When Did KVKK and GDPR Come into Effect?
The Law on the Protection of Personal Data (KVKK) was prepared as part of Turkey's efforts to harmonise with the European Union and was published in the Official Gazette of Turkey on April 7, 2016, coming into effect on that date. The General Data Protection Regulation (GDPR), on the other hand, came into effect on May 24, 2016, and became applicable in all European Union member states two years later. With the adoption of GDPR, Directive 95/46/EC, the 1995 directive that had regulated the processing of personal data until then, was repealed.
Is It Important to Identify the Differences Between KVKK and GDPR?
KVKK came into effect in our country before GDPR was adopted in the European Union. Therefore, it would be incorrect to say that KVKK is fully compliant with GDPR or that it was prepared based on GDPR. In fact, the foundational document for the preparation of KVKK was the “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data,” prepared by the Council of Europe and opened for signature on January 28, 1981. This convention was incorporated into domestic law by being published in the Official Gazette on March 17, 2016.
One of the reasons why KVKK is often compared to, and sometimes confused with, GDPR is that both are valid and currently applicable legal texts for the protection of personal data. Another reason is that GDPR's protections and sanctions also apply to natural and legal persons acting as data controllers in our country, even though Turkey is not a European Union member. Because GDPR also provides sanctions for transferring or recording the personal data of a natural person living in an EU member state outside that country and/or the Union, a misconception has arisen that a data controller in Turkey need only comply with GDPR. On closer examination, however, this practice is shown to be incorrect, as the communiqués published under KVKK by the Personal Data Protection Authority make clear.
In a decision dated October 30, 2019, with the number 2019/315, the Authority stated: “It is useful to remind that the statements indicating that compliance with GDPR has been achieved in the texts prepared by the data controllers for the purpose of fulfilling the obligation of enlightenment are incorrect, that this does not eliminate the obligations of data controllers under the Law No. 6698 on Protection of Personal Data, and, therefore, that in addition to the references made to GDPR, it should be indicated that the policies and rules specified in the aforementioned enlightenment texts are primarily in compliance with Law No. 6698 on Protection of Personal Data.”
Key Differences Between KVKK and GDPR in Terms of Basic Concepts
Personal Data and Processing of Personal Data
First, it is worth looking at how "personal data," the foundation of both regulations, is defined. The Directive, KVKK, and GDPR all bring only data belonging to natural persons within the scope of personal data. While the definitions in KVKK and the Directive are largely consistent, GDPR provides a much more detailed definition. For example, GDPR treats an individual's mental health data as personal data, whereas KVKK considers only physical health data. With regard to the processing of personal data, GDPR has introduced a more comprehensive and detailed regulation, and it includes several concepts that are found neither in the Directive nor, consequently, in KVKK. Among these are data sets, the querying of personal data, the combination of personal data, and the structuring of personal data.
Data Controller and Data Processor
According to the definition in KVKK, a data controller is the natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system. In GDPR, this issue is more complex and is addressed in greater detail than in the EU Data Protection Directive. The Directive defines a data controller as "a person who, alone or jointly with others, determines the purposes and means of processing personal data." GDPR introduces a three-tier system: the situation of joint data controllers, which is absent from the Directive, is added, resulting in a three-tier distinction among data controller, data processor, and data recipient, each of which is held responsible for its data processing activities. Another difference between KVKK and GDPR concerns who receives the penalties applied when a data breach occurs. Under GDPR, in the event of a data breach the data processor is also held responsible and subjected to sanctions, just like the data controller. In contrast, when it comes to administrative fines under KVKK, sanctions are imposed only on data controllers.
The Issue that Puts the Data Controller in Front of the Data Subject: Explicit Consent
According to KVKK, explicit consent is consent on a specific subject, based on information, and given with free will. Among the conditions for processing personal data listed in KVKK, explicit consent comes first. GDPR, however, contains more detailed rules: for consent to be clearly distinguishable, it must be presented in an understandable and easily accessible form, using clear and plain language. When explicit consent is evaluated, it is considered whether the consent given actually relates to the processing activity to be performed. Here the principle of "being relevant, limited, and proportionate to the purposes for which the data are processed," one of the conditions for processing personal data, comes into play when the consents given are assessed.
Data Protection Officer
The primary duty of a data protection officer, a role that KVKK does not provide for, is to ensure that the personal data of employees, customers, suppliers, or any other individual are processed in compliance with the applicable data protection rules. Having such a position would facilitate the prompt and accurate fulfilment of data subjects' requests concerning their personal data. Data protection officers, who are often confused with contact persons, can be said to serve as a bridge between data controllers and/or data processors and the individuals concerned. An examination of our legislation shows that there is currently no such position and no regulation concerning data protection officers.
As public awareness of personal data increases, so do requests from data subjects on matters such as the right to be forgotten, which KVKK does not regulate. Indeed, because of the volume of demands concerning the right to be forgotten, the Personal Data Protection Board had to issue a decision containing comprehensive rules on this subject. As information and communication technologies develop faster every day, the concept of personal data also changes. Every new type of data defined as personal data and every new technology or technological product in use increases the measures that must be taken to protect personal data and calls for new methods. It is therefore the responsibility of both data subjects and practitioners to ensure that the personal data protection legislation is not rendered ineffective alongside GDPR and other international regulations.