Baran Baş
In an era dominated by technological advancements and a digital landscape, the intersection of data privacy and competition law has become increasingly vital for businesses striving to achieve compliance. This information note explores the nuanced relationship between data privacy considerations in competition law compliance projects, shedding light on key aspects that demand meticulous attention from compliance practitioners and businesses alike.
Businesses across various industries are crafting approaches to access and utilize data effectively. Accordingly, the regulation of personal data collection and utilization is intensifying across numerous sectors, including health, finance, transport, and tourism. Gathering and leveraging consumer data has become a fundamental part of many companies’ operations, enabling them to introduce innovative services and products. In this evolving landscape, the interplay between competition law and personal data protection is receiving heightened scrutiny, underscoring the need for a nuanced approach to ensure both competitive fairness and privacy safeguards.
In the light of the information above, understanding the complex web of data protection and competition laws is fundamental. Under Turkish law, the main pieces of legislation in these fields are Law No. 6698 on the Personal Data Protection and Law No. 4054 on the Protection of Competition.
In fact, this intersection encourages the relevant administrative authorities to co-operate. The Turkish Competition Authority and the Turkish Personal Data Protection Authority, for example, signed a “Cooperation and Information Sharing Protocol” on 26.10.2023[1]. Collaborations between competition and data protection authorities, as observed in other countries like France, underscore the essential nature of their partnership in addressing the complexities of modern business practices. This demonstrates the critical need for cooperation between data protection and competition regulatory bodies to navigate the intricate landscape of all markets, and digital markets in particular, effectively.
In this respect, the recent Meta v. Bundeskartellamt ruling by the Court of Justice of the European Union (CJEU) is highly instructive. The decision highlights the intertwined roles of competition and data protection authorities in the digital economy. The court recognized that access to and processing of personal data are crucial competitive factors, indicating that competition and data protection laws cannot operate in isolation. It affirmed that national competition authorities can consider GDPR infringements when assessing abuses of dominant positions and emphasized the importance of consent validity in cases of dominant data controllers, illustrating how data protection principles can influence competition analysis.
Data Collection and Processing in Competition Compliance Projects
Competition law compliance projects often involve the collection and processing of vast amounts of personal data and, in some cases, sensitive personal data. The discussion extends beyond mere competition parameters to include the establishment and reinforcement of market power, notably the ability to affect prices to the detriment of consumer welfare. It also scrutinizes corporate behaviour that imposes conditions unfavourable to users for commercial gain, particularly in the context of personal data processing. This approach underscores the need for vigilant oversight of practices that may exploit consumer data to consolidate market dominance and/or restrict competition.
Within the scope of a competition compliance project, compliance practitioners (whether in-house or outsourced) gain access to the written communications (e-mails, chat correspondence, sector-specific communication channels such as Bloomberg chat, etc.) of the relevant undertakings’ employees that match specific keyword searches. Although the keyword lists prepared for such projects usually consist of generic keywords such as “competition” or “competitor”, it is not unusual for compliance officers to extend the list to specific competitor names (e.g. “X Company Ltd”). As work-related written communication channels are sometimes used for personal communication, compliance practitioners may come across personal data such as an employee’s identity, location and even personal preferences. In this respect, addressing how this data is handled, ensuring compliance with data protection principles, and securing the necessary consents become paramount.
Data Security Measures:
Given the sensitive nature of the information involved in competition law compliance projects, robust data security measures are imperative. Employing encryption, access controls, and regular risk assessments can fortify the protection of data, reducing the likelihood of breaches that could lead to legal repercussions.
Privacy by Design and Default:
Integrating privacy considerations into the very fabric of competition law compliance projects through a ‘privacy by design and default’ approach is not just good practice – it’s a legal obligation. Proactively embedding privacy measures minimizes the risk of non-compliance and ensures that data protection is at the forefront of every project stage.
Data Retention and Deletion Policies:
Clearly defined data retention and deletion policies are integral to compliance. Striking a balance between retaining necessary information for compliance purposes and respecting individuals’ rights to have their data deleted is essential. This meticulous approach aligns with both competition and data protection laws.
Continuous Compliance Monitoring:
Compliance with data privacy and competition laws is an ongoing process. Therefore, carrying out a single compliance project and then leaving the undertaking on its own is not a viable option. Implementing mechanisms for continuous monitoring and adapting to evolving legal landscapes is key. Regular audits, staff training, and updates to policies demonstrate a commitment to compliance and minimize legal risks.
Conclusion:
As undertakings navigate the intricate landscape of competition law compliance projects, a holistic understanding of data privacy considerations is non-negotiable. By intertwining the principles of data protection with the requirements of competition laws, undertakings active in Türkiye can not only meet legal obligations but also foster a culture of trust and responsibility in the digital age.
As Baş | Kaymaz Law Firm, we offer comprehensive consultancy and representation services in the fields of data protection and privacy and competition law to both national and multinational clients with our specialized and experienced lawyers.
[1] Please see the announcements made at the Turkish Competition Authority’s official website here.
Please also see the announcement made at the Turkish Personal Data Protection Authority’s official website here.


