

The right to protection of personal data, as a special form of the right to privacy, aims to protect the individual's fundamental rights and freedoms during the processing of personal data, so that the individual can freely develop his or her personality.


Currently, various data related to individuals can be easily processed and transmitted on different platforms every day under the influence of developing technology. Although the processing of these data provides some convenience and advantages for individuals and those providing goods and services, it also brings the risk of data abuse. Therefore, it becomes a necessity to establish a legal infrastructure in order to protect personal data. At the core of personal data protection is the protection of personality.

From this point of view, the right to protection of personal data aims to protect the individual's fundamental rights and freedoms during the processing of personal data in order to protect the honor and personality of the person as a special form of the right to privacy and to develop his personality freely.

For this purpose, by establishing control mechanisms for the processing of personal data, it is aimed to prevent these data from being processed illegally... The Law does not limit the processing of personal data, on the contrary, it regulates the procedures and principles for the processing of personal data in order to be more competitive in the data-based economy.


Comparison of the Personal Data Protection Law ("KVKK") and the General Data Protection Regulation ("GDPR")

As technology gains an ever more central place in our lives, it is necessary to pay more attention and care to issues such as the privacy of private life and the protection of fundamental rights and freedoms of persons. In today's world, where we share almost all of our information with others on digital platforms and conduct our business and daily life there, it is among our fundamental rights and freedoms to know where, by whom and for what purpose our information is used, and to decide on this. At the same time, the rapid developments in data collection, processing and storage technology have led to legal regulation to protect the privacy of personal data and to control all data operations.

The Law on Protection of Personal Data ("KVKK") and the General Data Protection Regulation ("GDPR") are regulations that take action at this point and observe the protection of the right to privacy and information security. In addition, they aim to prevent the unlimited and haphazard collection of personal data, access to it by unauthorized persons, its disclosure, or the violation of personal rights as a result of misuse. Although KVKK and GDPR are legal regulations that serve the same purposes, they were born in different legal systems and differ in breadth and constraints. This article is designed to examine the most basic and important differences between KVKK and GDPR and to shed light on the matter for real or legal persons who may be subject to KVKK and/or GDPR.


Overview of KVKK and GDPR Regulations and Basic Principles
When examining the similarities and differences between KVKK and GDPR, first of all, the purpose, scope and legal systems they are subject to should be understood.

KVKK, numbered 6698, entered into force after being published in the Official Gazette on April 7, 2016. It regulates the rules to be followed by real and legal persons who collect, process and store personal data, in order to protect the fundamental rights and freedoms of individuals, especially the privacy of private life. While the law sets out the procedures and principles that natural and legal persons must comply with when processing personal data, it also regulates the obligations that may arise as a result of not complying with these rules.

The GDPR, which entered into force on May 25, 2018, aims to ensure data security of persons residing in the European Union in parallel with the KVKK. In the pre-GDPR period, the European Parliament and the Council of Europe Directive on the Protection of Individuals in terms of Processing and Free Movement of Personal Data, numbered 95/46/EC, which emerged in 1995, was implemented as the basic regulation. From the point of view of the KVKK, it also seems that this Directive was largely taken as a basis. At the international level, there are also the Organization for Economic Cooperation and Development (OECD) Guidelines (1980) on the Protection of Private Life and Cross-Border Flow of Personal Data.


Scope of Application 

As the scope of KVKK covers all individuals and legal entities that process personal data in Turkey, we strongly recommend that all individuals and legal entities that conduct personal data operations in Turkey receive advice on the compliance process in order to avoid non-compliance and the sanctions that are its legal result. The GDPR has a wider jurisdiction. It regulates all kinds of personal data operations, including the sharing and use of personal data, for all companies that collect, process and store personal data of anyone living within the borders of the European Union, regardless of where the company is located.

Based on this, it can be said that GDPR, unlike KVKK in its area of application, imposes responsibility not only on persons who process data in its jurisdiction of origin (the European Union), but also on all natural and legal persons who process data of persons residing in the European Union.

In this respect, even if an enterprise does its data processing outside the European Union, if it processes the data of persons residing in the European Union, it is obliged to act in accordance with the GDPR. Therefore, for a natural person or legal entity residing in Turkey that conducts data operations, compliance with the KVKK alone is not sufficient as long as it processes the personal data of persons residing in the European Union; it must also comply with the GDPR.


Important Differences Between KVKK and GDPR Rules 

One of the most important differences between the two arrangements seems to be in the application areas. Since the GDPR is given a wider jurisdiction compared to the KVKK, all companies that process the personal data of anyone living in the European Union are obliged to comply with the GDPR regardless of their location.

In addition, while the data controller is held responsible to the Personal Data Authority ("KVK") Board for the processing, deletion and collection of personal data in the KVKK, the concept of "data controller" has been introduced in the GDPR instead of the data controller in line with the principle of accountability.

Under the GDPR, the data controller is held responsible for all fundamental principles. While data controllers are obliged to register with the Data Controllers Registry Information System ("VERBIS") in accordance with KVKK, GDPR does not mention such a registration information system. Another critical difference arises under the heading of criminal liability. While the upper limit of penal obligations stipulated within the scope of KVKK is determined as 1,000,000 TL, within the scope of GDPR the penal sanction is determined as 4% of the annual global turnover or 20,000,000 Euro, whichever is higher.

Undoubtedly, this provision once again emphasizes the importance of compliance for all companies subject to GDPR provisions that wish to avoid such large criminal sanctions. It is fair to say that there is a great similarity between the KVKK and the GDPR, but some critical differences, such as the high penal sanctions imposed by the GDPR, are also important for all persons subject to these regulations. At this point, you can contact us via the following information for detailed information and compliance consultancy services for KVKK, GDPR or both.


Volkan ALHAN
