General Data Protection Regulation (GDPR)
GDPR is a key regulation that redefines data privacy rules for companies operating in the EU or serving EU citizens. In this article, we break down its scope, core principles, and real impact on businesses in a clear and practical way.

Alperen Turhal
Tech Lawyer

Are you looking to do business internationally, or do you dream of selling products or services to a company abroad?
Before you can make any of this a reality, there is a crucial regulation you need to be aware of: the European Union’s General Data Protection Regulation (GDPR). This regulation, which also forms the basis for the recent amendments to Türkiye’s Law No. 6698 on the Protection of Personal Data, has fundamentally transformed the way personal data is processed, protected, and transferred worldwide.
What Is the GDPR?
The European Union’s General Data Protection Regulation (GDPR) was published on May 4, 2016, and entered into force on May 25, 2018.
This regulation, which comprehensively governs the processing, protection, transfer, and storage of personal data, has impacted everyone who handles data related to European Union citizens.
In effect, this regulation, known as the GDPR, has rewritten the rules of the game for every company seeking to do business within the European Union.
Who Does the GDPR Apply To?
The GDPR protects only natural persons with regard to their personal data. However, the regulation extends beyond the borders of the European Union to cover all organizations that process the personal data of EU citizens, regardless of whether they are established within the European Union.
Establishment and targeting are the two key criteria here.
Establishment Criterion
If a data controller or data processor operates within the borders of the European Union, it is subject to the provisions of the GDPR.
Targeting Criterion
Any company that offers goods or services to European Union citizens is required to comply with the provisions of the GDPR.
The GDPR’s impact beyond the borders of the European Union is also shaped by these two criteria.
Processing of Personal Data Under the GDPR
Processing and protecting personal data impose significant obligations on data controllers and data processors. It is also worth noting that the concept of personal data is defined quite broadly.
Processing of Personal Data
Anyone responsible for processing data under the GDPR must conduct and manage the process in accordance with the seven fundamental principles set forth in Article 5 of the Regulation.
- Lawfulness, fairness, and transparency of data processing
- Processing of data limited to specific, explicit, and legitimate purposes (purpose limitation)
- Conducting data processing activities only to the extent that is adequate, relevant, and necessary (data minimisation)
- Ensuring that processed personal data is accurate and kept up to date
- Storing data only for as long as necessary for the stated purposes (storage limitation)
- Implementing the technical and organizational measures needed to ensure data security (integrity and confidentiality)
- Being able to demonstrate compliance with the above principles to auditors and supervisory authorities (accountability)
Legal Bases Under the GDPR
Personal data may be processed under the GDPR based on the six different legal bases specified in Article 6. The relevant legal bases can be summarized as follows:
- Explicit consent
- Performance of a contract
- Compliance with a legal obligation to which the controller is subject
- Vital interests of a natural person
- Public interest
- Legitimate interests of the organization that do not infringe upon the fundamental rights and freedoms of the individual
Rights of Data Subjects
Under the GDPR, individuals have the right to request the following from the data controller during the processing of their personal data:
- Right to information
- Right of access
- Right to rectification
- Right to erasure (right to be forgotten)
- Right to restriction of processing
- Right to data portability
- Right to object
Under the GDPR, the data controller is designated as the primary party responsible for processes related to the processing and protection of personal data. While data processors are also subject to certain obligations, the primary responsibilities rest with the data controller.
There are two additional points that all relevant institutions and organizations, particularly companies, must pay close attention to under the GDPR. First, a data protection impact assessment must be conducted prior to any data processing activities that involve the use of new technological tools and pose a “high risk” to individuals. Second, public institutions and organizations, as well as entities processing sensitive data, are generally required to appoint a data protection officer within their own organization.
GDPR Sanctions and Administrative Fines
The GDPR requires data controllers to notify the relevant authority within 72 hours of becoming aware of a personal data breach that could pose a risk to individuals’ fundamental rights and freedoms.
In cases where personal data is processed in violation of the rules and obligations set forth in the GDPR, significant administrative fines are imposed on data controllers.
For example, the 1.2 million euro administrative fine imposed on Meta by the Irish Data Protection Authority in 2023 stands as the highest-ever administrative fine issued under the GDPR.
Conclusion
It can be said that the GDPR has fundamentally reshaped the landscape of data privacy by introducing highly detailed regulations for any organization seeking to operate in connection with the European Union. Given the detailed nature of the requirements data controllers must comply with and the high amounts of administrative fines imposed for non-compliance, it is essential to work with specialized teams in this field.

Written by
Alperen Turhal
Tech Lawyer
He graduated from the Ankara University Faculty of Law. He then completed his mandatory legal internship at a corporate law firm in 2025 and obtained his attorney’s license. Within Karakod, he actively works on the Legalifi RegTech software, focusing particularly on intellectual property law (trademarks), personal data protection, and AI law.

