Key Differences Between GDPR And KVKK (2025)

The General Data Protection Regulation ("GDPR"), which regulates the protection of personal data within the borders of the European Union ("EU"), was passed by the EU Parliament in 2016 and came into force in 2018. Prior to this date, the EU Directive on the Protection of Individuals With Regard to The Processing of Personal Data and on the Free Movement of Such Data ("Directive") was in force within the EU borders. In Turkey, the Law on the Protection of Personal Data ("KVKK"), which addresses the procedures and principles regarding the protection of personal data and is largely aligned with the GDPR, was published in the Official Gazette and came into force in 2016. While both regulations aim to protect fundamental rights and freedoms as well as the privacy of personal life, there are certain differences between the GDPR and the KVKK, as the Directive applied in the EU prior to the GDPR was used as the basis for drafting the KVKK. These differences will be examined in this article.

B. Scope of Application

The scope of the KVKK is limited to data processed in Turkey. Therefore, all natural and legal persons processing personal data in Turkey are required to comply with the provisions of the KVKK when processing personal data. In contrast, the GDPR applies to all EU member states. In this context, when the personal data of any individual residing within the EU is processed, the processing must be carried out in compliance with the GDPR, regardless of the country in which the data processor is located.

The data processor can be either a natural or a legal person under both regulations. However, the data subject must always be a natural person under both frameworks. As such, data relating to legal entities does not constitute personal data and, therefore, falls outside the scope of both the GDPR and the KVKK. Nevertheless, it should be noted that information relating to a legal entity may also be considered personal data if it can identify or make a natural person identifiable, either directly or indirectly. Information that, on its own, may not be sufficient to identify or make a natural person identifiable, but when combined with other information, allows for the identification of that person, is also considered personal data.

C. The Concept of Data

The concept of data contains two subcategories under both the GDPR and the KVKK: personal data and special categories of personal data.

  1. Personal Data
    According to the GDPR, "Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." On the other hand, under the KVKK, personal data is described as "Any information relating to an identified or identifiable natural person." It can be clearly seen that the GDPR provides a comprehensive definition with tangible instances. Although such a detailed definition is not provided in the KVKK, the rationale of the KVKK elaborates that personal data "Refers to any information relating to an identified or identifiable natural person. It is not only information such as name, surname, date of birth, and place of birth, which can directly identify a person, but also information concerning a person's physical, familial, economic, social, and other characteristics. The identification or potential identification of a person means that the existing data is associated with a natural person in any way, making that person identifiable. This includes all situations where a person can be identified through information that carries concrete content expressing their physical, economic, cultural, social, or psychological identity, or by being associated with any record, such as an identity, tax, or insurance number."

    In this context, it can be stated that both regulations include similar provisions with respect to personal data, and consequently, they safeguard similar aspects.

  2. Special Categories of Personal Data
    According to the GDPR, the special categories of personal data contain "Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation." On the other hand, under the KVKK, special categories of personal data are regulated as "Data concerning a person's race, ethnic origin, political opinions, philosophical beliefs, religion or other beliefs, as well as information relating to their attire and appearance, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, and security measures, along with biometric and genetic data." Even though special categories of personal data are addressed similarly under both regulations, the GDPR does not contain criminal convictions, attire and appearance as special data, whereas the KVKK does not contain sexual orientation as special data.

D. Data Processor and Controller

Under both the GDPR and the KVKK, a data controller is defined as a natural or legal person that determines the purpose of processing personal data and sets conditions for processing activities. On the other hand, a data processor is defined as a natural or legal person that processes personal data on behalf of the controller.

The data controller has full authority over the processing of personal data and can only make decisions regarding the collection of personal data and the methods of collection, the types of personal data to be collected, the purposes for which the collected data will be used, the individuals whose personal data will be collected, whether the collected data will be shared and, if so, with whom, and the duration for which the data will be retained.

However, if the agreement between the data controller and the data processor allows, the data processor has authority to decide which information technology systems or other methods will be used for the collection of personal data, the methods by which personal data will be stored, the security measures to be implemented for the protection of personal data, the methods of data transfer, the methods to be used to ensure the correct application of retention periods for personal data, and the methods for the deletion, destruction, and anonymization of personal data. These must all be determined and clearly outlined by the data processor.

As can be inferred, data controllers have more expansive authorization over data processing procedures than data processors. As a result, the responsibilities of data controllers and data processors differ depending on their authority.

Also, one of the key differences between the GDPR and KVKK in this regard is the concept of joint controllers under the GDPR, which is regulated and assigned specific consequences. However, under the KVKK, no specific consequences are attributed in the case of multiple data controllers. In this context, according to the GDPR, when two or more controllers jointly decide the purposes and means of processing, they are considered joint controllers. They must clearly define their respective responsibilities for complying with GDPR obligations, especially regarding data subject rights and providing required information, through an agreement, unless the responsibilities are defined by Union or Member State law. The agreement may also designate a contact point for data subjects.

E. Inspection

The inspection procedures regarding the compliance with the GDPR and KVKK are slightly different. Under the KVKK, the data controller is responsible to the Personal Data Protection Authority's Board for the processes of personal data processing, deletion, and collection. However, under the GDPR, each country is responsible for establishing its own Supervisory Authority and the inspections regarding the compliance with the GDPR are carried out by the Supervisory Authority.

F. Penalties

In cases of non-compliance with regulations, the sanctions imposed under the KVKK and GDPR differ significantly. For instance, penalties under the KVKK range from 68.000 Turkish Liras to 14.000.000 Turkish Liras, which may not pose a substantial financial burden for a company. In contrast, the GDPR imposes penalties of up to 20.000.000 Euros or 4% of the company's annual global turnover from the preceding fiscal year, making its sanctions considerably more stringent. Clearly, the GDPR has a stronger deterrent effect than the KVKK, as its penalties have the potential to cause significant financial repercussions for businesses. Accordingly, it can be argued that the GDPR incentivizes data controllers and processors to comply with its provisions more effectively than the KVKK, thereby ensuring greater protection of personal data for data subjects.

G. Conclusion

To conclude, while both the KVKK and GDPR aim to protect personal data and ensure the privacy rights of individuals, they differ in several important areas. The scope of application under the GDPR is broader, covering any entity processing personal data within the EU or targeting EU residents, while the KVKK is primarily applicable within Turkey. The definitions and responsibilities of data controllers and processors are quite similar in both regulations, although the GDPR offers more detailed provisions in some respects. Furthermore, the inspection and enforcement mechanisms under the GDPR are more extensive, with clearer and more significant penalties for non-compliance, while the KVKK, though effective, has a relatively narrower enforcement framework. Overall, while the KVKK largely mirrors the GDPR, there are some slight differences in application, procedural specifics, and penalties.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Article information

Author: Fr. Dewey Fisher
