Advantages of Appointing Outsourced DPO (Data Protection Officer) and DPR (Data Protection Representative)


The General Data Protection Regulation (hereinafter referred to as “GDPR”), which came into force in 2018 and aims to provide a uniform data protection system in the European Union (hereinafter abbreviated as “EU”) region, aims to establish a relationship between data controllers and data processors. It includes provisions regarding the appointment of the Data Protection Officer (hereinafter referred to as “DPO”) and the Data Protection Representative (hereinafter referred to as “DPR”) among the obligations of the processor[1]. Therefore, one of the obligations of Turkish companies that fall within the jurisdiction of the GDPR as data controllers and/or data processors is to appoint a DPO/DPR.

The conditions under which companies’ GDPR obligations begin are set out in the article governing the territorial scope of the GDPR. According to the relevant regulation[2], the GDPR applies in the following situations:

  • Regardless of where the processing takes place, operational activities are carried out within the EU (e.g., the company’s headquarters are located within the EU),
  • Providing goods or services to data subjects in the EU,
  • Conducting monitoring activities/studies on the behavioral profiles of data subjects in the EU.

If one of the situations specified above applies, companies are bound by the legal obligations in the GDPR. Companies that determine that they are subject to the GDPR should initiate compliance processes with GDPR legislation without delay. Otherwise, they will face administrative fines for not fulfilling their obligations arising from the GDPR[3].

Once it has been determined that a company is within the scope of the GDPR, the issue of DPO/DPR appointment, which has an important place among the actions to be taken, should be examined. This is because the most accurate way to provide a quick and systematic solution to the risk of criminal sanctions mentioned above is to develop a systematic road map that determines how the compliance process will be organized. The general job description and function of the DPO/DPR according to the GDPR is, within the framework of their technical and legal knowledge and competencies, to ensure the compliance of data processing activities with the relevant data protection legislation, especially the GDPR, and to manage the implementation of the appropriate operations and policies to be developed in this context[4]. The role acts as a bridge between the data protection authorities and the data controller and/or data processor, and includes remedying the deficiencies that need to be eliminated and structuring action management accurately at all stages of the process.

At this point, it would be appropriate to explain the difference between DPO and DPR. In accordance with the GDPR, a DPO must be appointed if the data processing of the data controller or data processor is systematic, is broader in scope, or includes special categories of personal data[5]. However, for companies whose data processing is not so comprehensive and systematic, assigning a DPR is sufficient and necessary in any case. The distinction in question rests on the fact that each company’s data processing differs from that of others.

Companies should be reminded that the selection for DPO/DPR positions must be made as meticulously as possible, since the person appointed needs to follow the work closely by evaluating the complaints, warnings and legal sanctions the company may encounter. In practice, two alternative routes exist for appointing a DPO/DPR. The first is to put an employee chosen within the company through a comprehensive training process so that they gain the theoretical and technical knowledge that the GDPR stipulates for a DPO/DPR and obtain the necessary qualifications. The other is to obtain outsourced service support, particularly because of the high level of professionalism the position requires. Although both options have successful examples in practice, choosing an outsourced DPO/DPR is less costly, more reliable and more secure than selecting in-house personnel. When appointing internal personnel, an interview process must first be conducted to assess the relevant person’s qualifications for the position, and a detailed evaluation must be completed of what training is required within the scope of the company’s data protection process. Additionally, in practice, in order to serve as a DPO/DPR, one of the certificates called CIPP/E, CIPP/US or CIPM issued by IAPP (originally known as the “International Association of Privacy Professionals”) is required[6]. It should also always be taken into consideration that the personnel selected as DPO/DPR, having undergone the intensive training and subsequent certification process mentioned above, may leave their job for various reasons and continue to work at another institution. In this context, it may be necessary to resort to a measure such as training more than one person for this task, which means an extra budget that the relevant institution must allocate[7]. Therefore, by appointing an outsourced DPO/DPR, it is possible to proceed with a more economical budget by avoiding a very gradual training (and certification) process. Similarly, thanks to the professional experience of an outsourced DPO/DPR, much more accurate, effective and rapid solutions will be produced on issues such as what the GDPR provisions mean in practice, what the demands and evaluations of various data protection authorities are, and how the risks borne by companies can be eliminated[8].

As a result, by appointing an outsourced DPO/DPR, it will be possible to obtain the high level of legal and technical professionalism required by the position while following a much more economical, result-oriented, fast and effective process.

 

References

IAPP, [Website], https://iapp.org/certify/, Online, (02.04.2024).

The EU Parliament and of the Council, General Data Protection Regulation, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN, Online, (02.04.2024).

Turan, Hasan Selçuk, “Kişisel Verileri Koruma Görevlisi (KVKG)”, [Blog], https://kisiselveri.com/kisisel-veri-koruma-gorevlisi-kvkg, Online, (02.04.2024).

[1] See also The EU Parliament and of the Council, General Data Protection Regulation, §80 and Part 4 Article 34 et seq., https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN, Online, (02.04.2024).

[2] See also The EU Parliament and of the Council, General Data Protection Regulation, Part 1 Article 3, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN, Online, (02.04.2024).

[3] See also The EU Parliament and of the Council, General Data Protection Regulation, Part 8 Article 83, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN, Online, (02.04.2024).

[4] See also The EU Parliament and of the Council, General Data Protection Regulation, §80 and Part 4 Article 34 et seq., https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN, Online, (02.04.2024).

[5] See also The EU Parliament and of the Council, General Data Protection Regulation, Part 4 Article 37, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN, Online, (02.04.2024).

[6] For more explanations and details, see also IAPP, [Website], https://iapp.org/certify/, Online, (02.04.2024).

[7] For similar explanations, see also Turan, Hasan Selçuk, “Kişisel Verileri Koruma Görevlisi (KVKG)”, [Blog], https://kisiselveri.com/kisisel-veri-koruma-gorevlisi-kvkg, Online, (02.04.2024).

[8] For similar explanations, see also Turan, Hasan Selçuk, “Kişisel Verileri Koruma Görevlisi (KVKG)”, [Blog], https://kisiselveri.com/kisisel-veri-koruma-gorevlisi-kvkg, Online, (02.04.2024).
