Turkey's Personal Data Protection Board Has Published The Summaries Of Its Recent Decisions

MA
Moroglu Arseven

Contributor

“Moroglu Arseven is a full-service law firm, with broadly demonstrated expertise and experience in all aspects of business law. Established in 2000, the firm combines a new generation of experienced international business lawyers, who hold academic, judicial and practical experience in all aspects of private law.”
The request on legal person's data should not be evaluated under the DP Law.
Turkey Privacy

Turkey's Personal Data Protection Board ("Board") clarified certain matters regulated under the Law on Personal Data Protection ("DP Law") with the decision summaries published on 3 April 2019.

The Board's decisions and events subject to them are as follows:

The applications regarding unauthorized online disclosure of personal data and document including personal data on the internet by unknown person/persons: The Board decided that:

  • Notices and complaints related to the subjects within the judicial authorities' remit will not be inspected as per Article 15 of the DP Law.
  • There is no need to conduct any proceedings since the subject matter incidents involve crime elements and both were submitted to judicial authorities.

Application regarding the failure to fulfil data subject's request related to the erasure of personal data stored by the data controller bank: By considering banks' legal retention obligations, the Board found no need to conduct any proceedings based on the fact that ten years retention period has not expired.

Application regarding the transfer of legal entity's data: The Board decided that:

  • The request on legal person's data should not be evaluated under the DP Law.
  • The rights regulated under Article 11 of the DP Law may only be used by the data subject himself/herself or his/her legal representative.

 

Application upon the non-provision of a sufficient answer following the application to the data controller regarding personal data's erasure: The Board instructed a public establishment as a data controller:

  • To erase the personal data of which the retention period is expired,
  • To inform the complainant regarding deletion transactions and
  • Not to process the subject matter personal data except for the purpose of retention

and gave 30 days to data controller to comply with the decision. However, the data controller did not fulfill the necessary steps in due time and did not comply with all the instructions of the Board while informing the data subject. Therefore, the Board decided

  • To impose administrative fine and to initiate disciplinary proceedings.
  • To instruct the data controller to inform the data subject in a sufficient manner already instructed.

Application for the examination of the personal data processing of group companies receiving job application via online platform: The Board detected that the confirmation of the read of the privacy notice and obtaining of the explicit consent is carried out through clicking the same checkbox. Hereupon, the Board decided to instruct the data controller for separation of mechanisms to receive confirmation that privacy notice has been read and obtain explicit consent, in accordance with Article 5 of the Communiqué on Procedures and Principles to be Followed for the Data Controller's Obligation to Inform.

You may reach the full texts of the summaries of decisions through below links (only available in Turkish):

"Information first published in the  MA | Gazette, a fortnightly legal update newsletter produced by Moroğlu Arseven."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More