Author: Ecem Susoy Uygun
Introduction
The General Data Protection Regulation ("GDPR" or "Regulation")1, which was approved by the European Union ("EU") Parliament and entered into force in 2016, has been applied as of May 25, 2018. The GDPR lays down rules relating to the protection of natural persons ("data subjects") with regard to the processing of personal data, and rules relating to the free movement of personal data. The Regulation is intended to protect the privacy of data subjects more strictly, and to reorganize data privacy laws across Europe. It is also worth noting that international companies, as well as Turkish companies, are under the obligation to comply with the GDPR, provided that their activities fall under the scope of the GDPR.
Scope of the GDPR
Material Scope
Pursuant to Article 2 of the GDPR, the Regulation does not apply to the processing of personal data: (i) in the course of an activity that falls outside the scope of EU law; (ii) by the member states of the EU ("Member States") when carrying out activities that fall within the scope of Chapter 2 of Title V of the Treaty on European Union; (iii) by a natural person in the course of a purely personal or household activity; (iv) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
Territorial Scope
The territorial scope of the GDPR is extensive: it applies to the processing of personal data within the context of the activities of an establishment of a data controller or a data processor in the EU, regardless of whether the processing takes place in the EU or not. The Regulation also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities relate to the offering of goods or services, whether free of charge or not, to such data subjects in the EU, or to monitoring the behavior of EU data subjects within the EU. Therefore, international companies, as well as Turkish companies, are under the obligation to comply with the GDPR, provided that their activities fall under the scope of the GDPR.
Principles relating to the Processing of Personal Data
The GDPR sets forth the principles as to how personal data shall be processed. As per Article 5 of the GDPR, personal data shall be: (i) processed lawfully, fairly, and in a transparent manner in relation to the data subject; (ii) collected for specified, explicit, and legitimate purposes, and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes; (iii) adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed; (iv) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. The controller shall be accountable for compliance with the above-stated principles.