Personal Data Protection in Turkey: The Impact on Business
The General Data Protection Regulation (“GDPR”) finally came into force in May – as every business in Europe knows. Turkey has similar legislation, although some differences exist. Fail to comply with GDPR and you pay a substantial penalty; likewise, breach Turkish provisions and there are administrative fines as well as criminal penalties. Companies doing business in Turkey need to know how these laws work in practice.
Enacted in 2016, the Turkish Data Protection Law (“DPL”) is accompanied by other regulations and communiqués, while draft versions of secondary legislation have been published by Turkey’s supervisory authority, the Personal Data Protection Board (“DPB”). Under these changes, data controllers have to comply with multiple obligations when dealing with personal data, while the legislation also affects every employee, making it important for companies operating in Turkey to understand the consequences of compliance failure.
In examining the differences between DPL and GDPR, the key point is how they affect businesses operating in Turkey. Originating from EU Directive 95/46/EC, DPL features various additions and revisions. Although it contains nearly all the same fair information practice principles, DPL does not allow for a “compatible purpose” interpretation, and any further processing is strictly prohibited. If data is compiled for a purpose where the subject has given consent, the controller can use it for another purpose, provided that additional specific consent is given, or if further processing is needed for what are deemed to be legitimate interests.
Grounds for processing under DPL are comparable to those which apply for GDPR, save that explicit consent is required when sensitive and non-sensitive personal data is processed – a much more time-consuming exercise. At first blush, such a burdensome obligation should give DPL a higher level of data protection than GDPR. However, DPL’s definition of explicit consent needs to be set against GDPR’s regular consent. Both require “freely given, specific and informed consent” but GDPR also provides that there has to be “unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
So is DPL consent therefore less onerous than GDPR? The answer is unclear because no DPB enforcement actions have taken place which would provide some benchmark for the exact meaning of explicit consent. Without doubt, DPL’s processing grounds for sensitive personal data are much narrower than GDPR: save for explicit consent, most sensitive data can be processed if it is currently permitted under Turkish law, excepting any data concerning public health matters.
Under DPL, the cross-border transfer of personal data to a third country is similarly troublesome: the country of destination has to have sufficient protection, according to criteria decided by the DPB. Alternatively, parties must commit to provide sufficient protection that meets DPB approval. But DPL also includes the following: “In cases where interests of Turkey or the data subject will be seriously harmed, personal data shall only be transferred abroad upon the approval of the Board by obtaining the opinion of relevant public institutions and organisations.” This obliges data controllers to evaluate whether a transfer might possibly cause serious harm, and if it does, they need to obtain the DPB’s approval. However, it is unclear how such interests are to be determined.
GDPR requires controllers to maintain internal records, although there is no general requirement to register with the data protection authorities, whereas DPL provides a hybrid solution, combining registration and record-keeping requirements: a registration mechanism mandating data controllers to register with a data controllers’ registry. The draft DPB regulation requires them to hand over their Personal Data Processing Inventory and Personal Data Retention and Destruction Policy to the DPB before completing their registration.
For any business that is subject to both DPL and GDPR, the best way to avoid duplication of compliance effort is to formulate a flexible compliance model that satisfies the demands of regulatory authorities in multiple jurisdictions.
Duygu Doğan, Partner