December 2023 – In November 2023, the Turkish Personal Data Protection Authority (the “DPA”) published five data breach notifications and a public announcement.
DPA Reminder: Caution Against SMS Codes During Sales Finalisation
On November 13, the DPA issued a public announcement addressing concerns related to common practices in shopping centers. Numerous complaints revealed that customers’ phone numbers were being collected by cashiers, who subsequently sent a verification code via SMS during checkout process.
This code was reportedly necessary for completing payments, generating invoices, delivering invoices to a communication address, or updating personal details. However, it has come to light that this code was used to obtain consent without adequately informing customers. Consequently, customers complained about receiving marketing messages from the store.
In its announcement, the DPA reminded its previous announcement[1] on this SMS method, and highlighted the following points:
- For an explicit consent to be freely given, individuals must be fully informed about what they are consenting to;
- The element of free will is compromised when obtaining an explicit consent is presented as a precondition for offering a product or service.
In order to ensure compliance with Turkish DP Law in personal data processing activities within stores, the DPA stated the following measures:
- Provide layered clarification regarding the (i) purpose of the SMS sent to individuals’ phones and (ii) consequences of providing the code transmitted via this SMS.
- Discontinue practices that consolidate different processing activities, such as using the verification code sent by SMS during payment processes for approving membership agreements, and obtaining explicit consent for marketing messages.
- Request explicit consent of individuals after the completion of the shopping rather than as a mandatory phase for completing a purchase.
DPA’s November Agenda
- Symposium on the Protection of Personal Data and the Right to Information on the 100th Anniversary of the Republic of Türkiye:
On November 1, 2023, a symposium was organized jointly by the DPA and the Right to Information Assessment Board. It featured two sessions titled “Evaluation of the Right to Request Protection of Personal Data within the Framework of the Right to Information” and “The Right to Request Protection of Personal Data in the Context of the Right to Information.”
- 2nd International Congress on the Protection of Personal Data:
On November 16-17, 2023, a congress focused on personal data protection was held with the main theme “A Priority in the Digital Age: Privacy.” The congress discussed recent developments related to technology, privacy, and artificial intelligence applications in the field of personal data protection.
- Event on the Protection of Personal Data in the Mediation Process:
On November 20, 2023, in collaboration with the Ankara Chamber of Commerce, an event was organized focusing on the protection of personal data in mediation processes. The relationship between the protection of personal data and a fair and effective mediation process was addressed.
The DPA announced the following data breach notifications in November:
Data Controller | Affected Data Subjects | Affected Personal Data | Number of Data Subjects |
VavaCars Turkey Otomotiv | Employees, Users, Subscribers/Members, Customers And Potential Customers | Identity, Communication, Finance, Customer Transaction, Other (Vehicle Related) Data | Approx. 32.589 |
Demirkol Otel İşletmeciliği Turizm ve Tic. | N/A | Identity, Communication, Location, Personnel Information, Legal Process, Customer Transaction, Transaction Security, Risk Managament, Finance, Professional Experience, Marketing, Audio and Visual and Race and EtnicOrigin Data | 5 |
BS Bizim Servis Personel Danışmanlık Hiz. | Employees, Customers And Potential Customers | Identity, Personnel Information, Legal Process, Transaction Security, Union Membership and Criminal Conviction and Security Measures Data | N/A |
Kaymek Kayseri Mesleki Eğitim ve Kültür AŞ | Students | Identity, Communication, Location, Personnel Information, Race and EtnicOrigin Data | 7186 |
Türkiye Ziraat Odaları Birliği | N/A | Identity Data | 162.000 |