Two-Minute Recap of Recent Developments in Turkish Personal Data Protection Law – September 2023

October 2023 – In September 2023, the Turkish Personal Data Protection Authority (the “DPA”) published six data breach notifications but did not publish any decisions.

 

Countdown begins: Turkish DP Law to undergo amendments to align with GDPR standards

Turkey is set to change its data protection rules, as outlined in the Medium-Term Program announced on 6 September 2023. In this respect, the Turkish Data Protection Law (“DP Law”) will be amended within the next year, with the changes expected to take effect in the fourth quarter of 2024. These amendments aim to bring the DP Law in line with the European Union’s General Data Protection Regulation (GDPR) and other EU legislation.

 

Highlights from the 3rd Personal Data Protection Summit

On 20 September 2023, the 3rd Personal Data Protection Summit was held, focusing on “global developments in data governance”. During the summit, the President of the DPA announced the initiation of a study on artificial intelligence within the context of personal data protection. Key statistics and achievements since 2017 were also shared, including:

  • Out of 35,592 notifications, applications and complaints, the DPA has resolved 33,639.
  • The DPA received 1,189 data breach notifications, with 277 published on the DPA’s website.
  • As a result of the investigations, a total administrative fine of approximately TRY 291 million (approx. EUR 10 million was imposed.
  • The DPA provided 1,040 legal opinions within the scope of the DP Law.
  • The DPA approved seven written undertakings with sufficient qualifications for the transfer of personal data abroad.

 

September agenda of the DPA

The DPA had a packed agenda in September, hosting several insightful seminars:

  • On 6 September, the seminars “Personal Data Security and Protection of Privacy in IoT Applications” and “Personal Data Security in Cloud Computing” delved into the increasing integration of IoT applications in daily The seminar emphasised the importance of prioritising individual privacy in IoT use and addressed data security issues in cloud computing, especially when using foreign infrastructure-based cloud services.
  • On 26 September, the seminar “The Position of Lawyers under the DP Law” clarified the DPA’s unique evaluation of each legal The main criterion for determining if a lawyer acts as a data controller is their role in the data processing activity and their independent authority in decision making regarding that activity. Concerning the data controllers’ obligation to inform, the seminar stressed the need to provide information before initiating data processing.
  • On 27 September, the seminars “Risk-Based Approach” and “Evaluation of Targeted Advertising Practices in terms of DP Law” addressed the definition of risk from the data protection perspective and emphasised the importance of a risk -based approach. The concept of targeted advertising was also highlighted, underscoring the importance of considering the DP Law’s provisions to empower data subjects against targeted advertising practices.
  • On 29 September, the event Data Security in the Threat Ecosystem” at the Information and Communication Technologies

Authority discussed the DPA’s Guidelines on Personal Data Security as a roadmap. The seminar covered

 

The Board announced the following data breach notification in September:

 

Data Controller Affected Data Subjects Affected Personal Data Number of Data Subjects
Hotiç Ayakkabı Sanayi ve Ticaret Customers Communication Data 1,926,889
Doğan Trend Otomotiv Ticaret Hizmet ve Teknoloji  

N/A

 

N/A

 

N/A

 

Suzuki Motorlu Araçlar Pazarlama

 

N/A

 

N/A

 

N/A

 

Defacto Perakende Ticaret

 

Customers

 

Identity, Communication and Customer Transaction Data

 

Approx. 2,686

 

Elca Kozmetik

 

Customers and Potential Customers

 

Identity and Communication Data

 

Approx. 83,185

Telcoset İleri Teknoloji Stratejik İş Geliştirme Danışmanlık Employees, Employees of Legal Person (Customers, Potential Customers and Suppliers), Suppliers and Supplier’s Authorised Person Identity, Communication, Personnel Information, Legal Transaction, Transaction Security, Professional Experience, Health Data and Convictions and Security Measures Data Approx. 1,000

For detailed information, you may reach us:

EBRU TEMİZER

IRMAK SEYMEN VARAT

SEE More