the DPO are set out in article 39 GDPR. The DPO informs and advises the controller, the processor and the employees of their obligations and rights. Additionally, he or she monitors compliance with the GDPR, cooperates with the supervisory authority and acts as a contact point. There is no comparable role in the Turkish DPL.
According to article 51 GDPR, every member state of the EU shall provide one or more independent public authorities to monitor the application of the GDPR; they are called supervisory authorities. All supervisory authorities shall cooperate with each other and with the European Commission, and they shall contribute to the consistent application of the regulation. They are also part of the European Data Protection Board (the EDPB). The EDPB in turn is independent and not bound by the instructions of any governmental body. Its function is to advise on the application of data protection in the EU, and it is authorised to develop guidelines and methods for data protection issues. The head of each national supervisory authority sits on the EDPB as a member. Additionally, the European Data Protection Supervisor is part of the EDPB.
The Turkish DPL established the Personal Data Protection Authority, which is responsible for following the latest developments, giving recommendations and cooperating with public institutions. The law also established the Personal Data Protection Board, which acts as an independent supervisory body to ensure compliance with the DPL. This Board of nine members decides on important cases in the field of data protection. Five of its members are elected by the Turkish Parliament, two by the President of Turkey and two by the Council of Ministers. The notable difference between the two regulations is that, under the Turkish DPL, the President of Turkey is the head of the Authority and the Board.
The exceptions are set out in article 28 of the Turkish DPL. They include cases where personal data are processed for preventive or protective activities by public institutions and organisations assigned and authorised to provide national defence, national security, public safety, public order or economic security, or where criminal investigations, prosecutions or cases are carried out by judicial bodies and enforcement offices. Furthermore, processing conducted purely for personal activities or for official statistics, research, artistic, historical or scientific purposes is also allowed. Art. 2 (2) GDPR mentions similar exceptions: the regulation does not apply to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security. Personal activities and processing for household purposes are also excluded from the scope of application. However, recital 159 of the GDPR states that processing for, e.g., scientific research falls, unlike under the Turkish DPL, within the scope of the GDPR. Therefore, the list of exceptions in the Turkish DPL is longer than in the GDPR, but the items listed there correspond to those in the GDPR.
Breaches and hacks
According to art. 33 and 34 GDPR, organisations are obliged to report any hacks or breaches which are likely to result in a risk to the rights and freedoms of the individuals affected. The company is obliged to stop such breaches. Companies are also obliged to deliver a breach notification stating the categories of data, the number of individuals affected and the potential consequences of the data breach. Article 12 (1) of the Turkish DPL in turn sets the obligation to prevent the unlawful processing of, and unauthorised access to, personal data. Companies must take the necessary technical and administrative measures to provide the appropriate level of security. This indicates that the aim has been to reach the same security level in both regulations; however, the GDPR sets more requirements, whereas the Turkish DPL does not require companies or organisations to, for example, make a breach notification.
According to article 17 of the Turkish DPL, criminal sanctions for breaches are set out in articles 135-140 of Turkish Criminal Code No. 5237. These cover actions such as unlawfully collecting, transferring or making available personal data. Besides the reference to the Criminal Code, the law provides for administrative sanctions: fines range from 5.000 TRL to a maximum of 1.000.000 TRL, which is approximately 187.000 euros. Penalties may be imposed if companies are not compliant with the information notice requirements, the data security obligations, the orders of the data protection authority or the data controllers’ registry requirements.
The maximum fine of 20 million euros or four percent of worldwide turnover is regulated in art. 83 (5) of the GDPR, which gives examples such as breaches of the fundamental principles for processing, unauthorised international transfers of personal data, non-compliance with orders given by the supervisory authority, or refusal to let a data subject access his or her data. This can mean billions for some companies. A lower fine of at most 10 million euros or two percent of worldwide turnover, set out in art. 83 (4), applies, for example, to controllers or processors who fail to comply with their obligations under the GDPR. Therefore, there is a clear difference between the regulations when it comes to the amounts of the fines. Even though both regulations provide for fines that may be imposed as a result of non-compliance, the GDPR certainly works as a more powerful deterrent.
In summary, the Turkish DPL is basically in line with the GDPR. There are many similarities in the definitions, procedures and methods concerning data protection. Both are oriented towards the new digital era, and both aim to contribute to the free movement of data. The fundamental principles of lawful, transparent and accurate processing, minimisation and legitimate purpose also correspond in both regulations. However, there are some differences: for example, the GDPR provides for the DPO, who acts as a liaison between companies, agencies and the supervisory authorities, and who monitors compliance with the GDPR within organisations and agencies. The national public authorities are independent agencies that monitor the application of the GDPR. Furthermore, on the European scale, the EDPB, an independent European authority, was established to advise on and oversee data protection in the EU. The DPOs, public authorities and the European Data Protection Supervisor are highly qualified and supported by the European Union in the exercise of their functions. Therefore, unlike under the Turkish DPL, compliance with the GDPR is ensured in multiple ways by all these independent institutions. Additionally, the right to be forgotten is not mentioned in the Turkish DPL.
Overall, the Turkish DPL is altogether less comprehensive and more abstract than the GDPR. The Turkish DPL consists of 33 articles, whereas the GDPR comprises 99 articles. The GDPR is very detailed when it comes to definitions and the differentiation of certain stipulations.
Harmonising the personal data regulations with the EU was clearly one of the aims of the Turkish DPL. If a Turkey-based company applies the Turkish DPL, it is easy for that company to be compliant with the GDPR because of the similarities between the two regulations. However, since there are a few differences between the regulations, Turkish companies having customers or doing business in the EU should be aware of those differences and also comply with all the requirements of the GDPR.