In April 2023, the Turkish Personal Data Protection Authority (the "DPA") published 40 decisions and announced one data breach notification.

On 24 April 2023, the DPA published 40 decisions on various topics on its website. These decisions pertain to data controllers operating in diverse sectors such as banking, technology, and e-commerce and address critical aspects concerning data processing activities in compliance with the Personal Data Protection Law No. 6698 ("DP Law"). We summarise the most significant decisions below, with further details on the remaining decisions to follow. You can access the decisions here (in Turkish only).

First determine legal grounds before using foreign-based cloud systems!

With its decision published on 24 April 2023, the DPA emphasises the importance of regulations on cross-border data flows and ensuring adherence to the DP Law. The DPA stressed that cross-border data transfers without legal grounds are prohibited and imposed an administrative monetary fine of approx. TRY 1 million (approx. EUR 45,000) on the respective data controller.

What happened in the background?

A data subject, a member of the data controller's website (a tech company), realised the absence of a cookie policy and the unauthorised transfer of personal data abroad without obtaining explicit consent. Subsequently, the data subject made an application to the tech company in this regard but received no response within the legally mandated 30-day period, prompting a complaint to the DPA.

What did the DPA consider?

Despite the tech company's assertions that (i) the data subject's application remained unanswered due to an oversight, (ii) they utilised foreign-based cloud service technologies to provide consumer services resulting in data transfers abroad, and (iii) a written undertaking application to the DPA was imminent for approval, the DPA concluded that the complaint was valid and that the data controller's actions violated the DP Law.

The DPA emphasises that employing foreign-based cloud services and servers constitutes cross-border data transfers and that prior to using such technological infrastructure data controllers must establish legal grounds under the DP Law. Accordingly, the DPA advised the respective data controller that they could only conduct these transfers by obtaining explicit consent from data subjects or by submitting a written undertaking to the DPA for their approval.

What is the decision of the DPA?

The DPA determined that the tech company had failed to implement adequate technical and administrative measures to ensure an appropriate level of data security and that personal data had been unlawfully transferred abroad in a systematic manner. Consequently, the DPA imposed an administrative monetary fine of TRY 950,000.00 (approx. EUR 44,000) on the data controller.

In addition to the fine, the data controller was cautioned to (i) ensure compliance with the DP Law for personal data transfers abroad, and (ii) effectively and lawfully address data subject applications.

Another fine for cookie implementation

On 24 April 2023, the DPA published a decision concerning cookie implementation. In line with previous DPA decisions and guidelines, this decision emphasised the importance for website operators to establish valid legal grounds for cookie placement. The DPA found that a game platform data controller's website had unlawfully utilised cookies, resulting in a fine of TRY 300,000.00 (approx. EUR 13,921).

What was the background?

A user of the game platform website filed a complaint with the data controller, alleging that (i) information on cookies used on the website was not provided, (ii) explicit consent for non-essential cookies was not obtained, and (iii) information on the processing of identity and communication data for members was not provided. Unsatisfied with the data controller's response, the data subject complained to the DPA.

What did the DPA consider?

Although the game platform contended that (i) they own the website while operations in Turkey are managed by a separate company, (ii) a clarification text is available on their website, and (iii) personal data processing is essential for executing agreements and fulfilling legal obligations, the DPA determined that they were not in compliance with the DP Law.

The DPA emphasised that, aside from strictly necessary cookies that facilitate the proper functioning of a website or application, explicit consent from users is required for the operation of (i) functional cookies, (ii) performance-analytical cookies, and (iii) advertising/marketing cookies on data controllers' websites or mobile applications, unless there is another legal basis. Consequently, data controllers should implement an "opt-in" mechanism that presumes cookies are disabled by default.

What is the outcome of the investigation?

As a result, the DPA observed that various cookies were present during a visit to the website, and no information was provided in this regard. Furthermore, the data controller did not obtain explicit consent for non-essential cookies tracking user activities for purposes such as advertising or statistics. Therefore, the data controller was penalised with an administrative monetary fine of TRY 300,000 (approx. EUR 13,921) for failing to take adequate technical and administrative measures for processing personal data.

In addition, the game platform was instructed to (i) comply with its obligation to inform on the processing of personal data via cookies, and (ii) revise, in line with the legislation, the existing clarification text on personal data processing presented when the website registration form is filled in.

The Board announced the following data breach notification in April:

Data Controller: Beytip Saglik Hizmetleri
Affected Data Subjects: Employees, Users and Patients
Affected Personal Data: Identity, Communication, Personnel Information, Customer Transaction, Transaction Security, Risk Management, Finance, Marketing, Visual and Audio Records, Information on Race and Ethnicity and Health Data
Number of Data Subjects: Approx. 5,000
