    Insights: Data Protection & Privacy

    Data Breach Notification Process: A Short Comparison Between EU and Turkish Law

    The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and Turkey’s Law No. 6698 on the Protection of Personal Data (“DPL”) are the key pieces of legislation governing data breach notification in their respective jurisdictions.

    New Guideline from the Personal Data Protection Authority: Considerations When Processing Genetic Data

    The Guideline on Matters to Consider when Processing Genetic Data (“Guideline”) was published by the Personal Data Protection Authority (“Authority”) on its official website on 13 October 2023. Although genetic data is not defined separately in the Law No. 6698 on the Protection of Personal Data (“Law”), it is treated as a special category of personal data. In this context, the Guideline lists the fields in which genetic data is used as (i) genetic analysis for diagnosis and treatment in the health field, (ii) genetic analysis to establish ancestry and descent, and (iii) genetic analysis to determine genetic predisposition.

    Turkish Data Protection Authority’s Recommendations on Sending Verification Codes in Stores

    The Turkish Personal Data Protection Authority published an announcement (“Announcement”) on 13 November 2023 regarding personal data processing activities in which a verification code is sent to data subjects via SMS while they shop in stores. The Announcement focuses on data controllers’ non-compliant processing practices during face-to-face shopping and provides several recommendations.



    Turkish Data Protection Board Fines a Private Healthcare Institution for a Mandatory Checkbox

    The Turkish Personal Data Protection Board (“Board”) evaluated a complaint that a private health institution had obtained explicit consent from patients unlawfully, in its decision dated 02.05.2023 and numbered 2023/692.

    Turkish Data Protection Board Fines a Private Hospital for Making Videos about Patients’ Treatments

    The Turkish Personal Data Protection Board (“Board”) evaluated a notice concerning a private hospital’s practice of obtaining explicit consent from patients for processing personal data, including health data, for advertising and promotion activities, in its decision dated 11.05.2023 and numbered 2023/787. In the notice, the data subject demanded that action be taken, stating that the private hospital, as data controller, requested explicit consent from patients through patient consent forms in order to share their photographs and videos with contracted media outlets for advertising and promotion purposes.

    A Fitness Center Processing Data Subject’s Blood Type

    The Personal Data Protection Board assessed a complaint against a fitness center for processing blood type information, which is health data and therefore a special category of personal data, without explicit consent. The Board imposed a fine of TRY 100,000 on the fitness center for failing to meet its obligations under Article 12 of the Law No. 6698 on the Protection of Personal Data. The center was instructed to provide the privacy notice and obtain explicit consent separately, as required by the law and the related guidelines. Allegations of improper data storage and unauthorized access to security camera footage were not substantiated.

    Change to the Conditions for Registration with VERBİS

    With the decision of the Personal Data Protection Board (“Board”) dated 06 July 2023 and numbered 2023/1154, published today in the Official Gazette, the “annual financial balance sheet total” amount, adopted as a criterion for the exemption from the obligation to register with the Data Controllers Registry (“VERBİS”), was reassessed in line with the economic conditions in our country.

    Changes to the Requirements for Registration to VERBIS

    The Turkish Personal Data Protection Board amended the exemption threshold for registration with the Data Controllers Registry (VERBİS) in light of economic conditions. The new threshold for the annual financial balance sheet total is TRY 100,000,000, up from the previous TRY 25,000,000. Data controllers with fewer than 50 employees and an annual financial balance sheet total below TRY 100,000,000 are exempt from VERBİS registration. The change took effect on 25 July 2023, and the exemption applies only to data controllers established in Turkey, not to foreign ones.

    The Latest On The EU-US Data Transfers

    The EU-US Data Privacy Framework received an adequacy decision from the European Commission on 10 July 2023. The decision allows personal data to be transferred from the EU to the US under certain conditions. However, concerns remain about the effectiveness and implications of the Framework. It follows the earlier Safe Harbor and Privacy Shield arrangements, both of which the CJEU invalidated over concerns about US surveillance practices. Organizations should monitor developments closely and comply with data protection rules to keep their transfers lawful.

    Change to the Annual Financial Balance Sheet Total Condition Among the Exemption Conditions for Registration with the Data Controllers Registry (VERBİS)

    As is known, an exemption from registration with VERBİS applied, based on annual financial balance sheet totals and annual employee numbers, to data controllers established in Turkey whose main field of activity is not the processing of special categories of personal data. With its decision published today in the Official Gazette, the Personal Data Protection Board amended the “annual financial balance sheet total” condition among the exemption conditions.

    Regulation on the Cyber Security Competency Model in the Energy Sector

    The Regulation on the Cyber Security Competency Model in the Energy Sector, published in the Official Gazette dated 06.06.2023 and numbered 32213, has entered into force. With this regulation, the Regulation on Information Security in Industrial Control Systems Used in the Energy Sector dated 13.07.2017 was repealed. Specific provisions were laid down for the security and reliability of the industrial control systems of legal entities holding licences in the energy market (Obligated Organisations). Under the Regulation, the competency model varies by energy sub-sector and consists of three basic competency levels. Obligated Organisations are required to complete, within the targeted period, the mandatory items tied to the level assigned to them. The Regulation aims to ensure that the sector is effectively protected in terms of cyber security.

    Regulation on Cyber Security Competency Model in the Energy Sector

    The Regulation on the Cyber Security Competency Model in the Energy Sector (“Regulation”) was published by the Energy Market Regulatory Authority (“Authority”) in the Official Gazette dated 06.06.2023 and numbered 32213. The Regulation entered into force on the date of publication; the Regulation on Information Security in Industrial Control Systems Used in the Energy Sector (“Repealed Regulation”) dated 13.07.2017 was repealed, and all references to the Repealed Regulation are deemed to be references to the Regulation.

    Sending Invoices Issued to Third Parties to a Data Subject’s E-Mail Address

    The Personal Data Protection Board addressed a complaint about the unlawful processing of personal data through the sending of e-invoices to a data subject’s e-mail address. Despite earlier instructions to implement security measures, the data controller continued sending invoices issued to third parties to the data subject. The absence of a verification mechanism and of a proactive approach violates the principle of accuracy and being up to date under the Law on the Protection of Personal Data No. 6698. Consequently, the Board imposed an administrative fine of TRY 200,000 (approx. EUR 6,954) and instructed the data controller to prevent such transmissions in the future.

    Exploring the Power of Privacy Enhancing Technologies

    PETs encompass tools, techniques, and methodologies that prioritize data security, data minimization, and individuals’ control over their data. The European Union Agency for Cybersecurity (ENISA) describes PETs as software and hardware solutions for privacy and data protection. PETs include technologies such as differential privacy, homomorphic encryption, zero-knowledge proofs, trusted execution environments, and more.

    Sending SMS for Marketing Purposes Without Explicit Consent

    The Personal Data Protection Board imposed a fine of TRY 30,000 on a data controller for processing personal data without explicit consent and failing to inform the data subject. The data controller sent marketing messages without fulfilling its legal obligations. Although the data controller apologized and corrected the practice, the Board found that a data breach had occurred and that the necessary security measures had not been taken, and imposed the fine for non-compliance with data protection law.

    Sending Commercial Electronic Message Without Obtaining Consent

    The Personal Data Protection Board assessed a complaint about a data controller sending unsolicited commercial e-mails to a lawyer’s work e-mail address without consent. The Board found that although the e-mail address had been made publicly available by the lawyer’s own actions, this does not justify processing the personal data for any purpose. Since lawyers are not considered traders or merchants, prior consent is required before sending them commercial e-mails. The data controller failed to fulfill its obligations under the law and was fined TRY 150,000. It was also instructed to respond to the unanswered information requests and to provide evidence that the data had been deleted.

    Sharing Statements Received from a Data Subject During a Job Interview

    The Personal Data Protection Board addressed a complaint in which a company shared information obtained from a data subject during a job interview with the data subject’s current employer. The Board found that this sharing violated the Personal Data Protection Law and imposed a fine of TRY 100,000 on the data controller. It clarified that the data controller’s obligation to respond to the data subject’s application was not suspended by an ongoing investigation, and warned the data controller to comply with the provisions of the law.

    Data Subject Requests Under Turkish Data Protection Law

    The Law on Protection of Personal Data in Turkey grants data subjects rights similar to those in the General Data Protection Regulation, including the right to learn whether their personal data is being processed, the purpose of processing, and the recipients of any transfers. Data subjects may also request rectification or erasure of their data, object to decisions based solely on automated processing, and claim compensation for unlawful processing. The exercise of these rights is subject to the requirements set out in the Communiqué on the Procedures and Principles of Application to the Data Controller: a valid request must contain certain information and may be submitted through several methods. Data controllers must respond to valid requests within 30 days; failure to comply with a valid request may result in administrative fines.