Turkey: What Is European Union General Data Protection Regulation (‘GDPR')?

The concept of personal data protection is based on much older dates in the European Union countries ('Union' / 'EU') compared to other countries. The reason for this is that technological developments and the associated danger of data breach were foreseen early. The underlying reason for this foresight is the legal awareness and sensitivity to the technological developments within the Union. In this context, studies were started in the 1990s with the aim of protecting the fundamental rights and freedoms of real persons, especially the right to personal privacy, regarding the processing of personal data. In line with these studies, on October 24, 1995, ''Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data'' (96/46/EC) was published. Since the European Union directives will not be applied directly to the all countries, it was expected that the rules in the Directive will be transferred to national laws (member countries' own domestic laws). However, this transfer phase failed due to the discretion of the countries and the lack of uniformity. In this direction, the need for a new regulation has arisen and the Union has aimed for a regulation where differences do not arise during the implementation of the new rules to EU Member State's own domestic law system.

After the process following the publication of the Directive, strengthened understanding of a necessity of going for a new regulation emerged and this mainly derived from two important decision of EU Court of Justice which are: "Max Schrems v. Data Protection Commissioner (CJEU - "Safe Harbor")" and ¹ Digital Rights Ireland Ltd v. Minister for Communications, Marine and Natural Resources"².

Therefore, as a result of concrete events and court decisions, the new regulation, GDPR ('Regulation'), was approved by the European Parliament on May 24, 2016, and the date of effect was determined as May 25, 2018, as a consequence of the urgent aim of ensuring uniformity in the Union.

The reason why the Regulation format was chosen instead of the Directive is an important point to be covered. The Directive has drawn the basic lines regarding the protection and transfer of data and left the remaining parts to the internal structure and discretion of the member countries. However, the Regulation, which aims free data circulation within the European Union countries, is directly applicable without requiring any internal legislation by the member states in terms of its application in the relevant fields. The most important difference of the Regulation from the Directive made prior to it, is that GDPR gathers the European Union personal data protection law under one roof by arranging it in a manner that is as detailed as possible.³ In this direction, the scope of application of the Regulation has been expanded and the road was paved for GDPR to affect the countries outside the European Union. In addition to the regulatory approaches that were not established in the prior Directive, Regulation, includes pre-existing topics in a detailed and concretized manner. ⁴ Another important point is the penalties foreseen for institutions and organizations that cannot comply with GDPR. For the institutions that does not comply with the Regulation, GDPR foresees an upper limit penalty of 20 million Euro's or 4% of the annual turnover of non-compliers/violators. 

What is the Scope and Purpose of GDPR?

The scope of GDPR is diversified in terms of both the collection of the obtained data and the storage/protection of the data obtained. The GDPR basically aims to support the right to personal data protection envisaged both in article 8/1 of the European Union Declaration of Rights and article 16/1 of the Treaty on the Functioning of the European Union. First of all, it is imperative to understand the concept of 'Consent', based on the explicit consent of the owner, which is brought as a pre-condition for the processing activities of personal data. In GDPR, The concept of consent, which is very important for the processing of personal data is defined as: '''consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;'' Another important point is the concept of "The Right to be Forgotten". In accordance with Article 17 GDPR, provided that the conditions determined by the Regulation are met, the data subject will have the right to request the data controller to remove the data concerning the individual without undue delay (Right to be Forgotten). The conditions are regulated as; ''losing the necessity for the purposes for which personal data is obtained or processed, disappearance of legal cause for processing and retraction of consent by the data subject, unlawful processing of personal data,   mandatory deletion according to the legislation of the European Union or member state to which the data owner is subject to, personal data obtained for submission to information society services'' and if the conditions are met, the right to be forgotten will come into question. Another point to be noted in the Regulation is that though it has not been subject to a regulation before, is the concept of 'Data Privacy by Design' which existed in principle for many years. In accordance with this concept, the Regulation obliges institutions and organizations subject to GDPR to take the necessary measures in order to protect the privacy by design. The final point we want to draw attention to is the issue of 'Data Transfer outside the European Union' which is regulated in article 45/3 of GDPR. Accordingly, entities will be able to transfer data outside the European Union only if appropriate and comprehensive legal remedies and appropriate security measures are present in the subject third state. In this context, the European Union Commission has the right to decide whether a third state, a region within that state, or one or more sectors or an international organization can provide adequate protection conditions.

What are the Effects of GDPR on Institutions/Organizations Residing in Turkey?

In accordance with the 2nd paragraph of the 3rd article of GDPR named Territorial Scope; Even if a company established outside the European Union is not a subject to any payment, if the referred entity monitors the behavior of a natural person residing in the European Union through the product and service offered to that person (data subject) living in the Union, that entity will be subject to GDPR and will be obligated to take the necessary measures accordingly.⁵ Namely, Institutions that provide goods or services to personal data owners or monitor the behavior of data subjects that reside in the European Union, are considered to be responsible for compliance with the GDPR. The term "monitoring behavior" used in the GDPR text will be understood as monitoring the activities of individuals on the internet with technical methods to determine their consumption preferences and habits. It would be fair to say that companies targeting the European Union consumer despite operating outside the European Union will be subject to GDPR.

Thus, in the existence of the above-mentioned conditions, the necessity of complying with GDPR for institutions and organizations residing in Turkey will come to the fore. Therefore, Turkish institutions and organizations that provide goods or services to European Union member countries and act on monitoring the behavior of data subjects in the European Union will be obliged and responsible to fulfill the requirements of the GDPR as well as the Personal Data Protection legislation in force in Turkey.

For example; if you offer services and products on your company's website in one of the languages spoken in the European Union or if you collect people's information from a contact page and offer them a price list in European currencies it means that you engage with an online activity subject to GDPR through your commercial actions. Additionally, determining the information of individuals, analyzing their profiles, searching their habits, and obtaining their IP addresses through a website or different methods will also be considered within the scope of GDPR. On the other hand, you will also be subject to GDPR if you are engaged in importing, exporting or any other commercial activities with European Union member countries.

As a result, regardless of whether the transaction takes place within the boundaries of the European Union or not, Turkish institutions and organizations which process the data of European Union citizens are required and expected to comply with GDPR

Footnotes

1. Max Schrems v Irish Data Protection Commissioner (Safe Harbor), (2016)

2. DRI Brings Legal Action over Mass Surveillance, Digital Rights Ireland (09/14/ 2006

3. Smriti Ganotra, GDPR Compliant or Not, 5 CT. UNCOURT 2 (2018).

4. Smriti Ganotra, GDPR Compliant or Not, 5 CT. UNCOURT 2 (2018).

5. Goddard, M. (2017) 'The EU General Data Protection Regulation (GDPR): European Regulation that has a Global Impact', International Journal of Market Research, 59(6), pp. 703–705.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.