DPA releases English versions of SCCs

On 29 August 2024 the DPA published English versions of standard contractual clauses (“SCC”), one of the appropriate safeguard methods for cross-border data transfer under the new data transfer regime which began on 1 September. The four English SCCs – Controller to Controller, Controller to Processor, Processor to Processor and Processor to Controller – can be viewed here.

Random number dial market research data clarified

On 26 August 2024 the DPA published its announcement on data processing of telephone interviews utilizing random number dialing methods (used primarily by market research companies).

Since such research does not qualify as official statistics, the law’s exemption provisions do not apply. In the relevant cases subject to complaints, it was determined that research companies kept the data for two years using pseudonymization. Since these data are not anonymized, they also shall not be considered within the scope of the law’s exemption.

Companies employing such practices must comply with the principles of privacy by design and privacy by default and ensure that the applicable software only performs data processing activities necessary for the purpose of processing.

The law requires that the following conditions be met for the processing of this personal data to be considered as based on “legitimate interest”: (i) The interest and fundamental rights and freedoms of the data subject are competitive; (ii) data processing is necessary for the interest; (iii) the interest is already existing, specific and clear; (iv) the data subject will benefit if the interest is obtained; (v) this benefit would not arise without data processing; (vi) the interest is subject to transparent and accountable criteria; (vii) the data subject is not subject to any danger; (viii) all technical and administrative measures are taken; (ix) compliance with general principles; (x) application of a balancing test between the rights and freedoms of the data subject and the legitimate interest.

Clarification of the personal data processing requirement

On 5 August 2024 the DPA published the “Information Note on the Personal Data Processing Requirement Stipulated by Law” which includes evaluations under both Turkish and EU law. It underlines that the administration has discretionary power regarding interpretation of the condition specified in the Article of the Law.

VERBIS fines announced

The DPA announced that, as of 1 August 2024, a total of EUR 14 million in administrative fines have been imposed on data controllers who failed to fulfill their obligations under the Data Controllers Registry Information System (“VERBIS”).

Approximately 136,000 data controllers found to have VERBIS registration and notification obligations were investigated with fines imposed on 16,350. The DPA also stated that administrative fines continue to be imposed on those based on the algorithm table prepared according to the annual financial balance sheet’s total assets.

The announcement specified data controllers’ obligations and reiterated the amounts of the administrative fines. Pursuant to the Article of the Law, it also warned that the Board continues to conduct ex officio examinations on data controllers regarding their VERBIS obligations.

DPA signs cooperation protocol with Ministry

The signing of a cooperation protocol between the Ministry of Trade and the DPA was announced on 28 August 2024. The cooperation aims to raise public awareness of targeted advertising and deceptive commercial design practices; to harmonize adherence to international regulations and practices in common areas, such as digital advertising, digital applications, and the use of personal data; and to produce joint policies against existing and potential violations.

The DPA announced the following data breach notifications in August: