Actually, we need to ask this question more broadly and in detail; In case of breach of personal data, can European Union laws impose a sanction on Turkish companies that are not located within the borders of the EU but do business there? Can he punish directly or indirectly for this violation? Does being outside the EU affect the situation positively or negatively? What can they do, what can happen to a Turkish company that commits a data breach? Before answering these questions, it will be explanatory to look at the output of the KVKK and GDPR concepts:
The “Convention on the Protection of Real Persons During the Automatic Processing of Personal Data” was adopted by the Council of Europe, of which Turkey is a member, in 1981. Turkey is one of the first countries to sign this Convention. However, as the law was not published, the approval procedure was suspended. Subsequently, the relevant legislation entered into force by being published in the Official Gazette on 07.04.2016 based on the European Union Directive 95/46/EC on the processing of personal data in the European Union and the protection of individuals regarding the free movement of such data. A 2-year adaptation period has been determined for passing and preparation. The end of the compliance period is 07.04.2018. For the time being, public or private institutions that process and preserve data, all natural and legal persons, in short, all companies without exception are within the scope of this law.
Situation in the European Union:
The European Union parliament, after a 4-year preparation and discussion process, put this regulation into effect under the name of EU General Data Protection Regulation (GDPR) on April 14, 2016, and this law is 25th in all European Union countries. 05. It has entered into force as of 2018, covering very severe penalties in case of very serious violations.
This legislation, which we can translate into Turkish as the European Union General Regulation on the Protection of Personal Data, has been included in the European Union laws in line with the 95/46/EC Personal Data Protection Directive and regulation in all European Union countries. As a result of this, personal data and the security of this data have been implemented very strictly, and it has become a legislation that must be followed by European Union-based companies, EU citizens and all stakeholders doing business and shopping with European Union countries, even if they are outside the EU.
Even if the country of origin is not a member of the EU, institutions that provide goods or services to personal data owners or monitor the behavior of data subjects in the EU are considered to be responsible for GDPR. In short, even though they operate outside the European Union, companies that do business with the EU, produce services and target EU consumers are also subject to GDPR.
GDPR is an aggressive regulation that is different from the legal regulations seen so far. Violation of the legislation and violation of obligations have very severe sanctions. When we look at the GDPR provisions in detail, there are many penalties, but it is enough to even include one here;
For example, Article 83 of the GDPR. 5 of the article. The provision in the paragraph is exactly as follows; “….Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher….” In Turkish, it is stated that in case of breach of GDPR obligations, a fine of up to 20 million EURO or a penalty of 4% of the global turnover of the company, which is the subject of the penalty, has to be paid, whichever is higher.
A fine of 4% over the global turnover of the company, and 20.000.000-EURO fine if the annual turnover is lower, is a very high penalty beyond the penalties in our country. However, it is an important parameter in terms of showing the European Union’s view of the concept of personal data and the importance it attaches to the rights and freedoms of individuals and their personal data.
In this case, we can easily say that we are faced with a legal regulation that requires Turkish companies doing business in EU countries to be very, very careful, even if they are not resident there. Full compliance with both KVKK and GDPR provisions is required for companies originating from the European Union and investing in Turkey with foreign capital, but the same is true for Turkish companies trading with EU countries. As with any personal data breach, the possible penalty is unbelievable. At this point, Turkish companies, which have not yet done any work within their own body, should immediately put the issue of KVKK and GDPR on the agenda, harmonize with these laws and, when properly done, allocate budget and time for this long-lasting harmonization project and start doing the necessary work.
