  Ebru Gümüş Karasu

  Ebru is an Associate at Özdağıstanli Ekici. She mainly focuses her time on privacy, prize promotions and technology.

  Ebru has also been involved in important telecommunication projects and technology transactions during her training with the firm.


  Practice Areas & Work Department

  Technology, Media and Telecom

  Data Protection

  Intellectual Property

  Electronic Commerce

  Fintech

   

  Languages

  Turkish

  English

   

  Memberships

  Istanbul Bar Association

  Obligations under the Distance Contracts Regulation are Postponed

  On August 23, 2022, important provisions regarding sellers’ obligation to provide consumers with preliminary information and consumers’ right of withdrawal were introduced (“Amendment”) in the Distance Contracts[1] Regulation, for which the effective date was determined to be January 1, 2024.
  Ebru Gümüş Karasu

  Online Consumer Reviews Are Now Subject to Audit

  Pursuant to the Advertising Board's decision dated September 12, 2023 and numbered 337, the Guide on Consumer Reviews (“Guide”) was published on the website of the Turkish Ministry of Trade on September 19, 2023. With this Guide, the general matters regulated in the Regulation on Commercial Advertising and Unfair Commercial Practices are explained with examples, and the approach taken in the Advertising Board's decisions is made concrete.
  Ebru Gümüş Karasu

  Online Consumer Reviews are Now Subject to Audit

  On September 19, 2023, the Turkish Ministry of Trade published the Consumer Reviews Guide, based on the Turkish Advertising Board's recent decision (dated September 12, 2023, and numbered 337). This comprehensive guide elaborates on key aspects of the Commercial Advertisement and Unfair Commercial Practices Regulation. It defines consumer reviews, outlines their scope, and sets rules for their publication. The guide mandates that reviews should be objective, date-stamped, and available for at least a year. It prohibits misleading health claims and misleading reviews for benefits. Furthermore, it requires transparency in publishing criteria and imposes responsibilities on various stakeholders to ensure fair consumer reviews.
  Ebru Gümüş Karasu

  Turkish Data Protection Board Fines a Private Healthcare Institution for a Mandatory Checkbox

  Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding a private health institution obtaining explicit consent from patients unlawfully, in its decision dated 02.05.2023 and numbered 2023/692.
  Ebru Gümüş Karasu

  Turkish Data Protection Board Fines a Private Hospital for Making Videos about Patients’ Treatments

  Turkish Personal Data Protection Board (“Board”) evaluated a notice regarding a private hospital obtaining explicit consent from patients for processing personal data, including health data, within the scope of advertising and promotion activities in its decision dated 11.05.2023 and numbered 2023/787. In the notice, the data subject demanded that action be taken, stating that the private hospital data controller, through the patient consent forms, requests explicit consent from the patients in order to share their photographs and videos with the contracted media organs for advertising and promotion purposes.
  Ebru Gümüş Karasu

  A Fitness Center Processing Data Subject’s Blood Type

  The Personal Data Protection Board assessed a complaint against a fitness center for processing blood type information, a special category of personal data, without explicit consent. The Board imposed a fine of TRY 100.000 on the fitness center for not meeting obligations under Article 12 of the Law No. 6698 on the Protection of Personal Data. The center was instructed to provide a privacy notice and explicit consent separately as per the law and related guidelines. Allegations of improper data storage and unauthorized access to security camera footage were unproven.
  Ebru Gümüş Karasu

  Change to the Requirements for Registration with VERBIS

  With the decision of the Personal Data Protection Board (“Board”) dated July 6, 2023 and numbered 2023/1154, published today in the Official Gazette, the “annual financial balance sheet total” amount, which had been adopted as a criterion for exemption from the obligation to register with the Data Controllers Registry (“VERBİS”), was re-evaluated in line with the economic conditions in our country.
  Ebru Gümüş Karasu

  Changes to the Requirements for Registration to VERBIS

  The Turkish Personal Data Protection Board amended the exemption limit for Data Controllers Registry (VERBIS) registration due to economic conditions. The new limit is 100.000.000 Turkish Liras for the annual financial balance sheet, up from the previous 25.000.000 Turkish Liras. Data controllers with fewer than 50 employees and an annual financial balance sheet total below TRY 100.000.000 are exempt from VERBIS registration. The effective date is 25 July 2023, and the exception applies only to local data controllers, not foreign ones.
  Ebru Gümüş Karasu

  Regulation on the Cyber Security Competency Model in the Energy Sector

  The Regulation on the Cyber Security Competency Model in the Energy Sector, published in the Official Gazette dated 06.06.2023 and numbered 32213, has entered into force. With this regulation, the Regulation on Information Security in Industrial Control Systems Used in the Energy Sector dated 13.07.2017 was repealed. Certain provisions were set out for the security and reliability of the industrial control systems of legal entities holding licenses in the energy market (Obligated Organizations). In the regulation, the competency model varies by energy sub-sector and consists of three basic competency levels. Obligated Organizations are required to complete, within the targeted period, the items that are tied to the designated level and that they must mandatorily carry out. The regulation aims to ensure that the sector is effectively protected in terms of cyber security.
  Ebru Gümüş Karasu

  Regulation on Cyber Security Competency Model in the Energy Sector

  The Regulation on Cyber Security Competency Model in the Energy Sector (“Regulation”) was published by the Energy Market Regulatory Authority (“Authority”) in the Official Gazette dated 06.06.2023 and numbered 32213. The Regulation entered into force on the publishing date. It repealed the Regulation on Information Security in Industrial Control Systems Used in the Energy Sector (“Repealed Regulation”) dated 13.07.2017 and provides that all references to the Repealed Regulation would be deemed to have been made to the Regulation.
  Ebru Gümüş Karasu

  Sending Invoices Issued to Third Parties to a Data Subject’s E-Mail Address

  The Personal Data Protection Board addressed a complaint about the improper processing of personal data through e-invoice sending to a data subject's email. Despite previous instructions to implement security measures, the data controller continued sending third-party invoices to the data subject. This lack of verification mechanisms and proactive approach violates the principle of accuracy and up-to-dateness under the Law on the Protection of Personal Data No. 6698. Consequently, the Board imposed an administrative fine of TRY 200,000 (approx. EUR 6,954) and instructed the data controller to prevent such data transmission in the future.
  Ebru Gümüş Karasu

  Sending SMS for Marketing Purposes Without Explicit Consent

  The Personal Data Protection Board imposed a fine of TRY 30,000 on a data controller for processing personal data without explicit consent and failing to inform the data subject. The data controller sent marketing messages without fulfilling legal obligations. Although the data controller apologized and made corrections, the Board determined a data breach and a lack of necessary security measures. The fine was imposed for non-compliance with data protection laws.
  Ebru Gümüş Karasu

  Sending Commercial Electronic Message Without Obtaining Consent

  The Personal Data Protection Board assessed a complaint regarding a data controller sending unsolicited commercial emails to a lawyer's work email address without consent. The Board found that the email address was publicly available due to the lawyer's own actions, but this does not justify processing the personal data for any purpose. Since lawyers are not considered traders or merchants, prior consent is required to send commercial emails. The data controller failed to fulfill obligations under the law, resulting in a fine of TRY 150,000. The data controller must also respond to unanswered information requests and provide evidence of data deletion.
  Ebru Gümüş Karasu

  Dispute Resolution Mechanism for “.tr” Domain Names

  With TRABİS becoming operational, where “.tr” domain names are allocated in a way that infringes rights, disputes can be resolved quickly through the dispute resolution mechanism. For this, it is very important to pay attention to the application procedure and deadlines, and for the parties to the complaint to set out their claims and defenses properly.
  Ebru Gümüş Karasu

  Dispute Resolution Mechanism for “.tr” Domain Names

  The allocation of ".tr" domain names in Turkey transitioned from the Middle East Technical University to the Information Technologies and Communications Authority (BTK) and the .tr Network Information System (TRABIS) in 2022. This shifted domain name allocation to a "first come, first served" principle, prompting issues about domain name disputes. To address this, Turkey implemented a system similar to the Uniform Settlement Policy of Domain Name Disputes (UDRP) of the World Intellectual Property Organization. Disputes are resolved within approximately a month by Dispute Resolution Service Providers (DRSPs).
  Ebru Gümüş Karasu

  Sharing Statements Received from a Data Subject During a Job Interview

  The Personal Data Protection Board addressed a complaint where a company shared a data subject's job interview information with their current employer. The Board found that this sharing violated the Personal Data Protection Law and imposed a fine of TRY 100,000 on the data controller. It was clarified that the data controller's obligation to respond to the data subject's application was not affected by an ongoing investigation. The Board also emphasized the need for the data controller to comply with the provisions of the law and warned them accordingly.
  Ebru Gümüş Karasu

  Turkey Cracks Down on Rise of Greenwashing in Ads

  Greenwashing is the practice of presenting a product, brand, or institution as environmentally friendly through misleading ads and claims. It challenges transparency in consumer decision-making. In Turkey, misleading ads are regulated under the Regulation on Commercial Advertising and Unfair Commercial Practices, forbidding misleading information on environmental impact. The Advertisement Board oversees and sanctions commercial advertising, including cases of greenwashing. Recent examples include fines imposed on companies for unproven energy-saving claims, false plant-based product statements, unverified CO2 emission savings, and misleading eco-friendly packaging claims. Compliance with regulations and transparency are essential to avoid penalties and protect consumers.
  Ebru Gümüş Karasu

  Transferring the Health Data of a Data Subject to the Public Institution

  In its decision numbered 2022/790, the Personal Data Protection Board addressed a complaint concerning the transfer of a data subject's health data to a public institution for an ongoing administrative lawsuit. The complaint alleged that the transfer of the data subject's health data from a university hospital to the public institution constituted an unlawful processing of personal data. The Board determined that the transfer violated data protection principles and instructed the data controller to take corrective actions, including disciplinary measures and data destruction. The data subject was also advised to apply for correction through the provincial health directorate. The Board emphasized the importance of timely response to data subject requests.
  Ebru Gümüş Karasu

  Processing of Personal Data of the Child without the Explicit Consent of the Parent

  The Personal Data Protection Board assessed a complaint about a marketing company processing a child's personal data without explicit parental consent. The company's self-employed entrepreneur sent a promotional brochure to an 8-year-old child, allegedly processing the child's data unlawfully. The Board clarified that the entrepreneur acted independently as a data controller, and the company had no involvement in the data processing. The argument that personal data was provided by the data subject was rejected, as it didn't meet the exception provision. Processing the child's name and address for marketing purposes didn't fulfill the conditions in the law, resulting in a fine. The company was instructed to obtain explicit consent and comply with data protection regulations.
  Ebru Gümüş Karasu

  Transferring Personal Data Abroad Without Obtaining Explicit Consent / May 17, 2023

  In its decision, the Personal Data Protection Board addressed a complaint regarding the unauthorized transfer of personal data from a bank to an insurance company. The complaint alleged that the bank shared the data subject's phone number without explicit consent. The Board determined that the transfer violated the Law on the Protection of Personal Data and the principle of obtaining explicit consent. The data controller failed to provide evidence of informed consent or a lawful basis for the transfer. Sharing personal data without the customer's instruction, even with explicit consent, is prohibited. As a result, the Board imposed a fine on the bank for breaching data protection obligations.
  Ebru Gümüş Karasu