The 'Right To Be Forgotten': A Comparison Between GDPR vs. Turkish Data Protection Law

• Published date: 26 August 2020
• Subject Matter: Privacy, Data Protection
• Law Firm: Cetinkaya Attorneys at Law
• Author: Mr Altug Ozgun

In Greek Mythology the river "Lethe" has a significant standing. Lethe was the underworld river of oblivion. A mere drop from the river can make someone begin to forget their whole identity. In today's social media world where nearly every life is lived online, data protection legislations also enables and defines the right to be forgotten as not a myth but a real designated right to every individual.

Right for privacy or private life arose in the European continent with the European Convention on Human Rights in 1950, with Article 8 for Right to respect for private and family life. With the improvements in technology and data transfers; Data Privacy rights have emerged under the right for privacy as a new evolving issue which deals with utilizing data while protecting individual's' privacy preferences and their personally identifiable information.

The European Commission has dedicated immense time and effort into creating a legislation that boasts a solid protection of personal data against potential violations, while imposing precautions in order to ensure the protection of fundamental rights. Since the Directive 95/46/EC (Directive), the main objective of all legislation pertaining to the protection of personal data, has been a struggle of balancing fundamental rights against rights depending on the circulation of information. In doing so, they've introduced preventative measures for foreseeable violations. The current General Data Protection Regulation (GDPR) and the Turkish Data Protection Law (TDPL) are established on identical principles. Granted that the implementation and practicality of all legislations differ once reviewed in depth. The right to be forgotten exists among these laws but the extent of the application of the right varies.

General Data Protection Regulation (GDPR):

The GDPR, published in April 2016 and effective from May 2018, provides a right to erasure of personal data. Although, the Directive had already laid down the right to be forgotten as a principle, the GDPR, undoubtedly, has given the principle flesh and bones. According to Article 17 (1) of the GDPR, 'The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay'. The article continues with a list of specific circumstances for when the data subject can invoke his or her right. These include; if the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed or if the data subject withdraws consent on which the processing is based.

It is predominantly clear that the GDPR has provided a profound groundwork for how the right to erasure can be exercised. The rights of the data subject have been guarded against potential problems arising after the data has been obtained.

Article 17 (2) of the GDPR specifies that the data controller who has made the personal data public, should take reasonable steps, including technical measures to erase the data upon request of the data subject. Ergo, if the data subject has been granted the right to erasure under Article 17 (1), the data controller should do everything, including notifying all involved controllers, to make sure the data is erased from all sources along with 'any links to, or copy or replication of, those personal data'.

Scope of GDPR:

The GDPR has a universal application. According to Article 3, the territorial scope of GDPR goes as far as to include 'the processing of personal data in context of the activities of an establishment of a controller or a processor in the...