In this article, GDPR will be held in perspective of specific law practices.


Following the Covid-19 pandemic, the world has witnessed a universal technological revolution.  Indeed, most of the business and non-business transactions and dealings are effected online. That is why, it remains of the utmost importance to guarantee their safety.

In Turkey, the Personal Data Protection Act (“KVKK”)  regulates the right to privacy and disclosure of   personal data. In other words, KVKK Law No. 6698 which was brought into force on April 7, 2016 in the Official Gazette governs the rules – according to which the collection, processing and storage of personal data-  must be respected in order to ensure the protection of individuals’ fundamental rights.

On a broader scale, the GDPR which came into force on May 25, 2018  came as a succession to the Directive 95/46/EC of the European Parliament and of the Council of 1995 on free movement of personal data and its protection.


Unlike KVKK which is exclusively related to Turkey,  GDPR aims to ensure data security for people residing in the European Union.  Under the GDPR, data is not only restricted to those who process personal data in the European Union, but applies to all those who process, store or collect data from people residing in the European Union regardless of their location.

That is to say, Turkish legal or natural people processing EU residents’ personal data are recquired to comply with the KVKK in the first instance, and had they processed EU resident’s personal data, GDPR regulations are to be applied as well.


GDPR : the main data controller.

It is important to highlight that the GDPR is considered to be the most prevalent set of data protection rules with 99 individual articles. Indeed, it is after 4 years of negotiations that GDPR was adopted by both the European Parliament and European Council in April 2016. Therefore, countries were allowed to amend some aspects of the GDPR in order to suit their needs.  Especially when the data protected can be classified as sensitive since it could include, racial or ethic origin, political opinions, religious beliefs, membership of trade unions, genetic and biometric data, health information and data around a person’s sex life or orientation. In this vein, the UK has created the Data Protection Act (2018).


Obligations under GDPR :

Against this backdrop, seven  principles were enumerated under article 5 of the GDPR legislation, aiming to explicitly dictate how EU residents’ personnel data should be  be handled.

  • Lawfulness, fairness and transparency.
  • Purpose limitation.
  • Data minimisation :organisations should not collect more information that what they actually need.
  • Storage limitation.
  • Integrity and confidentiality (security) : personal data must be protected against any unlawful processing (protection against identity theft, or hacking …). .
  • Accountability : organisation are expected to report how their users’ personal data is being managed.

Indeed, the seven principles aforementioned are by no means absolute rules. Indeed, GDPR does not shed light on which security practices shall be adopted. However, they merely outline the central lines of the GDPR regime.

In this sense,  protected access and websites encryption should be implemented. Nonetheless,  it is no secret that security practices must be adapted to every organisation’s activity.  For instance, a bank should protect its information in a more vigorous way than any other type  of organisation.


What are your rights under GDPR ?

The rights to be informed :

Organisations are entitled to inform individuals as to which of their data is being collected and for what purpose.

That is to say, organizations are required to disclose the nature of all process to which their data has been subjected.


The right of access :

Every individual is in right of submitting a DSAR – Data Subject Access Requests –  which compel orgnisations to provide  individuals  with any copy of data stored on them.


The right to rectification:

An individual is entitled to discover the information an organisation holds on them, is incorrect and inaccurate.  Therefore,  he can ask for it to be rectified.

The organisation has one month to abide by the request.  – ( save that some exceptions may apply).


The right to erasure :

The right to be forgotten , can be requesetd by any individual who wishes its data to be erased . Whether the data is no longer necessary or the reason for which it was collected is no longer lawful, the right to erasure prevails.


The right to restrict processing :

Individuals can enquire  an organization to restrict how their personal data is used.


The right to data portability :

Individuals are allowed to reuse their personal data   in various services, for their own purposes.


The right to object :

Had the personal data been collected on the grounds of lawful and legitimate interest, individuals retains the right  to object their processing.

Consequently, organizations are expected to comply with the individual’s request, unless they can demonstrate the existence of legitimate grounds for overriding the individual’s interests, rights and freedom.


Rights related to automated decision-making (i.e profiling):

Given that  some decisions are reached without any human involvement,  GDPR made out provisions granting individual the right to object to the processing of their personnel data, if they believe that a breach has been committed on the organisation’s end.


Breaches and fines :

Organisations are either convicted to pay administrative fines or criminal ones.

Indeed, the Data protection Authorities ‘DPAs’ are the competent authorities determining  the types of charges and the nature of the breach based on several criterias :

  • If the organisation failed to obtain valid and express consent from its clients.
  • If the organisation failed to appoint a Data protetor Officiel while it is recquired to do so.
  • If the organisation failed to abide by the 7 GDPR principles ( mentionned above).
  • If the organisation failed to implement organisational security measures.

Accordingly, DPAs would charge the violating organisation one of the two fines made available under  the GDPR’s  83 and 84 articles.

  • The first level is  a € 10 million fine, or 2% of the global annual turnover of the company in the previous financial year.
  • The second level is a € 20 million fine , or 4% of the global annual turnover of the company in the previous financial year.

In fact, when 2% or 4% of the company’s turnover are respectively below the 10 and 20 Millions euros, the fines are then capped to the 10 and 20 millions euros fine. In contrast, if the percentage out of the turnover is higher,  the 2% and 4% of the global turnover is retained.


You can click the link to browse our other articles.

Summer Intern Nada ZARKAL

Att. Şükran Şevval KURNAZ


Follow us on Social Media

Son Yazılar

Hukuki Yardım Al

Danışmak istediğiniz her konuda bize ulaşın!