Comparison of EU Law and Turkish Law on the protection of personal data

As technology has become central to our lives, more attention and care must be given to issues such as the privacy of private life and the protection of personal rights and fundamental freedoms. Recent developments in data collection, processing, and storage technology have led to legal regulation that protects the confidentiality of personal data and governs all data operators. Turkish Personal Data Protection Law No. 6698 (Kişisel Verilerin Korunması Kanunu, "KVKK") entered into force on April 7, 2016, and the European Union's General Data Protection Regulation (GDPR) entered into force on May 24, 2016 and has been applicable in all member states since May 25, 2018.

The Turkish Personal Data Protection Law (KVKK) and the General Data Protection Regulation (GDPR) are both regulations that protect individuals' privacy rights and information security. Both play an important role in protecting people's personal data and in ensuring data security through regulation. Although KVKK and GDPR are founded on legal rules that serve the same purposes, they were drafted in different legal systems and have differing provisions.

We will examine the main differences between GDPR and KVKK in this article.

Differences

The Scope of Application

The scope of KVKK covers the personal data processing operations of all natural persons and legal entities in Turkey; it therefore applies to all natural persons and legal entities active in Turkey. The scope of the GDPR, however, is broader than that of KVKK. GDPR imposes restrictions on all companies that collect, process, and store personal data of anyone living in the European Union. Therefore, if natural persons or legal entities based in Turkey process data of a person or entity located in the EU, they must comply not only with KVKK but also with GDPR.

Criminal Liability

First, KVKK stipulates that individuals and legal entities who are data controllers shall be held liable for administrative fines arising from the non-execution of personal data processing activities. The corresponding GDPR provisions state that not only data controllers but also data processors shall be held liable for administrative fines. The upper limit of the penalty under KVKK is set at 1.000.000 TL (for the year 2020). Under the GDPR, however, the penalty is set at 4% of the annual global turnover or 20.000.000 Euro, whichever is higher. GDPR provisions are more dissuasive for many companies.

Data Protection Officer (DPO)

One of the important concepts included in the GDPR but not in KVKK is the data protection officer (DPO). The main role of the data protection officer is to supervise a company's data protection policy and its implementation to ensure compliance with GDPR requirements. The data protection officer plays a significant role in every company, acting as a bridge between GDPR and the company. If companies in the EU collect or process EU citizens' data, DPOs are responsible for educating the company and its employees on compliance, training staff involved in data processing, and conducting regular security audits. However, this concept, or a similar one, does not yet exist in KVKK.

Turkish Registry of Data Controllers (VERBIS)

VERBIS is a record kept by the Presidency of the Personal Data Protection Authority, and it is mandatory for individuals and legal entities who process personal data to be registered in this registry. Although this requirement is stipulated under KVKK, it is not applicable under GDPR. Within the scope of KVKK, administrative fines of up to 1.000.000,00 TL (for 2020) may be issued to data controllers who fail to fulfill the requirement to register with VERBIS. In line with KVKK, the deadlines to register with VERBIS are as follows:

  • For companies processing data of individuals and legal entities, with fewer than 50 employees annually and an annual financial balance sheet of less than 25 million TL, and whose main activity is to process special personal data, the deadline is September 30, 2020.
  • For companies processing data of individuals and legal entities, with more than 50 employees annually and an annual financial balance sheet of more than 25 million TL, and whose main activity is to process special personal data, the deadline is June 30, 2020.
  • For companies which are based abroad and process data of individuals and legal entities based in Turkey, the deadline is June 30, 2020.
  • For government institutions and organizations, the deadline is December 31, 2020.

Right to Erasure (Right to be forgotten)

The right to be forgotten is intended to prevent a person from being negatively affected in the future by an event he or she caused in the past. Under Article 17 of the GDPR, individuals have the right to have their personal data erased. Although KVKK has a similar arrangement, GDPR is also very comprehensive regarding the right to be forgotten. The provision within the scope of the right to be forgotten in KVKK is stipulated under Article 7: “Those who do not delete or anonymize personal data shall be penalized”. Also, the term “right to be forgotten” is legally solidified as a human right, as per the ruling against Google in the Costeja case by the European Court of Justice dated May 13, 2014.

Conclusion

Although GDPR and KVKK both codify the same subject of personal data protection, there are significant differences between them. In cases where personal data is obtained, processed, or transferred in both Turkey and the European Union, both GDPR and KVKK may be applicable.

You may contact us for detailed information about legal compliance with Turkish personal data regulations, KVKK, and GDPR.