EXPERT INSIGHT 70 WWW.LAWYER-MONTHLY.COM | MAY 2022 About Batu Kınıkoğlu Batu Kınıkoğlu is a partner at Hamzaoğlu Hamzaoğlu Kınıkoğlu Attorney Partnership (HHK). He advises clients on a wide range of issues including data protection, information privacy, cybersecurity, fintech and telecommunications law. His expertise also includes copyright law and opensource software licensing. He is a Legal 500 Recommended Lawyer in the IT & Telecoms and Intellectual Property practice areas and was selected as a Global Leader and a Thought Leader in Data Privacy & Protection by Who’s Who Legal. He is also a lecturer at Sabancı University and Istanbul Bilgi University, teaching graduate courses on European Data Protection Law and Cybersecurity Law. About HHK HHK is an Istanbul-based law firm specialising in technology law, helping its clients transform their companies in line with the challenges and opportunities brought by technology and the digital world. Working across sectors and with a variety of clients ranging from innovative startups to large multinational corporations, HHK has been selected as a leading firm by Legal 500 in the IT & Telecoms category every year since its establishment. Batu Kınıkoğlu Partner Hamzaoğlu Hamzaoğlu Kınıkoğlu Attorney Partnership Koşuyolu Mah. Koşuyolu Cad. No:64/2 34718 Kadıköy/İstanbul Tel: +90 216-807-1445 E: firstname.lastname@example.org www.hhklegal.com Law such as Article 3 of the GDPR. The Turkish Data Protection Authority states that data controllers must comply with the DP Law if they process personal data of data subjects in Turkey, regardless of where they are established. With no clear criteria such as the establishment or targeting/ monitoring criteria envisaged in the GDPR, any data controller processing personal data of a data subject in Turkey can fall within the scope of the DP Law and the jurisdiction of the Turkish Data Protection Authority. This has several consequences for data controllers established abroad. First, any data controller processing personal data of data subjects in Turkey must register to the data controllers’ registry called VERBIS, which is managed by the Turkish Data Protection Authority. These companies must appoint a representative, which must be a legal entity established in Turkey or a Turkish citizen. The Turkish Authority has the power to issue administrative fines to companies for failing to register to the registry. Second, in the case of a data incident, these companies must notify the Data Protection Authority within 72 hours if the data of data subjects in Turkey have been breached. Because the Turkish Authority can act ex-officio and investigate any data incident without the notification of the data controller, there have been cases where the Turkish Authority issued administrative fines to foreign data controllers both for the data incident involving data subjects in Turkey and not dully notifying the Authority about the incident in time. I do not think that principles such as privacy must necessarily create a barrier for organisations to best utilise the data they process. What do you see in the future of data privacy in Turkey? What challenges will have to be overcome for organisations both domestically and internationally? Data privacy regulations provide both challenges and opportunities for corporations in Turkey. Six years after the enactment of the first general data protection law in Turkey, corporations have built up the necessary knowhow and continue to create awareness among their employees and business partners. We see companies re-think their business models to cope with the digital age, and the only way they can bet realise the value of data is if they acquire and process personal data lawfully in the first place. I do not think that principles such as privacy must necessarily create a barrier for organisations to best utilise the data they process. Corporations can transform into data-driven organisations and respect the related data privacy principles at the same time. The past years have shown us that this respect can even be used as a competitive advantage.