Notification Module Launched
The DPA has announced the launch of its "standard contract notification module" which will allow users to submit standard contracts for cross-border data transfers. The DPA stated that the module has been designed so that data controllers and data processors can fulfill their notification obligations in a faster and more efficient manner.
You can find our detailed article on this topic here.
Data Protection Authority Shares Statistics
As of 2024, at the 4th Personal Data Protection Summit, DPA president Faruk Bilir shared the following statistics with the public:
- 44,322 notifications, complaints and applications made (42,714 of which were finalized).
- 1530 data breach notifications submitted to the DPA (346 of which were publicized).
- EUR 22,000,000 in administrative fines was imposed.
- 10 undertakings regarding the transfer of personal data abroad were approved.
- 717 standard contracts regarding the transfer of personal data abroad were approved.
Harmonization with GDPR is the Goal
The 2025 Presidential Annual Program has stated that harmonization of Turkish DP Law with EU law, particularly the GDPR, will be completed in 2025. The effect of EU digital regulations on the export of goods and services will be examined and a road map created to determine the next steps.
Constitutional Court Personal Data Ruling
The Turkish Constitutional Court ("Court") has ruled that rights of access to justice were violated when a lawsuit was rejected after failure to provide defendants' Turkish ID numbers ("TRIN") and addresses. The court of first instance determined that failure to meet a deadline to provide the missing information meant that the lawsuit was not filed. The applicant appealed arguing that the requested information was not mandatory and, on rejection of its appeal, made an individual application to the Court.
The Court requested an opinion from the ministry which argued that Article 2 of the Attorney Law stipulates lawyers must consider the relevant factors. In response the applicant argued that the TRIN was personal data. The Court concluded there was no legal basis to grant a definite period for completion of the information (which is not mandatory) nor for deeming the lawsuit not filed at the end of this period. Moreover, obtaining this information unlawfully would be a criminal act. It therefore ruled that access to the court was prevented under the right to a fair trial and that the consequences of the violation were eliminated.
The DPA Announced the Following Data Breach Notifications in October:
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.