The European Union has adopted the General Data Protection Regulation (GDPR) in May 2016 and granted time for compliance until May 2018. That period for compliance sparked a set of queries for foreign companies dealing with activities in Turkey and companies with affiliates abroad. This circular herein is gathered intended to reveal the scope of GDPR compliance and in what way the data transmission will be handled. The companies operating in Turkey to exist within the scope of GDPR have been identified at the Article 3 titled as "Territorial Scope" of the regulation. Pertaining to that, GDPR could be implemented in three circumstances pursuant to the aforementioned article; - Within the borders of EU, It would be applicable for all personal data entered by any company concerning its operations regardless of its headquarters are located in EU countries or not. As per the first clause of concerning article, without seeking for a provision of performing the data registry activity within EU borders, it would be subject to GDPR if it's handled on behalf of an EU centered company or just the company itself.
- Concerning the Regulation herein, personal data of the related people in the European Union;
(a) Supplying goods and services to the related people within the community regardless of any requirements for making payments; or (b) It would be implemented on the data responsible or data processor operating with the aim of monitoring the attitudes within the community which is not established within the European Union. - The Regulation herein would be implemented on the Data Responsible occupied with processing data which is not established within the European Union but based on a location where Member Country Law pursuant to Public International Law is implemented.
When the matter is considered from the view point of multinational companies dealing with activities in various countries through its affiliates, companies with headquarters within the EU should be meeting certain conditions before transferring data into or out of the EU on behalf of their headquarters within EU. Personal data transfer to be made towards non-member countries –including the data transfer performed within the group of companies- is arranged in articles from 44 to 49 of GDPR in details. As per that, it's expected from an EU centered company that it should be totally sure if the conditions mentioned within the Law are met and needed level of protection required by GDPR is ensured when a data transfer to an affiliate located in a country not recognized as a safe country by the EU would be performed. In the circumstance that any contrariety in terms of maintaining the required conditions for data transfer to a non-EU country, indicated in the articles 44-49, companies will be facing administrative fines listed in the 5th clause of Article 83 within GDPR. As arranged in the concerning article, the higher amount willbe selected among 20.000.000,00-EUR or the amount equivalent to 4 % of the total global turnover for the previous fiscal year in setting the amount of penalty to be issued to the company in the circumstance that any violation is detected on terms of data transfer to third countries. The EU continuously reconsiders and renews the whole laws and regulations within this context to make its sensitivity and seriousness on GDPR obvious. Within this context, GDPR compatible cookies and the draft regulation on confidentiality has been shared on 12 January 2017. Detailed information on the concerning draft regulation is provided within our following circular. Our explanations provided above include general information on the issue. No responsibility can be claimed against
EY and/or Kuzey YMM ve Bağımsız Denetim A.Ş. due to the implications arising from the context of this document or emerging with respect to its context.
Best Regards,
Kuzey YMM ve Bağımsız Denetim A.Ş. | 
Print 
Go to Top 
