Turkey: Turkish Data Protection Authority's New Decisions Published On July 17, 2019

Turkish Personal Data Protection Board ("Board") published five (5) new decision summaries on the Data Protection Authority's ("DPA") website on July 17, 2019.

I. Use of Private E-Mail Services for Corporate E-Mail Addresses (Board's Decision 2019/157)

Board's decision of May 31, 2019 with number 2019/157 has been rendered in response to a request from a data controller for Board's guidance on the matter of whether a private e-mail service, provided by a foreign company, can be used for corporate e-mail addresses obtained through an open source e-mail service.

The Board stated that the e-mail messages sent or received through the relevant e-mail addresses using the relevant private e-mail service's infrastructure might be stored in data centers located in different parts of the world and therefore, personal data would be deemed to be transferred abroad. Accordingly, the Board concluded that data controllers willing to use the relevant private services shall do so in compliance with the rules on transfer of personal data abroad under Turkish data protection laws (Article 9 of Law No. 6698 on Protection of Personal Data ("DPL")).

Moreover, the Board stated that storage services obtained through data controllers/data processors whose servers are located abroad shall also be in compliance with Article 9 of DPL.

II. Sending Commercial Electronic Communications without Data Subject's Explicit Consent (Board's Decision 2019/162)

Board's decision of May 31, 2019 with number 2019/162 concerns a complaint filed by a data subject on the grounds that commercial electronic communications has been sent to his/her mobile phone number without his/her explicit consent.

The individual claimed that (i) he/she does not know from where and how his/her personal data has been obtained, (ii) he/she did not explicitly consent to receiving such communications and (iii) he/she contacted the data controller to request information but did not receive a response from the data controller in the legal time period.

The data subject requested the following information from the Board: (i) whether data controller has his/her explicit consent to send commercial electronic communications, (ii) whether his/her personal data has been processed and if yes, for which purposes, (iii) to whom his/her personal data has been transferred in Turkey, (iv) whether his/her personal data has been transferred abroad, and if yes to whom, (v) whether data controller is aware of the commercial electronic communications that are sent to him/her.

The Board evaluated the complaint and concluded that sending commercial electronic communications to the data subject's mobile phone number is a data processing activity and in the case at hand, such processing is not based on any of the legal reasons listed in DPL. As a result, the Board imposed an administrative fine of TL 50,000 on the data controller for failing to take technical and administrative measures in order to ensure an adequate level of security to safeguard and prevent unlawful processing of and access to personal data.

III. Processing of Biometric Personal Data by Fitness Centers (Board's Decisions 2019/81, 2019/165)

Board's decisions of March 25, 2019 with number 2019/81 and of May 31, 2019 with number 2019/165 relate to processing of biometric personal data by two different data controllers, which are both operating fitness centers, during entrances and exits of their members. Data subjects made multiple notifications to the Board indicating their concerns regarding safe storage of their biometric information including hand and palm prints as well as practices as such public display of their photos and hour of their last visit at the facilities on television screens.

The Board stated that although biometric data is not listed among the special categories of personal data under DPL, GDPR defines "biometric data" as personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.

Moreover, the Board also referred to GDPR's Recital and a decision rendered by the Turkish Council of State defining and setting out certain criteria regarding biometric personal data and indicated that the data controllers in question are processing special categories of personal data by using biometric information for member identifications.

Referring to other Council of State and European Court of Human Rights decisions and Article 29 Working Party's opinion on developments in biometric technologies as well as the principles set forth under the DPL for legal processing of personal data such as proportionality, the Board concluded that data controllers' practice of requiring their members to use hand and finger print scanning method as the obligatory and only way of obtaining the services provided in the relevant fitness centers is not proportionate.

On the issue of whether explicit consent has been obtained by the data controllers, the Board (i) emphasized that members are required to give their explicit consents for the palm print method under the online membership agreement for the fitness centers, (ii) stated that it appears as though the members would not be able to receive the services provided by the data controllers unless they give their explicit consent and therefore, explicit consent is being presented as a precondition for the provision of services by the data controllers and (iii) thus, concluded that it is not possible to say that explicit consents are given with free will, in the case at hand.

In light of the foregoing, the Board decided to impose an administrative sanction on data controllers for (i) non-compliance with the principle that personal data must be relevant, limited and not excessive in relation to the purposes for which they are processed (Article 4(2) of DPL) since there are alternative methods of member identification and entrance controls, (ii) failing to take all technical and administrative measures in order to ensure an adequate level of security to prevent unlawful processing of personal data considering that the explicit consents have not been duly obtained by the data controllers and (iii) failing to abide by the principle decision rendered by the Board regarding counters, cash desks and tables (2017/62) since data controllers did not take the technical and administrative measures in order to prevent third parties from seeing members' personal information.

The Board also ordered the data controllers (i) to adopt alternative methods for entrance checks and immediately cease processing of biometric information and (ii) to immediately remove hand, finger and palm print information previously obtained and being stored in accordance with DPL and relevant secondary legislation and inform the third parties to whom the relevant personal data has been transferred, if any, regarding the removal activities undertaken by the data controllers.

IV. Sending a Message Containing Irrelevant Content to the Data Subject's Phone Number (Board's Decision 2019/166)

Board's decision of May 31, 2019 with number 2019/166 is rendered upon a complaint claiming that a lawyer sent a text message to his/her phone number with contents relating to a another person (who also happens to be the complainant's nephew/niece).

The complainant indicated that he applied to the data controller regarding the incident and the data controller explained that the incident took place as a result of an employee error, as the employee mistyped one digit in the relevant phone number and consequently, the text message has been sent to the wrong person. However, the complainant argued that the incident could not have resulted as described by the data controller, as his/her number and the nephew/niece's phone number do not only differ by only one digit.

The Board stated that, in the case at hand, the following two data processing activities resulted from one act: (i) name, surname and service number of the third person (niece/nephew of the complainant) being sent to the complainant and (ii) a text message being sent to the complainant and therefore, complainant's personal data being processed without any of the legal reasons listed under DPL.

In light of the foregoing, the Board imposed an administrative fine of TL 50,000 on the data controller for failing to fulfill its obligation to prevent illegal processing of personal data.

V. Sending Multiple Messages on the Same Matter to Data Subject's Phone Number (Board's Decision 2019/159)

Board's decision of May 31, 2019 with number 2019/159 concerns an asset management company which sent a text message on the data subject's phone number on multiple occasions regarding the same matter without obtaining the data subject's explicit consent.

The data subject stated that (i) the text messages did not include an opt-out option, (ii) he/she does not know from where, whom and how his/her personal data has been obtained by the data controller and (iii) he/she applied to the data controller but did not receive a response in the legal time period.

On the matter of failing to respond to the data subject's application, the Board decided not to take action regarding the data controller as the data controller proved through post records that the response has been sent and received by the data subjects in the legal period and also that the response covered all of the areas addressed by the data subject.

The Board also decided not to take action in terms of the contents of the text messages by explaining that the messages has been sent in compliance with banking legislation and rules on financial agreements after the data subject's debt to a bank has been duly transferred to the data controller to ensure that the data subject pays his/her debt to the correct addressee along with explanations regarding payment of the debt. Therefore, the Board concluded that the data processing activity in this case may be carried out without obtaining the explicit consent of the data subject.

On the other hand, the Board stated that the data controller misused its right to send messages by sending the messages with the same contents on different dates and imposed an administrative sanction of TL 20,000 on the data controller for failing (i) to process personal data processed lawfully and fairly and (ii) to take all technical and administrative measures in order to ensure an adequate level of security to prevent unlawful processing of personal data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
Esin Attorney Partnership
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Practice Guides
by Mondaq Advice Centres
Relevancy Powered by MondaqAI
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Esin Attorney Partnership
Related Articles
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions