Two Important Regulations in Data Protection: KVKK and GDPR

By Vesile Sarıca

As technology takes an ever more central place in our lives, it is necessary to pay attention to issues such as the privacy of personal life and the protection of fundamental rights and freedoms. Because we manage our business and daily life by sharing all of our information with others on digital platforms, it is now our fundamental right to know where, by whom and for what reason our information is stored or used in the digital world.

At the same time, rapid developments in data collection, processing and storage technology have pushed authorities to create legal regulations that protect the privacy of personal data and keep its handling under control.

The Law on Protection of Personal Data (“KVKK”) and the General Data Protection Regulation (“GDPR”) were established for the sole purpose of regulating personal data protection. They also permit data holders to use private data in the right way, assign responsibilities, and unify information security. In addition, they aim to prevent the unlimited and haphazard collection of personal data, its exposure to unauthorized access, and its disclosure or misuse.

Although the KVKK and the GDPR are legal regulations that serve the same purposes, they were born in different legal systems and contain provisions of differing scope and constraints. In this article, we will examine the KVKK and the GDPR as well as their most basic and noteworthy differences.

The KVKK entered into force on April 7, 2016 in Turkey. It sets the rules to be followed by natural and legal persons who collect, process, and store personal data, and it protects the fundamental rights and freedoms of individuals, especially the privacy of private life. While it sets out the procedures and principles that natural and legal persons must comply with when processing personal data, it also regulates the responsibilities that may arise from not complying with these rules.

The GDPR entered into force on May 25, 2018. Like the KVKK, it aims to ensure data security, in this case for persons residing in the European Union. In addition, the Organization for Economic Co-operation and Development (OECD) at the international level has the Protection of Private Life.

Because the KVKK covers all natural and legal persons that handle personal data in Turkey, it has a narrower field of application. The GDPR has a wider jurisdiction. It regulates all kinds of personal data operations for all companies that collect, process, and store personal data of anyone living within the borders of the European Union, regardless of where the company is located. Thus, unlike the KVKK, the GDPR imposes responsibility not only on persons who process data in its place of origin (the European Union) but also on all natural and legal persons who process the data of persons residing in the European Union.

In this respect, even if a business processes data outside of the European Union, it is obliged to act in compliance with the GDPR if it processes data of persons residing in the European Union. So when a natural person or legal entity resident in Turkey carries out such data operations, compliance with the KVKK alone is not enough; as long as it processes personal data of persons residing in the European Union, it must also demonstrate compliance with the GDPR rules.

One of the most important differences between the two regulations is therefore their area of application. Since the GDPR covers a wider jurisdiction than the KVKK, all companies that process personal data of anyone living within the borders of the European Union are obliged to comply with the GDPR, regardless of their location.

In addition, while the data controller in the KVKK is held responsible to the Personal Data Authority (“KVK”) Board for the processing, deletion and collection of personal data, the GDPR has the concept of “data controller” in line with the accountability principle instead of the data controller. Under the GDPR, the data controller is held responsible for all fundamental principles. Under the KVKK, data controllers are responsible for registering with the Data Controllers Registry Information System (“VERBIS”), while the GDPR does not mention such a registration information system.

Another important difference is criminal liability. While the upper limit of the penal sanctions stipulated under the KVKK is set at 1.000.000 TL, under the GDPR the penal sanction is set at 4% of the annual global turnover or 20.000.000 Euro, whichever is higher.

It is safe to say that there is a great similarity between the KVKK and the GDPR, but some differences, such as the high criminal sanctions introduced by the GDPR, matter to everyone subject to these regulations. By knowing our rights as regulated by law and knowing that our data is under protection, we can have a much more conscious digital experience.

