When the General Data Protection Regulation came into force in May, it affected every company that does business within the European Union and the European Economic Area EEA. Its main purpose is the protection of each individual’s data, but their privacy and compliance obligations have put a significant burden on companies of all sizes and across all sectors.
Similar legislation exists in Turkey, although there are distinct differences. On one notable point, however, they are in harmony: just as not complying with GDPR requirements carries substantial penalties, so does any breach of Turkish provisions. Failure to comply can lead to administrative fines and criminal penalties. As a result, every company that does in Turkey already, or which plans to do so, needs to be aware of how these laws might affect their operations.
Partly in anticipation of GDPR, Turkish Data Protection Law (DPL) was enacted in 2016. Turkey’s supervisory authority, The Personal Data Protection Board (DPB), is still publishing assorted regulations and communiqués relating to it, as well as draft versions of secondary legislation. Under these changes, data controllers who deal with personal data are subject to multiple obligations. In addition, the legislation also applies to ordinary employees, making it significant for every company operating in Turkey.
The grounds for processing under DPL are similar to GDPR – saving that explicit consent is needed when processing sensitive and non-sensitive personal data.
So when comparing DPL with GDPR, what are the differences that impact businesses operating in Turkey? Although it stems from EU Directive 95/46/EC, DPL features several additions and revisions. It does, however, contain almost all of the same fair information practice principles, except that it does not allow for a “compatible purpose” interpretation and any further processing is prohibited. Where the subject gives consent that data may be compiled for a specific purpose, the controller can then use it for another purpose as long as further consent is obtained, or if further processing is needed for legitimate interests.
The grounds for processing under DPL are similar to GDPR – saving that explicit consent is needed when processing sensitive and non-sensitive personal data. Inevitably, this is much more time-consuming. Such a burdensome obligation would initially make it seem that DPL provides a higher level of data protection compared to GDPR, but DPL’s definition of explicit consent also has to be compared to GDPR’s regular consent. ‘Freely given, specific and informed consent ‘ is common to both, while GDPR further requires ‘unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’.
While DPL consent might appear to be less onerous than GDPR, no DPB enforcement action has yet occurred: interpretation of explicit consent therefore remains uncertain. Under DPL, the processing grounds for sensitive personal data are notably more limited than under GDPR – with the exception of explicit consent, the majority of sensitive personal data can be processed, but only if it is currently permitted under Turkish law. The sole exception is data relating to public health matters.
Controllers have to maintain internal records under GDPR, whereas DPL does not make any general requirement to register with the data protection authorities.
Equally burdensome under DPL is the cross-border transfer of personal data to a third country. As determined by the DPB, the country of destination must have sufficient protection – either that, or parties must commit to provide it. DPL also states that: “In cases where interests of Turkey or the data subject will be seriously harmed, personal data shall only be transferred abroad upon the approval of the Board by obtaining the opinion of relevant public institutions and organisations”. Under this provision, data controllers must decide whether a transfer could cause serious harm, and if it does, they need to obtain DPL approval. However, it is unclear how these interests might be determined.
Controllers have to maintain internal records under GDPR, whereas DPL does not make any general requirement to register with the data protection authorities. Instead it has a hybrid solution: registration and record-keeping requirements. DPL specifies a registration mechanism: data controllers have to register with a dedicated registry. Under a draft DPB regulation, before completing their registration they are required to hand over their Personal Data Processing Inventory and Personal Data Retention and Destruction Policy to the DPB.
For businesses which have to comply with DPL, GDPR, or both, it would be prudent to ensure that they are not duplicating their efforts. The best way to achieve this is by aiming for a flexible compliance model that successfully meets the obligations of the regulatory authorities across multiple jurisdictions.