In this article, we aim to provide guidance on best practices in personal data protection, in the context of the 41 decisions published by the Personal Data Protection Board ("the Board") between 1 January and 24 April 2023, together with summaries and highlights of those decisions. The decisions in question were taken as a result of complaints submitted to the Turkish Data Protection Authority ("the Authority") by data subjects, and most of them resulted in administrative fines. In addition to administrative fines, there are also decisions that order the data controller to carry out a specific action and to report on that action to the Authority.
The general principles that can be distilled from the published decisions are set out below:
- When assessing whether a natural or legal person is a data controller or a data processor, the assessment should be based on which party actually determines the purposes and means of processing the personal data, not on how the parties are characterised in the provisions of the contract between them. Accordingly, the Board stated that the definition of data controller in the Personal Data Protection Law ("the Law") should be the basis for identifying the data controller in each concrete case.
- Although the Law does not set out specific conditions for processing the personal data of persons in the sensitive age group, the Board found it risky to process such persons' personal data without the consent of a parent entitled to give it.
- Personal data may be transferred abroad only with the explicit consent of the data subject, unless the Board has separately authorised the transfer on the basis of a written undertaking by the data controllers to provide adequate protection, or unless the destination country is on the list of countries with adequate protection to be published by the Board.
- When obtaining explicit consent from data subjects through a website or mobile application, explicit consent should be obtained using an "opt-in" mechanism: cookies must not be active by default, and data subjects must give their consent through a voluntary, affirmative action.
- Where data controllers process personal data on their websites or mobile applications through cookies, the notice to data subjects must be given at the time of the user's first visit to the website or mobile application.
- The lawfulness of an employer's monitoring of communication tools it provides to its employees should be assessed on a case-by-case basis, by balancing the employee's right to the protection of their personal data against the employer's interest in such monitoring.
- Personal data previously made public by the data subject may only be processed by data controllers in connection with, and limited to, the purposes for which the data subject disclosed it publicly.
- Data controllers have an active duty of care to ensure that the personal data they process is accurate and, where necessary, up to date. In this context, they should establish mechanisms to verify the accuracy of the personal data and to confirm with the data subject that the personal data is still up to date.
- Processing communication data that is not used as the main channel of communication between the controller and the data subject, and whose absence would not disrupt the services provided by the data controller, is contrary to the "data minimisation" principle.
- Where a data subject's request is unlawful, a data controller that fails to inform the data subject that the request does not comply with the legislation, and instead treats it as a lawful request, but then argues in the Board's subsequent examination that the request was unlawful, acts contrary to its obligation to "act in accordance with the rules of good faith".
- Where a request is submitted to the Administration, the Administration's failure to respond is deemed an implied refusal; nevertheless, the Administration must respond to the request within thirty days at the latest, as required by law.
- The limits of a data subject's right of access to their personal data are determined by considering whether the exercise of that right affects the rights and freedoms of third parties, and whether the rights and freedoms of others outweigh the data subject's right.
- For personal data lawfully obtained by the controller to be processed for a new purpose, a lawful basis for processing must be relied on just as when the processing first began. Accordingly, if the purpose of processing changes, data controllers must re-establish the lawful basis for the data processing activity in question.
- Where explicit consent is obtained from data subjects, data controllers must obtain that consent separately from the privacy notice.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.