Introduction

The General Data Protection Regulation ("GDPR" or "Regulation")1, which was approved by the European Union ("EU") Parliament and entered into force in 2016, has applied since May 25, 2018. The GDPR lays down rules relating to the protection of natural persons ("data subjects") with regard to the processing of personal data, and rules relating to the free movement of personal data. The Regulation is intended to protect the privacy of data subjects more strictly, and to reorganize data privacy laws across Europe. It is also worth noting that international companies, as well as Turkish companies, are under the obligation to comply with the GDPR, provided that their activities fall under the scope of the GDPR.

Scope of the GDPR

Material Scope

Pursuant to Article 2 of the GDPR, the Regulation does not apply to the processing of personal data: (i) in the course of an activity that falls outside the scope of EU law; (ii) by the member states of the EU ("Member States") when carrying out activities that fall within the scope of Chapter 2 of Title V of the Treaty on European Union; (iii) by a natural person in the course of a purely personal or household activity; (iv) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. 

Territorial Scope

The territorial scope of the GDPR is so extensive that it applies to the processing of personal data within the context of the activities of an establishment of a data controller or a data processor in the EU, regardless of whether the processing takes place in the EU or not. Also, this Regulation applies to the processing of personal data of data subjects who are in the EU by a controller or processor, not established in the EU, where the processing activities relate to the offering of goods or services, whether it is for free or not, to such data subjects in the EU, or monitoring the behavior of EU data subjects within the EU. Therefore, international companies, as well as Turkish companies, are under the obligation to comply with the GDPR, provided that their activities fall under the scope of the GDPR. 

Principles relating to the Processing of Personal Data 

The GDPR sets forth the principles as to how personal data shall be processed. As per Article 5 of the GDPR, personal data shall be: (i) processed lawfully, fairly, and in a transparent manner in relation to the data subject; (ii) collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes; (iii) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; (iv) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. The controller shall be accountable for compliance with the above-stated principles.

Data Controller and Processors

Data Controller

The data controller is a natural or legal person, public authority, agency or other body which, solely or jointly with others, determines the purposes and means of the processing of personal data. In other words, the organization that determines 'why' and 'how' the personal data should be processed, is called the data controller. The data controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with the Regulation.

Data Processor

The data processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller. Data processors shall process personal data only upon the instruction of the data controller. The processor shall not engage with another processor without having prior written authorization of the data controller. The responsibilities of the processor shall be governed by a contract or other legal act under the EU or Member State law. Also, the data processor, along with the data controller, shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. When a personal data breach occurs, the data processor is obligated to notify the data controller without undue delay after becoming aware of such breach.

Representatives of Data Controllers or Processors not established in the EU

Provided that Article 3(2)2 of the Regulation applies, a data controller or data processor that is not established in the EU shall designate, in writing, a representative in the EU. The representative shall be established in one of the Member States where the data subjects are located. For instance, if a company offers products and services to data subjects who are in the EU, or monitors their behavior within the EU, while not being established in the EU, the GDPR requires such company to appoint a representative in the EU as a contact person.

Transfers on the basis of an Adequacy Decision

The European Commission ("Commission") has the authority to decide whether a country outside the EU or an international organization ensures an adequate level of protection for the transfer of personal data. Pursuant to Article 45(3), after assessing the adequacy of the level of protection, the Commission may decide, by means of an implementing act, that a third country, a territory, or one or more specified sectors within that third country, or the international organization in question, ensures an adequate level of protection within the meaning of paragraph 2 of this Article (45(2)). A list of the third countries, territories, and specified sectors within a third country and any international organizations for which the Commission has decided that an adequate level of protection is, or is no longer, ensured shall be published in the Official Journal of the European Union, as well as on its website. Thus far, the Commission has recognized Andorra, Argentina, Canada (commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework) as countries that provide adequate protection.3

In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards, and on the condition that enforceable data subject rights, and effective legal remedies for data subjects, are available. 

Imposing Administrative Fines

For the purpose of empowering the enforcement of the rules of the GDPR, the administrative fines to be imposed in the event of any infringement of this Regulation are firm. Taking into consideration the tiered system under Article 83, each supervisory authority shall ensure that the imposition of administrative fines in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall, in each individual case, be effective, proportionate and dissuasive.

The amount of the fine is regulated under paragraph 5 of Article 83 for certain types of infringements, and can be as high as EUR 20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year. The infringements that result in the highest fines are: breach of requirements relating to (i) the principles with respect to the processing of personal data, lawfulness of processing, conditions for consent, processing of special categories of personal data; (ii) the data subjects' rights pursuant to Articles 12 to 22; (iii) the transfers of personal data to a recipient in a third country or an international organization pursuant to Articles 44 to 49; (iv) any obligations pursuant to a Member State law adopted under Chapter IX; (v) non-compliance with an order, or a temporary or definitive limitation on processing, or the suspension of data flow by the supervisory authority pursuant to Article 58(2), or failure to provide access in violation of Article 58(1). Other identified infringements under paragraph 4 of Article 83 shall result in administrative fines up to EUR 10 million, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year.

Conclusion

The long-awaited GDPR, which brings with it significant changes to the protection of personal data, is currently in force. The GDPR is intended to protect the privacy of data subjects more strictly, and to reorganize data privacy laws across Europe. Also, the high euro amount of administrative fines to be imposed in the event of any infringement of this Regulation must be daunting for data controllers and processors. Lastly, it is worth noting that international companies, as well as Turkish companies, are under the obligation to comply with the GDPR, provided that their activities fall under the scope of the GDPR.

(Authored by Ecem Susoy Uygun and first published by Erdem & Erdem in June 2018)

1 Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),  (Access date: 28.05.2018).

2 Please see Article 3(2) of the Regulation, as follows: "This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behavior, insofar as their behaviour takes place within the Union."

3 Please see.  (Access date: 01.06.2018).
