In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you move toward GDPR compliance and help you focus your efforts. In this installment, Yusuf Mansur Özer compares Turkey's Data Protection Law with the GDPR.
Turkey, as the European Union, has been experiencing data protection hype. Last year, Turkey ratified Convention 108 of the Council of Europe and passed into law a framework law on the protection of personal data.
The Turkish Data Protection Law originates from the European Union Directive 95/46/EC, with a number of its original add-ons and revisions. Although the DPL is rather new and there are no enforcement actions as of yet, the Personal Data Protection Board, the national supervisory authority in Turkey, has published the draft versions of the secondary legislation, as well as some booklets providing guidance on the implementation of the DPL, allowing us to have somewhat of an understanding on how the brand-new data protection legislation will work.
With the above in mind, let us point out the key differences between the General Data Protection Regulation and the Turkish Data Protection Law (DPL). But before we do, it is worth noting here that the below only focuses on what I believe to be the most prevalent variations as the differences are extensive in nature, similar to those between the Directive 95/46/EC and the GDPR.
The purpose limitation principle remains to be the cornerstone of data protection legislation around the world since the fair information practice principles set out by the well-known Records, Computers, and the Rights of Citizens report. The DPL embodies almost all the fair information practice principles, but purpose limitation is the one most worth noting.
The DPL requires that personal data must be processed for specified, explicit and legitimate purposes while being kept relevant, limited and proportionate to the same purposes. The key difference here is that the DPL does not allow for a “compatible purpose” interpretation and strictly prohibits any further processing. This is evident from its recitals, where the Justice Commission expresses that if any other purposes were to arise following the collection of the data, processing for such new purposes will need to be based on one of the processing grounds as if the controller is processing the data for the first time. This means that if the data is collected for a purpose based on the consent of the data subject, the controller will be able to utilize the same data for another purpose on the condition that it obtains further consent or if it can base the further processing on another ground such as its legitimate interests.
Processing grounds and consent
Processing grounds available under the DPL are similar to those of the GDPR with two major exceptions: First is that the DPL requires consent to be explicit both for the processing of nonsensitive and sensitive personal data, and second, it is considerably more burdensome to process sensitive personal data without consent under the DPL.
The wording of the DPL clearly stipulates that personal data, whether sensitive or nonsensitive, must be processed with the “explicit consent” of the data subject. That is, of course, if another processing ground is not available. At first sight, it might seem excessive that DPL requires explicit consent even for the processing of nonsensitive personal data. This very excessiveness seems to be interpreted by the DPB, in one of its booklets, to mean that the DPL provides an even higher level of protection to the data subjects as opposed to that of the European Union. However, things get a little bit interesting when we dive into the definition of “explicit consent” under the DPL and compare it to the GDPR’s, as well as the directive’s definition of regular “consent.”
Below is a table providing a summary of the definitions of “consent” and “explicit consent” under the DPL, the directive and the GDPR.
|DPL||•||“freely given specific and informed consent”|
|Directive 95/46/EC||“freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”||•|
|GDPR||“freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”||•|
According to these definitions, the consent required by the DPL for the processing of nonsensitive personal data has, in fact, lower standards than that of the GDPR, as well as the directive. In other words, “explicit consent” within the meaning of the DPL amounts to an even lesser regular “consent” within the meaning of the GDPR. Having said this, it is important to remember that this interpretation is based on the wording of the DPL, and as there is no enforcement action by the DPB yet, it is still early to form a conclusive opinion on exactly where Turkish “explicit consent” would correspond on a European Union spectrum.
Turning to another difference, the processing grounds available for sensitive personal data under the DPL are highly limited in comparison to those of the GDPR. Accordingly, apart from the “explicit consent” of the data subject, sensitive personal data, except for data concerning health and sexual life, can be processed if it is permitted under a Turkish law. On the other hand, personal data concerning health or sexual life can only be processed for the purposes of protection of public health and planning or sustaining health care services by an authorized body or persons who are under the obligation of confidentiality. As can be seen, the processing grounds are quite limited for sensitive personal data, particularly when the data concerns health or sexual life.
The DPL regulates the cross-border transfer of personal data in coherence with its processing. Accordingly, both nonsensitive and sensitive personal data can be transferred outside Turkey based on any of their respective processing grounds. As mentioned above, because the processing grounds available for sensitive personal data are very limited under the DPL, transfer of sensitive personal data to a third country is equally burdensome.
Further, in cases when the grounds for processing is one other than the explicit consent of the data subject, the DPL additionally requires that:
- the destination country must have an adequate level of protection, which is to be determined by the DPB; or
- both sides of the transfer must commit, in writing, to provide an adequate level of protection and the approval of the DPB must be obtained.
So far, the cross-border transfer mechanism under the DPL is quite similar to that of the GDPR. Nevertheless, one of the original provisions of the DPL provides the following:
“Save for the provisions of international agreements, in cases where interests of Turkey or the data subject will be seriously harmed, personal data shall only be transferred abroad upon the approval of the Board by obtaining the opinion of relevant public institutions and organizations.”
The wording of this provision seems to hold the controller liable if a cross-border transfer, within the meaning of the DPL, seriously harms the interests of Turkey or the data subject. In other words, this provision does not only authorize the DPB to halt cross-border transfers if the interests of Turkey or the data subject will be seriously harmed but imposes an obligation on the data controller to evaluate whether such transfer seriously harms the interests of Turkey or the data subject and obtain the approval of the DPB if it does. It should be obvious by now why this provision was quite controversial when the DPL was first passed into law and has been subject to heavy scrutiny ever since by practitioners and academics alike.
Unfortunately, the recitals of the provision do not offer much explanation and neither do the guidance booklets published by the DPB. At this point, it is still uncertain as to how the “interests of Turkey or the data subject” will be or, as a matter of fact, can be determined.
There is no general requirement under the GDPR to register with the data protection authorities but instead, controllers must maintain internal records of their processing activities. The DPL, on the other hand, provides a mixture of the registration requirement under the directive and the record-keeping requirements under the GDPR.
First and foremost, the DPL stipulates a strict registration mechanism in that it requires data controllers to register with a publicly available data controllers’ registry before commencing their processing operations. Second, according to the draft version of the regulation on the data controller’s registry published by the DPB, the controllers will need to hand over their “Personal Data Processing Inventory” and “Personal Data Retention and Destruction Policy” to the DPB in order to complete their registration with the data controllers’ registry. This means that the data controllers will need to adhere to a certain type of recordkeeping requirements as part of their registration obligations under the DPL.
Enactment of the DPL marks a new era for personal data protection in Turkey, as does the GDPR in the European Union — and over the globe for that matter. However, it goes without saying that legislative reforms are never easy, particularly when they have the potential to alter the core functioning of a business.
Businesses who are caught in the territorial scopes of the DPL and the GDPR should carefully design their compliance efforts in order to avoid any duplication. In this respect, it is best to adopt a multilateral compliance approach and account for all applicable sets of legal rules before making any effort toward compliance. In today’s globalized world where data flows are superfluous, the aim should be to achieve a versatile compliance model that would satisfy the expectations of numerous supervisory authorities in diversified jurisdictions.
If you want to comment on this post, you need to login.