In December 2022, the Turkish Personal Data Protection Authority (“DPA”) announced one data breach notification but did not publish any decisions.
In December, Turkey's Constitutional Court continued to conclude cases on personal data protection. In this respect, the Constitutional Court published two decisions, which we have summarised below.
Decisions on the right to request personal data protection
Recording a private conversation
On 1 December, the Constitutional Court ruled that the applicant's right to request the protection of their personal data was violated and that the state did not fulfil its positive obligations in terms of protecting this right. You can read more about this decision here (in Turkish only).
Background
The applicant filed a complaint with the Prosecutor's office regarding the unlawful recording of their non-public conversation and demanded the protection of their personal data. The Prosecutor's office decided not to pursue the matter, stating that (i) no information relating to private life was recorded, and (ii) the person who recorded the conversation did not intend to commit a crime but had the intention to present evidence.
Evaluation of the Constitutional Court
The Constitutional Court stated that (i) the applicant's privacy was violated through the recording, as they had a rightful expectation of preserving their privacy; (ii) using such a recording without the applicant's consent and recording it in a non-public environment constitutes a serious attack on personal data; and (iii) the state must prevent attacks on the right to privacy against individuals.
Requesting information about a private phone
On 20 December 2022, the Constitutional Court decided that a telecommunications provider (the “operator company”) violated the right to request the protection of personal data by rejecting the applicant's request for information about their phone. You can read more about this decision here (in Turkish only).
Background
The applicant requested various types of information, such as internet data, log records, IMEI information, and IP numbers regarding the telephone number that they used from the relevant operator company. The operator company refused this request by stating that they could not provide this information unless a court requests it. The applicant filed a case before the first instance and appeal courts; however, they were refused.
Evaluation of the Constitutional Court
The Constitutional Court referred to the right to respect for private life and emphasised that it was mandatory to determine an effective and accessible procedure that would enable individuals to access any information concerning them.
In this respect, the Constitutional Court considered the information that the applicant requested to access as personal data and stated that this request needs to be examined in terms of the applicant's right to request the protection of personal data. As a result, the Constitutional Court ruled that the rejection of the applicant's request by the first instance and appeal courts violated the right to an effective application in connection with the right to request the protection of personal data.
The DPA announced the following data breach notifications in December:
Data Controller |
Affected Data Subjects |
Affected Personal Data |
Number of Data Subjects |
|
Sitil Çizgi İnşaat Turizm ve Tekstil |
Employees, Customers |
Identity, Contact, Transaction Personnel and Customer Transaction Data |
N/A |
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
We operate a free-to-view policy, asking only that you register in order to read all of our content. Please login or register to view the rest of this article.