The General Data Protection Regulation in Force
Introduction
The General Data Protection Regulation (“GDPR” or “Regulation”)[1] that was approved by the European Union (“EU”) Parliament and entered into force in 2016 has started to be applied as of May 25, 2018. The GDPR lays down rules relating to the protection of natural persons (“data subjects”) with regard to the processing of personal data, and rules relating to the free movement of personal data. With this Regulation, it is intended to protect the privacy of the data subjects more strictly, and to reorganize data privacy laws across Europe. Also, it is worth to note that, international companies, as well as Turkish companies, are under the obligation to comply with the GDPR, provided that their activities fall under the scope of the GDPR.
Scope of the GDPR
Material Scope
Pursuant to Article 2 of the GDPR, the Regulation does not apply to the processing of personal data: (i) in the course of an activity that falls outside the scope of EU law; (ii) by the member states of the EU (“Member States”) when carrying out activities that fall within the scope of Chapter 2 of Title V of the Treaty on European Union; (iii) by a natural person in the course of a purely personal or household activity; (iv) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
Territorial scope
The territorial scope of the GDPR is so extensive that it applies to the processing of personal data within the context of the activities of an establishment of a data controller or a data processor in the EU, regardless of whether the processing takes place in the EU or not. Also, this Regulation applies to the processing of personal data of data subjects who are in the EU by a controller or processor, not established in the EU, where the processing activities relate to the offering of goods or services, whether it is for free or not, to such data subjects in the EU, or monitoring the behavior of EU data subjects within the EU. Therefore, international companies, as well as Turkish companies, are under the obligation to comply with the GDPR, provided that their activities fall under the scope of the GDPR.
Principles relating to the Processing of Personal Data
The GDPR sets forth the principles as to how personal data shall be processed. As per Article 5 of the GDPR, the personal data shall be: (i) processed lawfully, fairly, and in a transparent manner in relation to the data subject; (ii) collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes; (iii) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; (iv) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data, which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified, without delay. The controller shall be accountable to comply with the above-stated principles.
Data Controller and Processors
Data Controller
The data controller is a natural or legal person, public authority, agency or other body which, solely or jointly with others, determines the purposes and means of the processing of personal data. In other words, the organization that determines ‘why’ and ‘how’ the personal data should be processed, is called the data controller. The data controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the Regulation.
Data Processor
The data processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller. Data processors shall process personal data only upon the instruction of the data controller. The processor shall not engage with another processor without having prior written authorization of the data controller. The responsibilities of the processor shall be governed by a contract or other legal act under the EU or Member State law. Also, the data processor, along with the data controller, shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. When a personal data breach occurs, the data processor is obligated to notify the data controller without undue delay after becoming aware of such breach.
Representatives of Data Controllers or Processors not established in the EU
Provided that Article 3(2)[2] of the Regulation applies, the data controller, or the data processor who are not established in the EU, shall designate, in writing, a representative in the EU. The representative shall be established in one of the Member States where the data subjects are located. For instance, if a company offers products and services to data subjects who are in the EU, or monitors their behavior within the EU, while not being established in the EU, the GDPR requires such company to appoint a representative in the EU as a contact person.
Transfers on the basis of an Adequacy Decision
The European Commission (“Commission”) has the authority to decide whether a country outside the EU or an international organization ensures that an adequate level of protection for the transfer of personal data exists. Pursuant to Article 45(3), after assessing the adequacy of the level of protection, the Commission may decide, by means of implementing an act, that a third country, a territory, or one or more specified sectors within that third country, or the international organization in question, ensures an adequate level of protection within the meaning of paragraph 2 of this Article (45(2)). A list of the third countries, territories, and specified sectors within a third country and any international organizations that the Commission has decided that an adequate level of protection is, or is no longer ensured, shall be published in the Official Journal of the European Union, as well as on its website. Thus far, the Commission has recognized Andorra, Argentina, Canada (commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as countries that provide adequate protection.[3]
In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on the condition that enforceable data subject rights, and effective legal remedies for data subjects, are available.
Imposing Administrative Fines
For the purpose of empowering the enforcement of the rules of the GDPR, the administrative fines to be imposed in the event of any infringement of this Regulation are firm. Taking into consideration the tiered system under Article 83, each supervisory authority shall ensure that the imposition of administrative fines in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall, in each individual case, be effective, proportionate and dissuasive.
The amount of the fine is regulated under paragraph 5 of Article 83 for certain types of infringements, which can be as high as EUR20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year. The infringements that results in the highest fines are: breach of requirements relating to (i) the principles with respect to the processing of personal data, lawfulness of processing, conditions for consent, processing of special categories of personal data; (ii) the data subjects" rights pursuant to Articles 12 to 22; (iii) the transfers of personal data to a recipient in a third country or an international organization pursuant to Articles 44 to 49; (iv) any obligations pursuant to a Member State law adopted under Chapter IX; (v) non-compliance with an order, or a temporary or definitive limitation on processing, or the suspension of data flow by the supervisory authority pursuant to Article 58(2), or failure to provide access in violation of Article 58(1). Other identified infringements under paragraph 4 of Article 83 shall result in administrative fines up to EUR10 million, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year.
Conclusion
The long-waited GDPR that brings with it significant changes on the protection of personal data is currently in force. With the GDPR, it is intended to protect the privacy of the data subjects more strictly, and to reorganize data privacy laws across Europe. Also, the high euro amount of administrative fines to be imposed in the event of any infringement of this Regulation must be daunting for data controllers and processors. Lastly, it is worth to note that, international companies, as well as Turkish companies, are under the obligation to comply with the GDPR, provided that their activities fall under the scope of the GDPR.
[1] Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679 (Access date: 28.05.2018).
[2] Please see Article 3(2) of the Regulation, as follows: “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior, insofar as their behaviour takes place within the Union.”
[3] Please see. https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en (Access date: 01.06.2018).
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
Other Contents
The first “Artificial Intelligence Act” of all time, which includes rules and regulations that directly affect tools such as ChatGPT, Bard and Midjourney adopted by the European Parliament with a majority of votes. Thus, the European Parliament has officially taken the steps of a regulation that could be a turning point for...
In its decision regarding Case-300/21 and dated May 4, 2023, the Court of Justice of the European Union (“CJEU”) evaluates the right to compensation for an infringement of the European Union General Data Protection Regulation (“GDPR”) regulated in Article 82 of the GDPR. The CJEU decided that a mere...
ChatGPT, a large language model (LLM) developed by OpenAI, is an artificial intelligence (AI) system based on deep learning techniques and neural networks for natural language processing. ChatGPT can process and generate human-like text, chat, analyse and answer follow-up questions, and acknowledge errors...
The Personal Data Protection Law numbered 6698 (“PDPL”) introduces definitions for many concepts such as personal data, data controller, data processor and data subject. In terms of understanding and interpreting these concepts, secondary legislation, Personal Data Protection Authority (“Authority”) guidelines...
The Covid-19 pandemic and recent technological developments have significantly accelerated the digital transformation of all sectors. However, this rapid change especially in the financial sector (mobile banking, e-commerce, contactless payments, etc.) has brought some risks along with making life extremely...
Smartwatches have undeniably revolutionized our lives in the past decade. Apart from their core function as a timepiece, these wearable computers packaged in the form of a watch enable us to answer incoming calls, reply to messages and skim through social media notifications in seconds. Their steady rechargeable...
The Personal Data Protection Authority (“DPA”), on 16.06.2022, published the Draft Guidelines on Examination of Loyalty Programs within the Scope of Personal Data Protection Legislation (“Draft Guidelines”). The public has until 16.07.2022 to submit comments on them, and after these are evaluated...
The German Competition Authority (“Bundeskartellamt”) had previously found Meta (formerly Facebook) responsible for abusing its dominant position in the social network market by collecting and processing the personal data of its users without their consent and imposed measures on Meta and its associated...
Banks process large volumes of personal data in their daily operations. In order to deal with this sensitive information, the Turkish Personal Data Protection Authority, in cooperation with the Banks Association of Turkey, published Good Practice Guidelines on Personal Data Protection in the Banking...
The procedural rules on mass claims within European Union (“EU”) Member States is not uniform. To improve the position of consumers who might wish to make such claims, the European Parliament passed the Collective Redress Directive (“Directive”). The impact of the Directive is expected to...
In February 2020, the European Commission (“Commission”) published “A European Strategy for Data” as part of a wider drive concerning digital transformation and policy. Through this communication, the European Union (“EU”), defining itself as having a leading role in the data economy...
The Regulation on Protection and Processing of Personal Data by the Social Security Institution (the “Regulation”), the purpose of which is to determine the procedures and principles for processing data obtained within the scope of the duties and authority of...
The Personal Information Protection Law of the People’s Republic of China (“PIPL”) passed at the 30th meeting of the Standing Committee of the 13th National People’s Congress on 20 August 2021 and entered into force on 1 November 2021 as per Article 74...
In today's world, there is no doubt that data has become one of the most valuable assets and resources for some companies. The ability to collect, store, process, and analyze data on a large scale has dramatically changed...