Insights Data Protection & Privacy

    Transferring the Health Data of a Data Subject to the Public Institution

In its decision numbered 2022/790, the Personal Data Protection Board addressed a complaint concerning the transfer of a data subject's health data to a public institution for use in an ongoing administrative lawsuit. The complaint alleged that the transfer of the data subject's health data from a university hospital to the public institution constituted unlawful processing of personal data. The Board determined that the transfer violated data protection principles and instructed the data controller to take corrective action, including disciplinary measures and destruction of the data. The data subject was also advised to apply to the provincial health directorate for correction. The Board emphasized the importance of responding to data subject requests in a timely manner.

    The Encryption Paradox: Messaging Apps at a Crossroads in the UK

    The proposed Online Safety Bill in the UK raises concerns that encrypted messaging app companies like WhatsApp may cease their services if the bill is not amended. The bill aims to enhance internet safety and hold companies accountable for content shared on their platforms. It grants regulatory power to the Office of Communications (Ofcom) to enforce measures against terrorism and child sexual abuse content. However, messaging apps relying on end-to-end encryption (E2EE) face challenges in complying with these regulations. E2EE ensures secure communication and data privacy, and breaking it would compromise user trust. Finding a middle ground is crucial to balance privacy and online safety.

    Processing of Personal Data of the Child without the Explicit Consent of the Parent

The Personal Data Protection Board assessed a complaint about a marketing company processing a child's personal data without explicit parental consent. A self-employed entrepreneur working with the company sent a promotional brochure to an 8-year-old child, allegedly processing the child's data unlawfully. The Board clarified that the entrepreneur acted independently as a data controller and that the company had no involvement in the data processing. The argument that the personal data had been made available by the data subject was rejected, as the situation did not meet that exception. Processing the child's name and address for marketing purposes did not satisfy any of the conditions set out in the law, and a fine was imposed. The entrepreneur was instructed to obtain explicit consent and comply with data protection regulations.

    Transferring Personal Data Abroad Without Obtaining Explicit Consent / May 17, 2023

    In its decision, the Personal Data Protection Board addressed a complaint regarding the unauthorized transfer of personal data from a bank to an insurance company. The complaint alleged that the bank shared the data subject's phone number without explicit consent. The Board determined that the transfer violated the Law on the Protection of Personal Data and the principle of obtaining explicit consent. The data controller failed to provide evidence of informed consent or a lawful basis for the transfer. Sharing personal data without the customer's instruction, even with explicit consent, is prohibited. As a result, the Board imposed a fine on the bank for breaching data protection obligations.

    Continuing to Process Personal Data of the Employee by the Employer After the Termination of the Employment Contract

The Personal Data Protection Board evaluated a complaint about an employer continuing to process the personal data of the data subject after the termination of their employment contract. The complaint stated that the data controller company used the data subject's photos and phone number for promotional purposes and for communication with courier companies after the contract had ended. The Board found that using the photos for advertising purposes and processing the phone number without proper notification violated the principle that data must be accurate and kept up to date. Consequently, an administrative fine of TRY 250,000 was imposed on the data controller, which was instructed to delete the unlawfully processed data and provide a report to the data subject's representative.

    Transferring Personal Data Abroad Without Obtaining Explicit Consent

The Personal Data Protection Board has imposed an administrative fine of TRY 950,000 (approx. EUR 44,246) on a technology company for transferring personal data abroad without the explicit consent of the data subjects and for not responding to their request within the legally specified period. The Board stated that the company violated the Law on the Protection of Personal Data and failed to take the technical and administrative measures necessary to ensure an appropriate level of security. Moreover, the company did not submit a commitment to provide adequate protection in the country to which the transfer would be made. The Board instructed the company to make the necessary arrangements and inform the Board accordingly.

    Data Driven Cyber Security

Data controllers and processors in the UK are required to implement appropriate technical and organizational measures to ensure data security in compliance with data protection regulations. The UK National Cyber Security Centre recommends a data-driven cybersecurity approach to address the challenges of cybersecurity in a rapidly advancing digital landscape. By leveraging high-quality data to generate actionable insights, data-driven cybersecurity seeks to improve outcomes, transparency, and trust. The NCSC has developed a maturity model that helps organizations assess their level of data-driven cybersecurity maturity and identify gaps in their cybersecurity posture, based on factors such as communication, people, security and compliance, platform and data processing tools, integration, and data structure.

    Sharing the Photos Taken During Surgery

In its decision dated 29.06.2022 and numbered 2022/630, the Personal Data Protection Board evaluated a complaint about photos taken during the data subject's surgery being shared on the social media account of a doctor working at the data controller hospital.

    Sending Order Information to Erroneous Email Address

In its decision dated 03.08.2022 and numbered 2022/774, the Personal Data Protection Board evaluated a complaint about an e-commerce website, acting as data controller, sending a third party's order information to the data subject.

    Failure to Provide the Privacy Policy and Explicit Consent Wording for Cookies

In its decision dated 23.12.2022 and numbered 2022/1358, the Personal Data Protection Board evaluated a complaint about a gaming platform, as data controller, failing to provide a privacy policy and explicit consent wording for cookies on its website.

    UK Online Safety Bill Introduces a New Online Regimen

The Online Safety Bill was introduced to the UK Parliament in May 2019 and, with the latest update published on March 27, 2023, aims to provide a safer internet for all users, particularly children.

    Differences in General Principles of APEC Privacy Framework and GDPR

The importance of privacy has increased with the significant growth in data processing methods and activities brought about by rapid technological development and globalisation. As a result, many countries and regions have adopted privacy laws to provide consistent protection for the personal data of individuals.

    EDPS is Participating in EDPB's Coordinated Enforcement Action to Supervise Data Protection Officers

    The Office of the European Data Protection Supervisor announced that it will take part in the European Data Protection Board’s Coordinated Enforcement Action on the designation and position of data protection officers, which will include 26 data protection authorities of the EU and the European Economic Area.

    ICO Fines TikTok £12.7 Million For Misusing Children’s Data

    The Information Commissioner's Office has fined TikTok Information Technologies UK Limited and TikTok Inc £12,700,000 for a series of data protection breaches, including unlawfully using children's data.

    ICO Releases New UK GDPR Certification Scheme

The Information Commissioner's Office has released a new certification scheme targeting training and qualification service providers. The scheme aims to enable candidates applying for training programmes to make informed choices, with the assurance that their personal data will be processed in accordance with the UK GDPR.

    UK Re-Introduces Data Protection and Digital Information Bill

On 8 March 2023, the UK Ministry for Science, Innovation and Technology announced the re-introduction of the Data Protection and Digital Information Bill, which was first introduced in July 2022. The newly published version of the Bill replaces the previous draft.

    ICO Published Tech Horizons Report

    The Information Commissioner's Office released the Tech Horizons Report, which addresses the most significant technological developments for privacy in the next two to five years, as well as the current range of risks that may harm people's privacy and trust in these technologies.

    Epic Games to Pay 520 Million Dollars over FTC Allegations of Child Privacy Violations and Unwanted Charges

In a recent decision regarding Epic Games Inc., the developer of the game Fortnite, the US Federal Trade Commission determined that obligations arising from the Children's Online Privacy Protection Act had been violated.