Comparing privacy laws: GDPR v. LPPD
Sanjay Shintre
CEO & ServiceNow Digital Transformation Leader | IRM, ITAM, ITOM, CMDB, FinOps, AI Expert | Empowering Global Enterprises with Innovation & Strategic Expertise
On 25 May 2018, the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') came into effect and replaced the Data Protection Directive (Directive 95/46/EC). The Law on Protection of Personal Data No. 6698 ('the LPPD') was published in the Official Gazette of Turkey, numbered 29677, on 7 April 2016 and entered into force.
The LPPD is the first general data protection law in Turkey and is largely based on the former European Data Protection Directive. Secondary legislation introduced in Turkey in the form of regulations and communications has, though, led to developments similar to the changes brought about in the EU by the GDPR.
There are several areas in which the GDPR and the LPPD bear a strong similarity, including, for instance, their material scope. Both the GDPR and the LPPD provide comparable definitions for key concepts such as 'processing', 'personal data' and 'sensitive data', and apply to the processing of personal data by automated means or non-automated means if the data forms part of a filing system.
In addition, the GDPR and the LPPD correspond in respect of the general responsibilities they set out for both data controllers and data processors, such as obligations relating to several data subject rights, data breach notifications, and data security measures. These parallels are particularly close in some instances; for example, both the GDPR and the LPPD provide for a 72-hour timeframe for a breach notification to the competent supervisory authority. Nevertheless, there are some key differences between the GDPR and the LPPD.
In particular, while the GDPR expressly provides that data controllers and data processors maintain a record of their processing activities, the LPPD does not establish such an obligation. Unlike the GDPR, however, the LPPD requires data controllers to register in the Data Controller's Registry System ('VERBIS').
In their application to VERBIS, data controllers subject to the LPPD must provide information similar to that which data controllers are required to include in their records of processing activities under the GDPR. Further differences can be found in relation to requirements for Data Protection Impact Assessments ('DPIAs'), data protection officers ('DPOs'), children's data, and pseudonymised data.
The LPPD is also less explicit than the GDPR in relation to its extraterritorial scope and provides a more varied set of mechanisms for cross-border data transfers.