Turkish Personal Data Protection Law: KVKK
The Turkish Personal Data Protection Law No. 6698, also known as the KVKK, came onto the books in April of 2016, shortly before the European Union’s GDPR.
Both laws were tailored to their region’s court systems and maintain similar objectives. They share some distinct similarities and differences in the way that they are structured, and companies that serve customers in both regions are required to follow both.
Similarities Between KVKK and GDPR
The big-picture objectives of both the KVKK and GDPR cover similar ground. Both regulations aim to protect the personal information and privacy of data subjects, as an increasing number of businesses collect and process their personal information.
The regulations address and try to prevent the indiscriminate collection of data, and the access of unauthorized people to that data. The regulations differ in their approaches to this common objective.
Differences Between the KVKK and the GDPR
The Liability of the Data Breach
The GDPR holds both the data controller and the data processor liable for any damages that may arise from a data breach, while the KVKK distinguishes between the responsibilities of these roles.
Below is the text from Article 82 of the GDPR:
“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”
Article 18 of the KVKK addresses liability for data breaches:
“The administrative fines listed in this article shall apply to natural persons and private law legal persons who are controllers.”
The KVKK treats the processors and controllers separately and issues fines only to the controller.
The Presence of the Data Protection Officer and Data Protection Representative
The GDPR requires the presence of either a data protection officer (DPO) or a data protection representative (DPR) under specific circumstances, while the KVKK does not.
The GDPR states that the controller and processor shall designate a data protection officer in any case where:
- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
- The core activities of the controller or the processor consist of processing operations which, by their nature, their scope, and/or their purposes require regular and systematic monitoring of data subjects on a large scale.
- The core activities of the controller or the processor consist of processing on a large scale of special categories of data under Article 9 or personal data relating to criminal convictions and offenses referred to in Article 10.
When data controllers do not operate in the EU, they must designate a DPR in any of the EU countries, except when data processing is a rare occurrence or doesn’t involve sensitive data.
The GDPR Requires a Data Protection Impact Assessment in Some Cases
Article 35 of the GDPR requires a data protection impact assessment in certain specific cases. According to the article, assessments are required when:
- A systematic and extensive evaluation of personal aspects relating to natural persons is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
- Processing on a large scale of special categories of data referred to in Article 9, or of personal data relating to criminal convictions and offenses referred to in Article 10.
- Systematic monitoring of a publicly accessible area on a large scale.
The KVKK does not include any such requirement in Turkey.
The KVKK Requires the Registration of Data Controllers
Data controllers in Turkey are required to enlist on the Data Controllers Registry, VERBIS. This falls under the obligation of businesses to prepare a data inventory and requires businesses to take a comprehensive approach to their data collection.
The requirement applies to businesses that have more than 50 employees, have a financial balance sheet over TRY 25 million, or are established abroad. If the business does not register, a fine of TRY 20.000 to TRY 1.000.000 may be imposed, depending on the specifics surrounding the situation.
The GDPR Requires the Recording of Processing Activities
Under Article 30 of the GDPR, organizations must document their processing activities and show them to the Data Protection Authority whenever required. In the KVKK, these records are regulated by the Data Controllers Registry.
Fines Are Higher Under the GDPR
The EU fines for non-compliance with data regulations are consistently higher than their Turkish counterparts. As stated above, KVKK non-compliance fines range from TRY 20.000 to TRY 1.000.000. Fines in the EU can reach as high as EUR 20.000.000 or 4 percent of the last fiscal year’s turnover.
The Data Subject’s Right to Control Their Data
In the KVKK, the data subject maintains the right to inquire about what the data controller can process or use and to request its deletion. The GDPR provides more detail on the rights of the data subject.
According to Article 17, these are the circumstances when data must be erased without delay:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing.
- The data subject objects to the processing according to Article 21(1) and there are no overriding legitimate grounds for the processing or the data subject objects to the processing according to Article 21(2).
- The personal data have been unlawfully processed.
- The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
- The personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
The Scope of Both Laws
The easiest way to think about the scope of the GDPR is that if your business has a customer base in the EU, or you are collecting marketing or advertising data of European residents, those activities should be carried out in compliance with the GDPR.
All natural and legal residents of Turkey are similarly covered by the KVKK protections. All international data controllers that conduct data processing in Turkey must register with the country’s Data Controllers Registry no matter their size or profits.
While there are some significant differences between the European and Turkish data regulations, both are molded around the characteristics of the relevant legal systems. Both keep the rights of their data subjects at heart.
Businesses with European or Turkish markets need to understand the relevant compliance requirements. International companies that do business in both regions are likely to be required to comply with both regulations.