EU General Data Protection Regulation: What Impact for Businesses Established Outside the EU

Turkey adopted its new Data Protection Law (“Law”) on 7 April 2016 as part of its efforts to harmonize its legislation with that of the European Union. The Law follows the principles set forth in the Data Protection Directive (95/46/EC) (“Directive”) and aims to adopt them largely as they stand.

This has been a big step for Turkey, as the draft data protection law had been waiting in the Turkish parliament for almost a decade. Some scholars criticized the Law for not following the EU General Data Protection Regulation (“GDPR”), which is expected to enter into force in the EU in early July 2018.

But frankly, Turkish entities, regulators and the judiciary have a lot to learn about the basic principles of data privacy and security, so opting to follow the Directive instead of the GDPR seems to be the right path for now.

During the summer of 2016 we are expecting amendments to certain provisions of the Law which significantly deviated from the Directive. For example, the exemptions from obtaining explicit consent when processing sensitive data are to be extended. These first amendments to the Law will primarily aim to successfully conclude the data privacy chapter with the EU. But Turkey's legislative efforts to harmonize its regulations with the EU will continue, and Turkish entities that do business with the EU will need to further take into account the impact of the GDPR on their businesses.

Our colleagues in the Greenberg Traurig Cybersecurity and Crisis Management group stressed that the most important thing to note about the GDPR is that if your company does any business in Europe or collects any personal data relating to European residents, the GDPR is likely to apply to your company, wherever it is located. Thus, any website or mobile application that promotes goods or services and is available for access by EU/EEA-based individuals – for example, if prices are provided in Euros – is within the scope of the GDPR. Such is also the case for any website or mobile application that contains code that allows the collection of data intended to be used for interest-based advertising.

To this end, we think that understanding the Directive and the GDPR will be essential for Turkish practitioners in the days and years to come. For those who are interested in knowing more about the GDPR’s possible impact on businesses established outside the EU, the Greenberg Traurig Cybersecurity and Crisis Management group’s article is a great source of information.