Turkish Law Blog
Data Protection in Turkey - 2019 Year in Review
It has been three years since the framework law on protection of personal data (Turkish Data Protection Law – “TDPL”) was introduced to Turkey. In this 3-year introduction process, high interest, in particular, of practitioners and academicians in the subject contributes to the creation of bilateral awareness. In one hand, while data controllers embark on compliance process, data subjects begin to have knowledge through, in particular, activities of media and Turkish Personal Data Protection Board (“Board”).
Even though awareness level is still far below the desired level for both parties, we can say that 2019 has been a more successful year when compared with previous years in terms of protection of personal data in Turkey. The data in this article in which I analyze, in this year in Turkey, what regulations were made related to the subject, what was held by the Council of State and the Constitutional Court, compliance processes, the process of registration to Data Controllers’ Registry (“VERBIS”), and decision of Turkish Personal Data Protection Board, are collected fully from open sources.
A. New Secondary Legislation
After the second times of suspension by the Council of State, “Regulation on Health Data” was published in the Official Gazette for the third time and came into force on 21 June 2019.
In 2019, “Regulation on Personal Data Protection Authority Discipline Supervisors” concerning the directly internal operation of the Authority came into force.
B. The Constitutional Court and the Council of State Decisions
The right to protection of personal data which has been provided for in the Constitution as a human right since 2010 has been the subject matter of many decisions of the Constitutional Court in this year.
The Constitutional Court has realized two crucial abstract review of norms related to this right. The Court with its decision published in the Official Gazette on 13 November 2019, considered the claim which asserted annulment of the regulation provided by a decree-law, which authorizes the Information and Communication Technologies Authority (“BTK”) to request personal data from all institutions and organizations. The Court, as a result of its consideration, rejected this claim of annulment with a majority of votes for the reason that this authorization is within the scope of the duty of the Authority to ensure cybersecurity, and that the objective, scope, and boundaries in obtaining personal data are explicitly set out in the Law.
In another decision by the Constitutional Court, which was published in the Official Gazette on 29 November 2019, the Court considered the claim for annulling the stipulation, which was provided for by a decree-law again, that requires “to have security clearance and archive research check” in entering public office. As a result of the consideration made by the Court, the Court annulled these provisions, concluding that the stipulation thereof which “allows to receive and use personal data without providing by law any safeguards and fundamental principles for receiving, using and processing information that has a personal data nature, which will be taken as a basis for employing in a public service as a result of security clearance and achieve research check.” do not comply with Articles 13, 20 and 128 of the Constitution.
The Constitutional Court has so far decided on 108 individual applications related to Article 20 of the Constitution, which includes the right to protection of personal data. From these chosen applications, only four applications are made for directly protection on personal data (See Table 1). The Court holds this right is violated in two applications and provides an inadmissibility decision for two applications because they are manifestly ill-founded.
|THE NAME OF THE APPLICATION||THE SUBJECT MATTER OF THE APPLICATION||CONSEQUENCE||CASE NR.|
Decision as to the application of
|The application is concerned with allegations on the violation of presumption of innocence as there are statements about committing the crime in question on the verdict of administrative court because of the fact that personal data which must not be disclosed by law are disclosed to administrative authorities and these are taken as a basis for security clearance check.||Ruling (Violation)||2014/15365|
Decision as to the application of
|The application is concerned with an allegation on the violation of right to respect to privacy because of the fact that personal data which must no be disclosed by law are disclosed to administrative authorities and these are taken as a basis for security clearance check.||Ruling (Violation)||2014/7256|
Decision as to the application of
|The application is concerned with an allegation on the violation of the right to protection on personal data because of the fact that no effective criminal investigation is made for the complaint regarding personal data is recorded unlawfully.||Inadmissibility||2015/18988|
Decision as to the application of
|The application is concerned with an allegation on the violation of the right to protection on personal data because of the fact that no effective criminal investigation is made for the complaint regarding personal data is recorded unlawfully.||Inadmissibility||2015/19298|
TABLE—1: Individual Application Decisions of the Constitutional Court Published in 2019 Concerning the Right to Protection of Personal Data
The fact that that “opinion of the Personal Data Protection Board has to be taken”, has been emphasized by the Council of State again this year. With the ruling of 15th Judicial Chamber of Council of State, the execution of Clause 3 of Article 19 of Regulation on Private Healthcare Organizations of Ambulatory Diagnosis and Treatment was suspended on that ground. This stable attitude of the Council of State has set forth again that legislation drafts to be drawn up by other governmental organizations should be presented to the Board for its opinion.
C. Turkish Personal Data Protection Board Decisions
The Personal Data Protection Board, which plays a key role in the advancement of protection of personal data, has published 37 decisions, 9 regulatory acts and resolutions and 28 individual acts.
1. Regulatory Acts and Resolutions
In some of the decisions that can be classified as regulatory acts and resolutions, the Board regulates registration times to VERBIS and its exemptions, and in other decisions, the Board aims to resolve hesitations on crucial issues in the application. These decisions are as follows:
|CASE NR.||DATE||SUBJECT||RELEVANT ARTICLES of TDPL|
|2019/009||24.01.2019||Regarding Calculation of Data Controller Application and Board Complaint Durations||13/1, 14/1,|
|2019/010||24.01.2019||Regarding Procedures and Principles of Personal Data Violation Notification||12/1, 12/5,|
|2019/125||02.05.2019||Regarding the form in determining countries where enough protection exist||9|
|2019/225||23.07.2019||Upon a request for opinion on registration obligation of branch and liaison offices of legal entities operated abroad in Turkey to the Registry||TTK 40, GDPR 3, GDPR 4,|
|2019/265||03.09.2019||Regarding Extension of VERBIS (Data Controllers’ Registry) Registration Periods||N/A|
|2019/271||18.09.2019||Regarding minimum components that should be in data violation notifications by data controller to relevant person||12/1,|
|2019/308||18.10.2019||Regarding Software/Program/Applications which enable to inquire Personal Data such as identity and contact information of citizens on unlawfully obtained data||12/1, 18, CMK 158,|
|2019/353||26.11.2019||Regarding Exemption of Registration to Data Controllers’ Registry Obligation of Societies, Charity Foundations and Trade Unions||16/2,|
|2019/387||27.12.2019||Regarding Dates determined by the Board as to Data Controllers’ Registry Registration Obligation||16, Provisional 1|
|2019/078||25.03.2019||Regarding use of personal data that data controller process in order to fulfill its legal obligation for legitimate interests||4, 5/2-F|
|2019/157||31.05.2019||Regarding whether or not corporate email service can be used on Google(gmail) again with the same extension||9|
TABLE—2: Decisions of Turkish Personal Data Protection Board as that can be Classified as Regulatory Acts/Resolutions Published in 2019
Upon a request for opinion on registration obligation of branch and liaison offices of legal entities operated abroad in Turkey to the Registry, the Board decided (i) data controller abroad is obliged with getting registered to the Registry even if it processes data with its branch office, (ii) branches are obliged with getting registered to the Registry when they meet data controller criteria independent of their company and comply with standards of determined employee number and financial balance sheet, (iii) Registration obligation of liaison offices of legal entities operated abroad to the Registry can be only possible under specific circumstances (2019/225).
The framework of notification obligation set out in Clause 5 of Article 12 of the Law has been determined this year. The Board set procedures and principles severally in its resolutions how data controller notifies committed breaches to the Board (2019/10) and the data subject (2019/271).
Besides, the Board has determined this year scope and criteria of legitimate interest, which constitutes an exemption for explicit consent (2019/78), and the position of having email service from abroad under the scope of the Law (2019/157) with its decisions according to opinion requests submitted to it.
2. Individual Acts (Decisions Involving Administrative Fines)
Turkish Personal Data Protection Board applied approximately three and half million TRY in total administrative fines from it came into the office until 2018. This amount exceeded 8 million TRY in 2019. In other words, fine applications of the Board in 2019 has increased nearly by 120% in comparison with the past two years.
|CASE NR.||DATE||SUBJECT||AMOUNT of FINE||REASONING||RELEVANT ARTICLES of TDPL||CONCLUSION|
|2019/047||01.03.2019||Regarding a complaint of a person on another person with an allegation that this person reaches personal information of himself and his family unlawfully and without his content and transfers these to third parties||N/A||Not covered by the Law||N/A||There is no action taken by the Board|
|2019/082||25.03.2019||Regarding denunciations and complaints concerning loyalty card application of a chain market||N/A||N/A||Geçici 1/3, 3||There is no action taken by the Board|
|2019/122||02.05.2019||Regarding T.C. Ziraat Bankası A.Ş which does not respond the application of relevant person and whose informing text published on its website does not comply with conditions regulated in legistation||N/A||N/A||5, 6||18/3,|
|2019/188||01.07.2019||Regarding the application of Mimar Sinan Fine Arts University which publish exam results of students in the internet environment||N/A||15/3,||N/A||18/3,|
|2019/296||01.10.2019||Regarding rejection of the electronical application data subject by operator company on grounds that this person does not make identity confirmation in his application||N/A||N/A||13/1, 11,||N/A|
|2019/081||25.03.2019||Regarding that data controllers who give sport hall services make entrance and exit control of the members processing biometric data||not declared||12/1,||4/2, 6/3,||15/7, 18/1-B, 18/1-C|
|2019/165||31.05.2019||Regarding that data controllers who give sport hall services make entrance and exit control of the members processing biometric data||not declared||12/1,||4/2, 6/3,||15/7, 18/1-B, 18/1-C|
|2019/104||11.04.2019||Regarding Facebook||₺1.650.000||12/1, 12/5||4/2-A, 4/2-Ç,||18/1-B|
|2019/269||18.09.2019||Regarding Facebook||₺1.600.000||12/1, 12/3, 12/5||N/A||18/1-B|
|2019/143||16.05.2019||Regarding Marriott International Inc.||₺1.450.000||12/1, 12/5||N/A||18/1-B|
|2019/222||17.07.2019||Regarding Dubsmash Inc.||₺730.000||12/1, 12/5||N/A||18/1-B|
|2019/141||16.05.2019||Regarding Clickbus Seyahat Hizmetleri A.Ş.||₺550.000||12/1, 12/5||N/A||18/1-B|
|2019/144||16.05.2019||Regarding Cathay Pasific Airway Limited||₺550.000||12/1, 12/5||N/A||18/1-B|
|2019/255||27.08.2019||Regarding a tourism company||₺500.000||12/1, 12/3, 12/5||N/A||18/1-B|
|2019/254||27.08.2019||Regarding S Şans Oyunları A.Ş||₺180.000||12/1, 12/5||N/A||18/1-B|
|2019/023||14.02.2019||Regarding reaching personal data of different persons via changing last digits of the forms/tracking numbers given by a technique service company||₺150.000||12/1,||N/A||18/1-B, 15/7|
|2019/277||18.09.2019||Regarding misuse of data subject’ mobile phone number by a bank out of its purpose||₺100.000||12/1,||4/2-C, 4/2-Ç,||18/1-B|
|2019/294||01.10.2019||Regarding the data controller who requests front/back ID card image from relevant person who has requested to change his user name and password related to loyalty program presented by an airline carrier company||₺100.000||12/1,||4/2-Ç, 5, 6,||18/1-B|
|2019/331||07.11.2019||Regarding processing a personal data which is made public by relevant person inconsistently with its purpose||₺100.000||12/1,||5/2-D||18/1-B|
|2019/204||08.07.2019||Regarding processing the phone number of data subject without relying on any data processing conditions by an investment company and calling this person for promotional/information purpose||₺75.000||12/1,||5/1, 5/2, Turkish Crim. Code 136||18/1-B|
|2019/052||14.02.2019||Regarding reaching personal data of different persons via changing last digits of the forms/tracking numbers given by a technique service company||₺50.000||12/1,||15||18/1-C|
|2019/162||31.05.2019||Regarding a stock company (data controller) sending data subject electronic commercial message without his explicit consent||₺50.000||12/1,||5, 6||18/1-B|
|2019/166||31.05.2019||Regarding sending data subject’s phone the content which does not belong to him||₺50.000||12/1,||N/A||18/1-B|
|2019/276||18.09.2019||Regarding sending by Sevinç Education Organizations short message for promotional purpose to relevant person’s phone without personal data processing conditions||₺50.000||12/1,||5/1, 5/2,||18/1-B|
|2019/332||07.11.2019||Regarding processing phone number of data subject by a doctor without relying on any data processing condition and sending a message with promotional/information content||₺50.000||12/1,||5/1, 5/2||18/1-B|
|2019/159||31.05.2019||Regarding sending by an asset management company several messages on the same subject to data subject||₺20.000||12/1,||4/2-A||18/1-B|
TABLE—3: Decisions of Turkish Personal Data Protection Board as that can be Classified as Individual Act Published in 2019
Facebook is the leading data controller who is imposed most on Board’s administrative sanctions. In two different decision, 3,250,000 TRY fine is imposed on Facebook by the Board. The fact that four out of the five highest fine are imposed on foreign companies is significant.
In the present picture, although the Board has the Authority of imposing up to 2 million TRY fine, that it applies fine even not amounting to 200,000 TRY is a significant indication, in my opinion. My comment on this fact would be that the Board tries to maintain its approach, which is declared in early days of its foundation “we don’t want to be remembered with fines.” However, in the following years, while awareness of the protection of personal data is developed and compliance processes for data controller are progressed, I think it wouldn’t be wrong to say sanctions will be more deterrent.
D. Compliance Processes and the Registration to VERBIS
On the matter of compliance processes before data controllers, the Board has clarified a hesitation. Accordingly, informing the data subject in accordance with the GDPR will not release data controllers from their obligations in terms of Turkish Law. For that reason, primarily, it is stated that they have to make informing in accordance with Turkish Law.
Expiry dates as to registration to VERBIS obligation, which causes many data controller to learn about the Law has been postponed twice with three month-intervals this year. In the second postponing decision, there are reasons for delaying such as that erroneous notifications are made by data controllers, thinking registry notifications are completed. Another important reason which is not stated in the decision is, of course, although they have the obligation of registering to the Registry, there are many data controller who even does not have user name and password on VERBIS.
E. Data Breach Notifications
As part of the obligation of notifying data breaches set out Article 12 of the Law, the Board has published 37 data breaches notifications which influence at least 800,000 people in 2019.
After the completion of 2019 with these developments, I hope bilateral awareness in the field of protection of personal data will reach much better levels in 2020. I wish a successful year for those who study in this field.
I would like to thanks to Res. Assist. Bilâl Toprak and Buğra Rahmi Bardakçı for their contributions to the article.