DPL VERSUS GDPR
Law no. 6698 on the Protection of Personal Data (DPL) entered into force on 7th April 2016 and applies to all persons, private and public entities in particular. It is Turkey's first and only legislation on the protection of natural persons with regard to the processing of their personal data. Unlike in many European countries, there had been virtually no practical dispute in Turkey on this subject by the time DPL was enacted, which made drafting a novel set of rules difficult; the drafters therefore adopted, on a large scale, the EU legislation then in force, Directive 95/46/EC, with the intention of rendering the domestic law compatible with its EU equivalent. However, a significant gap has since opened between the domestic and EU law on personal data protection: that Directive was repealed by the EU General Data Protection Regulation 2016/679 (GDPR), enforceable as of 25th May 2018, whose provisions impose stricter conditions for processing personal data and provide a higher level of protection for it. The most notable differences constituting this gap, and the ones most likely to cause trouble in practice, concern topics including but not limited to the liabilities of the processor, the definition of explicit consent, records of processing activities, territorial scope, the designation of a Data Protection Officer, access to data and data portability, joint controllership, data protection impact assessment and the protection of children's personal data.
LIABILITIES OF THE PROCESSOR
The term processor has approximately the same meaning under DPL and GDPR: a natural or legal person processing personal data on behalf of the controller. The term controller, under both pieces of legislation (though with certain deviations), refers to "a natural or legal person determining the purposes and means of the processing of personal data".
The controller, the main obligated party under GDPR, is the sole obligated party under DPL, which exempts the processor from any sanction where the processor is the one who violates the law. In other words, while the obligations for lawful processing of personal data are mainly set forth for the controller in both DPL and GDPR, the processor is fully accountable under GDPR, if not as strictly as the controller, and may be exposed to substantial fines upon failing to comply with the Regulation. Under certain circumstances, for instance, the processor must maintain a record of its processing activities, though not as detailed a record as the controller has to keep. DPL, on the other hand, exempts the processor from the sanctions it stipulates in case of infringement, and from all liabilities save for the requirement to take the necessary measures for data security.
EXPLICIT CONSENT
The most important default requirement these two pieces of legislation have in common for lawful processing of personal data is the explicit consent of the data subject. When compared more closely, however, DPL introduces a rather insufficient definition of consent, which is bound to have certain impacts in practice. Under DPL, explicit consent is defined as a "freely given, specific and informed and unambiguous declaration of intent" by the data subject, whereas GDPR defines the term as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her." As can be inferred from the wording, especially the part "by a statement or by a clear affirmative action", GDPR requires the data subject to play an active role in giving explicit consent. The most significant difference here is the form of the declaration of intent demonstrating explicit consent. The definition in DPL does not indicate any requirement for the declaration of intent to be delivered by an active affirmation. Thus, under GDPR, there is no valid explicit consent where a data subject visits a website, an informative text about the processing of personal data pops up with the consent box already ticked, and the data subject is presumed to have consented from the outset but has to opt out if s/he wishes to withdraw the consent. There is, however, no provision in DPL preventing such a passive way of consenting from being accepted as explicit consent.
RECORD-KEEPING DUTY OF THE CONTROLLER AND PROCESSOR
Another issue to be considered is the comparison between the national data registry under DPL, which contains general information about controllers and their data processing activities, and the record-keeping duties of the controller and processor under GDPR. In contrast with the general and rather superficial nature of the information required for the data registry under DPL, controllers employing 250 or more persons shall, under GDPR, maintain a detailed record of their processing activities and keep that record available at all times for inspection by the relevant supervisory authority if the processing is not occasional or includes special categories of data or personal data relating to criminal convictions and offences. Processors satisfying the same conditions are also subject to this duty, in a milder form, in that they record relatively general information.
TERRITORIAL SCOPE
Since the territorial scope of DPL cannot be determined from its text, owing to the lack of a relevant provision, it is not clear whether data subjects, controllers or processors not located in Turkey are subject to DPL. GDPR, however, has worldwide reach: all controllers and processors offering goods or services to data subjects in the EU, or monitoring their behaviour taking place in the EU, are subject to GDPR regardless of their location if they process the personal data of such data subjects in the context of these activities.
Moreover, the Regulation also applies when a controller or a processor has an establishment in the European Union and processes personal data in the context of that establishment's activities, no matter where the processing takes place.
DATA PROTECTION OFFICER
Unlike DPL, GDPR article 37 sets forth that controllers and processors shall designate a data protection officer if the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; or if their core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or if their core activities consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences. A controller or processor may appoint a data protection officer internally, by designating one of its employees for this position, or externally, by engaging an independent expert or even designating an entity. GDPR article 39 declares the core tasks of a data protection officer as follows: to inform and advise the controller or the processor and the employees who carry out processing of their obligations under GDPR and other Union or Member State data protection provisions; to monitor compliance with the Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits; to provide advice where requested as regards the data protection impact assessment and monitor its performance; and to cooperate with the supervisory authority and act as the contact point for the supervisory authority on issues relating to processing.
RIGHT TO DATA PORTABILITY
The right to data portability is one of the rights GDPR grants to data subjects, while there is no mention of it in DPL.
Pursuant to GDPR article 20 and related provisions, data subjects have the right to access and obtain their personal data in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller. Where technically feasible, data subjects should also have the right to have their personal data transmitted directly from one controller to another. A practical example of this right is mobile phone users having the right to transfer and continue using their original phone numbers upon changing network operators.
Nevertheless, this right applies only where the data subject provided the personal data on the basis of his or her consent or the processing is necessary for the performance of a contract. It does not apply where processing is based on a legal ground other than consent or contract. Therefore, it does not apply where the processing of the personal data is necessary for compliance with a legal obligation to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Apart from the goal of strengthening the control of data subjects over their personal data, this provision also aims to enable small businesses, entrepreneurs and start-ups to compete, and to prevent the Regulation from having negative consequences for them. Because data is the main production factor in the digital economy, companies race to collect and process as much data as possible, but digital platforms and platform providers usually keep their systems closed and hold the personal data they process in such a way that even data subjects themselves cannot access their personal data, let alone rival companies.
DATA PROTECTION IMPACT ASSESSMENT
A data protection impact assessment, as defined in GDPR article 35, is an evaluation of the impact of the processing on the protection of personal data, carried out by the controller before employing new technologies for processing, or where the processing, taking into account its nature, scope, context and purposes, is likely to result in a high risk to the rights and freedoms of natural persons. Although this obligation of the controller is set out in GDPR in a long and detailed article, DPL imposes no such obligation whatsoever on controllers or any other persons. Where a data protection officer is employed, the controller is required to seek the advice of the data protection officer while carrying out the assessment. Also, where appropriate, the controller shall seek the views of data subjects or their representatives on the intended processing.
JOINT CONTROLLERSHIP
Pursuant to the definition in DPL, the controller is "a natural or legal person ... who determines the purposes and means of the processing of personal data". Given this wording, the controller refers to a person acting alone in determining the purposes and means of processing. Under the definition in GDPR article 4, titled "Definitions", the controller is "a natural or legal person, ... which, alone or jointly with others, determines the purposes and means of the processing of personal data ...". Apart from this provision, joint controllership is separately regulated under GDPR article 26, which applies to situations where more than one person determines the purposes and means of the same processing activity.
It follows from this article that if more than one person, each of which satisfies all the conditions to qualify as a controller, jointly participate in determining the purposes and means of a processing activity, they are deemed joint controllers and are jointly liable for performing all obligations assigned to the controller under GDPR. It suffices for them to be regarded as joint controllers that they take decisions in cooperation while determining the purposes and means of the processing; they are not expected to have the same roles in determining them.
Joint controllers are expected to conclude an agreement allocating their responsibilities under the Regulation, including the provision of information about the processing to data subjects, and to enable data subjects to learn the key points of this agreement by such means as publishing the information on their websites. This agreement has effect only between the joint controllers themselves, since GDPR article 26/3 provides for joint and several liability of joint controllers by stating that data subjects may exercise their rights under the Regulation in respect of and against each of the controllers, regardless of the agreement on the sharing of responsibilities.
PROTECTIVE MEASURES FOR CHILDREN
Another topic introduced by GDPR but not by DPL is the protection of children's personal data, regulated in GDPR article 8, which subjects the processing of such data to certain special terms. Since children cannot be expected to fully comprehend the importance of issues such as the processing of personal data, the consequences and risks entailed by it and the measures it requires, GDPR requires a child to be at least 16 years old to be able to consent to the processing of his/her personal data in relation to information society services offered directly to the child. The processing of the personal data of a child below this age depends on the consent of the holder of parental responsibility over the child. That said, GDPR allows EU member states to lower this age limit to 13 through their domestic legislation.
The controller is also responsible for making reasonable efforts, taking into consideration available technology, to verify that consent is given or authorised by the holder of parental responsibility over a child under 16, as stipulated in GDPR article 8/2. It should be stressed that this article applies only where the service on the basis of which the personal data is processed targets children directly.
An illustrative example is a website providing educational information specifically for children. To lawfully process the personal data of data subjects using this website, the conditions in GDPR article 8 have to be complied with, since the direct target of the website, as can be deduced from its content, is children.
Besides this article, GDPR also entrusts national data protection authorities in EU member states with conducting more scrupulous and thorough inspections in cases involving the processing of children's personal data.