January 2024 – In December 2023, the Turkish Personal Data Protection Authority (the “DPA”) published 31 decisions as well as its recommendations on mobile applications and announced one data breach notification.
New Decisions from the DPA
On 27 December, the DPA published 31 decisions concerning personal data processing activities across multiple sectors. The published decisions include various rulings, ranging from e-commerce and the banking sector to the health sector and gaming companies. Below we provide summaries of two of these decisions and will provide additional summaries in future editions:
Gaming Company Hit with a Fine Over Unlawful Data Processing
The DPA investigated a complaint from an individual who sought to understand the purposes for which their personal data was being processed by an online gaming company (the “Gaming Company”). As a result of the investigation, the DPA imposed an administrative monetary fine of TRY 750,000 (approx. EUR 23,440) on the Gaming Company for its non-compliance with the Data Protection Law No. 6698 (“DP Law”), specifically due to the unlawful use of cookies for data processing and the failure to obtain explicit consent for cross-border data transfer.
Background: What was the complaint?
The complainant applied before the DPA against the Gaming Company, alleging that
- the Gaming Company’s response to their request for information was inadequate and unclear as to the purpose of the personal data processing;
- their personal data was unlawfully obtained and transferred abroad via software used by the Gaming Company; and
- the privacy notice provided on the Gaming Company’s website was
In its defense, the Gaming Company stated that due to the foreign nationality of its shareholders, the transfer of personal data abroad is a necessity for its operational processes. However, the Gaming Company asserted that all servers used for gaming services are located in Türkiye and denied any illegal data processing activities. The Gaming Company also highlighted that collecting “email addresses and IP addresses” was essential for game registration, to fulfill its legal obligations and legitimate interest.
Evaluation of the DPA
The DPA conducted an on-site inspection at the Gaming Company’s office and at the headquarters of another company from which it receives services. Following this examination, the DPA concluded as follows:
Compliance with the DP Law:
• The use of surveillance software to detect fraud and deception activities (e.g., the use of bots) did not constitute illegal data processing, as it did not access personal data on the players’ computers;
• The personal data of the players was not backed up, and the game servers were located domestically, with no foreign data transfer occurring.
Non-compliance with the DP Law:
• The Gaming Company’s website had ambiguous terms in its privacy notice and did not comply with regulatory standards;
• Essential, functional, analytical/performance, and targeting/advertising cookies were used without a proper “opt-in” consent method;
• Cross-border data transfers were detected through third-party cookies. As explicit consent was not properly obtained, this constitutes an unlawful cross-border data transfer;
• The “Cookie Policy” and “Cookie Declaration” texts provide differing information, and thus updating these documents is necessary.
Decision of the DPA
In light of the above evaluations, the DPA decided to impose a TRY 750,000 (approx. EUR 23,440) administrative monetary fine on the Gaming Company due to its unlawful data processing activities through cookies and its failure to properly obtain the required explicit consent. Additionally, the DPA instructed the Gaming Company to revise its Privacy Policy to comply with the applicable regulations and to take necessary actions for obtaining explicit consent for the transfer of personal data abroad via cookies.
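The finding above turns on one mechanism: non-essential cookies and the third-party tags that set them ran before the user had opted in. The following is an added example (not the Gaming Company’s code) of a consent gate that refuses to set functional, analytics or advertising cookies, and defers third-party tag loading, until the user takes an affirmative action per category. The category names follow the DPA’s list; the function names, the in-memory cookie jar and the sample tag URL are constructed for this example.

```javascript
// Added example: opt-in consent gate for cookies and third-party tags.
// Category names follow the DPA's list; everything else is constructed.
const CATEGORIES = ["essential", "functional", "analytics", "advertising"];

function createConsentGate() {
  // Default state: only essential is allowed. In an opt-in model consent is
  // absent until the user takes an affirmative action (never pre-ticked).
  const consent = { essential: true, functional: false, analytics: false, advertising: false };
  const cookies = new Map();   // name -> { value, category } (stand-in for document.cookie)
  const loadedScripts = [];    // third-party tag URLs that were actually loaded
  const deferred = [];         // tags requested pre-consent; released if/when consent arrives

  function allowed(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
    return consent[category] === true;
  }

  function setCookie(name, value, category) {
    if (!allowed(category)) return false;  // refuse; callers must not relabel as "essential"
    cookies.set(name, { value, category });
    return true;
  }

  // Tags that set their own cookies (the source of the cross-border transfer
  // in the decision) are gated the same way and must not run pre-consent.
  function loadScript(url, category, loader = (u) => loadedScripts.push(u)) {
    if (allowed(category)) { loader(url); return true; }
    deferred.push({ url, category, loader });
    return false;
  }

  // Called only from a user action (e.g. a banner button), never on page load.
  function grantConsent(categories) {
    for (const c of categories) {
      if (!CATEGORIES.includes(c)) throw new Error(`unknown cookie category: ${c}`);
      consent[c] = true;
    }
    // Release deferred tags whose category is now permitted.
    for (let i = deferred.length - 1; i >= 0; i--) {
      const d = deferred[i];
      if (consent[d.category]) { d.loader(d.url); deferred.splice(i, 1); }
    }
  }

  // Withdrawal must be as easy as granting: drop consent and purge that category's cookies.
  function withdrawConsent(categories) {
    for (const c of categories) {
      if (c === "essential") continue;  // essential cookies are not consent-based
      consent[c] = false;
      for (const [name, meta] of cookies) if (meta.category === c) cookies.delete(name);
    }
  }

  function snapshot() {
    return { consent: { ...consent }, cookies: [...cookies.keys()], loadedScripts: [...loadedScripts] };
  }

  return { setCookie, loadScript, grantConsent, withdrawConsent, snapshot };
}

// Walk through the sequence the decision faulted: page load, then a user opt-in
// to analytics only. The advertising tag stays deferred because it was not consented to.
function demo() {
  const gate = createConsentGate();
  gate.setCookie("session_id", "abc123", "essential");           // allowed pre-consent
  gate.setCookie("_ga", "GA1.1.1", "analytics");                  // refused pre-consent
  gate.loadScript("https://ads.example/tag.js", "advertising");   // deferred, not loaded
  const before = gate.snapshot();
  gate.grantConsent(["analytics"]);                               // user ticked analytics only
  gate.setCookie("_ga", "GA1.1.1", "analytics");                  // now allowed
  const after = gate.snapshot();
  return { before, after };
}
```

The design point is that the default state carries no consent at all, so a tag that is requested on page load is held back rather than loaded with a consent check bolted on afterwards; and withdrawing consent deletes the cookies already set, which is what keeps a "Cookie Policy" and the site’s actual behaviour in agreement.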
E-Commerce Site Penalised for Storing Credit Card Details
The DPA has fined an e-commerce site (the “Site”) TRY 500,000 (approx. EUR 15,620) for storing customers’ credit card information post-payment without obtaining explicit consent.
Background: What was the complaint?
A customer complained about the Site’s requirement to store credit card details to complete transactions and claimed that the Site had no legal basis to keep their credit card information after the transaction was completed.
In its defense, the Site argued that keeping credit card details in the membership account was essential for facilitating future purchases and for fulfilling legal obligations and performance of the contract.
Evaluation of the DPA
Upon investigation, the DPA found that the Site’s system did not allow transactions without saving the credit card information, and that these details were kept even after purchases were completed. The DPA concluded that mandatorily storing credit card details to complete a transaction, and retaining them post-payment, did not meet the processing conditions claimed by the Site.
In this regard, the DPA concluded that:
- Storing credit card information to facilitate future purchases is a different data processing activity from the payment transaction itself, referencing the European Data Protection Authority’s decision numbered 02/2021;
- Such storage requires explicit consent from customers;
- The Site’s practice of initially storing card details and allowing customers to remove them later was unlawful and in violation of the rule of fairness.
Decision of the DPA
As a result, the Site was fined TRY 500,000 (approx. EUR 15,620) for violating the DP Law. Additionally, the DPA instructed the Site to develop a new system to obtain explicit consent from customers for storing credit card information and to update its privacy policy accordingly.
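The decision separates two activities that the Site’s system had fused: paying, and keeping a card for later. The following is an added example (not the Site’s code) of a checkout that completes the payment without retaining the card and persists a card reference on the account only when a separate, explicit consent record exists; it also includes an audit that flags stored cards lacking such a record, alongside the faulted store-then-let-remove design for contrast. The payment processor stand-in, the account structure and the function names are constructed for this example.

```javascript
// Added example: consent-aware card storage at checkout. The processor,
// tokeniser and account store are constructed stand-ins, not a real API.
let tokenCounter = 0;

// Stand-in for a payment processor: authorises the amount and returns a
// processor-side token. The merchant never stores the raw card number.
function processPayment(pan, amount) {
  if (!/^\d{12,19}$/.test(pan)) throw new Error("invalid card number format");
  tokenCounter += 1;
  return { authorised: true, amount, processorToken: `tok_${tokenCounter}`, last4: pan.slice(-4) };
}

function newAccount(id) {
  return { id, savedCards: [] };
}

// The faulted design: every purchase saves the card to the account and the
// customer may delete it afterwards. No consent is recorded at all.
function legacyCheckout(account, pan, amount) {
  const result = processPayment(pan, amount);
  account.savedCards.push({ token: result.processorToken, last4: result.last4, consent: null });
  return result;
}

// Consent-aware design: the "save this card" option is unticked by default, so
// saveCardConsent is absent unless the customer actively opted in, and the
// consent record (when, for what) is stored next to the card reference.
function checkout(account, pan, amount, { saveCardConsent = null } = {}) {
  const result = processPayment(pan, amount);
  if (saveCardConsent && saveCardConsent.given === true && saveCardConsent.at) {
    account.savedCards.push({
      token: result.processorToken,
      last4: result.last4,
      consent: { given: true, at: saveCardConsent.at, purpose: "future purchases" },
    });
  }
  // Otherwise nothing about the card survives the transaction.
  return result;
}

// Withdrawal path: removing a saved card must be available at any time.
function removeSavedCard(account, token) {
  const before = account.savedCards.length;
  account.savedCards = account.savedCards.filter((c) => c.token !== token);
  return account.savedCards.length < before;
}

// Compliance audit over existing accounts: any stored card without a consent
// record is exactly the situation the DPA found unlawful.
function auditAccount(account) {
  return account.savedCards
    .filter((c) => !c.consent || c.consent.given !== true || !c.consent.at)
    .map((c) => ({ accountId: account.id, token: c.token, last4: c.last4 }));
}
```

The audit is the piece a practitioner would run first on a legacy store: it separates cards that were saved under a recorded opt-in from cards that were saved merely because the checkout required it, which is the distinction the decision draws.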
Recommendations for Using Mobile Applications
On 22 December, the DPA released guidelines addressing the protection of privacy in mobile applications. These recommendations are designed for both individuals using mobile apps and entities obtaining personal data through app usage. The focus is on lawful processing of personal data and on data security, given the diverse and substantial nature of the personal data collected via mobile applications.
The guidelines set out the responsibilities of the various stakeholders involved in the implementation of mobile apps, such as application providers, developers, advertising networks, app store organisations, operating system providers, library providers, and device manufacturers. They note that application providers are generally considered data controllers to the extent that they use users’ personal data for their own purposes, and that integrating a third-party service into a mobile application may result in joint data-controllership status.
You can read the respective guidelines here (in Turkish only).
The DPA announced the following data breach notification in December:
Data Controller | Affected Data Subjects | Affected Personal Data | Number of Data Subjects |
MongoDB Limited | Users/Customers | Identity, Communication, Transaction Security and Other Data | Between 130,000 and 160,000 |