June 2021 - In May 2021, the Turkish Personal Data Protection Board (the "Board") published a total of four decisions and announced five data breach notifications. Our examination of two important decisions is set out below. The Board also organised two e-seminars in May: Evaluation of Blockchain Technology under Personal Data Protection Law, and Cookies in Turkish Law in Light of European Union Data Protection Regulations (the videos of these e-seminars are available here, in Turkish).

An insurance company pays for unnecessary explicit consent

The Board evaluated a complaint regarding an insurance company's data processing activity. The data subject had concluded an individual pension agreement with the insurance company (the data controller). When the data subject tried to access the policy information for that agreement through the insurance company's website, a confirmation bar required him/her to give explicit consent to the processing of his/her personal data before the information could be viewed.

The Board concluded that relying on explicit consent in this situation violates the "principle of compliance with the law and good faith", because another legal basis for the processing (performance of the pension agreement) already existed. For this reason, the Board imposed an administrative fine of TRL 250,000 (approximately EUR 24,000) on the insurance company.

In its decision, the Board stated as follows:

  • The Board determined that, by ticking a single box, data subjects both gave explicit consent to the processing of their personal data and confirmed that they had received adequate information about the processing. The Board stated that where processing is based on explicit consent, the data controller must present the text of its obligation to inform (also known as the "clarification text") separately from, and before, the request for explicit consent.
  • The Board also underlined that the data controller is required to state clearly which legal basis under the Turkish DP Law applies to each of its data processing activities. In the clarification text at issue, the purposes of the data transfer were described only as "insurance and relevant laws", which is ambiguous and must therefore be revised.
  • The Board also highlighted that explicit consent must be given of the data subject's free will. Consequently, giving explicit consent must not be made a condition of receiving a service or product.
  • In this specific case, the Board determined that the clarification text and the explicit consent form had been combined in the same document. Moreover, having examined the Regulation on Individual Pension Agreements, the Board concluded that explicit consent was not required at all, and stated that the processing in question is to be carried out on the legal basis that it is necessary for the performance of an agreement.

Hospitals must ensure their patients' data security

The Board evaluated a data breach that occurred at a hospital. The hospital (the data controller) submitted a data breach notification concerning a physician working at the hospital, who had obtained his/her patients' files from the hospital archive through hospital staff. Following its evaluation, the Board imposed a total administrative fine of TRL 600,000 (approximately EUR 58,000) on the hospital for inadequate technical and organisational measures and for failing to notify the data breach in time.

As to the technical and organisational measures:

  • The Board determined that the security camera recording system was not being checked. As a result, unauthorised staff may have entered the archive room where patients' health records are stored. The Board accordingly concluded that the technical and organisational measures necessary to ensure the physical security of the patients' personal data, including sensitive (health) data, had not been taken.
  • 789 patients were affected by the breach, but only 54 of the patients' files could be located. The security of the remaining files is therefore unknown and the data of those patients must be regarded as lost. The Board accordingly concluded that the technical and organisational measures necessary to ensure data security had not been taken.
  • In addition, the Board noted that the breach was only detected 17 days after it actually occurred, which indicates inadequate personal data security policies and procedures.
  • The Board therefore concluded that the hospital had not taken adequate technical and organisational measures to ensure data security, and imposed an administrative fine of TRL 450,000 (approximately EUR 43,000) on the hospital on this ground.

As to the notification made to the Authority and the data subjects:

  • The hospital notified the breach to the Board 25 days after detecting it. The hospital did not notify the affected patients, except for one patient who happened to visit the hospital.
  • The Board stated that, under its decision on the Procedures and Principles of Notification of Personal Data Breaches, data controllers are required to notify the Board within 72 hours of becoming aware of a breach. The Board therefore imposed a further administrative fine of TRL 150,000 (approximately EUR 14,000) on the hospital for breaching the notification obligation.

The Board announced the following data breach notifications in May

Bulut Elektromarket
  Affected data subjects: Employees and customers
  Affected personal data: Identity, contact, location, personnel, and legal information; customer transaction, transaction security, physical security, risk management, finance, professional experience and marketing data; sensitive data
  Number of data subjects: N/A

ClearVoiceResearch.com, LLC
  Affected data subjects: Employees
  Affected personal data: Identity, contact, date of birth, passwords for the year 2015, race and ethnicity, political opinion, union membership, health data
  Number of data subjects: 184,205

E-Data Teknoloji
  Affected data subjects: Users
  Affected personal data: Identity, contact, username and passwords
  Number of data subjects: 721

Eliptik Yazilim ve Ticaret (BtcTurk)
  Affected data subjects: Users
  Affected personal data: Identity, contact, users' transaction security data (IP address, last login date, etc.)
  Number of data subjects: 516,954

Pakten Saglik Ürünleri (onlemmarket.com)
  Affected data subjects: Customers
  Affected personal data: Identity, contact data
  Number of data subjects: 2,541

Rahmet Regip Kugu (Free Financial Consultant)
  Affected data subjects: Employees, users, customers and potential customers
  Affected personal data: Identity, contact, personnel data, legal transaction data, customer transaction data, transaction security data, finance, professional experience, visual and audio records
  Number of data subjects: Approx. 130

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.