December 2022 – In November 2022, the Turkish Personal Data Protection Authority ("DPA") announced six data breach notifications but did not publish any decisions.

Constitutional Court: Even if a phone is for business, private conversation is private

The Constitutional Court of Turkey, in its decision published on 15 November, ruled that an examination of an employee's private messages on the employee's allocated business phone by the employer violated the right to respect for private life and the freedom of communication. You can read more about this decision here (in Turkish only).

Background

An employee filed a lawsuit before a local court to demand (i) re-employment after the employment agreement was terminated because the employer read messages on the employee's business phone and (ii) protection of the employee's personal data, since the business phone can contain private messages.

The employer, on the other hand, claimed that the business phone was examined to access customer contact information and that the employment agreement was terminated after defamatory statements about other employees were revealed during the examination of the phone.

Contrary to the decision of the Constitutional Court, both the local and the appellate court concluded that the employer was justified in reading personal messages, as the employer gave the mobile phone to the employee, and as a result ruled that the termination of the employment agreement was lawful.

Evaluation of the Constitutional Court

As a result of the employee's application, the Constitutional Court ruled that:

  • the powers and rights of employers are not unlimited, and that fundamental rights must be respected;
  • it should be determined whether there are legitimate grounds for employers to inspect the communication tools made available to their employees and the contents of those tools;
  • the process of surveillance of employee communication should be carried out transparently;
  • the interference with the fundamental rights and freedoms of employees should be aimed at the purpose sought to be achieved by the intervention.

The DPA announced the following data breach notifications in November:

| Data Controller | Affected Data Subjects | Affected Personal Data | Number of Data Subjects |
| --- | --- | --- | --- |
| Shanghai Moonton Technology Co Ltd | User and Website Member | Identity, Communication, Transaction Security Data, and Other | 3,375 |
| Pamukkale Belediyesi | Students and Others (Tradesman) | Identity and Communication Data | 11,000 |
| Aliza Otelcilik Turizm ve Tic. | Employees, Customers, Children and Natural Person Suppliers | Identity, Communication, Personnel Data, Information on Legal Processes, Customer Transaction, Transaction Security, Finance, Professional Experience, Marketing, Health and Criminal Conviction and Security Measures | N/A |
| AES Otelcilik Turizm ve Ticaret | Employees, Customers, Children and Natural Person Suppliers | Identity, Communication, Personnel Data, Information on Legal Processes, Customer Transaction, Transaction Security, Finance, Professional Experience, Marketing, Health and Criminal Conviction and Security Measures | N/A |
| Aktif İnş, Taşımacılık | Employees, Customers, Children and Natural Person Suppliers | Identity, Communication, Personnel Data, Information on Legal Processes, Customer Transaction, Transaction Security, Finance, Professional Experience, Marketing, Health and Criminal Conviction and Security Measures | N/A |
| Baykar Motorlu Araçlar | Employees, Users, Customers and Potential Customers | Identity, Communication, Personnel Data, Information on Legal Processes, Audio and Visual Recordings, Health and Criminal Conviction and Security Measures | N/A |
