Turkey: An Overview Of The Decisions And Orders Of The Turkish Data Protection Authority

Last Updated: 13 January 2020
Article by Selin Ozbek Cittone

This document sets out an overview of the implementation of the Turkish Data Protection Law no. 6698 ('TDPL') in light of the decisions and orders of the Data Protection Authority ("DPA") in Turkey. We aimed to analyze the decisions and orders published on the DPA's website since 2018 and to provide an overall understanding of how the TDPL has been interpreted up until now.

The Legislative Framework in Turkey and the Turkish Supervisory Authority

In Turkey, the protection of personal data has been a constitutional right since 2010. Data protection was mainly regulated in the Turkish Constitution and the Turkish Criminal Code until the enactment of the TDPL on 7 April 2016. The TDPL introduced a new legislative framework in Turkey. The secondary legislation promulgated under the TDPL, as well as the supervisory authority's decisions on the implementation of the TDPL, have been the key factors in the development of this new regime.

The Turkish DPA, namely Kişisel Verileri Koruma Kurumu, has been established as an independent data protection supervisory authority with key responsibilities under the TDPL. The data protection board, namely Kişisel Verileri Koruma Kurulu ("Board"), composed of a total of 9 members appointed as per the election procedures set forth in the TDPL, is the decision-making body of the Turkish DPA and has been actively working since January 2017. The President of the DPA is responsible for the administration and representation of Turkey's supervisory authority.

Under the TDPL, the Board must carry out the necessary investigations on matters falling within its scope of work, either upon a complaint or ex officio (Article 15 of the TDPL), and may publish its decisions as it deems necessary (Article 23/5 of the TDPL). The TDPL does not impose any mandatory form or minimum content for the Turkish DPA's decisions, whether their publication is mandatory or discretionary. Thus, not all Board decisions are published on the Turkish DPA's website, and not all published decisions include the same level of detail.

A Brief Analysis of the Board Decisions published by the Turkish DPA

To date, two different types of decisions have been published on the DPA's website: (i) Board decisions (consisting of opinion decisions and regulatory decisions) and (ii) orders and enforcement decisions. Here, we will analyze the latter (including the monetary fines imposed by the DPA).

The Turkish DPA published Board decisions for the first time on 2 August 2018, and since then a total of 49 decisions have been published by the DPA. After the first publication, which contained 11 decisions, there was a significant time gap (almost 6 months) until the second round of publication. However, this time gap has shrunk over time. In 2019, the Turkish DPA published a round of decisions every month or two, signaling a regular publication trend for the future. It is also worth noting that the Turkish DPA's recent decisions are more detailed than the earlier ones. The first decisions did not include the name of the data controller, the amounts of the monetary fines or even the sector names. In its more recent decisions, however, the Turkish DPA has started to mention some or all of those details or the specifics of the data breach.

Breakdown by Type of Breaches and Applicable Provisions

Article 18 of the TDPL lists the administrative fines applicable to 4 types of infringements:

| Infringement | Fine |
| --- | --- |
| Breach of the obligation to inform (lack of a due privacy processing notice) | Art. 18/1 (a): Any person who does not fulfil the obligation to inform stipulated in Article 10 of the TDPL may be imposed an administrative fine of TRY 5,000 to TRY 100,000 |
| Breach of obligations regarding data security | Art. 18/1 (b): Any person who does not fulfil the obligations regarding data security stipulated in Article 12 of the TDPL may be imposed an administrative fine of TRY 15,000 to TRY 1,000,000 |
| Non-performance of the Board's decisions/orders | Art. 18/1 (c): Any person who does not fulfil the decisions of the Board as per Article 15 of the TDPL may be imposed an administrative fine of TRY 25,000 to TRY 1,000,000 |
| Breach of the obligation to register with the Data Controllers' Registry and to notify | Art. 18/1 (ç): Any person who does not fulfil the obligation to register with the Data Controllers' Registry and to notify, as stipulated by Article 16 of the TDPL, may be imposed an administrative fine of TRY 20,000 to TRY 1,000,000 |


The table below shows the breakdown of the Board's published decisions by type of infringement or action taken:

| Breach/Infringement | Cases | Article Applied |
| --- | --- | --- |
| Board decisions based on data security breach | 25* | Art. 18/1 (b) |
| Orders to controllers (no fines imposed) | 11 | - |
| No action needed | 6 | - |
| Answers to opinion requests / legislative interpretations or clarifications | 4 | - |
| Infringement of the Board's decisions / the Board's orders | 2 | Art. 18/1 (c) |
| Application of disciplinary provisions to public institutions / public authorities | 3 | Art. 18/3 |

(*) Out of the 25 cases where the Board applied an administrative fine based on Article 18/1 (b), 14 cases were related to actual data security breaches and/or failure to take the necessary technical and administrative measures, and 11 cases were related to breaches of the data processing principles and of the lawful grounds for processing. It is worth noting that the TDPL does not have an explicit provision imposing an administrative fine for breach of the principles relating to the processing of personal data (Article 4 of the TDPL) and/or infringement of the article concerning the lawfulness of processing (Article 5 of the TDPL). Some serious infringements of the principles or lawful grounds may arguably be scrutinized under the criminal liability provisions of the TDPL. The Turkish DPA therefore interprets the first paragraph of Article 12 of the TDPL regarding data security broadly, and applies administrative fines for infringements of the principles or of the lawful grounds for processing on the basis of Article 18/1 (b).

(*) In 6 cases the DPA initiated an investigation on data security upon the data breach notification made by the controller.

It is no surprise that the data security provisions of the TDPL have been the major reason for the Turkish DPA imposing fines on data controllers.

Breakdown by Sectors

The table below shows the sector breakdown of the Board's published decisions:

| Sector | Number of Decisions |
| --- | --- |
| Technology Media Telecom (Telecom, Media, Social Media, Internet, App. etc.) | 7 |
| Finance (Bank, Asset Management Company, etc.) | 5 |
| Tourism (Travel agency, Airlines, Hotel, etc.) | 5 |
| Health (Hospital, Pharmacy, Doctors, etc.) | 3 |
| Technical Service | 2 |
| Education | 2 |
| Public Body | 2 |
| Human Resources | 1 |
| Textile | 1 |
| Energy (Oil and Gas) | 1 |
| Grocery | 1 |
| Fitness Center | 1 |
| Online Betting | 1 |
| Legal | 1 |
| Insurance | 1 |
| Not Indicated | 13 |

In 2018 and 2019, the TMT sector, which includes social media and internet companies, was at the top of the list. The tourism sector (which includes travel agencies, airlines, bus companies and hotels) and the finance sector (which includes banks and asset management companies) were in second place. However, as almost 30% of the decisions published on the Turkish DPA's website do not include information on the sector concerned, it is hard to draw an exact conclusion on sector rankings simply by reviewing the published decisions. That said, the 2018 Activity Report of the Turkish DPA confirms that services (general), telecommunication, technology (informatics) and finance were the top sectors in terms of complaints and applications.

When the sector breakdown is analyzed, it is observed that public legal bodies were also subject to scrutiny by the Turkish DPA. In one case, the claimant (a public servant) requested the deletion of his/her disciplinary file by the public authority (details unknown), and in another case the state-owned controller (details unknown) did not comply with the DPA's order regarding a data subject request. Apart from the foregoing, in one of the finance sector decisions mentioned in the above list, the controller was a state bank, namely T.C. Ziraat Bankası A.Ş. According to the 2018 Activity Report of the Turkish DPA, 73 out of 310 applications in 2018 concerned public legal bodies.

Famous Cases

In only 11 of the cases reviewed by the Board (i.e. approximately one quarter of the Board's published decisions) were the data controllers' names published on the Turkish DPA's website. Especially in the early days of the TDPL, the Turkish DPA was reluctant to disclose the name of the data controller, fearing that this would negatively impact the reputation and credibility of the data controllers concerned. 6 of the 11 decisions mentioned below were published in the second half of 2019. Hopefully, this means that the Board will continue to disclose more data controllers' names in its future decisions.

Obviously, disclosure of the controllers' names is important for the due exercise of compensation rights by data subjects. Article 11 of the TDPL gives each data subject the right to apply to the controller to request compensation for his/her damages, if any, arising from the unlawful processing of personal data or a data breach. There is no doubt that the announcement of the names of the data controllers by the Turkish DPA makes it easier for data subjects to exercise their rights.

The table below lists the names of the data controllers that were subject to the Board's decisions in the said famous cases:

| Controller | Fine (TRY) | Reasoning | Complaint/Application/Ex Officio |
| --- | --- | --- | --- |
| Facebook | 1,650,000 | (i) Data breach (re photo API bug) shows that the controller did not take the necessary technical and administrative measures to provide a sufficient level of data security; (ii) the Turkish DPA was not notified of the data breach within the shortest time | Ex officio |
| T.C. Ziraat Bankası A.Ş. (public bank) | Disciplinary procedure & order | (i) Privacy notice not compliant with the Communiqué on Principles and Procedures to be Followed in Fulfillment of the Obligation to Inform; (ii) failure to answer the data subject's formal request for information | Complaint |
| Clickbus Seyahat Hizmetleri A.Ş. | 550,000 | (i) Data breach shows that the controller did not take the necessary technical and administrative measures to provide a sufficient level of security; (ii) the Turkish DPA was not notified of the breach within the shortest time | Breach notification |
| Marriott International Inc. | 1,450,000 | (i) Data breach shows that the controller did not take the necessary technical and administrative measures to provide a sufficient level of security; (ii) the Turkish DPA was not notified of the breach within the shortest time | Breach notification |
| Cathay Pacific Airways Limited | 550,000 | (i) Data breach shows that the controller did not take the necessary technical and administrative measures to provide a sufficient level of security; (ii) the Turkish DPA was not notified of the breach within the shortest time | Breach notification |
| No applicant name | No fine | When Gmail is used, e-mails are stored on Google's servers around the world, which means that data is transferred abroad; such transfers must therefore comply with the rules governing data transfers outside Turkey (Article 9 of the TDPL) | Request for opinion |
| Mimar Sinan University (public university) | Disciplinary procedure & order | (i) Failure to respond to the data subject's information request; (ii) publication of all exam results openly on the internet without encryption | Complaint |
| Dubsmash Inc. | 730,000 | (i) Data breach shows that the controller did not take the necessary technical and administrative measures to provide a sufficient level of security; (ii) the Turkish DPA was not notified of the data breach within the shortest time | Breach notification |
| Facebook | 1,600,000 | (i) Data breach (re View As, Birthday Celebrator and Video Uploader) shows that the controller did not take the necessary technical and administrative measures to provide a sufficient level of security; (ii) the Turkish DPA was not notified of the data breach within the shortest time (sending an informative e-mail to the Turkish DPA does not qualify as a breach notification, as no formal notification was made thereafter) | Ex officio |
| S Şans Oyunları A.Ş. (online betting company) | 180,000 | (i) Data breach shows that the controller did not take the necessary technical and administrative measures to provide a sufficient level of security; (ii) the data subjects were not notified of the data breach | Breach notification |
| Sevinç Eğitim Kurumları (private school) | 50,000 | Sending advertising text messages without a legal ground for processing personal data constitutes unlawful processing of personal data | Complaint |

The above table also shows that the two highest known administrative fines were imposed by the Board on Facebook. Both decisions are based on the following two infringements: (i) a data breach showing that the controller failed to implement technical and administrative measures providing a sufficient level of security (infringement of Article 12(1)), and (ii) the controller's failure to notify the data subjects and/or the DPA of the data breach within the legal time frame (infringement of Article 12(5)).

Based on 19 published decisions, the Board had imposed a total of TRY 8,005,000 in administrative fines on controllers as of 6 November 2019. As the DPA has not yet published its 2019 Activity Report, we do not know the total amount of fines imposed in 2019. However, as per the 2018 Activity Report of the Turkish DPA, a total of TRY 870,000 was imposed on controllers as administrative fines in a total of 8 cases.

On a separate note, the Board may also decide to send an order (talimatlandırma) to data controllers requiring compliance with the TDPL. However, in only 6 published decisions did the Turkish DPA solely send an order. In the other 9 cases, the Turkish DPA sent an order to the controller in addition to imposing an administrative fine.

Final Note

Although the Turkish DPA is relatively young compared to its European peers, it has been working hard for the due implementation of the TDPL. We are aware of a few cases brought against the Board's decisions before the Turkish courts, but there are very limited court precedents on the subject matter.

There is no doubt that the Board's decisions and administrative fines are two powerful tools for making certain that the rules are followed and that awareness of data protection rights is raised in Turkey.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
