ARTICLE
14 January 2025

Two-Minute Recap Of Recent Developments In Turkish Personal Data Protection Law

GT
Gen Temizer

Contributor

Gen Temizer is a leading independent Turkish law firm located in Istanbul's financial centre. The Firm has an excellent track record of handling cross-border matters for clients and covers the full bandwidth of most complex transactions and litigation with its cross-departmental, multi-disciplinary and diverse team of over 30 lawyers. The Firm is deeply rooted in the local market with over 80 years of combined experience of the name partners while providing the highest global standards of legal services.
A prison sentence of more than two years imposed on a call center employee for unlawful recording of personal data has been upheld by the 12th Criminal...
Turkey Privacy

Large fine for Meta

The DPA has imposed a fine of approx. EUR 319,000 on the parent company of Instagram, for violating the DP Law in relation to child accounts.

An investigation arose from claims that Instagram allowed conversion of accounts created by minors (under-18s) to public business accounts making personal data, including email addresses and phone numbers, publicly accessible. Said investigation revealed that the applicable personal data was displayed via Instagram's HTML source code. The DPA therefore determined that Meta failed to implement adequate technical security measures thus putting minors at risk.

Meta was fined approx. EUR 70,000 for its failure to implement necessary technical and administrative safeguards. An additional penalty of approx. EUR 250,000 was imposed for its failures to verify users' age when converting to business accounts or ensure parental oversight.

The DPA Clarifies Penalty Timings Under New Amendments

An information note published on 19 December 2024 has clarified the application of penalties for data protection breaches in light of recent amendments. Key points include the time of the offence and whether it was continuous or instantaneous crime.

For more details on interpretation of the law and its impact please refer to our full article here.

Constitutional Court Rules on Right to Access Personal Data in Employment Records

The Constitutional Court issued a 17 December ruling on violation of the right to request protection of personal data. The case arose after the Ministry of Foreign Affairs rejected multiple requests from a public employee to access their employment records.

The Court confirmed that individuals have a constitutional right to access employment records as part of the right to respect for private life. (emphasizing that this right cannot be restricted unless specifically regulated by law). The Ministry's refusal was therefore deemed unlawful and the applicant awarded approx. EUR 800 in moral compensation.

For further details please refer to our article on the case.

DPA Announces 2024 Stats

The DPA imposed a total of approx. EUR 15 million in administrative fines and resolved 6,598 of 8,186 complaints and notifications received. It also issued 110 legal opinions; approved three commitments for the transfer of personal data abroad; received 1,345 standard contracts; and publicized 63 of 281 data breach notifications processed. The announcement also emphasized the authority's dedication to protecting Turkish citizens' fundamental privacy rights.

Criminal Sentence Upheld

A prison sentence of more than two years imposed on a call center employee for unlawful recording of personal data has been upheld by the 12th Criminal Chamber of the Court of Cassation. A criminal investigation was initiated under Article 135/1 of the Turkish Penal Code after affected customers, who had their names, addresses, phone numbers and credit card details recorded, filed complaints.

The Local Criminal Court of First Instance initially imposed a custodial sentence of 2.3 years. The defendant argued that the data was stored for commercial purposes and therefore no offence had been committed. However, the court ruled that the Penal Code only allows processing of personal data with the explicit consent of the subject - and that this fundamental principle had been violated.

On appeal the 12th Criminal Chamber of the Court of Cassation unanimously upheld the lower court's ruling. It further noted that the case file's evidence affirmed the first instance court's judgment, and the conviction had not been subject to legal error. This ruling emphatically underscores the need for strict compliance and potential criminal liability for anyone processing personal data in Turkey.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More