Two-Minute Recap Of Recent Developments In Turkish Personal Data Protection Law – March 2022

Gen Temizer

Contributor

Gen Temizer is a leading independent Turkish law firm located in Istanbul's financial centre. The Firm has an excellent track record of handling cross-border matters for clients and covers the full bandwidth of most complex transactions and litigation with its cross-departmental, multi-disciplinary and diverse team of over 30 lawyers. The Firm is deeply rooted in the local market with over 80 years of combined experience of the name partners while providing the highest global standards of legal services.

In March 2022, the Turkish Personal Data Protection Board (the "Board") published one decision and announced two data breach notifications.

The Board also organised a seminar in March regarding smart profiling technologies, biometric data surveillance, and privacy. During the seminar, subjects such as "targeting advertisement based on online behaviours", "transparency on algorithms" and "stages of processing biometric data for identity verification" were discussed.

Ship your data to shop...

In March the Board evaluated a notification regarding a shopping mall (as a data controller) and decided to impose an administrative fine of TRY 300,000 (approximately EUR 18,500) against the shopping mall, as it found that it had violated Turkish Data Protection Law.

The Board initiated its investigation against the shopping mall based on an anonymous notification, which alleged that the shopping mall had requested the official e-government system passwords of data subjects in order to complete the sales process with a promissory note. Although the shopping mall stated in its defence that a screenshot submitted as evidence has the nature of a .jpg file and that they did not collect the relevant data, the Board determined that the screenshot submitted as part of the notification was removed immediately from the website by the shopping mall. In addition, the shopping mall requested the ID number of data subjects for their website membership registration, and the shopping mall is able to verify the ID numbers inserted, as well.

As a result, the Board determined the following in its decision:

  • Invalid explicit consents: Explicit consents collected from data subjects are invalid, as the data subjects had no free will, i.e., their e-government password was requested as compulsory to access the shopping mall's services and to complete orders;
  • Inadequate measures: The shopping mall did not take adequate measures to protect its databases, as it was revealed that a data subject's address information can be displayed when their ID number is entered, and therefore third parties might have unlawful access to the personal data collected;
  • No legal grounds: The shopping mall did not have legal grounds to process the ID numbers and e-government passwords of data subjects under Turkish Data Protection Law;
  • Ambiguous purposes: The shopping mall explained that its purpose in processing such personal data is to verify the ability to pay for the targeted products. However, the Board considered that this explanation has a general nature and is ambiguous, and as a result, the relevant data processing activity constitutes a violation of Turkish Data Protection Law.

The Board also determined that when an account holder (user) inserts an ID number for the second time on the account creation page, the shopping mall's system displays the address information of the relevant registered data subject. Accordingly, this security deficiency may enable unlawful access to the personal data by a third party. As a result, this situation triggered the obligation to notify the Board of a data breach. As the shopping mall failed to notify the Board of such a data breach, the Board launched an ex officio investigation.

In conclusion, the Board decided to impose an administrative fine of TRY 300,000 (approximately EUR 18,500) against the shopping mall. The Board also instructed the shopping mall to destroy all e-government passwords and ID numbers collected and requested that it eliminate the display of data subjects' data.

Constitutional Court Reminder: Ensuring data privacy is everyone's responsibility, including the State's

The Constitutional Court has issued a decision regarding a case where a spouse requested access to his/her spouse's health data. The Constitutional Court ruled that the spouse had obtained the health data of his/her spouse unlawfully, and that the protection of personal data within the scope of the right to privacy had been violated by the public authorities' failure to comply with their positive obligations.

As background, during divorce proceedings:

  • The Applicant's spouse obtained the Applicant's health status, including migraines and their psychological situation before their marriage, and submitted these documents to the court in an effort to disprove the allegations of the Applicant (as part of divorce proceedings).
  • The Applicant first turned to the Public Prosecutor on the grounds that his/her spouse had unlawfully accessed his/her health data.
  • The Public Prosecutor rejected the complaint on the grounds that a spouse, as a first-degree relative, has the right to access the personal and health data of the other spouse. The Applicant then applied to the Constitutional Court.

The Constitutional Court decided that the public authorities have positive obligations such as (i) taking adequate measures and (ii) conducting effective investigations to prevent unlawful interference by third parties with fundamental rights and freedoms. The Constitutional Court also highlighted that the evaluation that a first-degree relative has the right to access the personal and health data of another first-degree relative is incorrect: the Applicant did not provide his/her pre-marriage health records to his/her spouse and did not give explicit consent to share such data with his/her spouse, and this constitutes a violation of the right to privacy.

Anniversary of the Turkish Privacy Shield

On 7 April 2016, Turkish Data Protection Law numbered 6698 was published in the Official Gazette and entered into force, ushering in a new era for privacy in Turkish law.

In order to raise awareness among youth of the importance of the protection of personal data, the Ministry of National Education of the Republic of Turkey has decided to celebrate 7 April as "Personal Data Protection Day".

The Board announced the following data breach notifications in March:

| Data Controller | Affected Data Subjects | Affected Personal Data | Number of Data Subjects |
| --- | --- | --- | --- |
| Marti Ileri Teknoloji A.S. | N/A | N/A | N/A |
| Yonca Saglik Hizmetleri Ltd. Sti. | Employees, Patients | Identity Information, Communication, Personnel Information, Professional Experience, Finance, Marketing Information | 500,000 |


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
