Turkish DPA: Compliance with GDPR Does Not Mean Compliance with Turkish Data Protection Law
On November 6, 2019 the Turkish Data Protection Authority ("DPA") published a statement on its website stating;
1- DPA reviewed privacy notices in several websites and notices that there are references to GDPR,
2- Privacy notices and relevant policies contain wording suggesting that the data controller is acting in line with the GDPR,
3- Such wording is not sufficient for compliance with Law on Protection of Personal Data ("KVKK") and
4- Privacy notices and relevant policies should firstly state that the controller is acting in line with the KVKK instead of GDPR.
Further, the DPA once again reminded the minimum content requirements for privacy policies which are
a- Identity of the data controller and its representative if any,
b- Purpose of processing,
c- Transfer of data to third parties and purpose of such transfer,
d- Method of data collection and legal basis for processing (by specifically stating any of the statutory justifications mentioned in Articles 5 and 6 of the KVKK)
d- Rights of the data subject under KVKK Article 11,
In light of the above, the Turkish DPA clearly states that compliance with the GDPR does not mean compliance with the KVKK, therefore specific compliance steps should be taken for KVKK.