March 2023 – Adevastating earthquake with a magnitude of 7.8 struck the southern region of Turkey on 6 February. This was followed by another strong earthquake with a 7.5 magnitude, occurring about nine hours later. Due to this disaster, we could not issue our two-minute recap for January 2023.You can find more information on the devastating earthquakes from our two-minute recap here.
In this recap, we will cover recent developments in February, as well as January. During this period, the Turkish Personal Data Protection Authority ("DPA") made one public announcement and three data breach notifications.
Determination of statutory periods due to the earthquake
While the search-and-rescue operations in the earthquake regions continued, public institutions began to announce additional measures that they had taken. In this context, on 9 February, the DPA made a public announcement regarding the statutory periods to be considered by data controllers and data subjects regarding complaints, notices, data breach notifications, and other obligations within the scope of Turkish DP Law.
The DPA announced that the extraordinary conditions caused by the earthquake will be taken into consideration in the evaluation of the periods specified in Turkish DP Law and related secondary regulations for data subjects, data controllers, and lawyers who are (i) in the provinces where a state of emergency has been declared due to the earthquakes or (ii) in other provinces but are affected by the earthquakes.
Quick reminder: New amounts of fines for non-compliance to DP Law
The DPA announced the new amounts of administrative fines to be considered for 2023, according to the revaluation rate (i.e., 122.93%). Below you can find the new amounts of fines that the DPA has the authority to impose regarding misdemeanours for the year 2023:
|
Misdemeanours |
Fine Amounts for 2023 |
|
Non-compliance to fulfil obligation to inform |
TRY 29,852 — 597,191 (approx. EUR 1,500 — 29,860) |
|
Non-compliance to ensure data security |
TRY 89,571 — 5,971,989 (approx. EUR 4,480 — 298,600) |
|
Non-compliance to comply with the decisions of the DPA |
TRY 149,285 — 5,971,989 (approx. EUR 7,464 —298,600) |
|
Non-compliance with the registration obligation with the Data Controllers' Registry (VERBIS) |
TRY 119,428 — 5,971,989 (approx. EUR 5,971 —298,600) |
The DPA announced the following data breach notifications in
January:
|
Data Controller |
Affected Data Subjects |
Affected Personal Data |
Number of Data Subjects |
|
Okko Saglik Turizm Insaat San. ve Tic. |
Employees, Patients |
Identity, Communication, Audio and Visual Records, Personnel Information and Health Data |
N/A |
|
Reon Saglik Hizmetleri Ins. Tur. San ve Tic. (Özel Aktif Hastanesi) |
Employees, Patients |
Identity, Communication, Audio and Visual Records, Personnel Information and Health Data |
N/A |
|
Yalova Uzmanlar Saglik Hizmetleri San.Paz.Tic. |
Employees, Patients |
Identity, Communication, Audio and Visual Records, Personnel Information and Health Data |
N/A |
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
