A Comparative Approach to EU's GDPR and the Turkish Personal Data Protection Law
The Turkish Personal Data Protection Law became effective on April 7th 2016 and in its creation took the old directive "Directive No. 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data" as a reference. But with GDPR becoming effective on May 25th 2018, Turkish Personal Data Protection Law would need some modifications to comply with GDPR. In this paper you will find general key terms of both regulations for in a comparative approach that would help you to understand the main differences.
The liability; In Turkish Personal Data Protection Law (PDPL) the liability is on the data controllers; but in addition to that, GDPR also holds accountable the data processors and the people who processes those data hence creating a joint liability. If there is an infringement GDPR penalty is much higher than the Turkish PDPL in this regard.
The fines; In Turkish PDPL the administrative fines are up to TRY 1 million but with GDPR , authorities can fine companies up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred.
The right of compensation; GDPR gives a right to a compensation for data subjects who suffer a loss while their personal data was processed.
Data transfer; GDPR does not allow a data transfer out of EU if there is no guaranty by the transferee of a proper protection of data, even there is a given consent regarding the transfer to the data controller. The evaluation regarding the efficiency of the third party on data protection is made by "Data Protection Authorities"(DPA).
Request for information; If the data subjects require an information about which data is being stored about them, then it should be provided to them in 20 days.
Breach notification; Data controllers must report any data breach to their data protection authority as soon as possible and no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in any harm to the data subjects. If there is a high risk of harm, data controllers must report the data breach to the data subjects as soon as possible. Data processors must also notify data controllers of the data breach as soon as possible.
Right to be forgotten ; The data subject can request an erasure of their data.
Data Protection Officer (DPO); any organization that regularly processes sensitive personal data on a large scale or is involved in regular and systematic monitoring of data subjects must appoint a data protection officer to ensure the organization complies with privacy law.
Data Protection Impact Assessments; should be made by data controllers for the adaptation to GDPR.
Data Protection by Default & Data Protection by Design; the data controllers are responsible to ensure their internal policies are compatible to those principles.
Filing System: "Any recording system through which personal data are processed by structuring according to specific criteria", this definition on the PDPL matches up with GDPR.
Data Controller: "Natural or legal person who determines the purposes and means of the processing of personal data and who is responsible for establishment and management of filing system", this definition on the PDPL matches up with GDPR.
Data Processor:"Natural or legal person who processes personal data based on the authority granted by and on behalf of the data controller", this definition on the PDPL matches up with GDPR.
PDPL has a different level of liability regarding the data processor and data controller, where on GDPR they are both responsible in case of a breach on personal data. PDPL has administrative fines only to the data controllers and also it is sufficient that there is only information regarding the data controllers on the data controller record.
Explicit Consent: on the PDPL the consent needs to be freely given specific and informed and it is sufficient that it has been given to personal data collecting, processing and storage; where according to the GDPR the consent can be given through an action specifies as an approval, the consent needs to be freely given, specific, clear, informed and certain. Even though PDPL has a similar definition of explicit consent, GDPR extended the scope of requirements.
Anonymization: "Rendering personal data by no means identified or identifiable with a natural person even by linking with other data" is the definition on PDPL. GDPR also added a new term "pseudonymisation”; personal data that cannot be tied to a specific data subject without additional information that is stored separately, with technological measures to ensure the data is not combined with that additional information.
The PDPL has no difference between the private sector and the public sector and it is binding for both. The data controllers’ obligations are determined without a division between those two. GDPR holds accountable any company who processes data, so the cloud service provider or the natural person can be held accountable for the processing of the data according to the regulation. In this context GDPR liability can be brought to anyone who is responsible for a breach and all their actions towards personal data related matters. This means the service providers serving to EU citizens but outside of EU can be held accountable according to GDPR.
GDPR gives their data subjects the right to be forgotten, this right is not been brought up on PDPL. The right to be forgotten; the data subjects can demand their data to be erased without any delays and the data controller is responsible for the erasure.
The data subject also has the right on GDPR, to demand the transportation of their data to another data controller, there is no such right on PDPL.
The GDPR also requires; The Data Protection Officer (DPO) ,on the processing of sensitive data and for the risky data processing there needs to be a Data Protection Impact Assessment.
The articles regarding the privacy matters of data such as; the augmented liability of data processors, the right to be forgotten, increased fines, data portability and impact assessment, is not mentioned on PDPL.