What is GDPR? What does GDPR mean?

GDPR, as used throughout this page, stands for the Turkish Personal Data Protection Law No. 6698 (Kişisel Verilerin Korunması Kanunu, KVKK). This law was enacted to protect the fundamental rights and freedoms of individuals, especially the privacy of their private lives, during the processing of personal data. It also regulates the procedures and principles that must be followed by natural and legal persons who process personal data, whether wholly or partially by automated means, or by non-automated means as part of any data recording system.

The abbreviation is also used for the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu), an institution established by this law with administrative and financial autonomy and public legal personality, and for the Personal Data Protection Board, whose powers and duties are enumerated in the relevant law.

What is personal data under GDPR? What are special categories of personal data under GDPR?

Any information relating to an identified or identifiable natural person that reveals their identity and is specific to them (such as name, surname, date of birth, home address, work address, email address, IP address, phone number, fax number, credit card information, national identification number, tax identification number, passport number, social security number, driver's license number, vehicle license plate, resume, photograph, video, etc.) is considered personal data under the scope of GDPR. Its processing by natural or legal persons is only possible with the explicit consent of the data subject.

Furthermore, under Article 6 of the Personal Data Protection Law No. 6698, certain data are listed as special categories of personal data. These include an individual's race, ethnic origin, political opinion, philosophical belief, religion, sect or other beliefs, dress and appearance, membership in associations, foundations, or trade unions, health, sexual life, criminal convictions and security measures, and biometric and genetic data. The processing of such data is prohibited without the explicit consent of the data subject.

What is GDPR consent? What is a GDPR privacy notice?

Explicit consent under GDPR (here, the concept as defined in Article 3, titled Definitions, of the Personal Data Protection Law No. 6698) is consent that relates to a specific subject, is based on being informed, and is declared of the data subject's free will. As this definition makes clear, consent must be informed.

Because no particular format is prescribed for how this information must be provided or how explicit consent must be obtained, a privacy notice together with an acceptance button in an electronic environment, or consent obtained through a call center, can satisfy the GDPR obligations, provided that the burden of proof remains with the data controller.

When did GDPR come into effect?

In 1995, the European Union adopted the "Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data" to harmonize personal data protection regulations among member states. This Directive served as a foundational text for legal regulations within member states' domestic laws, including Turkey. It also laid the groundwork for the European Union General Data Protection Regulation (GDPR) No. 2016/679, which was enacted by the European Parliament, the Council of Europe, and the European Commission in 2016, came into force in 2018, and remains the current applicable legislation in the EU today.

In Turkey, the law referred to here as GDPR (Law No. 6698) was prepared with the aim of effectively protecting human rights, supporting EU accession negotiations, and fostering international cooperation and trade. It was submitted to the Grand National Assembly of Turkey on December 26, 2014. The law was enacted on March 24, 2016, and came into force upon its publication in the Official Gazette (Issue No. 29677) on April 7, 2016.

Who is GDPR mandatory for?

Article 2 of the Personal Data Protection Law No. 6698 (referred to here as GDPR) outlines the scope of the law, stating that it applies to "natural and legal persons who process personal data wholly or partially by automated means, or by non-automated means provided that it is part of any data recording system."

Personal data processing refers to any operation performed on personal data, such as its acquisition, recording, storage, retention, alteration, re-organization, disclosure, transfer, taking over, making it retrievable, classification, or prevention of its use. Anyone who performs these operations, natural or legal person alike, is subject to the rules introduced by GDPR.

What is a GDPR Data Controller? What is a GDPR Data Processor?

Article 3, titled Definitions, of the Personal Data Protection Law No. 6698 (referred to here as GDPR) defines the Data Controller as the natural or legal person who determines the purposes and means of processing personal data and is responsible for the establishment and management of the data recording system.

The same article (Article 3 of the Personal Data Protection Law No. 6698) defines a Data Processor as a natural or legal person who processes personal data on behalf of the Data Controller, based on the authority granted by the Data Controller. To distinguish between the two, identify the person or entity who answers the "why" and "how" questions of the processing activity: the Data Controller decides why and how, the Data Processor acts on those decisions.

What Needs to Be Done Under GDPR?

In accordance with the Personal Data Protection Law No. 6698 (referred to here as GDPR), the Data Controller's obligations include: fulfilling the clarification obligation toward data subjects (the data subject being the person whose personal data is processed); taking the necessary measures to ensure data security; registering with the Data Controllers' Registry (VERBİS); responding to data subjects' applications; deleting, destroying, or anonymizing personal data ex officio or upon the data subject's request when the reasons for processing cease to exist; and complying with the decisions of the Data Protection Board.

What are the penalties and sanctions under GDPR?

According to the Turkish Criminal Code No. 5237 (TCK), individuals who unlawfully record personal data will be sentenced to imprisonment from one to three years (this sentence may be increased by half depending on the nature of the data). Those who unlawfully obtain or disseminate this data will be sentenced to imprisonment from two to four years. Furthermore, anyone who acts in violation of the obligation to delete, destroy, or anonymize this data will be sentenced to imprisonment from one to two years.

Additionally, in accordance with the Personal Data Protection Law No. 6698 (referred to here as GDPR), administrative fines are applied as follows: Data Controllers who fail to fulfill their clarification obligation face fines of 5,000 to 10,000 Turkish Liras; those who fail to meet their data security obligations face fines of 15,000 to 1,000,000 Turkish Liras; and those who act in violation of the Data Controllers' Registry (VERBİS) registration requirement face fines of 20,000 to 1,000,000 Turkish Liras.

What Are the Differences Between KVKK and GDPR?

Although EU legal regulations were taken as a model in the drafting of the Personal Data Protection Law No. 6698, there are several differences between KVKK and GDPR:

Under GDPR, any company or individual that processes data, even if it is not the data controller (including third parties such as cloud service providers), is held responsible for the lawful processing of that data. Under Article 18/2 of the Personal Data Protection Law No. 6698, by contrast, different levels of responsibility are set for the data controller and the data processor: administrative fines are imposed only on data controllers, and the obligation to register with the Data Controllers' Registry likewise covers only data controllers.

Although the right to be forgotten, generally expressed as an individual's right to control their own personal data and, where possible, to have it deleted, was first placed within a legal regulatory framework by GDPR, the Personal Data Protection Law No. 6698 contains no separate provision on it; in Turkey this concept is shaped by decisions of the Supreme Court and the Constitutional Court.

While GDPR provides for substantial sanctions for breaches of its data protection rules, such as 200 million euros or four percent of the service provider's global revenue, the corresponding administrative fines under the Personal Data Protection Law No. 6698 (5,000 to 1,000,000 Turkish Liras) are limited to comparatively lower amounts.

The "right to data portability" regulated by GDPR, and institutions such as the "mandatory data protection officer" for the processing of sensitive data and the "mandatory data protection impact assessment" for high-risk processing activities, have no counterpart in the Personal Data Protection Law No. 6698.