The EU's General Data Protection Regulation (GDPR) and Turkey's Personal Data Protection Law (KVKK) share the same origin, the EU Directive 95/46/EC. Still, GDPR and KVKK differ on some critical topics of personal data protection. Below I am sharing certain practical differences between GDPR and KVKK that I find important.
Data Controllers’ Registry
GDPR abolished the requirement for controllers to register with data protection authorities before commencing personal data processing. Instead, GDPR introduced record keeping requirements in Article 30. Another change is that the record keeping requirements also apply to processors. It should also be noted that some EU countries still keep their registries.
KVKK introduced a data controller registry in Turkey. Data controllers residing either in Turkey or abroad must register before commencing data processing activities, or before the deadline of the transition period given by the local DPA (as of the date of this article, the deadline is 31 December 2019), if those entities fall within the scope of KVKK. Registering requires submitting information about data processing activities such as data subject categories, data categories, processing purposes, retention periods, and security measures.
Processor Liabilities
Apart from holding the controller and the processor severally liable for taking data security measures, KVKK has no articles specific to processors. On the contrary, GDPR introduces detailed articles for processors.
GDPR holds processors liable for implementing appropriate technical and organizational security measures. GDPR also requires processors to notify controllers in case of a data breach, to appoint a data protection officer, and to comply with record keeping requirements. Finally, GDPR regulates the relationship between controllers and processors by requiring a written contract that includes all conditions listed under Article 28.
GDPR mandates that processors process personal data in accordance with the instructions of controllers. Even though this is not explicitly regulated under KVKK, acting otherwise may lead to the processor being considered the controller.
Data Subject Rights
Compared to KVKK, GDPR strengthens data subjects further by granting them additional rights, such as the right to restriction of processing and the right to data portability. Further, GDPR allows data subjects to challenge controllers' reasoning behind their claims of legitimate interest for personal data processing activities.
Without a doubt, GDPR puts data subjects in control of their personal data more strongly than KVKK does.
Administrative Fines
The maximum administrative fine under GDPR is 20,000,000.00 EUR or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. KVKK's maximum administrative fine limit is approximately 230,000.00 EUR (this may change depending on the currency rates). Because of the higher administrative fines, breaching GDPR poses a much greater risk.
Fatih Burak Uzun