Turkish Law Blog

Data Protection in Turkey - 2019 Year in Review

Furkan Güven Taştan / Ankara Yıldırım Beyazıt University
15 January, 2020

It has been three years since the framework law on the protection of personal data (Turkish Data Protection Law – “TDPL”) was introduced in Turkey. During this three-year introduction process, the strong interest of practitioners and academics in particular has contributed to awareness on both sides. On the one hand, data controllers have embarked on compliance processes; on the other, data subjects have begun to learn about the subject, in particular through the activities of the media and the Turkish Personal Data Protection Board (“Board”).

Even though the level of awareness is still far below the desired level for both parties, we can say that 2019 was a more successful year than previous years in terms of the protection of personal data in Turkey. In this article I analyze what regulations were made on the subject in Turkey this year, what the Council of State and the Constitutional Court held, compliance processes, the process of registration to the Data Controllers’ Registry (“VERBIS”), and the decisions of the Turkish Personal Data Protection Board. The data in the article is collected entirely from open sources.

A. New Secondary Legislation

After its second suspension by the Council of State, the “Regulation on Health Data” was published in the Official Gazette for the third time and came into force on 21 June 2019.

In 2019, the “Regulation on Personal Data Protection Authority Discipline Supervisors”, which directly concerns the internal operation of the Authority, came into force.

B.  The Constitutional Court and the Council of State Decisions

The right to protection of personal data, which has been provided for in the Constitution as a human right since 2010, has been the subject matter of many decisions of the Constitutional Court this year.

The Constitutional Court carried out two crucial abstract reviews of norms related to this right. In its decision published in the Official Gazette on 13 November 2019, the Court considered a request to annul a provision, introduced by a decree-law, which authorizes the Information and Communication Technologies Authority (“BTK”) to request personal data from all institutions and organizations. The Court rejected this request by a majority of votes, on the grounds that this authorization is within the scope of the Authority's duty to ensure cybersecurity, and that the objective, scope, and boundaries of obtaining personal data are explicitly set out in the Law.

In another decision, published in the Official Gazette on 29 November 2019, the Constitutional Court considered a request to annul the requirement, again introduced by a decree-law, “to have security clearance and archive research check” for entering public office. The Court annulled these provisions, concluding that the requirement, which “allows to receive and use personal data without providing by law any safeguards and fundamental principles for receiving, using and processing information that has a personal data nature, which will be taken as a basis for employing in a public service as a result of security clearance and archive research check”, does not comply with Articles 13, 20 and 128 of the Constitution.

The Constitutional Court has so far decided on 108 individual applications related to Article 20 of the Constitution, which includes the right to protection of personal data. Of these applications, only four directly concern the protection of personal data (see Table 1). The Court held that this right was violated in two applications and issued an inadmissibility decision for two applications because they were manifestly ill-founded.

| THE NAME OF THE APPLICATION | THE SUBJECT MATTER OF THE APPLICATION | CONSEQUENCE | CASE NR. |
|---|---|---|---|
| Decision as to the application of TURGUT DUMAN | The application concerns allegations of a violation of the presumption of innocence, as the verdict of the administrative court contains statements about committing the crime in question, because personal data which must not be disclosed by law were disclosed to administrative authorities and taken as a basis for the security clearance check. | Ruling (Violation) | 2014/15365 |
| Decision as to the application of FATİH SARAMAN | The application concerns an allegation of a violation of the right to respect for privacy, because personal data which must not be disclosed by law were disclosed to administrative authorities and taken as a basis for the security clearance check. | Ruling (Violation) | 2014/7256 |
| Decision as to the application of EROL KUMCU | The application concerns an allegation of a violation of the right to protection of personal data, because no effective criminal investigation was carried out into the complaint that personal data were recorded unlawfully. | Inadmissibility | 2015/18988 |
| Decision as to the application of ALİ ÇIĞIR | The application concerns an allegation of a violation of the right to protection of personal data, because no effective criminal investigation was carried out into the complaint that personal data were recorded unlawfully. | Inadmissibility | 2015/19298 |

TABLE—1: Individual Application Decisions of the Constitutional Court Published in 2019 Concerning the Right to Protection of Personal Data 

The requirement that the “opinion of the Personal Data Protection Board has to be taken” was emphasized by the Council of State again this year. With a ruling of the 15th Judicial Chamber of the Council of State, the execution of Clause 3 of Article 19 of the Regulation on Private Healthcare Organizations of Ambulatory Diagnosis and Treatment was suspended on that ground. This consistent position of the Council of State has once again made clear that draft legislation drawn up by other governmental organizations should be presented to the Board for its opinion.

C.  Turkish Personal Data Protection Board Decisions

The Personal Data Protection Board, which plays a key role in the advancement of protection of personal data, has published 37 decisions, 9 regulatory acts and resolutions and 28 individual acts.

1. Regulatory Acts and Resolutions

In some of the decisions that can be classified as regulatory acts and resolutions, the Board regulates the registration deadlines for VERBIS and the exemptions from it; in others, the Board aims to resolve uncertainty on crucial issues in practice. These decisions are as follows:

| CASE NR. | DATE | SUBJECT | RELEVANT ARTICLES of TDPL |
|---|---|---|---|
| 2019/009 | 24.01.2019 | Regarding calculation of the time periods for applications to the data controller and complaints to the Board | 13/1, 14/1 |
| 2019/010 | 24.01.2019 | Regarding procedures and principles of personal data violation notification | 12/1, 12/5 |
| 2019/125 | 02.05.2019 | Regarding the form to be used in determining countries where sufficient protection exists | 9 |
| 2019/225 | 23.07.2019 | Upon a request for opinion on the obligation of branch and liaison offices in Turkey of legal entities operating abroad to register with the Registry | TTK 40, GDPR 3, GDPR 4 |
| 2019/265 | 03.09.2019 | Regarding extension of VERBIS (Data Controllers’ Registry) registration periods | N/A |
| 2019/271 | 18.09.2019 | Regarding the minimum components that should be included in data violation notifications made by the data controller to the relevant person | 12/1 |
| 2019/308 | 18.10.2019 | Regarding software/programs/applications which enable querying of personal data, such as identity and contact information of citizens, based on unlawfully obtained data | 12/1, 18, CMK 158 |
| 2019/353 | 26.11.2019 | Regarding exemption of societies, charity foundations and trade unions from the obligation to register with the Data Controllers’ Registry | 16/2 |
| 2019/387 | 27.12.2019 | Regarding the dates determined by the Board for the Data Controllers’ Registry registration obligation | 16, Provisional 1 |
| 2019/078 | 25.03.2019 | Regarding use, for legitimate interests, of personal data that the data controller processes in order to fulfill its legal obligation | 4, 5/2-F |
| 2019/157 | 31.05.2019 | Regarding whether or not corporate email service can be used on Google (Gmail) again with the same extension | 9 |

TABLE—2: Decisions of the Turkish Personal Data Protection Board that can be Classified as Regulatory Acts/Resolutions Published in 2019

Upon a request for opinion on the obligation of branch and liaison offices in Turkey of legal entities operating abroad to register with the Registry, the Board decided that (i) a data controller abroad is obliged to register with the Registry even if it processes data through its branch office, (ii) branches are obliged to register with the Registry when they meet the data controller criteria independently of their company and meet the thresholds set for number of employees and financial balance sheet, and (iii) a registration obligation for liaison offices of legal entities operating abroad is possible only under specific circumstances (2019/225).

The framework of the notification obligation set out in Clause 5 of Article 12 of the Law was determined this year. In separate resolutions, the Board set out the procedures and principles for how a data controller notifies breaches to the Board (2019/10) and to the data subject (2019/271).

In addition, in decisions issued in response to opinion requests submitted to it, the Board this year determined the scope and criteria of legitimate interest, which constitutes an exemption from explicit consent (2019/78), and the position under the Law of obtaining email service from abroad (2019/157).

2.   Individual Acts (Decisions Involving Administrative Fines)

From the time it took office until 2018, the Turkish Personal Data Protection Board imposed approximately three and a half million TRY in total administrative fines. This amount exceeded 8 million TRY in 2019. In other words, the fines imposed by the Board in 2019 increased by nearly 120% in comparison with the past two years.

| CASE NR. | DATE | SUBJECT | AMOUNT of FINE | REASONING | RELEVANT ARTICLES of TDPL | CONCLUSION |
|---|---|---|---|---|---|---|
| 2019/047 | 01.03.2019 | Regarding a complaint by a person against another person, alleging that this person accessed personal information of himself and his family unlawfully and without his consent and transferred it to third parties | N/A | Not covered by the Law | N/A | There is no action taken by the Board |
| 2019/082 | 25.03.2019 | Regarding denunciations and complaints concerning the loyalty card application of a chain market | N/A | N/A | Provisional 1/3, 3 | There is no action taken by the Board |
| 2019/122 | 02.05.2019 | Regarding T.C. Ziraat Bankası A.Ş., which did not respond to the application of the relevant person and whose informing text published on its website does not comply with the conditions regulated in legislation | N/A | N/A | 5, 6 | 18/3 |
| 2019/188 | 01.07.2019 | Regarding the application of Mimar Sinan Fine Arts University, which published students' exam results on the internet | N/A | 15/3 | N/A | 18/3 |
| 2019/296 | 01.10.2019 | Regarding rejection of the data subject's electronic application by an operator company on the grounds that this person did not confirm his identity in his application | N/A | N/A | 13/1, 11 | N/A |
| 2019/081 | 25.03.2019 | Regarding data controllers providing sports hall services that control the entrance and exit of members by processing biometric data | not declared | 12/1 | 4/2, 6/3 | 15/7, 18/1-B, 18/1-C |
| 2019/165 | 31.05.2019 | Regarding data controllers providing sports hall services that control the entrance and exit of members by processing biometric data | not declared | 12/1 | 4/2, 6/3 | 15/7, 18/1-B, 18/1-C |
| 2019/104 | 11.04.2019 | Regarding Facebook | ₺1.650.000 | 12/1, 12/5 | 4/2-A, 4/2-Ç | 18/1-B |
| 2019/269 | 18.09.2019 | Regarding Facebook | ₺1.600.000 | 12/1, 12/3, 12/5 | N/A | 18/1-B |
| 2019/143 | 16.05.2019 | Regarding Marriott International Inc. | ₺1.450.000 | 12/1, 12/5 | N/A | 18/1-B |
| 2019/222 | 17.07.2019 | Regarding Dubsmash Inc. | ₺730.000 | 12/1, 12/5 | N/A | 18/1-B |
| 2019/141 | 16.05.2019 | Regarding Clickbus Seyahat Hizmetleri A.Ş. | ₺550.000 | 12/1, 12/5 | N/A | 18/1-B |
| 2019/144 | 16.05.2019 | Regarding Cathay Pacific Airways Limited | ₺550.000 | 12/1, 12/5 | N/A | 18/1-B |
| 2019/255 | 27.08.2019 | Regarding a tourism company | ₺500.000 | 12/1, 12/3, 12/5 | N/A | 18/1-B |
| 2019/254 | 27.08.2019 | Regarding S Şans Oyunları A.Ş. | ₺180.000 | 12/1, 12/5 | N/A | 18/1-B |
| 2019/023 | 14.02.2019 | Regarding access to the personal data of different persons by changing the last digits of the form/tracking numbers given by a technical service company | ₺150.000 | 12/1 | N/A | 18/1-B, 15/7 |
| 2019/277 | 18.09.2019 | Regarding a bank's use of the data subject's mobile phone number beyond its purpose | ₺100.000 | 12/1 | 4/2-C, 4/2-Ç | 18/1-B |
| 2019/294 | 01.10.2019 | Regarding the data controller requesting a front/back ID card image from the relevant person, who had requested to change his user name and password for the loyalty program offered by an airline carrier company | ₺100.000 | 12/1 | 4/2-Ç, 5, 6 | 18/1-B |
| 2019/331 | 07.11.2019 | Regarding processing of personal data made public by the relevant person in a manner inconsistent with its purpose | ₺100.000 | 12/1 | 5/2-D | 18/1-B |
| 2019/204 | 08.07.2019 | Regarding an investment company processing the phone number of the data subject without relying on any data processing condition and calling this person for promotional/information purposes | ₺75.000 | 12/1 | 5/1, 5/2, Turkish Crim. Code 136 | 18/1-B |
| 2019/052 | 14.02.2019 | Regarding access to the personal data of different persons by changing the last digits of the form/tracking numbers given by a technical service company | ₺50.000 | 12/1 | 15 | 18/1-C |
| 2019/162 | 31.05.2019 | Regarding a stock company (data controller) sending the data subject an electronic commercial message without his explicit consent | ₺50.000 | 12/1 | 5, 6 | 18/1-B |
| 2019/166 | 31.05.2019 | Regarding sending to the data subject's phone content which does not belong to him | ₺50.000 | 12/1 | N/A | 18/1-B |
| 2019/276 | 18.09.2019 | Regarding Sevinç Education Organizations sending a short message for promotional purposes to the relevant person's phone without meeting personal data processing conditions | ₺50.000 | 12/1 | 5/1, 5/2 | 18/1-B |
| 2019/332 | 07.11.2019 | Regarding a doctor processing the phone number of the data subject without relying on any data processing condition and sending a message with promotional/information content | ₺50.000 | 12/1 | 5/1, 5/2 | 18/1-B |
| 2019/159 | 31.05.2019 | Regarding an asset management company sending several messages on the same subject to the data subject | ₺20.000 | 12/1 | 4/2-A | 18/1-B |
| | | | ₺8.005.000 | | | |

TABLE—3: Decisions of the Turkish Personal Data Protection Board that can be Classified as Individual Acts Published in 2019

Facebook is the data controller on which the Board has imposed the most in administrative sanctions. In two separate decisions, the Board imposed fines of 3,250,000 TRY on Facebook. It is significant that four of the five highest fines were imposed on foreign companies.

In the present picture, although the Board has the authority to impose fines of up to 2 million TRY, the fact that it applies fines not even amounting to 200,000 TRY is a significant indication, in my opinion. My comment on this fact would be that the Board tries to maintain its approach, declared in the early days of its foundation: “we don’t want to be remembered with fines.” However, in the following years, as awareness of the protection of personal data develops and compliance processes for data controllers progress, I think it wouldn’t be wrong to say sanctions will be more deterrent.

D.  Compliance Processes and the Registration to VERBIS

On the matter of data controllers' compliance processes, the Board has clarified one point of uncertainty: informing the data subject in accordance with the GDPR does not release data controllers from their obligations under Turkish law. For that reason, the Board states that they must first and foremost inform data subjects in accordance with Turkish law.

The deadlines for the obligation to register with VERBIS, which has led many data controllers to learn about the Law, were postponed twice this year, at three-month intervals. The second postponement decision cites reasons such as data controllers making erroneous notifications while thinking their registry notifications were complete. Another important reason, not stated in the decision, is of course that many data controllers who are obliged to register with the Registry do not even have a user name and password on VERBIS.

E.  Data Breach Notifications

As part of the obligation to notify data breaches set out in Article 12 of the Law, the Board published 37 data breach notifications in 2019, affecting at least 800,000 people.

***

After the completion of 2019 with these developments, I hope bilateral awareness in the field of protection of personal data will reach much better levels in 2020. I wish a successful year to those who study in this field.

I would like to thank Res. Assist. Bilâl Toprak and Buğra Rahmi Bardakçı for their contributions to the article.
