The Turkish Data Protection Law Review 2023 | Developments In Practice Over Its Eight Years

Contributor: Moroglu Arseven
“Moroglu Arseven is a full-service law firm, with broadly demonstrated expertise and experience in all aspects of business law. Established in 2000, the firm combines a new generation of experienced international business lawyers, who hold academic, judicial and practical experience in all aspects of private law.”

Preface

With reference to the Personal Data Protection Law numbered 6698, this study, first written in the law's fifth year of enactment and now shared with you in its fourth edition, pertains specifically to the period between 1 January 2023 and 31 December 2023, the law's eighth year of implementation. It covers the points that require attention for compliance with the Personal Data Protection Law, changes in practice, and the approach of the Personal Data Protection Board during this period. We, Moroğlu Arseven, take pleasure in presenting our work to you.

This study has been prepared based on data found in the activity report of the Personal Data Protection Board for 2022, published on 12 April 2023, and public announcements, works, and decisions published on the official website of the Personal Data Protection Board as of the date of publication.

A. MAJOR DEVELOPMENTS IN LEGISLATION AND PRACTICE

I. Overview of the Legislation on the Protection of Personal Data

Although personal data is protected by several legislative sources, primarily the Constitution of the Republic of Turkiye, the main comprehensive regulation, in line with the modern international approach to personal data protection, was adopted in Turkiye through the Law on Personal Data Protection numbered 6698 ("DP Law"). With the DP Law's entry into force, the interpretation and practice of several other pieces of legislation touching on personal data, primarily the relevant provisions of the Turkish Criminal Code numbered 5237, have been clarified.

Within the DP Law, the Personal Data Protection Authority ("Authority") was established as a financially and administratively autonomous public legal entity with regulatory and supervisory authority. The Authority conducts its operations through a structure comprising the decision-making body, the Personal Data Protection Board ("Board"), and the Presidency.

Secondary legislative processes have been executed subsequent to the DP Law coming into force, including the Regulation on the Data Controllers Registry; Regulation on the Deletion, Destruction or Anonymization of Personal Data; Communiqué on Application Procedures and Principles for Data Controllers; Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Obligation to Inform; and Communiqué on Procedures and Principles Regarding Personnel Certification Mechanisms. Since then, the Authority has been leading practice in the field of personal data protection through its public announcements and decisions of the Board on its supervisory activities.

II. Legislation and Regulations on Data Protection and Privacy

In 2023, while the DP Law itself was not amended, several regulations touching on personal data were enacted in other laws and secondary legislation. The relevant changes are listed below, regulations first and then circulars.

1. The Regulation on Issuing Identity Cards to Disabled Individuals and Establishing the National Disabled Data System

The Regulation on Issuing Identity Cards to Disabled Individuals and Establishing the National Disabled Data System, published in the Official Gazette dated 12 May 2023 and numbered 32188, aims to provide identity cards to disabled individuals and to create a National Disabled Data System to enable such individuals to benefit from rights and services. Accordingly, the regulation outlines the procedures and principles for issuing disabled identity cards ("Identity Cards") to adults with a minimum of a 40% disability rate or children with special needs, and it establishes the guidelines for the National Disabled Data System.

The Regulation on Issuing Identity Cards to Disabled Individuals and Establishing the National Disabled Data System sets out the conditions under which an Identity Card will be destroyed and mandates that the destruction process be completed within one month. Provisions address situations such as the use of cards bearing alterations, erasures or scratches, the use of another person's Identity Card, having a card issued with incorrect information, continuing to use a card despite an obligation to return it, or intentionally altering a card. Penalties and criminal investigations will be initiated against individuals involved in such activities.

Within the scope of the Regulation on Issuing Identity Cards to Disabled Individuals and Establishing the National Disabled Data System, the National Disabled Data System is defined as a database where personal data regarding disabled individuals is processed when transferred from other institutions and organizations or obtained during identity card procedures. Furthermore, the necessary services for the National Disabled Data System will be provided by the Ministry of Family and Social Services, and the technical work for establishing the Data System will be conducted by the Ministry's General Directorate of Information Technologies.

Moreover, the Regulation on Issuing Identity Cards to Disabled Individuals and Establishing the National Disabled Data System comprehensively addresses the principles and procedures regarding data security, processing, and transfers of personal data within the framework of the National Disabled Data System. In alignment with these principles and procedures:

  • The transferring party assumes responsibility for ensuring the accuracy and currency of information conveyed to the National Disabled Data System.
  • As the data controller, the Ministry of Family and Social Services will take necessary measures to ensure the accuracy and currency of personal data transferred to it by other individuals, institutions, or organizations providing services to individuals with disabilities.
  • The fundamental principle within the National Disabled Data System is the confidentiality of personal data. To prevent unlawful processing of and unauthorized access to personal data, and to ensure its preservation, the Ministry of Family and Social Services will implement all necessary technical and administrative measures to achieve an appropriate level of security; the General Directorate of Information Technologies is authorized to implement and oversee these measures.
  • All processes involving personal data, including processing, transfer, deletion, erasure, and anonymization, will be conducted in accordance with the provisions of the DP Law and relevant legislation.
  • There is an obligation to sign a protocol for the transfer of data through continuous or one-time information sharing, or web service requests with the Ministry of Family and Social Services.
  • The responsibility for ensuring the confidentiality and security of personal data transferred by the Ministry of Family and Social Services will rest entirely with the requester of the data transfer, without any limitations regarding duration.
  • Personal data transferred by the Ministry of Family and Social Services cannot, under any circumstances, be made available or disclosed to third parties.
  • Special categories of personal data can only be transferred to third parties under the conditions stipulated by the DP Law, and explicit consent from the data subjects is a prerequisite for such transfers.

2. The Regulation Regarding the Amendment of the Regulation on Remote Identification Methods to be Used by Banks and the Establishment of Contractual Relationships in the Electronic Environment

The Regulation Amending the Regulation on Remote Identification Methods to be Used by Banks and the Establishment of Contractual Relationships in the Electronic Environment was published in the Official Gazette dated 25 May 2023 and numbered 32201, amending the procedures and principles of the original regulation. It entered into force on 1 June 2023.

The notable details included in the relevant regulation are as follows:

  • The remote identification process will be designed in accordance with the general principles outlined in the Regulation on Banking Services Accessibility published in the Official Gazette dated 18 June 2016 and numbered 29746, ensuring accessibility to banking services. The controls specified in the Regulation Amending the Regulation on Remote Identification Methods to be Used by Banks and the Establishment of Contractual Relationships in the Electronic Environment will be tailored based on the specific conditions of individuals with disabilities.
  • In case there is a need for assistance during the video call stage of remote identification for individuals with disabilities, third-party assistance may be sought, and the customer representative can generate photos and/or screenshots showing the front and back of the identity document of the assisting third party along with the individual with disability's own identity document.
  • In identifying a legal entity, the identity of the individual acting on its behalf will be established in accordance with the Regulation on Remote Identification Methods to be Used by Banks and the Establishment of Contractual Relationships in the Electronic Environment, and that individual's authority to represent the legal entity will be verified. If the individual's identity has already been verified as a customer of the same bank and they have logged into a session through the internet banking or mobile banking distribution channels, the near-field communication check against the identity document stipulated in the same Regulation will be considered fulfilled.
  • The authority of an individual to represent a legal entity will be verified by matching the information obtained from the individual against the current data retrieved from the Central Registration System ("MERSIS") and/or the Trade Registry Gazette. If the bank deems it necessary, the customer representative will obtain a copy of the signature circular (power of attorney circular) presented by the individual as evidence of their authority to represent the legal entity. The signature specimen in the circular will be compared with the signature on the individual's identity document and/or in MERSIS, and the validity of the circular will be confirmed using its date and registry number. Signature confirmation, as regulated by the Banking Regulation and Supervision Agency ("BRSA"), may be performed against both the MERSIS records and the signature on the individual's new identity card. Authorized representatives of legal entities will thus be able to perform remote banking transactions following remote identification. In this context, corresponding changes to the definition of "Customer" in the Financial Crimes Investigation Board ("FCIB") Communiqué No. 19 were implemented following the publication of the amending Regulation.
  • Furthermore, the information obtained regarding the legal entity will be confirmed by matching with current data queried from the databases of MERSIS, the Trade Registry Gazette, and the Revenue Administration.
  • The BRSA will be authorized to determine the procedures and principles under which the steps that the Regulation on Remote Identification Methods to be Used by Banks and the Establishment of Contractual Relationships in the Electronic Environment assigns to customer representatives may be performed by financing, factoring and financial leasing companies using artificial intelligence-based methods, in a manner similar to the remote identification processes.

3. Regulation Amending the Regulation on Pre-School Education and Primary Education Institutions of the Ministry of National Education

The Regulation Amending the Regulation on Pre-School Education and Primary Education Institutions of the Ministry of National Education was published in the Official Gazette dated 14 October 2023 and entered into force on the same day. Under this amendment, photographs of students taken during educational activities, social and cultural events, and excursion and observation activities, both within and outside the school premises, cannot be shared on social media platforms or in communication groups without the written permission of the parents and the supervision of the guidance counsellor. Consequently, photographs of children taking part in activities at pre-school and primary education institutions can be shared on social platforms only with the consent of the parents or the child.

4. The Circular Regarding the Use of Open-Source Software in the Public Sector Numbered 2023/13

In order to promote the use of open-source software in the public sector and achieve savings in information technology expenses, reduce dependency on software vendors, and enhance cybersecurity, the Presidency of the Republic of Turkiye published "The Circular Regarding Use of Open-Source Software in the Public Sector numbered 2023/13" in the Official Gazette dated 29 July 2023 and numbered 32262. In this regard, the fundamental points outlined below have been set out:

  • An "Open-Source Software Transition Analysis and Roadmap Report" should be prepared in accordance with the report template and the "Open-Source Software Transition Analysis Guide" announced on the official website of the Digital Transformation Office, and submitted to the Digital Transformation Office. The report should provide an inventory of the commercially licensed software in use and identify which of these applications can be replaced with open-source equivalents.
  • Measures should be taken to allocate the necessary financial resources and workforce for the activities to be carried out in accordance with the created Open-Source Software Transition Analysis and Roadmap Report.
  • During the procurement process of goods and services, preference should be given to open-source software ("OSS") alternatives instead of commercial licensed software. However, this regulation may not be applied in cases where OSS alternatives are not technically and economically feasible. In such cases, detailed technical and economic justifications for not choosing OSS alternatives for the envisaged commercial licensed software should be provided in the project proposal forms submitted to the Strategy and Budget Presidency for budget requests of this nature.
  • Existing OSS developed and customized by software companies operating in Turkiye and personnel employed in Turkiye will be considered in the OSS transition process, even if they do not use OSS licenses in terms of software licensing procedures. These software solutions will be preferred over commercial licensed software if they meet the needs of the relevant public institutions and organizations in their technical and financial aspects, and if suitable OSS alternatives are not available.

III. Documents Published by the Board in 2023

1. Academic Perspective on Personal Data Protection, DP Law Academy Compilation Study

On 8 August 2023, the Authority published a book titled "An Academic Perspective on Personal Data Protection: DP Law Compilation Study", consisting of works on the protection of personal data by academic experts in various fields of law. The book covers studies related to the protection of personal data, privacy, data protection law, and the security of personal data. It includes assessments of the fundamental concepts specified in the DP Law as well as evaluations of the protection of personal data in other areas of law. The book is structured around topics such as the Right to Protection of Personal Data; Protection of Personal Data and Ethics; General Concepts; General Principles under the Personal Data Protection Law; Explicit Consent; Obligation to Respond to Applications Made by Data Subjects; Application and Complaint Procedures; Compliance with the Board's Decisions; Crimes Related to Personal Data; Current Technology and Personal Data; Deletion, Destruction, or Anonymization of Personal Data; Sustainable Personal Data Security Governance; Blockchain and the Protection of Personal Data; Evaluations on the Implementation Issues of the Personal Data Protection Law in Artificial Intelligence; Protection of Personal Data in Civil Law Relations; Processing of Personal Data in the Field of Intellectual Property; Protection of Personal Data within the Framework of Civil Procedure Law; Processing of Personal Data in Labor Law; and Processing of Personal Data in the Health Sector.

2. DP Law Bulletins

Since April 2022, the Authority has been publishing DP Law Bulletins as videos as part of its awareness and information-sharing efforts with the public on personal data protection. Starting from July 2023, under the title "DP Law Bulletin", the bulletins are also published in written form on the official website of the Authority. Each DP Law Bulletin includes selected topics, opinion columns, articles, global developments, the activities of the Authority, and statistical information (complaints and reports received within the period, data breach notifications, administrative fines imposed, legal opinions, and approved commitments for transferring personal data abroad). Two bulletins were published this year: (i) July 2023, Issue 1 (Rethinking Privacy in the Era of Generative Artificial Intelligence), and (ii) July-September 2023, Issue 2 (Traces Left in the Shadows: Right to be Forgotten).

3. 8th Anniversary of the Personal Data Protection Authority

The document titled "5th Anniversary of the Personal Data Protection Authority" was published on the official website of the Authority on 23 November 2022. This document provides detailed information about the organization's structure and the public announcements made by the Authority over the five years. Additionally, numerical data regarding complaints, notifications, and applications submitted to the Authority, data breach notifications, imposed administrative fines, and, finally, details on corporate promotion, awareness, and consciousness-raising activities are presented in detail in the document.

IV. Guidelines Published by the Board in 2023

1. Guide on Points to Consider in the Processing of Genetic Data

The "Guide on Points to Consider in the Processing of Genetic Data" ("Genetic Data Guide"), initially published as a draft by the Authority on 24 August 2022, was finalized and shared with the public on 13 October 2023. The Genetic Data Guide provides detailed information on (i) the definition of genetic data; (ii) data controllers, data processors, data subjects, and the general principles governing the processing of genetic data within the scope of the DP Law; (iii) the evaluation and international transfer of genetic data within the framework of the processing conditions for personal data specified in the DP Law; (iv) the responsibilities of the data controller and the technical and administrative measures for the security of genetic data; and (v) recommendations and suggestions for the processing of genetic data.

Genetic data, which is recognized as special category personal data under Article 6 of the DP Law, has gained a comprehensive definition for the first time with the Genetic Data Guide. The guide refers to the definition under the General Data Protection Regulation ("GDPR") of the European Union, ultimately stating that genetic data is "all or part of the information obtained from the living organism's genome, cell nucleus, or mitochondria, encoding all DNA, RNA, and protein sequences." Genetic data can encompass a single nucleotide polymorphism (SNP) or a comprehensive sequence of the entire genome. This information includes all hereditary or non-hereditary genomic changes obtained from DNA and/or RNA derived from a living organism. Additionally, the guide emphasizes the following points for genetic data:

  • The need for analysis before the data becomes meaningful or informative.
  • The value and significance of raw data and biological samples even before analysis, considering their potential to identifiably link to a real person.
  • The possibility of analyzing samples from deceased data subjects years later in a way that could identifiably link to a real person.

Additionally, the Genetic Data Guide notes, with reference to the Regulation on the Deletion, Destruction, or Anonymization of Personal Data, that it is generally not possible to truly and completely anonymize DNA samples or genetic data: whatever anonymization method is used, the connection between the data and the data subject cannot be completely severed. Therefore, instead of anonymization, de-identification may be the more appropriate concept for genetic data.

The Genetic Data Guide highlights that Genetic Disease Evaluation Centers must obtain a licence from the Ministry of Health to operate, pursuant to the Regulation on Genetic Disease Evaluation Centers. These centers are acknowledged to be data controllers alongside the Ministry of Health and universities, and they may conduct genetic tests only where medically necessary or for scientific research with a medical purpose, provided that appropriate genetic counselling services are offered.

The Genetic Data Guide emphasizes that the processing of genetic data may also reveal the data of genetically related relatives beyond the data subject. Such processing therefore concerns additional data subjects and may serve a purpose different from the one for which the data was originally collected.

Genetic data should be processed in accordance with the general principles of the DP Law. Within this framework, the processed genetic data should be stored only for the necessary duration and promptly destroyed according to the personal data storage and destruction policy when no longer needed. According to the Regulation on Genetic Disease Evaluation Centers, reports and records in the centers should be kept for a minimum of 30 years, electronic records must be backed up indefinitely, and samples and slides should be stored for at least two years under appropriate conditions.

According to Article 6 of the DP Law, the processing of genetic data is possible without the explicit consent of the data subjects in the cases specified in the law only. If the processing of genetic data is limited to health reasons only, and if it aligns with the purposes of protecting public health, preventive medicine, medical diagnosis, treatment, care services, and the planning and management of health services, it can be carried out without obtaining explicit consent, but only by individuals or authorized institutions bound by confidentiality obligations.

In accordance with Article 16 of the Regulation on Personal Health Data, studies involving genetic data should be conducted using data that does not make the data subject identifiable to the extent possible (a principle of processing genetic data as a last resort). This involves minimizing the risks related to personal data security through methods such as the use of pseudonyms. Thus, it is stated that this can be considered allowable within the scope of Article 28 of the DP Law.

The Regulation on Genetic Diseases Assessment Centers specifies that samples may be sent abroad within the scope of the regulation only through licensed genetic diseases assessment centers approved by the Ministry of Health, with the shipment recorded; human-derived biological samples sent for examination are recorded in the Ministry of Health's tracking system. Consequently, samples may be sent abroad for tests that are not performed domestically only through the "International Biological Material Transfer System", which keeps the process safe and appropriate under the control of the Ministry of Health, and only by licensed Genetic Diseases Assessment Centers and medical laboratories. Furthermore, under the Regulation on Medical Laboratories, only licensed medical laboratories are authorized to send samples abroad for examination, and the entry and exit of human-derived biological samples for examination purposes require the approval of the Ministry of Health.

In addition, the Genetic Data Guide emphasizes that providing general explanations alone is not sufficient for informing data subjects whose genetic data is processed. In this regard, data subjects must be specifically informed about which genetic data is collected for what legal reasons and purposes, the significance of this data, and the potential consequences of a breach (the risks associated with the processing of genetic data). It is crucial to provide additional information to data subjects about the processing activities and outcomes of genetic data, making it clear that processing genetic data may grant access not only to the data of the data subjects concerned but also to the data of other family members.

Moreover, it is emphasized that the concept of "informing" mentioned in the Patient Rights Regulation is distinct from the "obligation to inform" that must be carried out before processing the personal data of the patient who qualifies as the "data subject" under the DP Law, and does not substitute for explicit consent.

Additionally, data controllers processing genetic data are obliged to register with VERBİS (the Data Controllers Registry Information System) and to take the necessary technical and administrative measures. Attention is drawn to compliance with the Personal Data Protection Board Decision dated 31 January 2018 and numbered 2018/10 on "Adequate Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data". Data controllers are also advised to take the following measures specifically for the processing of genetic data.

Technical Measures

  • Cloud Storage of Genetic Data: The Genetic Data Guide recommends avoiding the storage of genetic data in cloud systems. If processing genetic data in a cloud is necessary, attention should be paid to the following:
    • Detailed records of the genetic data stored in the cloud should be maintained.
    • Backups should be taken outside the cloud.
    • Remote access to genetic data in the cloud should be encrypted with cryptographic methods ensuring sufficient security.
    • Standardized and secure cryptographic algorithms included in the standardized cryptographic algorithm suite should be used in applications, devices, and systems.
    • Industry standards and best practice examples for standardized and secure cryptographic algorithms should be considered.
    • If the use of cryptographic algorithms not included in the standardized cryptographic algorithm suite is necessary, an analysis and evaluation of whether they provide a sufficient security level should be conducted by an authorized crypto analysis laboratory before use.
    • The encryption and key management policy should be clearly defined.
    • Access to cryptographic keys should be restricted to authorized personnel with clearance (crypto security certificate).
    • Where possible, separate encryption keys should be used, especially for each cloud solution received.
  • When devices are delivered for maintenance, repair, or other purposes to service providers, or in cases of returning leased devices to the service providers, data storage units on the devices should be removed, or all data should be handed over to the laboratory in hard disk format. A written commitment should be obtained from the service providers stating that there is no data on the service provider's device or server.
  • Before the data controller's system is put into operation, and after any modification, it should be tested in a dedicated test environment using synthetic data.
  • Where real data must be used in testing, genetic data should be used in accordance with the principle of data minimization. Data controllers should implement measures that alert the system administrator to unauthorized access attempts and to any unauthorized access that occurs despite all precautions, as well as measures that protect the genetic data and report the incident.
  • Data controllers should use certified equipment and licensed and up-to-date software in the system, ensure patch management, prefer open-source software whenever possible, and promptly implement necessary updates in the system.
  • Data controllers should be able to monitor and restrict user operations on the software processing genetic data. All actions performed on the program/system processing genetic data should be logged in a separate system and regularly securely maintained. It is important to ensure that the administrator responsible for the log system is different from those responsible for other systems.
  • Hardware and software security tests of systems processing genetic data should be conducted periodically. Any changes made to the systems should be implemented only after the necessary security tests have been completed.
  • Data controllers must adhere to the measures in the Information and Communication Security Guide prepared under the coordination of the Presidency Digital Transformation Office pursuant to the Presidential Circular numbered 2019/12.
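The technical measures above ask that genetic data in the cloud be protected with standardized cryptographic algorithms, that a key management policy be defined, and that separate encryption keys be used for each cloud solution. The following is an added illustration of how that key separation is typically achieved; it is not from the Genetic Data Guide, the Authority or any vendor. It assumes a single master key held outside the cloud (for example in an HSM or offline store, an assumption of this example) and derives a distinct data-encryption key per cloud solution with HKDF (RFC 5869, HMAC-SHA-256), so that rotating or revoking one solution's key never touches another's. The controller and solution identifiers are hypothetical names, and only the Python standard library is used.

```python
"""Per-cloud-solution key separation for genetic data at rest.

Added illustration (not from the Genetic Data Guide or any vendor).
A single master key kept outside the cloud (assumption: HSM or offline
store) is expanded with HKDF (RFC 5869, HMAC-SHA-256) into one distinct
data-encryption key per cloud solution, so the keys are independent.
"""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract: PRK = HMAC(salt, IKM). An empty salt means HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i); output the first `length` bytes."""
    hash_len = hashlib.new(hash_name).digest_size
    if length > 255 * hash_len:
        raise ValueError("requested length exceeds 255 * HashLen")
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_solution_key(master_key: bytes, controller_id: str, solution_id: str,
                        key_version: int = 1, length: int = 32) -> bytes:
    """Derive the data-encryption key for one cloud solution.

    The info string binds the key to the data controller, the cloud solution
    and a version number: bumping key_version rotates one solution's key, and
    dropping a solution revokes its key, without affecting any other solution.
    The salt is a fixed, non-secret domain-separation label (assumption of
    this example); controller_id and solution_id are hypothetical names.
    """
    if len(master_key) < 32:
        raise ValueError("master key must be at least 256 bits")
    prk = hkdf_extract(b"genetic-data-kms-v1", master_key)
    info = f"{controller_id}|{solution_id}|v{key_version}".encode()
    return hkdf_expand(prk, info, length)


if __name__ == "__main__":
    # Constructed master key for demonstration only; a real one comes from the HSM.
    master = bytes.fromhex("42" * 32)
    archive_key = derive_solution_key(master, "lab-A", "cloud-archive")
    pipeline_key = derive_solution_key(master, "lab-A", "cloud-pipeline")
    rotated_key = derive_solution_key(master, "lab-A", "cloud-archive", key_version=2)
    print("archive  :", archive_key.hex())
    print("pipeline :", pipeline_key.hex())
    print("rotated  :", rotated_key.hex())
    print("keys independent:", len({archive_key, pipeline_key, rotated_key}) == 3)
```

The derived keys are what the application would hand to an AES-GCM (or equivalent standardized) cipher for each solution; the master key itself never leaves the controller's premises, which also keeps the "access to keys restricted to cleared personnel" bullet enforceable at a single point.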

Administrative Measures

  • Although not explicitly covered by Turkish legislation, the Genetic Data Guide emphasizes concepts found in the GDPR, including the establishment and management of genetic data based on the "Privacy by Design" principle and the application of Data Protection Impact Assessments.
  • Genetic data should be safeguarded in a manner that prevents access by anyone other than authorized personnel who have received relevant training and have entered into confidentiality agreements.
  • A Personal Data Processing Inventory should be prepared, and notification must be made to VERBİS.
  • Separate processing policies, emergency procedures, and reporting mechanisms should be established for genetic data processing processes.
  • Genetic data in electronic environments should be regularly backed up using a secure backup system, and data set backups must be kept off the network.
  • The obligation to inform, in accordance with the legislation, should be fulfilled in detail, and explicit consent from the data subject should be obtained if necessary.
  • Data controllers should measure and monitor their preparedness for a potential data breach continuously through internal random and periodic audits and risk analyses related to genetic data processing activities.
  • In service contracts with data processors involved in genetic data processing processes, the data controller should include security measures deemed necessary and conduct regular audits or inspections at specified intervals to ensure that the selected data processor has implemented the required technical and administrative measures.
  • The data controller should record and document their compliance with all the mentioned principles and criteria, and this information should be disclosed to the public.

The "Information and Communication Security Measures" subject, outlined in the Presidential Circular numbered 2019/12, emphasizes the secure storage of critical information and data, such as population, health, communication records, genetic, and biometric data, within the country to prevent disruption to the public order. In line with national and international standards and information security criteria, the Presidency Digital Transformation Office has published the "Information and Communication Security Guide" to ensure the security of critical data that could potentially disrupt the public order. Additionally, the "National Cyber Security Strategy," introduced through the Presidential Circular numbered 2020/15, further supports these efforts. In this regard, the Genetic Data Guide recommends implementing the following measures for genetic data:

  • Determining procedures based on the processing purposes of genetic data and making detailed regulations regarding the conditions for transfer as specified in Article 9 of the DP Law.
  • Taking the necessary measures to protect the confidentiality of processed genetic data and to prevent its use beyond its intended purpose.
  • Supporting local laboratories and conducting efforts to procure local medical devices to minimize the sending of genetic data tests abroad.
  • Making administrative regulations for the local storage of genetic data and supporting the national information infrastructure.
  • Encouraging the development of national genetic data banking for scientific purposes and the establishment of genetic data storage centers.
  • Enhancing transparency, clarity, and accountability practices during the processing of genetic data and ensuring public awareness.
  • Providing necessary training for personnel involved in genetic data processing on the protection of personal data or ensuring it is fulfilled by the "Patient Rights Unit."
  • Informing data subjects about the results when sending genetic data abroad, and increasing societal awareness.

2. Recommendations for the Protection of Privacy in Mobile Applications

The Board released the "Guidelines for the Protection of Privacy in Mobile Applications" ("Mobile Application Guide") on 22 December 2023. In the Mobile Application Guide, emphasis is placed on the critical importance of safeguarding individuals' personal data in mobile applications, given the extensive use of various sensors such as microphones, cameras, accelerometers, GPS, Wi-Fi, and Bluetooth on mobile devices commonly used by users, as well as the widespread use of cloud services by mobile application developers. Accordingly, the Mobile Application Guide addresses existing and potential risks related to the protection of privacy in mobile applications and aims to provide general recommendations of a non-specific nature to data subjects and data controllers regarding the processing of personal data activities carried out through mobile applications.

In mobile applications, various types of personal data, including special categories of personal data, may be processed for purposes such as enhancing user experience, providing functionality, improving the services offered, and creating marketing strategies. This data may encompass identity information (name, surname, ID number, date of birth, etc.); membership details (username, password, etc.); contact information (home address, phone number, email address, etc.); financial information (IBAN, credit card number, etc.); online identifiers (IP address, MAC address, IMEI and IMSI numbers, fingerprint extraction through the installed application list on the device, etc.); user interactions (search history, in-app purchases, etc.); location information; phone book or friend lists in applications; biometric data (facial recognition data, fingerprint data, voiceprint biometrics, etc.); health data if the application is health-related (heart rate, sleep pattern, etc.); visual data collected by granting access to the device's camera and gallery; auditory data collected through voice commands or messaging applications; and text data collected from messaging platforms.

In mobile applications, various entities, including the application provider, application developer, advertising network, application store organization, operating system provider, library provider, and device manufacturer, are involved in the processes of processing personal data. Examples are provided in the Mobile Application Guide regarding the circumstances in which the relevant parties may be considered data controllers within the process:

  • The application provider is generally considered a data controller when they use users' personal data for their own purposes.
  • It is emphasized that there may be multiple data controllers regarding the collected personal data in mobile applications. For instance, if a third-party service provider is involved in the mobile application for implementing two-factor authentication to prevent fraud, or if a third-party service such as advertising networks is integrated into the application, multiple data controllers may arise.
  • When applications installed on a mobile device are used, the operating system provider may be considered a data controller if they aggregate data and use personal data collected from the applications on the user's device for their own purposes.
  • In a scenario where the application provider and developer are separate entities, based on the contract between the application provider and developer, if the application developer assumes only a technical role in personal data processing and does not process personal data for their own purposes, the application developer may be considered a data processor.
  • Personal data collected from mobile applications is generally stored in the cloud, and, when cloud services used by the application developer are involved, the application developer may also be considered a data processor.

Recommendations for Individuals

The Mobile Application Guide provides guidance for individuals on what to consider before installing a mobile application:

  • The application should be downloaded to the device through platforms deemed trustworthy, such as application stores.
  • Before installing an application, users should gather information about the application developer and ensure the accuracy of the application name.
  • To gain insights into the functionality and reliability of the application, users should check user reviews and the ratings received by the application from users.
  • Before downloading the application, users should check what permissions are requested for accessing data and review the application's privacy policy.
  • In cases where the application requests more personal data than is necessary for providing the service, users should assess whether there is a genuine need for this information and, if necessary, explore alternative applications.

The Mobile Application Guide also provides considerations to be aware of during the use of a mobile application:

  • It is highlighted that during the use of the application, additional permissions may be requested for accessing data that is not necessary for the specific functionality of the application. Users are advised to reject access requests and to explore alternative applications if there are concerns about the protection of privacy.
  • Permissions granting continuous access to location, audio, and visual data on mobile devices should be evaluated based on the intended use of the data.
  • Users are advised not to use their social media accounts to log in to applications. It is noted that logging into an application using the user's social media account information may allow the application to collect information from the relevant social media account in certain situations.
  • The importance of avoiding easily guessable passwords, creating different passwords for each account whenever possible, and enabling two-factor authentication is emphasized.
  • It is recommended to keep applications up to date, as applications with outdated software are at a higher risk of being vulnerable to attacks. Therefore, it is advised to regularly update the applications in use.

Recommendations for Data Processors

i. Ensuring Compliance with General Principles

Principle of Legality and Fairness: Application developers and providers are expected to question whether there is a legal basis for processing before commencing any processing of personal data. They should maintain honesty and transparency regarding the personal data processed in mobile applications, enable individuals to exercise their rights, and implement processes and designs that support the use of these rights. It is emphasized that transparency should be maintained regarding third-party processes utilized in the mobile application, and, if there is no legal basis for processing personal data through the integrated third-party service, this service should not be used in the application. Examples of applications that violate the principle of legality and fairness are also provided:

  • In mobile applications that operate with voice commands supported by voice control assistants, transparency regarding the processed personal data is essential. For instance, it is noted that, if the voice-command feature of the mobile application is activated automatically on the device when the application is first used, it may be contrary to the principle of legality and fairness. On the other hand, measures such as accessing the microphone only when the user actively uses the device, rather than when the mobile phone is on a table or in the user's pocket or bag, are suggested to meet the user's reasonable expectations in the processing of personal data.
  • A mobile application that tracks individuals' physical activity levels by counting steps and monitoring sleep patterns and dietary habits may process data to create statistical information about these data for the purpose of reminding users to exercise. This can be considered compatible with the intended use of the mobile application. However, it is emphasized that, if the mobile application provider offers health insurance services and uses the personal data collected through the mobile application to calculate insurance premiums, it may violate the principle of fairness due to exceeding the user's reasonable expectations.

Principle of Being Accurate and Up to Date When Necessary: Within the scope of mobile applications, it is stated that users should be provided with the opportunity to correct their personal data, and the application should be designed to facilitate this option for users. It is emphasized that outdated personal data may pose a risk of identity theft. Examples of applications that may violate the principle of accuracy and timeliness, while also compromising individual privacy, are also provided:

  • In a scenario where a user enters their email and phone number information when signing up for a mobile application, but no verification is performed for this information in the application, and users are not provided with the opportunity to update this information from within the application, a risk of personal data being disclosed to a third party is highlighted. For example, if a user accidentally enters an incorrect email address during registration, and order information related to a purchase made through the mobile application is sent to this email address, it could lead to the exposure of personal data to an unintended recipient.
  • It is emphasized that, in a situation where a user changes their phone number after some time and requests a password reset through the mobile application due to forgetting the password, there is a risk of the reset code being sent to the old phone number entered by the user during the password reset process, even if that number is no longer in use. This could pose a risk of the code being transmitted as a message to a third party.
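The two failure modes above share one root cause: a contact channel that was never verified, or that is no longer current, is still trusted to deliver sensitive messages. The following is an added example, not code from the Mobile Application Guide or from any particular application, showing a backend-side pattern that addresses both cases: a contact address is stored as unverified at registration, becomes trusted only after the user confirms a code sent to it, reverts to unverified whenever it is changed (so the old number is discarded rather than kept as a fallback), and a password-reset code is only ever sent to a currently verified channel. The class and method names (`ContactVerification`, `request_password_reset`, the `outbox` standing in for an SMS/e-mail gateway) are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Contact:
    """A contact address plus its verification state. Constructed for this example."""
    value: str
    verified: bool = False
    pending_code: Optional[str] = None


@dataclass
class Account:
    username: str
    email: Contact
    phone: Contact
    reset_codes: Dict[str, bool] = field(default_factory=dict)


class ContactVerification:
    """Hypothetical backend service: contact channels must be verified before they are trusted."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # (channel, address, message) tuples; stands in for the real SMS / e-mail gateway
        self.outbox: List[Tuple[str, str, str]] = []

    def register(self, username: str, email: str, phone: str) -> Account:
        # Both channels start unverified; the user must confirm each one before it is used.
        acct = Account(username, Contact(email), Contact(phone))
        self.accounts[username] = acct
        self._send_verification(acct.email, "email")
        self._send_verification(acct.phone, "sms")
        return acct

    def _send_verification(self, contact: Contact, channel: str) -> None:
        contact.pending_code = f"{secrets.randbelow(10**6):06d}"
        contact.verified = False
        self.outbox.append((channel, contact.value, f"verification code {contact.pending_code}"))

    def confirm(self, username: str, channel: str, code: str) -> bool:
        """Mark a channel verified if the submitted code matches (constant-time compare)."""
        acct = self.accounts[username]
        contact = acct.email if channel == "email" else acct.phone
        if contact.pending_code is not None and secrets.compare_digest(contact.pending_code, code):
            contact.verified = True
            contact.pending_code = None
            return True
        return False

    def update_phone(self, username: str, new_phone: str) -> None:
        # The old number is replaced outright, never kept as a fallback delivery address,
        # and the new number is untrusted until the user confirms it.
        acct = self.accounts[username]
        acct.phone = Contact(new_phone)
        self._send_verification(acct.phone, "sms")

    def request_password_reset(self, username: str) -> bool:
        """Send a reset code only to a currently verified phone; otherwise send nothing."""
        acct = self.accounts.get(username)
        if acct is None or not acct.phone.verified:
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        acct.reset_codes[code] = True
        self.outbox.append(("sms", acct.phone.value, f"password reset code {code}"))
        return True
```

The refusal in `request_password_reset` is what prevents the stale-number case: after `update_phone`, the account has no verified phone at all until the new number is confirmed, so the reset code cannot be routed to anyone. An account-recovery path for users who lose access to every verified channel is deliberately out of scope here and would need its own identity-proofing step.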

Principles of Specific, Clear, and Legitimate Processing, and Processing Connected, Limited, and Proportional to the Purpose: In mobile applications, personal data should be processed exclusively for the purpose of the application. Furthermore, the processing of such personal data should be connected, limited, and proportional to the purpose, ensuring predictability for users. In this regard, if it cannot be explained how personal data is related to the functions or activities offered through the mobile application, such data should not be collected. Additionally, personal data obtained by the mobile application should not be subject to processing activities exceeding the intended use of the application. The Mobile Application Guide provides examples of the application of principles such as specific, clear, and legitimate processing, as well as processing being connected, limited, and proportional to the purpose:

  • A mobile application designed for contact tracing for the purpose of combating infectious diseases can achieve its intended use by only processing proximity data (information indicating how close individuals have been to each other, collected through Bluetooth technology). Therefore, tracking of the exact location and movements of the users by the application, with the aim of identifying if a user has had close contact with another user who has an infectious disease, would be unnecessary and could be considered a violation of the principle of processing being connected, limited, and proportional to the purpose.
  • In cases where processing activities within the scope of the services provided by the mobile application can be carried out using personal data stored only in the local storage of the device on which the mobile application is used, not transmitting such personal data to the data recording systems of the mobile application provider would be in accordance with the principle of processing being connected, limited, and proportional to the purpose.

Principle of Retention for the Duration Defined by Relevant Legislation or Necessary for the Purpose of Processing: For personal data processed through mobile applications, clearly defined retention and disposal periods justified by identified business needs or legal obligations should be established. These data should not be stored for a longer period than necessary. The storage period for personal data stored by a mobile application developer in the cloud should be determined, taking into account any maximum retention period specified in sector-specific legislation applicable to the use of the mobile application. If there is no such maximum retention period, a retention period connected to the purpose of processing these data should be established. Additionally, it should be stated that, once the retention period expires, the personal data are expected to be securely destroyed using all necessary technical and administrative measures. The Mobile Application Guide also gives a good practice example for compliance with the principle of retention for the duration defined by relevant legislation or necessary for the purpose of processing:

  • Depending on the nature of the service provided through the mobile application, the retention periods for the personal data of categorized active and inactive users should be determined according to their statuses. For instance, a good practice example in this regard could be the transformation of a user's status to inactive if they do not log into the application for a specific period, and a shorter retention period for the personal data of inactive users compared to active users (excluding legal obligations).
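The active/inactive distinction above is easy to state but is often left as a vague intention rather than an enforceable rule. The following added example, which is not code from the Mobile Application Guide or any real application, turns it into a small retention decision: a user becomes inactive after a configurable period without logging in, inactive users get a shorter retention period than active users, and a legal obligation (modelled as a "legal hold until" date) always extends retention rather than shortening it. All thresholds (`INACTIVE_AFTER_DAYS`, `RETAIN_INACTIVE_DAYS`, `RETAIN_ACTIVE_DAYS`) and the function names are assumptions for the example; a real policy would take them from the sector-specific legislation the paragraph refers to.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed policy parameters; real values come from the applicable legislation and the
# documented business need, not from this example.
INACTIVE_AFTER_DAYS = 365    # no login for this long -> user is classified as inactive
RETAIN_INACTIVE_DAYS = 180   # inactive users are kept for a shorter period ...
RETAIN_ACTIVE_DAYS = 3 * 365 # ... than active users (measured from last activity)


@dataclass
class RetentionDecision:
    status: str            # "active" or "inactive"
    dispose_on: date       # earliest date on which secure destruction is due
    due_now: bool          # True if the disposal date has already passed


def classify_user(last_login: date, today: date) -> str:
    """Active/inactive status derived purely from the last login date."""
    return "inactive" if (today - last_login).days >= INACTIVE_AFTER_DAYS else "active"


def retention_decision(last_login: date, today: date,
                       legal_hold_until: Optional[date] = None) -> RetentionDecision:
    """Compute when a user's personal data should be destroyed under the constructed policy.

    Inactive users: last_login + INACTIVE_AFTER_DAYS + RETAIN_INACTIVE_DAYS.
    Active users:   last_login + RETAIN_ACTIVE_DAYS.
    A legal hold can only extend the date (legal obligations override the shorter period).
    """
    status = classify_user(last_login, today)
    if status == "inactive":
        dispose_on = last_login + timedelta(days=INACTIVE_AFTER_DAYS + RETAIN_INACTIVE_DAYS)
    else:
        dispose_on = last_login + timedelta(days=RETAIN_ACTIVE_DAYS)
    if legal_hold_until is not None and legal_hold_until > dispose_on:
        dispose_on = legal_hold_until
    return RetentionDecision(status, dispose_on, due_now=today >= dispose_on)


def users_due_for_disposal(records, today: date):
    """Given (user_id, last_login, legal_hold_until) tuples, return the ids whose disposal is due."""
    return [uid for uid, last_login, hold in records
            if retention_decision(last_login, today, hold).due_now]


if __name__ == "__main__":
    # Constructed sample records, not real user data.
    sample = [
        ("u1", date(2021, 1, 10), None),              # long inactive, no hold -> due
        ("u2", date(2023, 6, 1), None),               # active -> not due
        ("u3", date(2021, 1, 10), date(2026, 1, 1)),  # inactive but under legal hold -> not due
    ]
    print(users_due_for_disposal(sample, date(2023, 12, 31)))
```

The point of the legal-hold branch is that "excluding legal obligations" in the guide's wording is not a footnote: it has to be a first-class input to the disposal job, or the shorter inactive-user period will delete data the controller is legally required to keep.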

ii. Ensuring Transparency

The Mobile Application Guide emphasizes the following considerations to ensure transparency:

  • The privacy policy and, if separately prepared, the privacy notice should be positioned in a way that is easily accessible to both existing users and potential users considering downloading the application.
  • While informing users about updates related to the application, they should also be informed about any changes that concern the processing of their personal data.
  • Users should be made aware of the default privacy settings of an application, and user-friendly mechanisms with easy-to-understand interfaces should be provided to help them manage their privacy.
  • To enable users to make informed decisions about using an application, information should be provided in compliance with Article 4 of the DP Law.
  • In mobile applications provided by providers based abroad, actions such as making references to Turkiye, providing goods and services with indications that they are offered to individuals in Turkiye, presenting introductory descriptions indicating that the service is provided to people in Turkiye, offering the Turkish language option for services, and providing the option for product delivery to Turkiye are considered as targeting individuals in Turkiye. Similarly, performing activities such as behavioral advertising, online tracking through unique identifiers, and conducting geolocation activities for marketing purposes would indicate monitoring the behaviors of individuals in Turkiye. When targeting or monitoring the behaviors of users in Turkiye through mobile applications, it is important to consider the obligation of VERBİS registration and notification under Article 16 of the DP Law concerning the personal data processed through the mobile application.

iii. Processing Personal Data of Children in Mobile Applications

In relation to mobile applications targeting children or widely used by them, it is recommended to establish systems that verify the user's age and to conduct processing activities for children through a separate policy and procedure.

iv. Determining the Conditions for Processing Personal Data

The Mobile Application Guide emphasizes that determining the conditions for data processing is a prerequisite for fulfilling the obligation of ensuring transparency. In personal data processing activities carried out through mobile applications, obtaining the explicit consent of the user will be necessary when processing personal data that is not required for the main function of the application. In this regard:

  • It is stated that, unless the user gives explicit consent, the collection of the user's location data for targeted advertising purposes should not take place when there is no need to access the user's location for any feature or function of an application requested by the user.
  • Users should be allowed to use the application even if they choose to disable permissions for optional functions such as accessing the microphone or location that are not deemed necessary for the functionality of the application.

v. Ensuring Data Security

It is stated that mobile applications should be designed in accordance with the principles of privacy by design and privacy by default and should be made available in a way to ensure the protection of personal data at the highest level. In this regard:

  • The importance of privacy-focused settings being enabled by default when mobile applications are first used, without the need for additional action by individuals, is emphasized for compliance with the principle of honesty in the processing of personal data.
  • To prevent unauthorized access to devices where mobile applications are used, it is recommended to use authentication methods on the devices. Moreover, the creation of control mechanisms for users regarding simultaneous logins from different devices is considered a beneficial practice.
  • Users are encouraged, if possible, to use multi-factor authentication methods.
  • Regarding access to mobile applications, users are advised to create strong passwords, and implementing a password security policy by regularly changing user passwords is emphasized. Preventing the reuse of previously used passwords when creating new passwords is also considered a good practice.
  • Passwords should be stored securely with adequate security measures, and should be passed through up-to-date "hashing" functions before storage to mitigate the risk of cyber attacks.
  • Regular patch management and software update processes are recommended, and keeping the software up-to-date to address vulnerabilities in mobile applications is advised.
  • The necessity of conducting appropriate software tests before the release of developed mobile applications is highlighted.
  • Limiting the number of unsuccessful login attempts for user account logins in mobile applications and using methods such as CAPTCHA, arithmetic operations, etc., on pages with user entry as a measure against bot attacks are suggested.
  • Before the release of applications, a risk assessment is recommended, taking into account the data protection and security features of the targeted operating systems.
  • To ensure data security during the storage and transmission of personal data in mobile applications, it is suggested to encrypt network communication through a well-configured encryption layer, and to protect stored data through encryption, with secure management of the relevant encryption keys.
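Three of the items above (hashing passwords with an up-to-date function, limiting unsuccessful login attempts, and refusing reuse of previous passwords) are backend-side controls that fit naturally in one component. The following is an added example, not code from the Mobile Application Guide or from any particular application, showing how they combine: each password is salted and hashed with scrypt from Python's standard library, stored in a self-describing format so the parameters can be raised later, verified in constant time, locked out after a fixed number of failures, and checked against a short history before a change is accepted. The class name `PasswordStore`, the storage format, and the constants (`MAX_FAILED_ATTEMPTS`, `LOCKOUT_SECONDS`, `PASSWORD_HISTORY`, scrypt parameters) are assumptions chosen for the example.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Constructed parameters for the example; a production deployment tunes these to its hardware
# and to the applicable policy.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # cost parameters for hashlib.scrypt
MAX_FAILED_ATTEMPTS = 5                        # lock the account after this many failures
LOCKOUT_SECONDS = 900                          # lockout duration
PASSWORD_HISTORY = 3                           # previous hashes kept to refuse reuse


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt hash in a self-describing 'scrypt$N$r$p$salt$digest' string."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters recorded in the stored string; constant-time compare."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return secrets.compare_digest(digest.hex(), digest_hex)


class PasswordStore:
    """Hypothetical in-memory credential store combining hashing, lockout and reuse checks."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}

    def create_user(self, username: str, password: str) -> None:
        self.users[username] = {"hash": hash_password(password), "history": [],
                                "failed": 0, "locked_until": 0.0}

    def set_password(self, username: str, new_password: str) -> bool:
        """Reject a new password that matches the current one or any kept in history."""
        u = self.users[username]
        for old in [u["hash"]] + u["history"]:
            if verify_password(new_password, old):
                return False
        u["history"] = ([u["hash"]] + u["history"])[:PASSWORD_HISTORY]
        u["hash"] = hash_password(new_password)
        return True

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'locked' or 'bad_credentials'; `now` is injectable for testing."""
        now = time.time() if now is None else now
        u = self.users.get(username)
        if u is None:
            hash_password(password)      # same cost for unknown users: no timing-based enumeration
            return "bad_credentials"
        if now < u["locked_until"]:
            return "locked"
        if verify_password(password, u["hash"]):
            u["failed"] = 0
            return "ok"
        u["failed"] += 1
        if u["failed"] >= MAX_FAILED_ATTEMPTS:
            u["locked_until"] = now + LOCKOUT_SECONDS
        return "bad_credentials"
```

Recording the cost parameters inside each stored hash is what makes "up-to-date hashing" maintainable: when the parameters are raised, old entries still verify, and they can be re-hashed transparently on the user's next successful login. The failure counter is reset only on a successful login, so once the lockout expires a single further failure re-locks the account rather than granting a fresh set of attempts.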

V. Draft Guidelines

The Authority did not share any draft guides with the public during 2023. The draft guide on Loyalty Programs within the Scope of Personal Data Protection Legislation, dated 16 June 2022, remains at the draft stage; the Authority has neither finalized it nor shared a final version with the public.

VI. Public Announcements Made by the Board in 2023

In 2023, the Board released a total of seven public announcements. These public announcements cover explanations of the amounts of administrative fines for 2023, data subjects and data controllers affected by the earthquake that occurred on 6 February 2023, the data processing processes of political parties and independent candidates during election periods, the submission of complaints through a power of attorney in electronic form to the Board, investigation of data breaches in public institutions, exceptions related to the VERBİS obligation, and sending verification codes to data subjects via SMS during shopping in stores. Although these public announcements do not have legal binding force, they are significant in reflecting the Authority's legal assessments and approach regarding the respective matters.

Details regarding the published public announcements are provided below in chronological order.

1. Administrative Fines under the Law on the Protection of Personal Data numbered 6698 (for 2023 and 2024)
