Because the Turkish Data Protection Law ("DPL") entered into force only on 07.04.2016, data protection legislation does not have a long history in Turkey. However, the Turkish Data Protection Authority ("Authority") has introduced several regulations and communiqués in a short span of time. In parallel with these fast-moving legislative developments, the Turkish Data Protection Board ("Board") keeps rendering decisions and imposing administrative fines in order to ensure compliance with data protection legislation and to shed light on how the rules will be applied. In this regard, the Board announced three new decisions on the official website of the Authority on 18.02.2019, which we summarize below.

1) The decision on the necessity of not destroying the personal data in personal files, since the reasons requiring processing have not ceased to exist

At the beginning of its first decision, dated 28.06.2018, the Board stated that the complaint was made upon the non-fulfilment of a public officer's request for the destruction of the documents relating to the investigation files that had been initiated against him/her within his/her incumbency period by public authorities.

The Board first cited Article 7 of the DPL, which stipulates that personal data processed in accordance with the DPL or relevant legislation shall be deleted, destroyed or anonymised, either ex officio or upon the request of the data subject, where the reasons requiring data processing cease to exist. On the other hand, the Board also cited several laws, communiqués and regulations, e.g. Civil Servants Law no. 657 and the General Communiqué on Public Officers, stipulating that personal files of public officers shall be kept after the employment relationship.

Therefore, the Board concluded that the public authority's non-fulfilment of the complainant's request was appropriate: the reasons requiring processing have not ceased to exist, since the documents requested to be destroyed must be kept by the public authority as per the abovementioned legislation.

2) The decision on failing to perform the obligation to prevent unlawful access to personal data

In its second decision, dated 26.07.2018, the Board indicated that the complainant, who had shopped on an online clothing shopping site, first requested the data controller to delete, destroy and anonymize his/her personal data, and also to have that personal data deleted and destroyed within the companies in Turkey or abroad to which it had been provided, because personal data such as delivery place, name, surname and phone number had become accessible to third parties who shop on the same website. The complainant found the company's response inadequate and lodged a complaint before the Authority.

The Board first cited Article 7 of the DPL, as in the decision above. In addition, the Board referred to Article 11, which sets out the data subject's right to know the third parties to which his/her personal data is transferred and the right to request that the personal data be deleted or destroyed in accordance with Article 7 of the DPL. The Board also stated that, as per Article 12 of the DPL, data controllers are obliged to take all necessary technical and organizational measures to ensure an appropriate security level in order to prevent unlawful processing of personal data, prevent unlawful access to personal data and ensure the retention of personal data.

The Board decided (i) to impose an administrative fine on the company on the grounds that, before the incident, it had not taken the necessary technical and organizational measures to ensure an appropriate security level in order to prevent unlawful access to personal data and ensure the retention of personal data, considering that the complainant's personal data had become available to other customers and that the company explained that it had become aware of the issue upon the complaint and had determined that the incident occurred due to a systematic error, and (ii) to instruct the company to provide the complainant, within 30 days of the receipt of the decision, with explanations and probative documents regarding the actions taken upon the complainant's request to have his/her personal data deleted, destroyed and anonymized, and also to have that personal data deleted and destroyed within the companies in Turkey or abroad to which it had been provided.

3) The decision on transferring health data to a third party in the absence of the processing conditions for special categories of personal data

In its third decision, the Board indicated that the complaint concerned the transfer of the health data of the data subject, who had used medication under the supervision of a doctor, by the pharmacy from which the medication was bought, in the absence of the processing conditions.

The Board stated that, as per Article 6/3 of the DPL, health data, which is one of the special categories of personal data, shall not be processed without the explicit consent of the data subject, except for processing by any person or authorised public institutions and organizations that have a confidentiality obligation, for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and nursing services, and planning and management of health-care services as well as their financing. The Board also stated that special categories of personal data shall not be transferred without the explicit consent of the data subject unless the conditions set out under Article 5/2 or Article 6/3 of the DPL exist.

In addition, the Board indicated that data controllers are obliged to take all necessary technical and organizational measures to ensure an appropriate security level in order to prevent unlawful processing of personal data, prevent unlawful access to personal data and ensure the retention of personal data. Lastly, the Board stated that data controllers and data processors shall not use personal data for purposes other than the intended processing purpose and shall not disclose personal data to third parties in a manner contrary to the DPL.

In light of the foregoing, the Board decided to impose an administrative fine on the pharmacy on the ground that it transferred health data to a third party in the absence of the conditions set out under Article 5/2 or Article 6/3 of the DPL.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.