Two-Minute Recap of Recent Developments in Turkish Personal Data Protection Law – May 2023

June 2023 – In May 2023, the Turkish Personal Data Protection Authority (the “DPA”) published two data breach notifications but did not publish any decisions.

On 3 May 2023, the DPA hosted the “e-safe Personal Data Protection Summit” covering various aspects of personal data protection, including legal, sector-specific, and technological developments. The discussions also emphasised the benefits of artificial intelligence and highlighted data subjects’ rights, specifically the right to object, as outlined in the Personal Data Protection Law (the “DP Law”).

In this month’s two-minute recap, we have also compiled highlights from the 40 decisions issued by the DPA in April.


Ensuring Compliance: Establishing a Valid Legal Basis for Personal Data Transfers!

In its decision published on 24 April 2023, the DPA emphasised the importance of the fundamental principles of explicit consent, in particular that consent must be based on information and given of free will. In addition, the DPA issued its findings on the sharing of customer data with partner institutions in the banking sector. With this decision, the data controller bank, which failed to (i) transfer customer data based on a valid legal basis and (ii) obtain explicit consent based on information and free will, was subject to an administrative fine of TRY 250,000 (approx. EUR 11,200).

Background:

The data subject, who was repeatedly contacted by an insurance company on their personal phone, discovered that the data controller bank had shared their phone number with the insurance company. Consequently, the data subject lodged a complaint with the DPA.

Considerations By The DPA:

The DPA evaluated a document entitled “Campaign Communication Preferences Instruction” through which the data subject granted authorisation for receiving messages. Upon examining the instruction, several issues were identified:

  1. ambiguous expressions were used concerning future actions,
  2. consent boxes were pre-selected by default, and
  3. the data subject was not adequately informed about the transfer of their personal

As a result, the DPA determined that these practices contradict the fundamental principles of explicit consent, specifically the principles of being “based on information” and “based on free will”.

Despite the data controller bank asserting that (i) under Turkish banking law, it had the authority to share specific limited data with the institutions it collaborates with for services and support, and (ii) the data subject had given consent to receive commercial messages, these claims were rejected. The DPA concluded that the data controller had no valid legal basis to transfer the data subject’s contact data to the insurance company, since there was no exemption from the confidentiality obligation under Turkish banking legislation, and explicit consent for such transfer was not obtained in line with the DP Law.

What Is The Decision?

As a result, the DPA imposed an administrative fine of TRY 250,000 (approx. EUR 11,200) on the data controller due to (i) lack of a valid legal basis for the data transfer and (ii) failure to implement adequate technical and organisational measures when transferring the data subject’s contact data to a third party.


Enhancing Data Security: Embrace the Power of Identity Verification!

The unauthorised sharing of processed personal data with third parties through unlawful means is a matter of significant concern to both the DPA and the companies involved. The DPA has received numerous complaints on this issue and made decisions accordingly. You can find our article on these decisions here.

Based on the DPA’s sector-neutral assessments of how personal data is processed, data controllers should observe the following principles:

  • Accuracy and timeliness: data controllers must ensure that personal data is accurate and kept up to date when
  • Periodic verification: regular verification of the contact information of data subjects and establishment of the necessary mechanisms to keep data up to date; and
  • Robust identity verification: implementation of robust identity verification mechanisms, as suggested in the relevant decisions of the DPA, in order to prevent unauthorised access by third parties.


The DPA announced the following data breach notifications in May:

Data Controller | Affected Data Subjects | Affected Personal Data | Number of Data Subjects
Boyner Büyük Mağazacılık | Customers (Users) | Identity, Communication Information, Finance | Approx. 3,055,907
Trabzonspor Sportif Yatırım ve Futbol İşletmeciliği Ticaret | Employees, Users, Students, Customers and Potential Customers | Identity, Communication Information, Personnel Information, Customer Transaction, Finance, Professional Experience, Marketing, Visual and Audio Records and Other | N/A

For detailed information, you may reach us:

EBRU TEMİZER

IRMAK SEYMEN VARAT
