KN & Partners’ M Burak Küçükislamoğlu and İ Can Narin on the importance of Turkey-based international companies following the GDPR and PDPL
As is known, with the development of technology and digitalisation, personal data processing activities have increased considerably. In addition, software has made it possible to reach almost unlimited personal data. Consequently, this situation raises concerns for individuals in terms of the scope of the principle of privacy. In this context, in order to prevent damage that may affect the individual, in other words in order to protect the personal rights and privacy of individuals and to determine the sanctions to be applied in case of violation, it has become necessary to take some precautions. At this point, while the General Data Protection Regulation (GDPR) is accepted among the countries in the European Union, in Turkey we encounter a similar regulation: the Personal Data Protection Law (PDPL).
First of all, both laws are based on human rights. The first step that was taken in this regard was the European Convention on the Protection of Human Rights and Freedoms, 1953. In Europe, the concept of ‘personal data’ has emerged rapidly and in relation to these human rights and freedoms, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data Numbered 108 was adopted in 1981, separating them. In this way, the first regulations on personal data were made. Finally, ‘Directive 95/46/EC of the European Parliament and Council on the Protection of Individuals in the Processing of Personal Data and the Free Movement of Such Data’, dated 1995, was adopted by the Council of Ministers, and, in order to eliminate the differences in legislation and practice between member states, the EU GDPR was accepted in 2016. With the GDPR, stricter rules were introduced in data transfer and the concept of the ‘right to be forgotten’ came into force for the first time.
The difference in Turkey emerges at this point: the ‘Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data’ dated 1981 was signed immediately, but ratification took place on 10 February 2016. Therefore, the PDPL, which entered into force in 2016, is based on a sub-version of the GDPR.
If the scope is reduced to Turkey, the first general protection of personal data is found within the framework of ‘Personality Rights’ regulated in the Turkish Civil Code (TCC) article 23 et al., and under the title ‘Crimes Against Private Life and the Secret Area of Life’ in the Turkish Penal Code (TPC) article 135 et al. Finally, with the amendment made to the Turkish Constitution, it has been included in the scope of protection by article 20, under the title ‘Privacy of Private Life’.
The right to protect personal data has taken its place as a ‘separate’ right in Turkish law with the enactment of the ‘Personal Data Protection Law No. 6698’ on 24 March 2016. In the Law, detailed regulations have been made on the general principles of the processing of personal data, processing conditions, personal data of special nature and their processing, deletion, destruction or anonymisation of personal data, transfer of personal data and transfer of personal data abroad.
Differences in the Scope of Application
The GDPR applies to all kinds of personal data operations for all persons who process personal data of anyone living within the borders of the EU, regardless of whether they are established within the borders of the EU. In this context, it differs from the PDPL, as the PDPL only applies to the personal data processing activities within the borders of Turkey. Therefore, although the GDPR is apparently an EU regulation, it binds every company engaged in any commercial activity with companies in the EU, due to its regional scope.
In any case, it seems that PDPL is limited, compared to the GDPR. Thus, it is understandable for the countries subject to the main and bigger cluster, which is the GDPR, not to accept Turkey, which is subject to PDPL, as a safe country.
However, it should not be forgotten that there are provisions in the PDPL and related regulations that are clearer than the GDPR; hence, these two laws should indeed be regarded as separate, intersecting clusters rather than subsets of each other. The following two examples give concrete form to this issue:
1. There is no clear regulation in our local law regarding the ‘Right to be forgotten’ which was mentioned in article 17 of the GDPR. However, similar regulations exist both in the PDPL and in the ‘Regulation on Deletion, Destruction or Anonymisation of Personal Data’. Even though they serve the same purpose in terms of content, it is obvious that there is a difference between the two regulations.
2. As the PDPL is a part of Turkish law, it is based on Turkish people and their lifestyle and, unlike the GDPR, it has regulations regarding personal data of special nature; within this framework, categories such as association and foundation membership, sect, other beliefs and clothing are also regulated. This, again, shows the difference between the two regulations and, despite the broader scope of the GDPR, is proof that the PDPL and other related legislation contain different provisions.
Choosing applicable law for the International Companies Headquartered In Turkey
In this context, it is clear that companies that are based in Turkey but are branching out into countries subject to the GDPR must comply with the GDPR while continuing their commercial activities. As data transfers will be made from the branch to the headquarters, if the company’s headquarters is in Turkey, processing, preservation (storage), deletion-destruction-anonymisation and all transfers should be carried out in accordance with both the PDPL and the GDPR. Taking into consideration that the transferred data originates from the countries subject to the GDPR, and considering the spirit of the law, in other words its main purpose being the protection of personal rights, and since the personal rights of foreigners living in the mentioned countries will be protected under the GDPR, it will be concluded that the headquarters must comply with the GDPR along with the PDPL.
In addition, within the scope of the GDPR, if a person residing in a country subject to the GDPR arrives in Turkey, all Turkish or foreign-based companies that process that person’s personal data, as ‘data controllers’, need to ensure compliance with both the PDPL and the GDPR.
Choosing applicable law for the International Companies Setting Up Branches In Turkey
On the other hand, it is obvious that a company headquartered in a country subject to the GDPR must comply with the GDPR within its headquarters. One might think that the Turkey branch of the company should only comply with the PDPL and should not be responsible for the rest of the GDPR provisions. However, as having commercial activities with any company subject to the GDPR will require complying with the GDPR, compliance with both pieces of legislation should be ensured, as mentioned above, because, in most cases, a company’s headquarters has the title of the main data controller and, being the first-degree data controller, Turkish law is the law that should be applied to the Turkish branch. However, in the context of data transfer, the responsibility arising in terms of the data to be sent to the headquarters will be within the scope of the GDPR. It should be underlined that neither the PDPL nor the GDPR is prohibitive; both are regulatory. They ensure the establishment of data security and data privacy and are the assurance of personal data. It is possible to transfer personal data abroad, provided that the regulations in the law and legislation are complied with. Thus, if sound data processing is achieved in the company’s Turkey branch, there will not be any obstacles in terms of the PDPL regarding the data transfer abroad; in addition, the data must be processed, protected (stored), deleted-destroyed, anonymised and transferred in compliance with the GDPR.
Even though the PDPL is based on the Convention for the Protection of Individuals Against Automatic Processing of Personal Data (Numbered 108) that came into force in 1981, it is not true to say that either the GDPR or the PDPL is superior to the other. In this context, PDPL is a different law that is based solely on the developments in the EU. And as the GDPR binds any company that engages in commercial activity with the companies in the EU, in terms of its scope of application, it will be concluded that companies with international branches must comply with both regulations.