Comparison on Personal Data Protection Law (Will be referred as “KVKK") and General Data Protection Regulation (Will be referred as “GDPR”)
a. Record-Keeping Duty of The Controller and Processor
b. Data Protection Officer
c. Data Protection Impact Assessment
d. Protective Measurements for Children
e. Privacy Notice
f. Data Retention Policies
III.Public Announcement Dated 08.11.2019
Since the territorial scope of KVKK cannot be determined from its text due to the lack of a relevant provision, it is not clear whether data subjects or controllers, or processors not located in Turkey shall be subject to KVKK. GDPR, however, is suitable to be applied worldwide considering the article stipulating that all controllers and processors offering goods or services to the data subjects in the EU, or monitoring their behaviour taking place in the EU, shall be subject to GDPR regardless of their location if they process the personal data of such data subjects in the context of these activities. Within the scope of these activities, they process the personal data of such data owners
Moreover, the Regulation also applies when a controller or a processor has an establishment in the European Union and processes personal data in the scope of this establishment’s activities, no matter where the processing takes place. Nevertheless, it is important to remember that KVKK will be applied to all firms established under Turkish Laws, and all legal persons processing personal data inside the Turkish borders.
a. GENERAL PRINCIPLES
b. CONDITIONS FOR PROCESSING PERSONAL DATA
Even though the above-mentioned differences between these two legislations regarding the general principles and conditions for processing data are seemingly very minimal, communiques and by-laws listed in the “Further Reading” section establish extensive obligations that will be explained in later subparagraphs.
c. RECORD-KEEPING DUTY OF THE CONTROLLER AND PROCESSOR
Another issue to be considered is the comparison between the national data registry containing general information about controllers as well as their data processing activities under KVKK and the record-keeping duties of the controller and processor under GDPR.
Controllers employing 250 or more persons shall maintain, under GDPR, a detailed record of their processing activities and keep that record available at all times for further inspection by the relevant supervisory authority if the processing is not occasional or it includes private data or personal categories.
Under the KVKK, the controllers who meet the specified conditions (50 or more employees, a certain amount of company assets, etc.) are required to register to a national data registry as well as keep a similar detailed record listing all personal data processing activities, and they are also required to update any changes.
d. DATA PROTECTION OFFICER
Unlike KVKK, GDPR article 37 sets forth that controllers and processors shall designate a data protection officer if the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; or their core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or their core activities consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.
e. DATA PROTECTION IMPACT ASSESSMENT
Data protection impact assessment as defined pursuant to GDPR article 35 is an evaluation on the impact of the processing on the protection of personal data, carried out by the controller before employing new technologies for processing or if the processing, taking into account its nature, scope, context and purposes, is likely to result in a high risk to the rights and freedoms of natural persons.
Although this liability of the controller has been drafted in GDPR in the form of a long and detailed article, KVKK brings no such obligation whatsoever for controllers or any other persons, only mentioning that all technical and administrative measures to achieve adequate safety must be taken.
f. PROTECTIVE MEASURES FOR CHILDREN
Another topic introduced by GDPR but not KVKK is the protection of children’s data, regulated in GDPR article 8 which renders the processing of such data subject to certain special terms. Since it cannot be expected for children to fully comprehend the importance of such issues as the processing of personal data, consequences and risks entailed to it as well as necessary measures, GDPR requires a child to be at least 16 years old to be able to consent to the processing of his/her data within the frame of information society services offered directly to the child. The processing of the personal data of a child below this age shall depend on the consent of the holder of parental responsibility for the child. There is no comprehensive regulation regarding children’s data under KVKK.
g. PRIVACY NOTICE
As it is seen in the “Public Announcement Dated 08.11.2019” section, the obligation to inform should be exercised primarily for the KVKK because of “The Communique on Principles and Procedures to Be Followed in Fulfilment of the Obligation to Inform”. This legislation set extensive rules to accomplish the obligation to be informed. For example, legal basis for the processing should be mentioned in the privacy notices by referring to Article 5 and 6’s subparagraphs.
As stated in the Decision of the Personal Data Protection Board dated 30.10.2019 and numbered 2019/315 GDPR centred privacy notices prepared by data controllers does not remove the obligations of data controllers to the Law on Protection of Personal Data No. 6698 (KVKK). In this respect, it is useful to remind that, in addition to the references to GDPR, the policies, and rules specified in the privacy notices must primarily state that they comply with the Law on the Protection of Personal Data No. 6698.
h. DATA RETENTION POLICIES
Under the KVKK, there are a couple of mandatory legal text to be prepared such as Privacy Notices, Policy Regarding the Processing of Personal Data with Special Nature, and if the data controller is required to register the National Registry of Data Processors (50 or more employees, a certain amount of company assets, etc.), the data controllers are also required to have a Data Retention Policy. The personal data retention and destruction process is regulated under the By-Law on Erasure, Destruction, or Anonymization of Personal Data.
The By-Law regulates the retention periods, how to keep records of the destroyed personal data, etc. As this whole process is very detailed and thorough, using GDPR centred policy and procedure would not be able to cover the whole process and legal compliance issues may rise.
PUBLIC ANNOUNCEMENT DATED 08.11.2019
As it is known, Article 10 of the Law on the Protection of Personal Data No. 6698, titled “Obligation of Controller to Inform”, states that “(1) Whilst collecting personal data, the controller or the person authorised by him is obliged to inform the data subjects about the following: a) the identity of the controller and of his representative, if any, b) the purpose of data processing; c) to whom and for what purposes the processed data may be transferred, ç) the method and legal reason of collection of personal data, d) other rights referred to in Article 11.”
In the examinations made by our institution, it is seen that the European General Data Protection Regulation (GDPR) is directly referred to in the explanations regarding the policies and rules applied regarding the processing of personal data in the clarification texts presented on the internet pages of various institutions/organizations/firms etc.
In this context, in accordance with the Decision of the Personal Data Protection Board dated 30.10.2019 and numbered 2019/315; The inclusion of statements regarding compliance with GDPR in the privacy notices prepared by data controllers does not remove the obligations of data controllers to the Law on Protection of Personal Data No. 6698. In this respect, it is useful to remind that, in addition to the references to GDPR, the policies and rules specified in the privacy notices must primarily state that they comply with the Law on the Protection of Personal Data No. 6698.
In the privacy notices published by the data controllers, the following matters should be clearly stated, and vague and ambiguous expressions should be avoided in accordance with the provisions of Article 10 of the Law and Article 4 of the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Obligation to Privacy Notices;
Identity of the data controller and its representative, if any,
For what purpose personal data will be processed,
To whom and for what purpose personal data can be transferred,
Method and legal reason for collecting personal data (explicitly specifying which of the processing conditions in Articles 5 and 6 of the Law is based)
Other rights of the data subject concerned as listed in Article 11 of the Law
It is announced to the public with respect.
To finalize, it is understood that KVKK, which is the main legislation in the protection of personal data law in Turkey, is largely in line with the GDPR when evaluated together with its purpose, scope and provisions. While there are some significant similarities between both the European and Turkish data regulations as both are moulded around the characteristics of the relevant legal systems, there are some technical and administrative differences that must be kept in mind when conducting a legal compliance program.