ARTICLE
14 February 2025

Key Differences Between GDPR And KVKK

Kesikli Law Firm

Contributor

Kesikli is an internationally recognized law firm that is regularly rated as one of the leading law firms in Turkey by the independent legal guide Legal500. Kesikli has made a name for itself as an international boutique law firm that exceeds its clients’ various needs with a personalized touch. Kesikli serves a diverse client base, from global corporations to small, entrepreneurial companies and individuals in a range of transactional, litigious, and regulatory matters. Through its involvement as counsel to investors, contractors, project developers, trading companies, and private individuals, Kesikli established a trustworthy reputation as the provider of tailored legal solutions in the areas of Corporate and Commercial Law, Energy Law, Real Estate and Construction Law, Intellectual Property, Employment Law, Litigation, Arbitration and Private Client Solutions on contentious and non-contentious matters.

A. Introduction

The General Data Protection Regulation ("GDPR"), which regulates the protection of personal data within the borders of the European Union ("EU"), was adopted by the EU in 2016 and has applied since 2018. Before that date, the EU Directive on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data ("Directive") was in force within the EU. In Turkey, the Law on the Protection of Personal Data ("KVKK"), which sets out the procedures and principles for the protection of personal data and is largely aligned with the GDPR, was published in the Official Gazette and came into force in 2016. Both instruments aim to protect fundamental rights and freedoms and the privacy of personal life; however, because the Directive, not the GDPR, served as the basis for drafting the KVKK, there are certain differences between the two. These differences are examined in this article.

B. Scope of Application

The scope of the KVKK is limited to data processed in Turkey: all natural and legal persons processing personal data in Turkey are required to comply with its provisions. The GDPR, by contrast, applies across all EU Member States and also reaches beyond them. Under Article 3, it applies to processing carried out in the context of the activities of a controller or processor established in the EU, regardless of where the processing itself takes place, and to controllers and processors established outside the EU where they offer goods or services to data subjects in the EU or monitor their behaviour within the EU. In those cases the processing must be carried out in compliance with the GDPR regardless of the country in which the controller or processor is located.

Under both regulations, controllers and processors can be either natural or legal persons, whereas the data subject must always be a natural person. Data relating to legal entities therefore does not constitute personal data and falls outside the scope of both the GDPR and the KVKK. Nevertheless, information relating to a legal entity may still be personal data if it identifies, or makes identifiable, a natural person, whether directly or indirectly. Likewise, information that on its own is insufficient to identify a natural person, but that allows identification when combined with other information, is also personal data.

C. The Concept of Data

Under both the GDPR and the KVKK, the concept of data comprises two subcategories: personal data and special categories of personal data.

  1. Personal Data
    According to the GDPR, "Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

    Under the KVKK, on the other hand, personal data is defined simply as "Any information relating to an identified or identifiable natural person." The GDPR clearly provides the more comprehensive definition, with concrete examples. Although the KVKK itself does not offer such detail, its legislative rationale elaborates that personal data "Refers to any information relating to an identified or identifiable natural person. It is not only information such as name, surname, date of birth, and place of birth, which can directly identify a person, but also information concerning a person's physical, familial, economic, social, and other characteristics. The identification or potential identification of a person means that the existing data is associated with a natural person in any way, making that person identifiable. This includes all situations where a person can be identified through information that carries concrete content expressing their physical, economic, cultural, social, or psychological identity, or by being associated with any record, such as an identity, tax, or insurance number."

    In this context, both regulations contain similar provisions on personal data and consequently safeguard similar interests.

  2. Special Categories of Personal Data
    According to the GDPR, the special categories of personal data contain "Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation." On the other hand, under the KVKK special categories of personal data regulated as "Data concerning a person's race, ethnic origin, political opinions, philosophical beliefs, religion or other beliefs, as well as information relating to their attire and appearance, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions, and security measures, along with biometric and genetic data."

    Even though the two lists largely overlap, the GDPR does not treat criminal convictions or attire and appearance as special categories (data relating to criminal convictions and offences are instead subject to a separate regime under Article 10 GDPR), whereas the KVKK does not expressly list sexual orientation, referring only to sexual life.

D. Data Processor and Controller

Under both the GDPR and the KVKK, the data controller is defined as a natural or legal person that determines the purposes of processing personal data and sets the conditions for processing activities. The data processor, on the other hand, is defined as a natural or legal person that processes personal data on behalf of the controller.

The data controller has full authority over the processing of personal data and alone decides whether personal data will be collected and by which methods, which types of personal data will be collected, the purposes for which the collected data will be used, whose personal data will be collected, whether and with whom the collected data will be shared, and how long the data will be retained.

However, where the agreement between the controller and the processor allows, the processor may decide the technical aspects of processing: which information technology systems or other methods will be used to collect personal data, how personal data will be stored, the security measures to be implemented to protect it, the methods of data transfer, the methods used to ensure that retention periods are correctly applied, and the methods for deleting, destroying and anonymizing personal data. Where the processor takes on these decisions, they must be determined and clearly set out, for example in the controller-processor agreement.

As can be inferred, data controllers have broader authority over data processing than data processors, and the responsibilities of controllers and processors differ accordingly.

Another key difference in this regard is the concept of joint controllers, which the GDPR regulates expressly (Article 26) and attaches specific consequences to, whereas the KVKK attributes no specific consequences to the presence of multiple data controllers. Under the GDPR, where two or more controllers jointly determine the purposes and means of processing, they are joint controllers. They must determine their respective responsibilities for compliance with the GDPR, in particular as regards the exercise of data subject rights and the provision of the required information, by means of an arrangement between them, unless those responsibilities are determined by Union or Member State law. The arrangement may also designate a contact point for data subjects.

E. Inspection

The inspection procedures for compliance with the GDPR and the KVKK differ slightly. Under the KVKK, the data controller is answerable to the Personal Data Protection Board, the decision-making organ of the Personal Data Protection Authority, for the collection, processing and deletion of personal data. Under the GDPR, by contrast, each Member State must establish one or more independent supervisory authorities, and compliance inspections are carried out by those authorities; for cross-border processing, the authority of the controller's or processor's main establishment acts as lead supervisory authority under the one-stop-shop mechanism, and the supervisory authorities coordinate through the European Data Protection Board.

F. Penalties

In cases of non-compliance, the sanctions imposed under the KVKK and the GDPR differ significantly. Administrative fines under the KVKK currently range from approximately 68.000 Turkish Liras to 14.000.000 Turkish Liras (the amounts are revalued annually), which may not pose a substantial financial burden for a large company. The GDPR, by contrast, provides for fines of up to 20.000.000 Euros or 4% of the undertaking's total worldwide annual turnover of the preceding financial year, whichever is higher (with a lower tier of 10.000.000 Euros or 2% for certain infringements), making its sanctions considerably more stringent. The GDPR therefore has a stronger deterrent effect than the KVKK, as its penalties can have significant financial repercussions for businesses. Accordingly, it can be argued that the GDPR incentivizes data controllers and processors to comply with its provisions more effectively than the KVKK, thereby affording data subjects greater protection of their personal data.

G. Conclusion

To conclude, while both the KVKK and the GDPR aim to protect personal data and ensure the privacy rights of individuals, they differ in several important areas. The scope of application of the GDPR is broader, covering any entity processing personal data in the context of an EU establishment or targeting data subjects in the EU, whereas the KVKK is primarily applicable within Turkey. The definitions and responsibilities of data controllers and processors are quite similar under both regulations, although the GDPR offers more detailed provisions in some respects, such as joint controllership. Furthermore, the inspection and enforcement mechanisms under the GDPR are more extensive, with clearer and more significant penalties for non-compliance, while the KVKK, though effective, has a relatively narrower enforcement framework. Overall, while the KVKK largely mirrors the GDPR, there are some differences in application, procedural specifics and penalties.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
