Within the borders of the EU, companies or enterprises that provide goods or services to data subjects or monitor their behaviour are obliged to comply with the General Data Protection Regulation (GDPR).

The term "monitoring behaviour" used in the GDPR refers to monitoring the activities of data subjects on the internet by technical or automated means in order to determine the consumption preferences and habits of those subjects. It is also stated that companies operating outside the EU but targeting EU consumers are liable under the terms of the GDPR.

In this regard, the major differences and gaps in approach between the Turkish Personal Data Protection Law (DPL) and the GDPR are as follows:

1) Material and Territorial Scope

The provisions of the DPL apply to natural persons whose personal data are processed, and to natural or legal persons who process such data wholly or partly by automatic means, or by non-automatic means where the data form part of a filing system.

The GDPR applies where processing is carried out by data controllers or data processors that are not established in the EU, if the processing relates to data subjects in the EU through the offering of goods or services, or to the monitoring of the behaviour of EU data subjects in so far as that behaviour takes place within the EU.

2) Definitions

All definitions in the DPL also exist in the GDPR. The following definitions do not exist in the DPL: restriction of processing, profiling, pseudonymisation, personal data breach, genetic data, biometric data, data concerning health, representative, enterprise, group of undertakings, binding corporate rules, relevant and reasoned objection, and information society service.

3) Principles

Both regulations are similar in terms of principles; the difference is that the GDPR additionally regulates accountability.

4) Explicit Consent

The most important difference in the conditions for processing personal data is that the DPL regulates explicit consent as the rule and treats the other conditions as exceptions, whereas the GDPR gives each condition equal standing.

5) Processing of Special Categories of Personal Data

Under the DPL, it is prohibited to process special categories of personal data without obtaining the explicit consent of the data subject. However, with the exception of personal data relating to health and sexual life, the special categories of personal data indicated above may be processed without explicit consent if the processing is permitted by law. According to the GDPR, processing of special categories of personal data is prohibited even if the explicit consent of the data subject is obtained.

6) Rights of the Data Subject

The rights of data subjects under the GDPR are the same as under the DPL. Nevertheless, the following rights do not exist in the DPL: the right of access by the data subject; the right to be forgotten; the right to restriction of processing; and the right to data portability (to another data controller with the data subject's consent).

7) Administrative Fines

Under the DPL, if data controllers fail to fulfil the following obligations, the corresponding administrative fines apply:

  • the obligation to inform data subjects: an administrative fine of 5,000 TL to 10,000 TL;
  • the obligation regarding data security: an administrative fine of 15,000 TL to 1,000,000 TL;
  • decisions of the Personal Data Protection Board: an administrative fine of 25,000 TL to 1,000,000 TL;
  • the obligation to register with the Data Controllers' Registry: an administrative fine of 20,000 TL to 1,000,000 TL.

Under the GDPR, the administrative fine for the most severe violations is up to 20,000,000 euros or 4% of the global turnover of the relevant organisation. This sanction is imposed in the following circumstances: non-compliance with the principles governing processing operations, non-compliance with the law, violation of the data subject's rights, and non-compliance with the requirements for transfers outside the EU.

8) Penalties

According to the DPL, the provisions of Articles 135 to 140 of the Turkish Criminal Code apply to crimes relating to personal data committed by data controllers or data processors. In addition, data controllers or data processors who fail to delete or anonymise personal data, contrary to Article 7 of the DPL, are punished in accordance with Article 138 of the Turkish Criminal Code.

According to the GDPR, Member States shall lay down the rules on other penalties applicable to infringements of the Regulation, in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented; such penalties shall be effective, proportionate and dissuasive. In contrast with the DPL, therefore, the penalties applicable to infringements are not themselves regulated in the GDPR, which means that each case must be examined under the relevant Member State's legislation.

9) Cross-border Transfers

The cross-border transfer mechanism under the DPL is quite similar to that of the GDPR. Nevertheless, one of the original provisions of the DPL provides the following: "Save for the provisions of international agreements, in cases where interests of Turkey or the data subject will be seriously harmed, personal data shall only be transferred abroad upon the approval of the Board by obtaining the opinion of relevant public institutions and organizations." Under the GDPR, in some circumstances the data protection authority may prohibit a cross-border transfer even if the explicit consent of the data subject has been obtained.

10) Other Differences

  • In the DPL, data controllers and data processors are not jointly responsible for preventing unlawful processing, preventing unlawful access or safeguarding personal data; joint responsibility is legislated only for taking data security measures. Under the GDPR, the responsibilities of data controllers and data processors have been increased, and in many aspects of data processing they are jointly responsible.
  • In the DPL, the obligations of data processors have not yet been legislated. In the GDPR, the obligations of data processors are set out in detail.
  • According to the DPL, all data controllers shall be registered in the Data Controllers' Registry, which is maintained under the supervision of the Turkish Personal Data Protection Board. The GDPR has no provisions in this respect.
  • According to the GDPR, all data controllers and processors shall designate a Data Protection Officer (DPO). The main area of responsibility of the DPO is the execution of data processing operations which, by virtue of their nature, scope and purpose, require regular and systematic monitoring of data subjects.
  • Under the GDPR, data controllers may conduct periodic audits of their data processors.
  • To increase compliance with the GDPR, all data controllers are obliged to carry out this assessment.
  • Some items in the GDPR are not included in the DPL. These are: the definition of the right to be forgotten; privacy by design from the outset and impact assessment; the right to data portability, which allows data subjects to transfer their personal data from the current data controller to another data controller; parental consent for children's personal data; and compensation.
  • Consent for children must be given by the parent or guardian of the child and must be verifiable (Article 8). Data controllers must be able to prove "opt-in" consent, and consent can be withdrawn at any stage.

In both regulations, the main principle is that processed personal data shall be deleted, destroyed or anonymised, including upon request by the data subject, where the reason necessitating their processing ceases to exist. According to the DPL, the provisions of other laws relating to the deletion, destruction and anonymisation of personal data are reserved. The GDPR likewise permits data controllers to determine deletion, destruction and anonymisation periods in accordance with the provisions of their local law.

www.cukuryilmaz.av.tr

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.