November 2023 – In October 2023, the Turkish Personal Data Protection Authority (the “DPA”) published three data breach notifications and a guideline on genetic data processing, but did not publish any decisions.
Synergising forces: Strategic collaboration between the Turkish Competition Authority and DPA
On 26 October, the Turkish Competition Authority announced the signing of the Cooperation and Exchange of Information Protocol with the DPA. The main reason for the Protocol is the escalation of the use of big-data technologies for the processing of personal data, raising concerns about both competition and personal data protection.
The Protocol is designed to mitigate concerns about competition and the protection of personal data in the age of big data. Under the Protocol, the Turkish Competition Authority and DPA have committed to the following collaborative efforts:
- Conducting joint studies;
- Enhancing user awareness of personal data protection and competition, especially in digital markets;
- Organising combined presentation and discussion programs;
- Implementing joint training initiatives.
DPA publishes guideline on the processing of genetic data
On 13 October, the DPA published a guideline to emphasise the importance of personal data security in the processing of genetic data and to provide guidance to data controllers. The Guideline on the Processing of Genetic Data (“Guideline”) provides, for the first time, a detailed definition of genetic data and the points to be considered in the processing of genetic data. Key points from the Guideline include:
- Genetic data is defined as “all or part of the information extracted from the entire DNA, RNA and protein sequence encoded from the genome, cell nucleus or mitochondria of a living organism.”
- All data controllers collecting genetic data must implement the necessary technical and administrative measures to ensure the security of these biologic samples.
- For the lawful processing of genetic data under the Turkish Data Protection Law (“DP Law”), it is necessary to (i) have the legal basis for the processing, and (ii) comply with the general principles regulated under the DP Law.
- The concept of informed consent and information regulated under the Regulation on Patient Rights are different from the obligation to inform and explicit consent concepts regulated under the DP Law.
Alert to educators: Strict ban on sharing student images enforced!
On 14 October, an amendment was introduced through the Regulation on the Amendment of the Ministry of National Education Preschool and Primary Education Institutions Regulation published in the Turkish Official Gazette. According to this amendment, images of students taken during the following activities must not be shared on social media platforms or communication groups under any circumstances:
- Educational activities both within and outside the school environment,
- Social and cultural activities,
- Images captured during excursions and observational activities.
The publication of any relevant images is only permissible with the written consent of both the parents and the student obtained under the supervision of a guidance counsellor.
Issue 2 of the DPA Bulletin has been published!
The second edition of the DPA Bulletin, aimed at raising awareness and sharing information about personal data protection, has been released. This edition focuses on the topic of the right to be forgotten. It includes global developments and highlights advancements from July to September 2023.
- The right to be forgotten: is defined in the Bulletin as the ability of individuals to request the removal or non-publication of their previously lawfully shared and accurate information over time. This right allows people to ask for the cessation of storage of news, comments, and content that could harm their reputation, and to limit or prevent third-party access.This Bulletin states that in Turkey, while no specific legal regulation includes this right, various regulations provide mechanisms to establish it. The right to request the “erasure of personal data” under the DP Law, also a data subject right, facilitates the implementation of the right to be forgotten.
- Balancing Privacy with Digital Footprints: In the Bulletin, while discussing the right to be forgotten, attention is also drawn to requests related to the exercise of this right due to the control power of search engines over personal data. The status of search engines under the DP Law and whether they are obligated to remove links that appear in search results when an individual’s name and surname are entered in the search engine were addressed.
You can access the Bulletin here. (In Turkish only)
The DPA announced the following data breach notifications in October:
Data Controller | Affected Data Subjects | Affected Personal Data | Number of Data Subjects |
Tokat Gaziosmanpaşa Üniversitesi | Students | Identity, Communication Data, Audio and Visual Recordings | Approx. 741 |
Johnson Controls Klima ve ServisSoğutmaSanayi ve Ticaret | N/A | N/A | N/A |
Havaist Taşımacılık Sanayi ve Ticaret | N/A | Communication Data | 77,000 |