Large fine for Meta
The DPA has imposed a fine of approx. EUR 319,000 on the parent company of Instagram for violating the DP Law in relation to child accounts.
An investigation arose from claims that Instagram allowed accounts created by minors (under-18s) to be converted to public business accounts, making personal data, including email addresses and phone numbers, publicly accessible. The investigation revealed that this personal data was displayed via Instagram's HTML source code. The DPA therefore determined that Meta had failed to implement adequate technical security measures, thus putting minors at risk.
Meta was fined approx. EUR 70,000 for its failure to implement necessary technical and administrative safeguards. An additional penalty of approx. EUR 250,000 was imposed for its failures to verify users' age when converting to business accounts or ensure parental oversight.
The DPA Clarifies Penalty Timings Under New Amendments
An information note published on 19 December 2024 has clarified the application of penalties for data protection breaches in light of recent amendments. Key points include the time of the offence and whether it was a continuous or an instantaneous crime.
For more details on interpretation of the law and its impact please refer to our full article here.
Constitutional Court Rules on Right to Access Personal Data in Employment Records
The Constitutional Court issued a 17 December ruling on violation of the right to request protection of personal data. The case arose after the Ministry of Foreign Affairs rejected multiple requests from a public employee to access their employment records.
The Court confirmed that individuals have a constitutional right to access employment records as part of the right to respect for private life, emphasizing that this right cannot be restricted unless specifically regulated by law. The Ministry's refusal was therefore deemed unlawful and the applicant was awarded approx. EUR 800 in moral compensation.
For further details please refer to our article on the case.
DPA Announces 2024 Stats
The DPA imposed a total of approx. EUR 15 million in administrative fines and resolved 6,598 of 8,186 complaints and notifications received. It also issued 110 legal opinions; approved three commitments for the transfer of personal data abroad; received 1,345 standard contracts; and publicized 63 of 281 data breach notifications processed. The announcement also emphasized the authority's dedication to protecting Turkish citizens' fundamental privacy rights.
Criminal Sentence Upheld
A prison sentence of more than two years imposed on a call center employee for unlawful recording of personal data has been upheld by the 12th Criminal Chamber of the Court of Cassation. A criminal investigation was initiated under Article 135/1 of the Turkish Penal Code after affected customers, who had their names, addresses, phone numbers and credit card details recorded, filed complaints.
The Local Criminal Court of First Instance initially imposed a custodial sentence of 2.3 years. The defendant argued that the data was stored for commercial purposes and therefore no offence had been committed. However, the court ruled that the Penal Code only allows processing of personal data with the explicit consent of the subject - and that this fundamental principle had been violated.
On appeal the 12th Criminal Chamber of the Court of Cassation unanimously upheld the lower court's ruling. It further noted that the case file's evidence affirmed the first instance court's judgment, and the conviction had not been subject to legal error. This ruling emphatically underscores the need for strict compliance and potential criminal liability for anyone processing personal data in Turkey.