Turkey's adoption of Convention 108 and the introduction of its Data Protection Law (DPL), also known as Kişisel Verileri Koruma Kanunu (KVKK), mark significant strides in data protection, much like the EU's GDPR.
This article examines the details of Turkey's KVKK, its origins in the EU Directive 95/46/EC, and its key differences from the GDPR.
- 1. What is Turkey's KVKK?
- 2. Analyzing the Differences between Turkey's KVKK and the GDPR
- 2.1. Data Categories
- 2.2. Responsibilities of Data Controllers and Processors
- 2.3. The Rights of Data Subjects
- 2.4. Protection of Personal Data
- 2.5. The Data Protection Officer
- 2.6. Cross-Border Data Transfers
- 2.7. Obligations for Data Controllers to Register with Data Protection Authorities
- 2.8. Complaints and Remedies
- 2.9. Fines for Non-compliance
- 3. Summary
What is Turkey's KVKK?
Turkey's Personal Data Protection Law No. 6698, or Kişisel Verileri Koruma Kanunu (KVKK), represents a key milestone in Turkish legal history.
Coming into effect on April 7, 2016, just prior to the European Union's General Data Protection Regulation (GDPR), it was the first dedicated legislation for personal data protection in Turkey.
Prior to KVKK's implementation, data security and protection in Turkey were mainly governed by a single provision in the Turkish Constitution and several Turkish Penal Code provisions, with no specific data protection law in place.
This changed with the enactment of the KVKK, which mandated legal obligations for both entities and individuals dealing with personal data.
In 2017, to ensure effective enforcement of the KVKK and boost public awareness about personal data protection, the Turkish Data Protection Authority (TDPA) was created as an independent supervisory authority with financial and administrative autonomy.
Although the KVKK is aligned with the EU's Directive 95/46/EC, that directive was replaced by the GDPR shortly after the KVKK came into force. As a result, substantial differences exist between the KVKK and the GDPR.
These disparities arise not only because the KVKK is modeled on the GDPR's predecessor but also because of requirements unique to the Turkish data protection law.
Let's delve deeper into these distinctions.
Analyzing the Differences between Turkey's KVKK and the GDPR
Data Categories
Let's first compare the data categories defined by the GDPR and the KVKK, looking at their distinctive features in detail.
Both the GDPR and KVKK categorize personal data under two primary types. These include:
- ordinary personal data, and
- sensitive personal data.
The sensitive data sub-categories are also alike, with one notable divergence.
Both laws protect personal data relating to criminal convictions, but the KVKK lists it among the sensitive data categories, whereas the GDPR regulates it under a separate article rather than as a special category of data.
Responsibilities of Data Controllers and Processors
Though both the DPL and the GDPR give the roles of data controllers and processors similar weight, there is a stark contrast in the details of their obligations. The KVKK is not as meticulous as the GDPR.
It does not explicitly recognize joint controllership, nor does it impose on data controllers a duty to appoint data protection officers. Similarly, it lays down no firm rules on processors appointing sub-processors.
The GDPR, by contrast, covers all of these points explicitly. If your business operates in both territories, you need to understand these distinctions to make sure you are meeting every legal requirement.
The Rights of Data Subjects
The GDPR and the DPL both set out protections for data subjects' rights, but they do not line up exactly. The GDPR goes a step further, offering additional rights, such as the right to data portability, that are not clearly defined in the DPL.
Protection of Personal Data
Both the KVKK and GDPR underscore the necessity of technical and administrative strategies for personal data protection.
However, a significant distinction exists. The KVKK is relatively ambiguous about specifics; clarifications are only made through board decisions.
In contrast, the GDPR gives a much clearer picture, supplying concrete examples that are not found in the KVKK.
If your operations fall under both jurisdictions, you need to ensure you're meeting the required data protection standards.
The Data Protection Officer
Contrary to the GDPR, the DPL does not demand the appointment of a data protection officer.
Cross-Border Data Transfers
Cross-border data transfer under Turkey's KVKK shares common ground with the GDPR, but significant differences appear in the details.
Like the GDPR, the KVKK outlines a framework for cross-border personal data transfers. Both non-sensitive and sensitive personal data can be moved outside Turkey under the same grounds that allow for their processing.
However, the KVKK's processing grounds for sensitive personal data are quite restrictive, which makes the transfer of this type of data to third countries challenging.
Where the ground for processing is not the explicit consent of the data subject, the KVKK adds two alternative prerequisites for the transfer:
- the receiving country must offer a satisfactory level of protection, as assessed by the Data Protection Board (DPB), or
- both parties to the transfer must commit in writing to providing adequate protection, and the DPB must approve that commitment.
Up to this point, the cross-border transfer mechanism under the KVKK aligns closely with the GDPR. But one unique provision in the KVKK could have a significant impact on cross-border data transfers.
This provision states that, subject to the terms of any international agreements, a data transfer that would seriously harm Turkey's interests or the data subject's interests may only proceed with the DPB's approval, granted after seeking the opinion of the relevant public institutions and organizations.
This clause not only empowers the DPB to block transfers that could significantly harm Turkey's or the data subject's interests; it also requires the data controller to evaluate whether such harm would occur and, if it would, to seek DPB approval.
Since the introduction of the KVKK, this provision has been a hot topic, stirring considerable debate among practitioners and scholars.
Unfortunately, there is a lack of clarity around this provision.
Neither the KVKK's explanatory text nor the DPB's guidance explains how the "interests of Turkey or the data subject" will be, or can be, determined. For now, how this provision will be implemented and interpreted remains uncertain.
Navigating these differences requires a nuanced understanding of both the KVKK and GDPR's provisions on cross-border data transfers.
Obligations for Data Controllers to Register with Data Protection Authorities
Turkey's Personal Data Protection Law (KVKK) and Europe's General Data Protection Regulation (GDPR) take notably different approaches to the obligation for data controllers to register.
Under the GDPR, there's no broad requirement for data controllers to register with data protection authorities. Instead, it mandates the maintenance of internal records of processing activities, shifting the focus to self-accountability.
The KVKK, however, blends a registration requirement similar to that of the now-repealed directive with the GDPR's record-keeping requirement. The law requires data controllers to register with a publicly accessible data controllers' registry before they begin processing operations, a far more rigid approach.
The draft regulation on the data controllers' registry published by the Data Protection Board (DPB) adds a further layer of obligation: to complete registration, controllers must submit their "Personal Data Processing Inventory" and "Personal Data Retention and Destruction Policy" to the DPB.
Consequently, under the KVKK, data controllers are obligated to maintain specific records as part of their registration duties. This key distinction underscores the more stringent regulatory environment created by the KVKK.
Complaints and Remedies
Unlike the GDPR, the KVKK sets out a specific roadmap for lodging a complaint with the data protection authority. It is a two-step process.
- Step one: the data subject must first apply to the data controller.
- Step two: the data subject may take the complaint to the data protection authority only if the controller's response is inadequate or there is no response at all.
Fines for Non-compliance
The KVKK and GDPR handle non-compliance penalties differently, with the GDPR potentially levying significantly steeper fines. The KVKK stipulates administrative fines between TRY 9,834 (approx. EUR 1,027) and TRY 1,966,862 (approx. EUR 205,428).
In stark contrast, the GDPR provides for penalties of up to EUR 20,000,000 or 4% of the offending data controller's or processor's global annual revenue for the previous financial year.
This underlines the high cost of non-compliance in the digital age.
Summary
Turkey's Data Protection Law, Kişisel Verileri Koruma Kanunu (KVKK), marks a crucial development in data protection akin to the EU's GDPR. Although the KVKK borrows elements from the now-repealed EU Directive 95/46/EC, key distinctions exist.
- Data Categories: KVKK and GDPR both categorize data as ordinary and sensitive. However, GDPR regulates data related to criminal convictions under a separate article, unlike KVKK.
- Responsibilities: The GDPR explicitly defines joint controllership and requires data controllers to appoint data protection officers. KVKK does not provide such specific requirements.
- Data Subjects' Rights: GDPR provides additional rights, such as data portability, not explicitly defined in KVKK.
- Cross-Border Data Transfers: KVKK has a unique provision requiring the Data Protection Board's approval for transfers potentially harmful to Turkey or the data subject's interests.
- Obligations for Registration: GDPR does not require broad registration with data protection authorities, while KVKK necessitates registration with a public data controller registry.
- Complaints and Remedies: KVKK requires data subjects to apply to the data controller first before lodging a complaint with the data protection authority.
- Fines: GDPR's penalties for non-compliance are substantially higher than KVKK's.
If you operate in both Europe and Turkey, you must tread carefully. Approach the overlapping requirements with a broad compliance strategy, not only to avoid unnecessary duplication of effort but to build a robust compliance framework that keeps pace with today's global data flows.