Data Protection & Privacy 2023 Guide for Turkey - 2
Contents
- Law and Practice
- 2.3. Online Marketing
- 2.4. Workplace Privacy
- 2.5. Enforcement and Litigation
- 3. Law Enforcement and National Security Access and Surveillance
- 3.1. Laws and Standards for Access to Data for Serious Crimes
- 3.2. Laws and Standards for Access to Data for National Security Purposes
- 3.3. Invoking Foreign Government Obligations
- 3.4. Key Privacy Issues, Conflicts and Public Debates
- 4. International Considerations
- 4.1. Restrictions on International Data Issues
- 4.2. Mechanisms or Derogations That Apply to International Data Transfers
- 4.3. Government Notifications and Approvals
- 4.4. Data Localisation Requirements
- 4.5. Sharing Technical Details
- 4.6. Limitations and Considerations
- 4.7. “Blocking” Statutes
- 5. Emerging Digital and Technology Issues
- 5.1. Addressing Current Issues in Law
- 5.2. “Digital Governance” or Fair Data Practice Review Boards
- 5.3. Significant Privacy and Data Protection Regulatory Enforcement or Litigation
- 5.4. Due Diligence
- 5.5. Public Disclosure
- 5.6. Digital Technology Regulation/Convergence of Privacy, Competition and Consumer Protection Laws
- 5.7. Other Significant Issues
Law and Practice
2.3. Online Marketing
Online marketing is governed by the Law on Regulation of Electronic Commerce No 6563 (“E-Commerce Law”), the By-Law on Commercial Communication and Commercial Electronic Messages (“By-Law on Commercial Communication”) as well as the DP Law. According to the E-Commerce Law and the By-Law on Commercial Communication, the recipient’s prior explicit consent must be obtained to make calls or send SMS or emails for marketing purposes (marketing communication). The DP Board also requires data subjects’ consent before controllers send push messages. However, it is permissible to make a marketing communication without prior consent in the business-to-business (B2B) model, unless the receiver opts out. The contents of a marketing communication must include certain identification information of the sender, as well as an option to opt out. The Message Management System (MMS) is an online platform where receivers can manage their consents for receiving marketing communications and their withdrawals of the same (ie, opt-outs). All senders of marketing communications must register with the MMS and upload the information regarding consents and withdrawals for this purpose. Any consent or withdrawal received by the sender must be uploaded to the MMS within three business days of its receipt. There are no specific provisions for behavioural and targeted advertising under Turkish law. Therefore, the relevant processing activities are subject to the general provisions of the DP Law. In this regard, based on the DP Board’s approach to this matter, it may be argued that – in order to carry out behavioural or targeted advertising – the prior consent of the data subjects must be obtained.
2.4. Workplace Privacy
Privacy in the workplace is not specifically regulated in Turkish law but can be considered within the scope of the DP Law. Nevertheless, there are provisions regarding this matter in various laws, for example:
- pursuant to Article 419 of the TCO, an employer can use the personal data of their employee only to the extent that it is necessary for the employee’s employability or the performance of the employment contract;
- pursuant to Article 75 of the Turkish Labour Law, an employer is obliged to use the information obtained about their employee in accordance with the rules of good faith and law, and not to disclose any information that the employee has a justified interest in keeping confidential; and
- pursuant to Article 15(5) of the OHCL, health data must be kept confidential in order to protect the private life and reputation of the employee who has undergone a medical examination.
Monitoring Workplace Communications
According to the decisions of the Constitutional Court and DP Board, an employer is entitled to monitor the work computers, work mobile phones and other electronic devices, which it provides to its employees, provided that it fulfils the following conditions:
- employees should be informed in advance that their correspondence and transactions on electronic devices may be monitored, with the purposes and legal basis of the monitoring clearly stated (eg, by way of a privacy notice addressed to the employees);
- there should be a legitimate purpose for accessing/monitoring the devices (eg, a compliance investigation based on a reasonable doubt); and
- access/monitoring should be proportional to the legitimate purpose (eg, if it is clear from the subject of the email/file that it is a personal email/file, then it should not be opened and reviewed).
The principles above shall also be applied to the implementation of cybersecurity tools and insider threat detection and prevention programs.
Processing Special Categories of Personal Data
As a general principle for processing special categories of employees’ personal data, the explicit consent of employees must be obtained unless a justifying ground is provided by law; see 2.2 Sectoral and Special Issues. The DP Board has decided that the processing of employees’ biometric data for security purposes breaches the data minimisation (proportionality) principle. However, a case-by-case analysis of that principle is necessary – for instance, where a high level of security is needed due to the nature of the data, processing the biometric data of the relevant employees might not violate the data minimisation (proportionality) principle.
2.5. Enforcement and Litigation
Regulators
Under the DP Law, the DP Board has extensive enforcement powers, as described in 1.3 Administration and Enforcement Process. The DP Board may be considered more inclined to impose administrative fines than its EU counterparts, in particular for data breaches. So far, the DP Board has investigated and fined several national and international companies, including Marriott International Inc, Facebook, Amazon Türkiye, WhatsApp and TikTok. There are four types of violations set forth in the DP Law; the amounts of administrative fines for these violations are adjusted each year. The amounts of administrative fines which apply in 2023 are as follows:
- failure to inform data subjects of processing activities may be subject to an administrative fine of TRY29,852 to TRY597,191;
- failure to take the necessary technical and organisational measures (interpreted very broadly, including unlawful data transfer abroad, breach of fundamental principles) may be subject to an administrative fine of TRY89,571 to TRY5,971,989;
- failure to comply with the decisions issued by the DP Board may be subject to an administrative fine of TRY149,285 to TRY5,971,989; and
- failure to comply with the obligation to register with VERBIS and not submitting information to VERBIS may be subject to an administrative fine of TRY119,428 to TRY5,971,989.
The highest fine issued by the DP Board so far is TRY1.95 million, which was issued to WhatsApp. The DP Authority is also entitled to order the cessation of certain data processing activities or personal data transfers (see also 1.3 Administration and Enforcement Process).
Criminal Sanctions
There are also criminal sanctions that are regulated under TCrC, as follows:
- unlawful recording of personal data is subject to imprisonment of one to three years;
- unlawful transfer, publication or acquisition of personal data is subject to imprisonment of two to four years – if these are realised by exploiting the advantages of a profession or art, such actions are subject to imprisonment of three to six years; and
- failure to destroy personal data after the retention period set forth in the law has been passed is subject to imprisonment of two to six years.
The investigation may commence without the need for any complaint – ie, ex officio by public prosecutors. However, there is no established jurisprudence on how criminal sanctions will be applied in harmony with the DP Law.
Private Litigation
The right to seek compensation is clearly stated as one of the data subject rights under the DP Law. Moreover, data subjects can seek compensation and ask the court to prevent a threatened infringement, to cease an existing infringement, or to declare that an infringement is unlawful, as per Articles 24–26 of the TCiC and Article 49 of the TCO. From a civil law perspective, the controller is jointly liable for the lack of technical and organisational measures which must be taken by the processor. There is no class action concept under the Turkish legal system.
3. Law Enforcement and National Security Access and Surveillance
3.1. Laws and Standards for Access to Data for Serious Crimes
The following activities are among those excluded from DP Law coverage:
- processing of personal data by judicial authorities or execution authorities regarding the investigation, prosecution, judicial or execution proceedings; and
- processing of personal data by public institutions and organisations duly authorised and assigned by law regarding maintaining national defence, national security, public security, public order or economic security within the scope of preventive, protective and intelligence activities.
The Turkish Law of Criminal Procedure (TLCP) is the primary source with respect to law enforcement’s access to data for the investigation of serious crimes.
Other relevant laws are as follows:
- the Law on Police Duty and Authority;
- the Law on Gendarmerie Organisation Duty and Authority; and
- the Law on Governmental Intelligence Services and National Intelligence Agency.
Law enforcement authorities may request information on personal data to investigate criminal offences.
However, in certain situations, an independent judicial decision is necessary for public prosecutors and law enforcement officers to interfere with IT systems or intercept communications.
In the case of peril in delay, the public prosecutor or law enforcement officer may interfere with IT systems or intercept communications by the public prosecutor’s order, which must be approved by a court afterwards.
3.2. Laws and Standards for Access to Data for National Security Purposes
Very similar rules to those discussed in 3.1 Laws and Standards for Access to Data for Serious Crimes apply in the field of national security. In these cases, the authorities can demand information if it is necessary for the prevention of imminent threats. The National Intelligence Agency is authorised to request any information within its powers and duties, including any personal data. Those who fulfil these requests cannot be held legally or criminally liable.
3.3. Invoking Foreign Government Obligations
The provisions of the DP Law do not provide a clear legitimate basis for invoking a foreign government’s request for collecting or transferring data. However, since the fulfilment of a foreign government’s request may lead to data transfer abroad, the rules on data transfer abroad set forth in the DP Law must be complied with (see also 4.2 Mechanisms or Derogations That Apply to International Data Transfers). On the other hand, Türkiye is a signatory to many bilateral or multilateral agreements which aim to promote co-operation between states, especially on issues related to judicial co-operation and extradition requests. Personal data processing activities that arise from these obligations are not exempted from the scope of the DP Law, and public institutions are also obliged to comply with the DP Law (see also 2.1 Omnibus Laws and General Requirements, 2.2 Sectoral and Special Issues and 4.2 Mechanisms or Derogations That Apply to International Data Transfers). Türkiye does not participate in a Cloud Act agreement with the USA.
3.4. Key Privacy Issues, Conflicts and Public Debates
One of the key privacy issues is the inadequate and uncertain regulation of governmental access to data. Although the DP Law is applicable to the data processing activities of governmental bodies, the exceptions set forth in the DP Law are broad. The DP Law is criticised for the breadth of these exceptions, because they lead the DP Law to be applied in a diluted manner within governmental bodies, which hinders accurate implementation. Indeed, especially compared to the GDPR, many issues are left entirely outside the scope of the DP Law. This is criticised in Turkish data protection practice.
4. International Considerations
4.1. Restrictions on International Data Issues
International transfer of personal data is subject to the DP Law. Data transfer abroad is restricted unless:
- explicit consent of the data subject is obtained;
- the importing country provides an adequate level of data protection; or
- regulatory approval of DP Board is obtained.
See 4.2 Mechanisms or Derogations that Apply to International Data Transfers.
The DP Law also states that provisions on data transfer abroad in other laws are reserved. On the other hand, sector-specific regulations may impose further restrictions regarding data transfer abroad (see also 4.4 Data Localisation Requirements).
Based on its decisions, the DP Board seems to consider the direct collection of personal data by data controllers located abroad as data transfer abroad as well, which is, in the authors’ view, a debatable approach.
4.2. Mechanisms or Derogations That Apply to International Data Transfers
According to DP Law, the transfer of personal data abroad is permissible if the data subject’s explicit consent is obtained for such transfer. In the event that the exporter relies on any legal basis other than explicit consent, then the following applies.
- The foreign country to which the personal data will be transferred must have an adequate level of protection for personal data. These countries will be determined and announced by the DP Board (ie, the “Whitelist”).
- Where there is no adequate level of protection, an exporter controller in Türkiye and a data importer abroad must execute a standard-form written undertaking committing to provide an adequate level of protection, similar to Standard Contractual Clauses in GDPR practice (ie, “undertaking”). Such undertaking must then be submitted to the DP Board, and the approval of the DP Board must be obtained for the relevant data transfer.
- If data transfer abroad is only within multinational group companies, a data exporter located in Türkiye may obtain approval from the DP Board for binding corporate rules (BCR).
As no Whitelist has yet been announced by the DP Board, only consent, undertaking and BCR remain available for controllers to transfer data abroad. On the other hand, the DP Board states in several of its decisions that “the provision of a service cannot be made conditional upon consent”. This principle is based on the argument that if the provision of a service is made conditional upon obtaining consent for data processing (including transfer), such consent is deemed not to be freely given and hence may be considered invalid. On the other hand, in one of its recent decisions, the DP Board has accepted that an employer located abroad may rely on the explicit consent of its employees in Turkey to collect their personal data (which the DP Board seems to consider as data transfer abroad), as consent is the only option for an employer located abroad to collect the personal data of its employees in Turkey. Although obtaining valid explicit consent has its own challenges, obtaining regulatory approval from the DP Board is just as challenging. Only five data controllers have managed to obtain regulatory approval by executing an undertaking with the importers since the enactment of the DP Law.
4.3. Government Notifications and Approvals
As mentioned in 4.2 Mechanisms or Derogations that Apply to International Data Transfers, undertaking and BCRs require the DP Board’s approval. On the other hand, as per Article 9(5) of the DP Law, without prejudice to the provisions of international agreements, in cases where the interest of Türkiye or the data subject shall be seriously harmed, personal data may only be transferred abroad upon permission of the DP Board. The DP Board must obtain the opinions of relevant public institutions and organisations before it grants its permission. It should be noted that sector-specific regulations may seek further notifications or approvals regarding data transfer abroad (see also 2.2 Sectoral and Special Issues).
4.4. Data Localisation Requirements
Even though there is no data localisation requirement in the DP Law, there are certain sector-specific regulations that have been set forth for specific sectors in Türkiye.
Banking and Finance Entities
The following entities must keep their primary and secondary information systems in Türkiye:
- banks;
- payment institutions and electronic money institutions;
- insurance and private pension companies (except for services such as email, teleconference, or videoconference);
- certain public companies, as well as certain capital markets institutions; and
- financial lease, factoring and finance companies.
Electronic Communication Providers
In principle, electronic communication providers cannot transfer traffic data and location data abroad, for national security reasons. However, in certain cases, such data may be transferred abroad by obtaining the explicit consent of the data subject.
Social Network Providers (SNPs)
SNPs with more than 1 million daily accesses must take the necessary measures to retain the data of their Turkish users in Türkiye.
4.5. Sharing Technical Details
Public or private institutions that will use coded/encrypted electronic communication within their electronic communication services must apply to the ICTA and obtain permission in order to be authorised in accordance with the ICTA’s regulations. A copy of the code/encryption must be provided to the ICTA with this application.
4.6. Limitations and Considerations
There are no specific limitations or considerations that apply to an organisation for collecting or transferring data in connection with foreign government data requests and foreign litigation proceedings. Please see 3.3 Invoking Foreign Government Obligations and 4.2 Mechanisms or Derogations that Apply to International Data Transfers.
4.7. “Blocking” Statutes
Türkiye does not have specific “blocking” statutes, but there are general statutory provisions that prevent the disclosure of matters relating to national interests.
5. Emerging Digital and Technology Issues
5.1. Addressing Current Issues in Law
The DP Authority issued its Recommendations on AI in September 2021. It is noteworthy that the Recommendations on AI do not provide a detailed view on artificial intelligence technologies, even though it succeeds in covering a number of fundamental topics. Biometric data has been a point of further discussion in the field of data protection and the processing of biometric data has been assessed extensively in both DP Authority-issued documents and DP Board decisions (see also 2.4 Workplace Privacy for the use of biometric data in an employment context).
5.2. “Digital Governance” or Fair Data Practice Review Boards
Establishing protocols for digital governance and fair data practice review boards or committees to address the risks of emerging or disruptive digital technologies is neither mandatory nor common practice in Türkiye.
5.3. Significant Privacy and Data Protection Regulatory Enforcement or Litigation
Due to various news stories and complaints, the DP Board has initiated an investigation and fined TikTok for the following reasons (the decision was published on 1 March 2023).
- TikTok updated its privacy policy in January 2021 and changed the default privacy setting to “private” for users aged between 13 and 15. However, before this update, the profiles of minors were publicly viewable by default, which posed a risk with respect to this vulnerable age group.
- Prior to this update, the personal data of minors under the age of 13 was viewable, and minors’ data was collected by TikTok without appropriate parental consent.
- Although TikTok’s privacy policy includes the legal bases for processing, there is a lack of clear information on what personal data is processed for what purpose and on which legal basis.
- Users are deemed to have accepted TikTok’s terms of service and privacy policy while creating an account. However, the terms of service have not yet been translated into Turkish, and thus, it may not be possible for users to understand it clearly.
- Although TikTok provides its privacy policy to users to fulfil its obligation to inform, it uses the same document also to obtain users’ explicit consent. However, the privacy policy and explicit consent text should be presented to data subjects separately.
- TikTok does not obtain explicit consent from users for the use of cookies for profiling purposes.
Accordingly, TikTok was fined TRY1.75 million and instructed to translate the terms of service into Turkish and revise its privacy policy to be compliant with DP Law.
5.4. Due Diligence
Carrying out a due diligence over a target entity is considered to be on the legal basis of “legitimate interest”. On the other hand, when requesting and sharing personal data during a due diligence process, “proportionality” and “data minimisation” principles must be taken into consideration. In the event that a due diligence process requires data transfer abroad, then the controller must comply with data transfer abroad provisions. It should be noted that using virtual data rooms, whose servers are located abroad, would constitute a data transfer abroad (see also 4.2 Mechanisms or Derogations that Apply to International Data Transfers.)
5.5. Public Disclosure
The Turkish Data Controllers Registry (VERBIS) is an online public registry, which shows the personal data processing inventory of controllers who have registered with, and submitted information to, VERBIS (see also 2.1 Omnibus Laws and General Requirements). The information, which is submitted to VERBIS and is hence publicly available, is as follows:
- the categories of personal data;
- the data processing purposes for each data category;
- retention periods of each data category;
- data subjects for each data category;
- data transferees;
- information on data transfer abroad, for each data category; and
- technical and organisational measures.
The relevant capital markets regulations impose an obligation on companies that will make a public offering to state the risks of the business before such public offering. Although there is no specific requirement to state data protection and cybersecurity risks, since the business risks may also include risks regarding data protection, such risks should be mentioned in the course of a public offering.
5.6. Digital Technology Regulation/Convergence of Privacy, Competition and Consumer Protection Laws
In the course of 2022, the E-Commerce Law and its secondary legislation were amended with the aim of maintaining an effective and fair competition environment on e-commerce platforms. Most of these amendments entered into force as of 1 January 2023.
These amendments impose significant obligations on e-marketplaces and e-sellers. Some of these obligations reflect certain principles brought by the Digital Services Act.
According to these amendments, e-marketplaces:
- shall remove unlawful content submitted by the seller;
- shall not lower the seller’s position in the ranking or recommendation system without any objective criteria set forth in the agreement executed with the seller;
- shall not use the data obtained from sellers and buyers with a purpose other than providing intermediary services, in particular to compete with sellers; and
- shall provide technical facilities, free of charge, to the seller for transferring the data they collected through their sales and for accessing the processed metadata.
The amendment has adopted an incremental system based on total transaction number and net transaction volume per year for the obligations, and non-compliance with these obligations is subject to administrative monetary fines. These fines vary between TRY10,000 and TRY40 million and certain fines are calculated on a percentage basis, varying between 0.05% and 10% of the net sales amount of the preceding year.
Although not in force yet, significant amendments are expected to the Law on Protection of Competition No 4054. Most of the amendments brought by the draft amendment reflect the ex-ante approach of the Digital Markets Act and include certain definitions introduced by the same. Although these amendments have not entered into force yet, they may be considered a significant step towards further alignment with the European omnibus model.
5.7. Other Significant Issues: There are no other significant issues.
First published by Chambers & Partners on 03.03.2023
Tagged with: Yazıcıoğlu Legal, Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Simge Yüce, Merve Betül Baltürk, Data Protection, Data Privacy