February 2021 – In January, the most remarkable announcement of the Turkish Data Protection Board (the "Board") was in relation to the new privacy policy of the messaging and VoIP platform WhatsApp. Another important development was the Board's principle decision regarding the personal data of third parties illegally provided by data subjects. The Board also celebrated European Data Protection Day on 28 January 2021 with a conference.

The Board initiates an investigation against WhatsApp

WhatsApp, Inc.—a subsidiary of Facebook—recently announced an update to its privacy policy whereby the use of the WhatsApp application is conditional upon users' explicit consent to their personal data being shared with and transferred to Facebook and other third parties abroad. After WhatsApp, Inc. made the announcement, the Board initiated an ex officio investigation against the company in its decision numbered 2021/28 and dated 12 January 2021. The Board also stated that it will re-evaluate the matter on 8 February 2021. You can find our detailed review of the relevant decision here.

Initially, WhatsApp, Inc. had stated that the deadline for the effective date of its new privacy policy was 8 February 2021, that users who had not given consent by that date would not be able to benefit from WhatsApp's services, and that their accounts would be deleted. Following negative reactions by users, such as migrations to other platforms due to the new privacy policy, WhatsApp, Inc. announced that the effective date of this update was postponed to 15 May 2021.

Principle decision on the personal data of third parties illegally provided by data subjects

A principle decision regarding the personal data of third parties illegally provided by data subjects (the "Principle Decision") published by the Board on 22 December 2020 was also published in the Official Gazette on 15 January 2021. We analyse the Principle Decision in detail here.

The Principle Decision relates to the personal data of third parties illegally sent by data subjects to data controllers upon the latter's request, such as phone numbers and e-mail addresses. The Board notes that there are inaccuracies and mistakes in the information provided by the data subjects, and that also, as a result of the disclosure by data subjects of the information belonging to third parties, documents containing the personal data of such data subjects are unlawfully transmitted to third parties.

In its Principle Decision the Board aims to ensure that the necessary administrative and technical measures are taken by data controllers in order to establish mechanisms, such as a confirmation code sent to the phone number or e-mail address of the data subject, in order to confirm the accuracy of the contact information provided by data subjects. In addition to the confirmation mechanism, the Board has stated that data controllers must always keep channels open for data subjects to update and correct their personal data.

In case of a data breach, the Board may not always impose an administrative fine

The Board announced a decision, dated 9 October 2020, regarding its investigation against a company operating in the health industry, in which it did not impose an administrative fine. The company, as the data controller, had notified the Board of a data breach, which started on 30 September 2020 and ended on 5 October 2020. Within the scope of the data breach notification, the company stated that it had informed the data subjects affected by the data breach within three days following notification to the Board. In addition, the company demonstrated the technical and administrative measures it took before and after the data breach.

At the end of its investigation the Board underlined that the data breach did not arise due to a lack of precaution by the data controller, and that since an application widely used worldwide had caused the data breach, the data controller would not be reasonably expected to intervene. It also stated that the data controller reacted quickly, having taken reasonable technical and administrative measures. For this reason, the Board concluded that there were no remaining processes, such as imposing an administrative fine or instructions, apart from ensuring that the company sent notifications to data subjects affected by the data breach. In conclusion, data controllers may not face administrative fines if they take the necessary administrative and technical measures and act quickly to notify both the Board and any affected data subjects following a data breach.

The Board announced the following data breach notification in January

In January, the Board announced only one data breach notification. The breach occurred on the website of Özyeğin University. Within the scope of the announcement, Özyeğin University, as the data controller, notified the Board on 5 January 2021 that the University's website had been attacked. The data controller became aware of the violation on Monday, 28 December 2020. Several data categories of 1,665 data subjects were affected by the violation. Consequently, the Board has initiated an investigation regarding this data breach.
