April 2023 – In March 2023, the Turkish Personal Data Protection Authority (the "Authority") published three public announcements and announced five data breach notifications.
On 30 March 2023, the Authority announced that the Authority approved the application regarding cross border data transfers submitted by Otokoç Otomotiv Ticaret ve Sanayi Anonim Sirketi.
Attention must be paid to personal data during on-site inspections!
A decision issued by Turkey's Constitutional Court on 30 March 2023 ("Decision") regarding the annulment of various provisions of the Law on the Protection of Competition ("Competition Law") includes sensitive findings related to personal data. In its Decision, the Constitutional Court did not accept the request for the annulment. However, the Decision is noteworthy, as it states that the data of legal entities is included within the scope of personal data protection, as it may involve the personal data of real persons.
What was the application?
On 24 June 2020, an amendment was introduced to Article 15 of the Competition Law regarding the authority of the Turkish Competition Authority to conduct on-site inspections at undertakings, allowing for the collection of copies and physical samples of any data and documents held in physical and electronic formats, including information systems.
The application subject to the said Decision requested the annulment of the provision regarding the collection of copies and physical samples of data belonging to undertakings during on-site inspections by the Turkish Competition Authority on the grounds that the provision did not include sufficient safeguards for the processing of personal data and was disproportionate.
What did the Constitutional Court consider?
The Constitutional Court stated that the right to demand the protection of personal data enshrined in the Constitution is not limited to real persons but also includes legal entities, and thus it covers data related to the legal entity undertakings. With this evaluation, the Constitutional Court determined that the relevant provision in the Competition Law limits the right to protect the personal data of undertakings. However, the Constitutional Court did not find the respective provision unconstitutional as it is (i) regulated by law, (ii) has a legitimate purpose, and (iii) is not disproportionate.
Furthermore, the Constitutional Court emphasised that the Competition Board is subject to the obligations set forth in the Personal Data Protection Law ("DP Law") when collecting copies and physical samples of data belonging to both real persons and legal entity undertakings during on-site inspections.
Attention to personal data processing activities during the election period!
The upcoming election in Turkey is also on the agenda of the Authority. On 23 March 2023, the Authority stated that the sensitivity of the personal data processing activities that will occur during the period of the parliamentary and presidential elections to be held on 14 May 2023 should be considered. The information note shared with the public within the scope of the announcement includes the following points:
- Political parties are data controllers within the scope of Turkish DP Law, thus they have obligations to provide information to data subjects and ensure data security. However, political parties are exempt from the VERBIS registration obligation.
- Political parties will be able to process personal data and sensitive data in accordance with the relevant laws, especially the Constitution and the Political Parties Law, and explicit consent of the data subjects is not required for the processing of special categories of personal data if it is based on a provision of law.
The data subject complaint module has been upgraded.
On 27 March 2023, the Board announced that electronic complaint by proxy is possible for data subjects to assert their rights.
Previously, the complaint module provided on the official website of the Authority was not active for complaints to be made on behalf of someone else. According to the announcement, complaints submitted by proxy can now also be made electronically via the Authority's website. In this respect, the complaint module enables attorneys to files applications as well. The related complaint module can be accessed at https://sikayet.kvkk.gov.tr.
The Board announced the following data breach notifications in March
|
Data Controller |
Affected Data Subjects |
Affected Personal Data |
Number of Data Subjects |
|
Marifet Saatçilik Kuym. Teks. Tur. Gida Ins. Taah. San. ve Tic. |
N/A |
Communication Information |
N/A |
|
Akbank |
Bank Customers |
Identity, Customer Transaction and Finance, Information |
5.847 |
|
Destek Bilgisayar ve Iletisim Hizmetleri |
Employees, Customers and Potential Customers |
Finance, Marketing Information, Visual and Audio Records |
N/A |
|
Getir Perakende Lojistik and Bitaksi Mobil Teknoloji |
Getir Users and Getir Couriers |
Identity, Customer Transaction, Transaction Security, Visual and Audio Records, Other |
5098 |
|
Sahibinden Bilgi Teknolojileri Paz. ve Tic. |
Partnership Company Users |
Identity, Customer Transaction, Transaction Security, Location, Other |
71.422 |
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
