
What is GDPR? What are the Main Differences Between KVKK and GDPR?

The General Data Protection Regulation (GDPR), which entered into force on May 25, 2018, is a regulation that is valid and directly binding in all member states of the European Union and regulates the procedures and principles for the protection of personal data of EU citizens. Although the GDPR entered into force in 2018, work in the field of data protection had been under way in the European Union since the 1990s. On October 24, 1995, "Directive 96/46/EC of the European Parliament and of the Council of Europe on the Protection of Individuals with regard to the Processing and Free Movement of Personal Data" was published.

The GDPR concerns all organisations that process personal data of citizens within the European Union and provide goods and services to European Union member countries, regardless of whether they are resident or established within the European Union.

Although the KVKK and GDPR are legal regulations that serve the same purposes, they originated in different legal systems and contain provisions of different scope. There are therefore many differences between the KVKK and the GDPR, and one of the most important and striking concerns the fines imposed as a result of violations.

Main Differences Between KVKK and GDPR 

- The upper limit among the current administrative fines published by the KVKK is 2.678.863 TL, whereas in case of non-compliance with the obligations determined by the GDPR, the upper limit of the fine is determined as 4% of the annual turnover of the Data Controller in question or up to 20 million Euros.

- The GDPR includes the definition of "Data Protection Officer". The duty of the Data Protection Officer is to ensure that the personal data of the data subjects are processed in accordance with data security and data protection rules, while following the legal obligations of the Data Controller. Although there is no such concept in the KVKK, a programme regarding the Data Protection Officer certification exam has been published by the Authority in recent months. At the same time, the Authority made a public announcement explaining that this definition of Data Protection Officer does not have the same meaning as the Data Protection Officer ("DPO") in the GDPR.

- According to the KVKK, the decision-making mechanism responsible for the creation and management of the data recording system is considered the "Data Controller". Natural or legal persons who are Data Controllers are obliged to register with VERBIS if they meet certain criteria. There is no such Data Controller Registry Information System in the GDPR.

- According to the KVKK, only the Data Controller is the addressee of administrative fines. Under the GDPR, in the event of a data breach, the Data Processor is also liable, as the Data Controller is, and may be subject to sanctions.

The KVKK and the GDPR are largely similar, but some critical differences, such as the high criminal sanctions introduced by the GDPR, are of great importance for all persons subject to these regulations.
