GDPR and Data Protection: Company Responsibilities and Compliance Processes


Writer: Enes TANIK


Contents:

Introduction: The Sociological Background of the Emergence of Data Law

1. The Emergence of the GDPR.

1.1. The Main Purpose of the GDPR.

2. Why Is GDPR Compliance Critical for Companies?

2.1. Administrative Fines – Right to Compensation and Liability.

2.2. Reliability and Competitive Advantage.

3. Fundamental Responsibilities of Companies.

4. Data Protection Measures in the Context of the Obligations of the Data Controller and the Data Processor.

4.1. Responsibilities of the Data Controller.

4.1.1. Data Protection Impact Assessment (DPIA)

4.1.2. Appointment of a Data Protection Officer (DPO)

4.2. Responsibilities of the Data Processor

5. Data Breaches and Notification Obligation.

6. Artificial Intelligence Technologies and Data Privacy.

6.1 Data Compliance Processes for Companies Developing AI Technology


Introduction: The Sociological Background of the Emergence of Data Law


The Historical Development of the Concept of “Data”:

In modern societies, the need for personal data protection is not solely related to the concern of safeguarding individuals’ private lives but is also directly tied to the risks created by the data-intensive nature of the digital age. Especially since the beginning of the 21st century, on a global scale:

  • The growing population has led to more people integrating into the digital world and an increase in international data flows.
  • With the widespread use of platforms such as e-commerce, social media, and online banking, individuals’ data began to be processed on a broader scale.
  • The development of technologies like big data, artificial intelligence, and machine learning has increased both the capacity to process data and the potential risks involved.
  • Commercial models have changed: data is collected in exchange for free services, and corporate policies increasingly aim at generating revenue from data.

Along with these developments, personal data has become an economically and strategically valuable commodity. Personal data not only identifies individuals but also functions as a source of power that can be utilized in sensitive fields such as personalized advertising and politics.

With the rapid advancement of technology and data processing techniques, the protection of personal data has also become a subject of growing importance in the legal sphere. The foundations of modern data protection law were laid in the second half of the 20th century and have reached their apex today through comprehensive regulations such as the GDPR.



1. The Emergence of the GDPR:

In the field of data protection law, the first significant legislative regulation was the “Hessian Data Protection Act,” enacted in 1970 in the state of Hesse, Germany. This law laid the foundation for modern data protection regulations and adopted the following principles:

  • Processing only the data that is necessary.
  • The right for individuals to be informed about how their data is processed.
  • The establishment of an independent supervisory authority.
  • Taking technical measures to ensure the security of personal data.

This law was revolutionary in terms of controlling data processing and protecting individual rights. However, its scope was confined to national borders and thus insufficient for the globalization of data flows.

With instruments such as the 1981 Council of Europe Convention No. 108 and the 1995 EU Data Protection Directive (95/46/EC), the European Union continued its action in this area and formed the basic framework prior to the GDPR.

Because these legal regulations were introduced gradually over time, they provided a solid foundation for companies’ compliance processes, making them more feasible in practice today. We can clearly see that countries with established foundations for data protection legislation have had a more transparent and smoother transition, whereas countries lacking such a basis and prior work have struggled with compliance. Consequently, this can lead to inadequate protection of our data—one of the most significant subjects brought forth by the digital age.

The General Data Protection Regulation (GDPR), which came into force on May 25, 2018, became the most comprehensive regulation in the European Union, setting the standards for personal data protection. Compared to previous data protection laws, the GDPR presents a broader, more modern framework with strict oversight mechanisms.

In this study, I will examine the responsibilities the GDPR imposes on companies, focusing on its fundamental aspects. As I analyze them, I will write up what I learn and share my findings with you.


1.1. The Main Purpose of the GDPR

GDPR ART.1:

  1. This Regulation lays down the rules relating to the protection of natural persons with regard to the processing of personal data and to the free movement of personal data.
  2. This Regulation protects the fundamental rights and freedoms of natural persons, particularly their right to the protection of personal data.
  3. The free movement of personal data within the Union shall not be restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

The primary purpose of the GDPR is to provide protection for individuals’ personal data during processing. In this context, the Regulation adopts both data protection and the free flow of data as core principles. Thus, we can say that the objective of the GDPR is formed around these two major pillars.

The GDPR’s aim of protecting personal data specifically focuses on the right to privacy and the security of personal data for data subjects. Data Security includes rights and freedoms such as the accuracy of personal data, the right to access data, data portability, and the right to be forgotten.

As a result of the digital age—marked by increased data processing capacity and a faster rate of international data flow—issues such as the Cambridge Analytica scandal have demonstrated both the importance of data and the inevitability of ensuring data security.



2. Why Is GDPR Compliance Critical for Companies?

The GDPR not only protects individuals’ rights to privacy but also imposes comprehensive obligations on companies in their data processing activities. Since May 25, 2018, under Article 3 of the GDPR, it applies not only to companies based in EU member states but also to all companies that process the personal data of EU citizens.

For this reason, complying with the rules set out in the GDPR has become a legal requirement for companies within its scope. You may have witnessed serious sanctions against companies and organizations that fail to meet these regulations.

Undoubtedly, the severity of these sanctions stems from the undeniable significance and critical role of both the “right to data” and “data” itself in modern society—one of the most important subjects the digital age has introduced to humanity, as mentioned above.

In today’s world, everyone has a unique identification number; we leave behind digital traces of our spending habits, travels, hospital visits, workplaces, and many other aspects of our lives—even if we don’t always notice it.

This is precisely why it is extremely important for companies and institutions that inevitably interact with our data to comply with international laws and regulations. Doing so ensures the protection of our fundamental rights and freedoms.

2.1. Administrative Fines – Right to Compensation and Liability:

Failure by companies that process data to comply with their legal obligations may result in liability for compensation (Article 82) and administrative fines (Article 83) as specified in the GDPR. When we examine these:

GDPR Article 83: Article 83 requires that administrative fines imposed on companies under the GDPR be effective, proportionate, and dissuasive. In determining the penalties to be imposed, the factors listed in Article 83(2) of the GDPR are decisive.

GDPR Article 83(2):

2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and on the amount of the administrative fine in each individual case, the following shall be taken into consideration:

In this context, factors such as:

  • (a) Seriousness of the infringement
  • (b) Intent or negligence
  • (c) Measures taken to mitigate damage
  • (d) Data security
  • (e) Previous infringements
  • (f) Cooperation with supervisory authority
  • (g) Type of data
  • (h) Notification of the infringement
  • (i) Previous sanctions
  • (j) Approved codes of conduct
  • (k) Financial gain

are taken into account in determining fines. Articles 83(4) and 83(5) of the GDPR also set out the minimum and maximum amounts of such administrative fines.

Pursuant to Article 83(4):

  • Non-compliance by the data controller or data processor with Articles 8, 11, 25 to 39, and 42 and 43;
  • Non-compliance by a certification body with Articles 42 and 43;
  • Non-compliance by a monitoring body with Article 41(4);

is subject to administrative fines of up to 10 million euros or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher.

Pursuant to Article 83(5), infringements of the following provisions:

  • Fundamental Principles of Data Processing: Articles 5, 6, 7, 9
  • Rights of Data Subjects: Articles 12–22
  • Transfers to Third Countries: Articles 44–49
  • Member State Law: Chapter IX
  • Non-compliance with Supervisory Authority Decisions: Article 58(2)

are subject to administrative fines of up to 20 million euros or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher.


GDPR Article 82:

GDPR Article 82 regulates the right of data subjects to claim compensation from the data controller or the data processor for material or non-material damages suffered as a result of personal data breaches. The data controller bears primary responsibility for the damage, while the data processor is only held liable if it acts contrary to instructions or directly violates its obligations. In breaches involving multiple parties, the data subject has the right to receive full compensation. The party that pays the compensation may claim reimbursement from the other liable parties in proportion to their share of the damage.

2.2. Reliability and Competitive Advantage:

I do not believe that the only reason the GDPR is critical for companies is the risk of fines. In today’s modern society, where the protection of data is directly related to fundamental rights and freedoms, we know that companies that fail to protect customer data—or do not place sufficient importance on it—lose users, face criticism, and risk significant penalties if a data breach occurs.

Therefore, we can say the following: GDPR compliance is a critical factor that enhances companies’ trustworthiness and offers a competitive advantage. Customers want to be assured that their personal data is processed and protected securely. A company that complies with the GDPR demonstrates respect for customer privacy and shows it takes its responsibilities regarding data security seriously. This transparent approach strengthens customer trust and bolsters brand reputation.

Consequently, strong commitments to data security and privacy help companies stand out in the market. Especially for companies operating in international markets, GDPR compliance enables them to be perceived as reliable partners in their business dealings. While data breaches and inadequate data protection practices involve the risk of severe financial penalties and reputational damage, companies that fully comply with the GDPR are protected from such risks and achieve a stronger market position. In short, GDPR compliance is a strategic necessity that enhances both reliability and competitive power.


3. Fundamental Responsibilities of Companies:


It is possible to evaluate companies’ fundamental responsibilities within the scope of the GDPR’s fundamental principles. In this regard, the points listed in Article 5 of the GDPR are of particular importance. These points also form the core principles of the GDPR.

Companies must process personal data in a lawful manner. The lawful grounds here include explicit consent, legal obligation, and contractual necessity. Data subjects must be informed of the reasons for data processing, and a transparent, fair, and balanced approach must be maintained throughout this process.

When companies collect data, they must inform the data subject transparently about the purpose of data collection; afterward, they cannot process the data for purposes contrary to that stated purpose. Archiving in the public interest, scientific and historical research, and statistical purposes—by anonymizing data in line with Article 89(1) of the GDPR—can constitute exceptions to this rule.

Under the principle of data minimization, data must be collected and processed only in a manner that is appropriate and sufficient for the purpose. Excessive or unnecessary data must not be processed.

Data minimization is a fundamental principle under the GDPR, meaning you should collect and process only the personal data that is absolutely necessary to achieve your purpose. You should implement internal procedures and routines to review this regularly.

The accuracy of data must be checked, and any incorrect data must be promptly deleted or corrected. Once the purpose of processing ends, the data must be deleted after any required storage period has passed. Exceptions to this are outlined in Article 89 of the GDPR.

Companies must implement appropriate technical and organizational measures to ensure the security of data. Security levels must be proportionate to the risks associated with data processing. For example, measures such as encryption, access controls, multi-factor authentication, and the appointment of a data protection officer should be taken. This way, data is safeguarded, and trust in the institution increases. You can find further examples of measures companies can take in the following sections of this text.

Within the scope of the GDPR’s fundamental principles, the data controller is responsible for complying with these principles and must be able to demonstrate such compliance. Consequently, companies should keep detailed records of their data processing activities, conduct regular audits, and ensure their staff receive adequate training on GDPR compliance.


4. Data Protection Measures in the Context of the Obligations of the Data Controller and the Data Processor

For companies and employees to properly understand compliance processes, they first need to learn what certain definitions mean. Before examining the obligations of the Data Controller and the Data Processor, it is useful to clarify these concepts.

Data Controller: A Data Controller is a natural or legal person who determines the purposes and methods of processing personal data. In other words, it is the party that decides which data will be collected, how it will be processed, and with whom it will be shared.

Data Processor: A Data Processor is a natural or legal person who processes personal data in line with the instructions of the Data Controller. The Data Processor does not decide how or why the data is processed; it merely carries out the processing activities within the framework determined by the Data Controller.


4.1 Responsibilities of the Data Controller:

The Data Controller is generally responsible for ensuring compliance and taking measures to demonstrate that compliance. In order not to violate the fundamental rights and freedoms of natural persons, the Data Controller should conduct risk assessments and adopt a risk-based perspective in line with the scope, context, and purpose of the data processed. Technical and organizational measures such as encryption, pseudonymization, access controls, data classification policies, and continuous updates must be taken, and the effectiveness of these measures must be verified.

The Data Controller must develop policies related to data protection. Through these policies, the measures taken can be effectively implemented and the awareness of company employees can be increased. Examples of potential policy topics include data collection and retention procedures, access controls, employee training, and awareness programs.

A Data Controller wishing to demonstrate that it has taken the necessary measures can use the approved codes of conduct and certification mechanisms specified in GDPR Articles 40 and 42. For instance, the Data Controller may obtain an ISO 27001 certificate to support its stance on these policies.


4.1.1 Data Protection Impact Assessment (DPIA):

When the use of new technologies or the nature, scope, context, and purposes of data processing indicate a possible high risk to the rights and freedoms of natural persons, the data controller is required to take a proactive approach by assessing the potential impacts of these processes on personal data security before starting the processing. After carrying out this assessment, the data controller must seek the advice of the Data Protection Officer before beginning any processing. Article 35(3) of the GDPR specifically indicates the circumstances in which a data protection impact assessment is required. These circumstances are:

  (a) A systematic and extensive evaluation of personal aspects relating to natural persons, based on automated processing (including profiling), on which decisions producing legal or similarly significant effects concerning natural persons are based.
  (b) Large-scale processing of the special categories of data referred to in Article 9(1) or of personal data relating to criminal convictions and offenses referred to in Article 10.
  (c) Systematic large-scale monitoring of a publicly accessible area.

While conducting the assessment, the data controller must consider:

  • The nature, purpose, and legal basis of the processing activities;
  • The alignment of these activities with their intended objective;
  • The identification of risks to the rights and freedoms of data subjects;
  • The measures to be taken against these risks.

If, upon completing the assessment, the data controller seeks advice from the Data Protection Officer, the controller must take that advice into account and document it.

As a result of this proactive approach, the data controller should maintain and update the assessment in response to any changes in circumstances and continue taking appropriate measures in line with the risks posed by the processing activities.


4.1.2 Appointment of a Data Protection Officer (DPO):

GDPR Article 37 stipulates that both the data controller and the data processor are required to appoint a Data Protection Officer (DPO) in certain data processing activities. The DPO is responsible for ensuring GDPR compliance and monitoring data protection processes.

The tasks of the DPO are listed in GDPR Article 39. In summary, these include:

  • Informing and advising the controller or the processor and their employees of their obligations under the GDPR;
  • Monitoring the organization’s compliance with all legislation related to data protection, including audits, awareness-raising activities, and the training of personnel involved in processing operations;
  • Providing advice regarding Data Protection Impact Assessments (DPIAs) and monitoring their performance;
  • Acting as a contact point for requests concerning the processing of individuals’ personal data and the exercise of their rights;
  • Cooperating with supervisory authorities and acting as the contact point for issues related to data processing.

A Data Protection Officer (DPO) is a significant position under the GDPR, and appointment is mandatory under specific conditions. The situations in which an organization must appoint a DPO are as follows:

  1. Where the processing is carried out by a public authority or body, except for courts acting in their judicial capacity (GDPR Article 37(1)(a));
  2. Where the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope, and/or purposes, require regular and systematic monitoring of data subjects on a large scale (GDPR Article 37(1)(b));
  3. Where the core activities of the controller or the processor consist of large-scale processing of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offenses referred to in Article 10 (GDPR Article 37(1)(c)).

A group of undertakings may appoint a single, central DPO for all its subsidiaries—for example, one DPO for all companies under a holding structure. However, in this case, the DPO must be easily accessible to each subsidiary.

Depending on their size, a single DPO may also be appointed for multiple public authorities.

Small and medium-sized enterprises (SMEs) that only process data occasionally and do not engage in large-scale or sensitive data processing, and where the conditions under GDPR Article 37(1) do not apply, are not obligated to appoint a DPO. However, appointing a DPO on a voluntary basis is recommended to enhance GDPR compliance and strengthen data protection processes. By appointing a DPO, a company increases its awareness of data protection, reduces legal risks, and bolsters its credibility.

The DPO must be an expert in data protection law and practices and must be capable of carrying out the tasks set forth in Article 39 as stated above.


4.2 Responsibilities of the Data Processor:

Under the GDPR, a data processor is defined as a party that carries out personal data processing activities in accordance with the instructions of the data controller and is subject to specific legal obligations. The GDPR sets out the responsibilities of data processors to ensure data security, protect the rights of data subjects, and maintain transparency in data processing operations.

  1. Data Processing Agreement: A written data processing agreement between the data controller and the data processor is mandatory. This agreement clearly defines the purposes of data processing, data security, confidentiality, and the obligations of the data processor. Examining the processor’s obligations in the agreement, we can list them as follows:
     (a) Acting according to documented instructions.
     (b) Ensuring confidentiality.
     (c) Taking technical and organizational measures.
     (d) Conditions for engaging sub-processors.
     (e) Supporting the data controller regarding data subjects’ rights.
     (f) Reporting data breaches and fulfilling security obligations.
     (g) Deleting or returning data to the controller when processing ends.
     (h) Allowing audits and inspections.
  2. Exceeding the Processor’s Authority: The data processor is required to process personal data only in accordance with the documented instructions of the data controller. If data is processed outside of these instructions, the data processor can be held directly liable.
  3. Ensuring Data Security: The data processor must take technical and organizational measures to ensure the confidentiality and security of personal data. These measures may include data encryption, pseudonymization, and establishing data security policies.
  4. Use of Sub-Processors: The data processor cannot work with sub-processors without the prior written consent of the data controller. If sub-processors are used, the data processor must pass on all of its GDPR obligations to the sub-processor and ensure the same level of security.
  5. Data Breach Notification Obligation: In the event of a personal data breach, the data processor is required to notify the data controller without undue delay.
  6. Assisting the Data Controller: The data processor must assist the data controller in meeting GDPR compliance by supporting data subjects’ requests, such as those related to data portability, deletion, correction, and access.




5. Data Breaches and Notification Obligations:

In the event of a personal data breach, the GDPR requires that the breach be reported to the competent supervisory authority and, when necessary, to the data subject.

The Data Controller is obliged to notify the competent supervisory authority within 72 hours of becoming aware of the breach if the breach poses a risk to the rights and freedoms of natural persons. If this 72-hour deadline is exceeded, the reason for the delay must be provided. When it is not possible to provide full notification at once, notification can be made in stages to the supervisory authority.

The notification must include details such as the nature of the breach, contact information, and possible consequences of the breach. For example:

  • The types of data affected (identification data, health data).
  • The approximate number of data subjects and the number of data records affected.
  • The Data Protection Officer (DPO)’s details and contact points where further information can be obtained.
  • Potential outcomes and effects of the breach (identity theft, data loss).
  • Measures taken or planned to mitigate any potential harm.

The Data Controller must document the personal data breaches, including information about the breach, its impact, and any remedial actions taken. This documentation enables the supervisory authority to verify compliance with the GDPR (Article 33(5)).

The Data Processor, upon becoming aware of a breach, is required to notify the Data Controller without undue delay.

If the breach presents a high risk to the data subject’s rights and freedoms, the Data Controller must immediately inform the data subjects, clearly stating the nature of the breach. This notification must be transparent and understandable. The scope and nature of the breach should be explained in clear language—avoiding technical jargon—and must include the DPO’s contact information, potential consequences of the breach, and any measures taken by the controller to mitigate those risks.

To summarize the responsibilities of both the Data Controller and the Data Processor:

  • Always adopt a risk-based approach toward the data and processing activities to prevent possible breaches.
  • Minimize the margin of error by taking necessary precautions and conducting awareness training.
  • Be capable of demonstrating the correctness of implemented policies (e.g., by obtaining relevant certifications).
  • React promptly to any breaches by taking the necessary actions immediately.

Furthermore, GDPR Article 30 sets out the record-keeping obligations of both the Data Controller and Data Processor regarding personal data processing activities.



6. The Relationship Between Artificial Intelligence Technologies and Data Protection Law:

When we look back at the past decade, we see that both data law and artificial intelligence technologies have evolved at a remarkably fast pace. I describe these kinds of developments as the “2ⁿ effect.” As these phenomena advance, the lack of fully established legal foundations and the inability to apply them in parallel can undoubtedly lead to various infringements and losses of rights. The European Union established the GDPR to protect data, building on a foundation laid over approximately 50 years. Yet the “European Union Artificial Intelligence Regulation,” which will govern AI systems that have already become part of many aspects of our lives—and will integrate into our lives even more quickly in the coming years thanks to the 2ⁿ effect—will not come fully into force until 2027. Moreover, 50 years ago, research on this topic was limited to computer technologies. (You can click here to read my article examining the European Union Artificial Intelligence Act.)

AI systems often operate using large datasets that may contain personal data. Therefore, data protection principles must be directly applied during the development and use of AI systems. Consequently, companies developing AI technology—both now and especially in the future—must comply with the GDPR and local data protection legislation more diligently. In my view, a data protection policy for an AI company should be more detailed and comprehensive than that of a standard company. Indeed, in the event of possible breaches in the future, it seems highly likely that companies will face significant fines arising from both the GDPR and the AI Act. Not to mention the reputational damage and loss of trust such companies would suffer under those circumstances.

6.1 Data Compliance Processes for Companies Developing AI Technology:

Companies developing artificial intelligence must currently pay closer attention to and implement the fundamental principles of the GDPR for compliance. In particular, they should comply with the principles of data minimization, transparency, and accountability; obtain the consent of data subjects; and implement technical and organizational measures to ensure data security. Additionally, they must act in accordance with GDPR Article 22 when engaging in automated decision-making and profiling activities, inform data subjects during these processes, and recognize their right to object. If the data used in AI systems includes sensitive data (such as health, biometric, or genetic data), explicit consent must be obtained for data processing, or the conditions for special data processing under the GDPR must be met.

A Data Protection Officer (DPO) should be appointed to ensure continuous oversight of data security. It is extremely important that the appointed DPO is not only an expert in data law but also specialized in AI and AI law.
