GDPR AND THE TERRITORIAL SCOPE IMPLEMENTATION GUIDE
The EDPB, the body established by the GDPR, the regulation recently added to Europe's data protection legislation, is responsible for issuing guidelines on the implementation of the GDPR. The Board, which has published 3 guides so far, most recently published a guide (the "Guide") on territorial scope, which is regulated under Article 3 of the GDPR. Before reviewing the Guide, a brief explanation of territorial scope is needed. First, the first paragraph of Article 3 clearly states that data controllers and data processors established within the Union fall within the territorial scope of the GDPR. In addition, the second paragraph of Article 3 states that the GDPR also applies to controllers and processors outside the Union in two cases. These cases are:
“(a) the offering of goods or services to such data subjects in the Union, irrespective of whether a payment is required; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
Before proceeding with the review of the Guide, however, Article 27 of the GDPR, which regulates the appointment of representatives for controllers and processors not established in the Union, must also be examined. In parallel with territorial scope, Article 27 regulates the representation of data controllers and processors that are not established in the European Union. Much like the obligation to register in the registry of data controllers in Turkey, Article 27 requires controllers and processors carrying out processing within the scope of Article 3.2 to have a representative within the European Union.
Since these issues are not clearly understood either in Turkey or in Europe, the need to interpret the article had already been voiced in the legal community, and the EDPB published the Guide to address it. The Guide is grouped under 4 main headings: it first examines the concept of "establishment", then the concept of "targeting", and in the next stage explains the processing relationship and representation, attempting to offer solutions through current examples.
- Evaluation of the Establishment Concept (Evaluation of Article 3.1)
The Guide first evaluates the concept of "establishment" in Article 3.1 of the GDPR, stating that an establishment does not require legal personality but rather the exercise of activity within the Union through stable arrangements. As an example, the Guide states that the Belgian branch or office of an automotive manufacturer established in the United States will be considered an establishment within the scope of its activities. To give an example from Turkey, the Romanian branch of a textile company established in Turkey, in which it holds shares, is an establishment falling within the scope of GDPR Article 3.1. However, the processing activity must be carried out in the context of the "activities" of that establishment. The Guide lists these activities and foresees two situations: returning to the Turkish textile company example, either there is an "inextricable" link between the processing activities of the company in Turkey and of the branch in Romania, or the processing activities are aimed at raising revenue in the Union. This affects many processes. In another section, an issue that concerns data subjects in Turkey rather than Turkish controllers is evaluated. For example, if a food delivery application that serves only Turkey is established in Italy, it must be evaluated within the scope of the GDPR, and the data subjects concerned will be able to benefit from the rights listed under the GDPR. Likewise, adapting the example given in the Guide, if a pharmaceutical company established in the Union conducts clinical trials on subjects in Turkey, the data subjects in Turkey will be able to benefit from the rights under the GDPR.
Within the scope of this regulation, the relationship between the controller and the processor is also addressed. This issue particularly concerns many software and service companies in Turkey and will require companies in these sectors to regulate it in detail in the contracts they have concluded and will conclude. According to the Guide, if a controller within the Union uses a processor from outside the Union, that processor must also comply with the legal and technical standards specified in Article 28(3) of the GDPR, and this must be set out in the contract. For this reason, processing companies that want to serve Europe in particular must be GDPR compliant and prepared for the obligations under the Regulation, which will also increase their competitiveness in commercial relations. In addition, controllers in Turkey that work with processors in Europe have the right to demand compliance with the standards in Article 28(3), and it is recommended that they proceed on the basis of such a contract. A detailed contractual regime should therefore be prepared, providing an appropriate framework for the controller or processor depending on the nature of the processing activity.
- Evaluation of the Concept of Targeting and Monitoring (Evaluation of Article 3.2)
Targeting is the issue that controllers in Turkey most need to evaluate, and it is the most controversial issue in the implementation of the GDPR. The Guide first defines data subjects "in the Union". This definition is interpreted to cover not only persons residing in the Union but also persons who are present in the Union at the time of the targeting. For example: a "start-up" based in Ankara sells personalized walking programs in London and Paris through the watches it sells and advertises them there. If the service targets not only Turkish customers but the whole world, the company established in Ankara must be GDPR compliant in respect of this activity. However, if the service is only for Turkish customers, the law to be considered is the KVKK.
Secondly, the offering of goods or services to persons in the Union, irrespective of whether payment is required, is evaluated. Here the Guide relies on the former "Working Party 29" and various court decisions. I am quoting the example given in the Guide verbatim. Turkey is in fact mentioned in the Guide, which evaluates the activities of a controller in Turkey that makes, edits and sells photo albums. This controller provides the service to 3 countries, its website is available in the languages of 3 different Union countries, and it accepts payment in various currencies. The Guide states that this website falls within the scope of Article 3.2 of the GDPR and that the company must appoint a representative in accordance with Article 27 of the GDPR.
- Concept of Monitoring
Finally, the concept of monitoring the behaviour of data subjects is addressed. The Guide states that monitoring requires not only the processing of individuals' data but also additional elements, grouped under two main headings: behavioural analysis and profiling. Examples given in the Guide include behavioural advertising, user tracking with "cookies" or other methods, market research and other behavioural studies. If a marketing or software company in Turkey monitors the movements of people in a shopping mall in Sweden via Wi-Fi tracking and provides an analysis, the processing must be evaluated within the scope of the GDPR and the company must appoint a representative within the meaning of Article 27.
- Evaluation of the Concept of Representative (Evaluation of Article 27)
If a controller or processor falls within the scope of GDPR Article 3.2 and the processing is regular and involves sensitive data, there is an obligation to appoint a representative. A Turkish company in the situations described above must therefore appoint a representative. The Guide states that the appointment can be made under a service contract, that its conditions must be set out in that contract, and that the representative is distinct from the DPO introduced by the GDPR. The representative's details should also be provided to data subjects in the companies' privacy policies or information notices. The EDPB recommends that the representative be appointed in the Member State where the company carries out most of its processing activities. The duties of the representative listed in the Guide include acting as the point of contact between data subjects and the controller or processor regarding their rights, keeping the records of processing activities provided by the controller, and ensuring communication with the data protection authorities. However, the Guide clearly states that the main purpose of appointing a representative is to ensure that enforcement measures can be applied. For this reason, representatives may be held jointly and severally liable for administrative fines, and this purpose should be taken into account when concluding the service contract.
- Conclusion
To summarize:
- If the data of data subjects who are Turkish citizens living in Turkey is processed by a controller established in the Union, those data subjects will be able to benefit from the rights under the GDPR.
- Even companies that act only as data processors, especially in fields such as software, consultancy and technology, are indirectly subject to the GDPR if the company for which they process data is subject to the GDPR. This will increase the competitiveness of many companies located in Turkey.
- If a controller established in Turkey has targeted European Union citizens, its GDPR responsibility is high: it must comply with the GDPR obligations and appoint a representative within the Union in accordance with Article 27 of the GDPR.
- A controller that monitors customers through technological or traditional means under the conditions stated above also falls within the scope of the GDPR, must comply with the GDPR obligations, and must appoint a representative within the Union under Article 27 of the GDPR.
There are various conditions for appointing a representative; these must be evaluated and the process carried out under an appropriate contract. In addition, the EDPB states in its latest information note that it will soon begin inspections and that controllers should comply with these guidelines as soon as possible.