In July 2022, the Turkish Personal Data Protection Authority ("Authority") announced five breach notifications and issued 12 decisions relating to various industries and sectors including insurance, health, and banking.

Here comes the decision on commercial electronic messages again

On 18 July 2022, the Authority published its decision on a data subject's complaint alleging that a data controller in the health sector sent a commercial electronic message to the data subject without obtaining their explicit consent to send messages. The Authority found that the data controller had obtained the contact data of the data subject for a purpose other than sending commercial electronic messages and therefore decided to impose a monetary fine on the data controller.

In its decision, the Authority stated that:

  • a data controller in the healthcare sector can process the contact information of data subjects (or their chaperones) during patient registration, and this activity does not constitute a violation of Turkish Data Protection Law or other applicable laws;
  • the data controller in this case sent an e-mail for marketing and commercial purposes;
  • the processing of personal data to send a commercial electronic message is unrelated to the purpose for which the relevant personal data was obtained; accordingly, such data processing activity constitutes a violation of Turkish Data Protection Law.

Based on the above-mentioned evaluation, the Authority decided to impose a monetary fine of TRY 100,000 (approx. EUR 5,470) on the data controller for the unlawful data processing activity of sending a commercial electronic message to the data subject's e-mail address for advertising and marketing purposes without any legal basis. You can access the decision here (available in Turkish only).

The Authority states that data controllers cannot require a special power of attorney for data subject applications

On 18 July 2022, the Authority published its decision on a data subject's complaint alleging that an insurance company had processed their personal data without legal grounds. As a result of the examination, the Authority concluded that the insurance company had processed the individual's personal data to carry out the insurance policy executed between the data subject and the insurance company.

The most important aspect of the decision is that the Authority has highlighted that data subjects are able to apply to data controllers via a lawyer without a power of attorney granting special authority to make such applications.

During the examination, the insurance company stated in its defence that the application was made by the data subject's lawyer with a general power of attorney, but that a special power of attorney is required to make such an application. Following its investigation, the Authority concluded that data controllers cannot seek a special power of attorney for applications made by data subjects' lawyers, as there is no provision stipulating such a requirement in Turkish law. For detailed information, please see our article here.

The Board announced the following data breach notifications in July

| Data Controller | Affected Data Subjects | Affected Personal Data | Number of Data Subjects |
|---|---|---|---|
| NeoPets Inc. | Users, Members, Children | Identity, Information on Communication and Transaction Security | N/A |
| Surtas Otomotiv ve Servis Hizmetleri Sanayi Ticaret Limited Sirketi | Employees, Customers, Potential Customers | Identity, Communication Information and Audio and Visual Records | 1200 |
| Türkiye Elektrik Dagitim A.S. | Employees, Citizens | Identity, Communication Information | 208,000 |
| Knauf Insaat ve Yapi Elemanlari San. And Tic. A.S and Knauf Insulation Izolation San. ve Tic. A.S | N/A | N/A | N/A |
| Meklas Otomotiv San. ve Tic. A.S. | Employees, Users, Customers, Potential Customers | Identity, Information on Communication, Personnel, Transaction Security, Finance, Marketing, Audio and Visual Records, Health, Philosophical Belief, Religion | 142 |

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.