The Importance of Personal Data Protection Law Within the Scope of ESG

08.04.2024

Hande Çağla Yılmaz co-authored this article.


I. Introduction


The Corporate Sustainability Reporting Directive (“CSRD”) entered into force in the European Union (“EU”) on 5 January 2023, and the first set of European Sustainability Reporting Standards (“ESRS”) was published on 22 December 2023. The CSRD and the ESRS regulate companies' reporting processes in accordance with ESG, which stands for Environmental, Social and Governance. Regardless of the sector in which they operate, companies within the scope of the CSRD must report in accordance with the ESRS for financial years beginning on or after 1 January 2024.

 

The Turkish Public Oversight Authority also focuses on the field of corporate sustainability and issues regulations on sustainability reporting, taking the CSRD and the ESRS into account, within the scope of Art. 88 of the Turkish Commercial Code. Therefore, ESG reporting and compliance processes have begun to gain importance for companies in Türkiye.

 

ESG criteria are defined as a set of standards that show a company's vision, mission and behaviour in terms of sustainability. Under the Environmental criteria, how the company protects the environment, its compliance with environmental legislation and whether it implements sustainable environmental policies are considered. Under the Social criteria, how the company manages its relationships with its employees, suppliers, customers and all other stakeholders in its ecosystem is reviewed. Under the Governance criteria, the corporate structure of the company within the scope of ESG, the duties and responsibilities of managers, and the processes for ensuring internal and external controls are considered.


II. Data Protection Law Within the Scope of ESG

 

There are points at which the three ESG criteria coincide. These are “data” and “data security”. Examples of the relationship between the ESG criteria and data security may be given as follows:




All the issues mentioned above are regulated by data protection legislation in Türkiye. This legislation consists of the Law on the Protection of Personal Data No. 6698 (“PDPL”) and its secondary legislation, the guides, opinions and announcements of the Turkish Personal Data Protection Authority (“Authority”), and the decisions of the Turkish Personal Data Protection Board (“Board”) (together referred to as the “Data Protection Legislation”). The obligations of data controllers, which is the capacity in which most companies act under the PDPL, are summarized as follows:




In addition, carrying out a personal data protection compliance process reduces costs and minimizes existing risks in data governance processes. In other words, failure to comply with the principles of personal data protection law results in large costs for companies. For example, under the "data minimization" principle, which is one of the key principles of both the GDPR and the PDPL, companies do not collect or process data they do not need, and therefore do not need to invest in processing, storing and securing that data. However, this principle can only be implemented through a data protection compliance process. From another perspective, under both the GDPR and the PDPL, companies act as data controllers in most of their processes and may face substantial administrative fines if they violate these regulations. This too can only be prevented by carrying out a data protection compliance process.

 

In line with the above, we would like to mention some of the actions to be taken for the protection of personal data within the scope of ESG, including but not limited to the following:


- PDPL and GDPR Compliance Process,

- Compliance Process of Data within the Scope of ESG,

- Drafting Corporate Policies,

- Ethical Evaluation of Processes Processing Personal Data.

 

III. Conclusion


Protecting personal data and ensuring data security is one of the steps that companies should take within the scope of ESG. In this context, the PDPL and its secondary legislation are an integral part of companies' ESG journey. Therefore, compliance work must be carried out in order to fulfil the obligations under the PDPL, and audits must be carried out to determine whether that compliance is sustainable and embedded in the companies' business processes.

 

This website is available “as is.” Turkish Law Blog is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this website, and in no event shall they be liable for any loss or damages.