3 February 2022

Data Protection Newsletter – February 2022

Esin Attorney Partnership

Contributor

Esin Attorney Partnership, a member firm of Baker & McKenzie International, has long been a leading provider of legal services in the Turkish market. We have a total of nearly 140 staff, including over 90 lawyers, serving some of the largest Turkish and multinational corporations. Our clients benefit from on-the-ground assistance that reflects a deep understanding of the country's legal, regulatory and commercial practices, while also having access to the full-service, international and foreign law advice of the world's leading global law firm. We help our clients capture and optimize opportunities in Turkey's dynamic market, including the key growth areas of mergers and acquisitions, infrastructure development, private equity and real estate. In addition, we are one of the few firms that can offer services in areas such as compliance, tax, employment, and competition law — vital for companies doing business in Turkey.
We summarized the important data privacy developments of January 2021 in Turkey and from around the world.

In January, the significant developments in the field of personal data protection are the Personal Data Protection Authority's ("Authority") new issuance of the Document on False Facts about the Law on the Protection of Personal Data; the public announcement on registration in the Data Controllers' Registry Information System (VERBIS); the Draft Guideline on the Use of Cookies; the decision on the commercial electronic messages of a satellite TV provider; and the principle decision on blacklisting in the car rental industry.

We provide summaries of the developments in January in Turkey and the world below.

Announcement - decision on commercial electronic messages sent to the mobile phone number of a data subject

In the complaint submitted to the Authority, the data subject claimed that they received calls and SMS messages regarding the campaigns of a satellite TV provider without their explicit consent.

In Decision No. 2021/1210 dated 2 December 2021, the Personal Data Protection Board ("Board") determined that the dealer of the satellite TV services provider company subcontracted commercial electronic message services and one of its subcontractors obtained the mobile phone number of the data subject through a number derivation method. The Board assessed that the satellite TV provider is not a data controller and, since there is no instruction-based relationship in the contract between the dealer and the subcontractor, the dealer is not a data controller. Rather, the subcontractors are data controllers, as they called the data subject on their own initiative. The Board stated that since a mobile phone number is personal data, the processing of such data through calls and sending SMS messages for advertising and promotional purposes is subject to Law No. 6698 on the Protection of Personal Data ("Law").

Accordingly, the Board decided: (i) not to impose any sanctions on the satellite TV provider and the dealer; (ii) to impose administrative sanctions on the data controller subcontractors for processing personal data without any legal grounds set forth under the Law; (iii) to instruct the subcontractors to delete the data subject's phone number; and (iv) to instruct the satellite TV provider to pay due attention and care to comply with the Law in the process of acquiring new customers, and to include clear provisions regarding the data controller and data processor in contracts to be executed with dealers.

The decision is available online here (in Turkish).

Principal decision - principal decision on blacklisting in the car rental industry

The principal decision of the Authority regarding blacklisting operations in the car rental industry was published in the Official Gazette No. 31725 and dated 20 January 2022.

In the decision regarding the processing of personal data via the software used by car rental companies, the Board determined that, through this software, car rental companies record information about lessees' vehicle usage and accidents, which includes the lessees' personal data. The Board stated that the information recorded in the software could be accessed not only by the relevant car rental company and software service provider, but also by various other car rental companies, in a manner that is deemed a personal data transfer between companies in the industry. Lastly, the data subjects are not informed of this data transfer.

The Board stated that blacklisting data can be processed based on "the legitimate interest of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject" and only if the blacklisting data is processed by the lessor company. However, the Authority evaluated that the disclosure of the data to other car rental companies would not fall within the scope of legitimate interest. In addition, the Board stated that the transfer of the data to an unknown number of car rental companies is in violation of the general principles (i.e., lawfulness and fairness; processing for specific and legitimate purposes; and being relevant, limited and proportional to the purpose). The Board also noted that it is difficult for data subjects to exercise their legal rights, as they do not know the transferee companies.

Importantly, the Board concluded that since different car rental companies have access to the blacklist, these companies also have control over the data; therefore, they are considered joint controllers together with the software companies. As per the decision, the responsibilities of joint controllers can be determined by evaluating: (i) the first and last data controller that accesses the data; (ii) the data controller that registered the data on the system; (iii) the aim of the data processing; (iv) the data controller that decides the amendment, erasure or transfer of the data; and (v) the operations of the other data controllers.

In light of these evaluations, the Board decided that the relevant data controllers should take the necessary technical and administrative measures within the scope of the Law or face possible administrative fines.

Further information on the decision is available in our legal alert here. The decision is available online here (in Turkish).

Publication - new issuance of the Document on False Facts about the Law on the Protection of Personal Data

On 3 January 2022, the Authority published the second issuance of the Document on False Facts about the Law on the Protection of Personal Data.

The main issues included in the document, which consists of 64 questions and answers, are as follows: (i) data processing conditions and the validity of explicit consent; (ii) biometric data; (iii) the conditions regarding cross-border data transfers; (iv) the fulfillment of the obligation to inform; and (v) the necessary steps to be taken in case of a data breach, the applications submitted to the data controller and the explanations regarding the Board's evaluations.

The document is available online here (in Turkish).

Announcement - public announcement on registration in VERBIS

On 4 January 2022, the Authority reiterated the following points to the persons who are obliged to register with VERBIS:

  1. It emphasized that merely submitting the VERBIS registration application form via the system or sending it to the Authority by mail, cargo, courier, registered email or hand delivery does not fulfill the registration and notification obligation to VERBIS. Rather, the VERBIS registration application form must be submitted to the Authority, and a "contact person" must be appointed via VERBIS. Additionally, the contact person must log in to VERBIS, and the notification issued for the relevant data controller must be approved.
  2. It reiterated that incomplete applications and notifications should be completed as soon as possible. In addition, any change in the information registered in VERBIS should be notified to the Authority via VERBIS within seven days of the date of such change.

The announcement is available online here (in Turkish).

Draft - Draft Guideline on the Use of Cookies ("Draft Guideline")

On 11 January 2022, the Authority opened the Draft Guideline for public consultation until 10 February 2022. The main topics covered by the Draft Guideline are as follows:

  • The types of cookies are categorized under three main groups: (i) duration of the cookies; (ii) purpose of the cookies; and (iii) parties of the cookies.
  • As per the Draft Guideline, the Law will be applicable to information society services because, unlike EU Directive 2002/58/EC, this topic is not regulated under the Electronic Communications Law No. 5809 ("ECL"). In this context, the decision dated 27 February 2020 numbered 2020/173 is highlighted.
  • As per the Draft Guideline, the following questions should be answered to determine whether explicit consent is required for the use of cookies: either "are cookies used only for providing communication over an electronic communication network?" or "are cookies strictly necessary for the information society services that are explicitly requested by the subscriber or user?" For cases that do not fall under these two scenarios, either the explicit consent of the data subject must be obtained or another legal basis stipulated under the Law must be relied on. As stated, the explicit consent of the data subject is not required for the use of cookies if one of the legal bases set forth under the Law exists.
  • The Authority stated that requesting consent frequently may lead to "consent fatigue" and may damage the free will of the data subject. Hence, instead of obtaining consent every time a user accesses the website, it is sufficient to remind the data subject of their explicit consent preference proportionally throughout the lifetime of a cookie.

The Draft Guideline, aiming to ensure website operators' compliance with the Law when using cookies, covers only the cookies used for processing personal data. In addition to websites, the Draft Guideline is applicable to similar online applications connected to networks.

Further information on the guideline is available in our legal alert here. The Draft Guideline is available online here (in Turkish).

Significant developments from the world

  • EU: European Data Protection Supervisor (EDPS) sanctions the European Parliament for EU-US data transfers
    On 5 January 2022, the EDPS concluded its evaluations on the complaints regarding a website of the European Parliament ("Parliament") used for COVID-19 test booking purposes, which uses a third-party provider.
    As per the decision, the EDPS determined that the Parliament failed to: (i) provide sufficient guarantees for implementing the necessary technical and organizational measures; (ii) provide documents with detailed instructions to the data processors; (iii) comply with the principles of transparency, accountability and the data subjects' right to information because of the inaccurate data protection notice and cookie banner on the website; and (iv) protect the information collected and processed through cookies from the users' terminal equipment. The EDPS also concluded that the Parliament relied on standard contractual clauses even though the personal data subject to the data transfer to the US is not documented to have an equivalent level of protection.
    In light of the foregoing, the EDPS issued a reprimand and ordered the Parliament to update its data protection notices on the website subject to the decision to provide all relevant information relating to the processing of personal data within one month of the date of the decision.
    The decision is available online here.
  • EU: European Data Protection Board (EDPB) adopts Guidelines on the Right of Access
    During its January plenary session, the EDPB adopted the Guidelines on the Right of Access, which aim to analyze various aspects of the right of access and to provide more precise guidance on how the right of access has to be implemented in different situations. Among other things, the guidelines provide clarifications on the scope of the right of access, the information the controller has to provide to the data subject, the format of the access request, the main modalities for providing access, and the notion of manifestly unfounded or excessive requests.
  • France: French Data Protection Authority (CNIL) issues guidance on the reuse of personal data by processors for their own purposes
    The CNIL published guidance on 12 January 2022 concerning processors' reuse of data entrusted by data controllers. The guidance aims to establish a legal framework to determine if and under which conditions a processor can use personal data that it obtained from a controller for purposes broader than strictly providing services to the controller.
    You may access here the article by the Baker McKenzie Paris office where the team elaborates on the scenarios when a processor may reuse data it receives from the controller for its own purposes, the need to review existing service agreements and data processing agreements, and the CNIL's strict approach to data reuse.
  • US: New employee privacy rights in California
    As of 1 January 2022, California employers must inform job applicants and employees if they disclose personal information to third parties, unless certain data processing clauses are included in their contracts. From 1 January 2023, employers should be ready to respond to requests for data access, deletion, correction, portability and other requests from employers and employees. These will require implementing new protocols, training up human resources and compliance teams, and tightening up data retention and deletion protocols to limit the amount of information to review when handling data subjects' requests.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
