Cyber law 1: EU data protection rules and Turkey

Dünya Executive - BUSINESS BY LAW - EFE KINIKOGLU, PARTNER, MORAL LAW FIRM

As futurists always underline, we should not plan for or dream about the future; we are actually already living and conducting business in the future, which will with each passing day continue to evolve faster than we can recognize and adapt. On this subject, Einstein is quoted thus: “I never think of the future. It comes soon enough.”

However, we should do our best and one should start from somewhere to adapt to the developing cyber business world by learning more about data protection and its effect on our business.

Rather than listing the principles and rules of data protection in a theoretical manner, we believe it would be much more efficient to clarify some of the essential facts. Firstly, organizations should understand that "data" protection is not only about customer data or electronic data, nor only about hacking and cyber-attacks, and it is not merely an IT issue.

In the digital age, "data" is one of the most critical business assets and, unfortunately, the owner of this valuable asset is not the business. Data belongs to the data subject: the identified or identifiable natural person to whom the processed data relates. When you take a single picture of your workplace, you may capture a lot of personal data relating to your customers, employees, subcontractors' employees or their families, all of which deserves to be protected.

What is the EU doing about it?

Although it was, of course, late even at the time, since 2012 the EU Parliament has worked hard on drafting a brand-new piece of legislation, namely the General Data Protection Regulation ("GDPR"), to replace the Data Protection Directive ("Data Protection Directive") of 1995. Not surprisingly, it was decided in 2016 to grant a transition period of two years, until May 28, 2018, before this regulation took effect.

Even EU companies and EU businesses are under-prepared, so it is better to be late than sorry. According to EU-based reports and studies, most EU companies – or at least their technical infrastructure and most cloud applications that hold colossal amounts of personal data around the globe – are still not GDPR-ready. However, the current situation in the EU is, of course, much better than in Turkey, since EU companies started their preparations years ago; in Turkey there is only a handful of exceptions, thanks to chief legal counsels with great vision who have overcome the well-known last-minute Turkish business culture. The EU is now even discussing how to extend this culture beyond EU territory in order to protect EU-origin data outside the EU more efficiently.

Impact on Turkish business

Data protection is currently a really hot topic, not only in Turkey but all around the world. Turkish entrepreneurs in the business world have already started compliance procedures in accordance with the Law on the Protection of Personal Data No. 6698, but they should also consider the GDPR.

What is new?

The GDPR has a greater territorial scope than existing EU laws and so will apply to many more organizations around the world, even those outside the EU. Before the GDPR, the Data Protection Directive set the data protection and privacy framework for EU Member States, with each Member State also having its own data protection act and approach in accordance with the Directive. The goal of the GDPR is to harmonize and standardize data protection laws across the EU. The GDPR is truly exceptional since it is the first and only EU legislation that will have a direct effect even outside EU territory in cases involving EU-related personal data.

The GDPR sets out many new concepts, creates long to-do lists and imposes new obligations on the business world. However, the most important and worldwide change the GDPR brings is the "extra-territorial effect." Previously, European data protection legislation only applied to organizations established within the EU, or to organizations established outside the EU when they used equipment within the EU to process personal data. The GDPR, however, applies to organizations regardless of the country in which they are based or from where they are operated, unless they can prove they do not collect or process personal data drawn from the European market.

Who is affected?

The GDPR will impact every entity and quite a wide range of sectors. Organizations will be considered to be within the scope of the GDPR if they process the personal data of EU-based individuals by either offering goods or services to individuals within the EU and/or monitoring the behavior of data subjects within the EU.

This means that when a business has a website in one of the European languages, offers certain products or services to the EU, or offers transactions in euros or another EU-based currency, such a business is considered to be processing the data of, and targeting, EU-based data subjects.

As with EU-based businesses, non-EU entrepreneurs (businesses) should take a snapshot of their databases and analyze what personal data they hold and process, where it came from and who they share it with.

Next, they will have to initiate their compliance process immediately, considering that the GDPR brings many additional steps even for EU companies that currently comply with the Directive.

Non-EU businesses and entrepreneurs shall also appoint representatives within the EU to act as a point of contact for EU data subjects and regulators for the purposes of GDPR enforcement. However, the designation of the representative shall be without prejudice to legal actions that could be initiated against the respective controller or processor.

Costs and hefty consequences

The GDPR introduces significant fines, including revenue-based ones, which enable the Data Protection Authorities to impose fines for some infringements of up to 20 million euros or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. There is also a lower tier of fines for other breaches, up to the higher of 2% of worldwide turnover or 10 million euros. Data subjects who have suffered material or non-material damage as a result of an infringement have the right to receive compensation from the controller or processor for the damage suffered. Any non-compliance may also give rise to the loss of a significant number of customers, of the client portfolio or of market share at very short notice, especially once it is shared on social media, which may have an even greater effect on the business and reputation of the company.
