Turkey: Two-Minute Recap Of Recent Developments In Turkish Personal Data Protection Law – August 2022

September 2022 - In August 2022, the Turkish Personal Data Protection Authority ("Authority") published guidelines on the protection of personal data in the banking sector, opened draft guidelines on the processing of genetic data, and announced two data breach notifications.

New Guidelines for the Banking Sector

On 5 August 2022, the Authority published guidelines on the processing of personal data in the banking sector ("Guidelines"), which evaluates personal data processing in detail. You can access the Guidelines here (available only in Turkish).

In summary, the Guidelines determine the status of banks. Accordingly, within the scope of activities stipulated in Article 4 of Turkey's Banking Law, banks are considered to be data controllers. In cases where banks act as an agency (e.g., in insurance services) or an intermediary institution, it is necessary to evaluate the conditions of each specific case when deciding whether the bank is a data controller or a data processor.

Another important point is that the Guidelines also explain the legal grounds for data processing in detail by giving good practice examples. Accordingly:

Examples of data processing based on legal grounds except explicit consent

The following data processing activities can be carried out based on:

1. Fulfilling a legal obligation or (ii) where it is explicitly provided for by law. E.g.:
   • risk assessment activities for those applying for a loan;
   • obtaining a criminal record of a data subject during request processes for a chequebook; or
   • providing personal data to authorised institutions.
3. Establishment or conclusion of an agreement. E.g.:
   • data processing to provide loan services.
4. Legitimate interest. E.g.:
   • data processing for the purpose of applying rewards and bonuses to increase employee loyalty;
   • data processing to detect unusual behaviour of customers to prevent fraud within the scope of information security; or
   • data processing for customer segmentation or satisfaction to offer the right product/service to the existing customer.
5. Necessary for the establishment or protection of a right. E.g.:
   • data processing for use in administrative and legal proceedings for the collection of receivables.

Upcoming Guidelines Alert on Genetic Data Processing!

On 24 August 2022, the Authority published draft guidelines on the processing of genetic data ("Draft Guidelines") and announced that the Draft Guidelines will be available for public opinion until 24 September 2022. The Draft Guidelines define the concept of "genetic data" elaborately for the first time in Turkish data protection law. You can access the Draft Guidelines here (available only in Turkish).

The Draft Guidelines highlight that:

• Data controllers collecting biological samples are required to take adequate technical and organisational measures (e.g., encrypting data using cryptographic methods) to ensure genetic data safety.
• Since it is not entirely possible to prevent the connection between genetic data and the data subject, data controllers must use the method of de-identification of genetic data rather than anonymising it.
• Data controllers may process genetic data without obtaining the explicit consent of the data subject only if the data controller uses such data for medical diagnosis and treatment, and the relevant data processing activity must be explicitly stipulated in the law.
• Data controllers need to (i) ensure that the data subject has a clear understanding of its genetic data processing activity and its implications; (ii) inform the data subject that such data processing activity may include the personal data of persons who share with them the same lineage; and (iii) inform the data subject on possible risks in tracking genetic data in case they are transferred to third parties, especially for cross-border transfer.

The Board announced the following data breach notifications in August: