Turkish Personal Data Protection Board ("Board") has announced new summaries of latest decisions on April, 3 2019.
Click here to see whole texts of the summaries.
A. The Information Obligation and Obtainment of Explicit Consent Has to be Performed Separately:
The Board ex officio reviewed a group of companies that received job applications on an online platform. As a result of the examination, it was determined that it is compulsory to create a membership on the platform in order to apply for a job. In addition, it was stated that both the approval on reading the information notice and the explicit consent on the data processing activities are obtained from the data subjects by marking the same box at the same time. On its Decision, The Board referred to Article 5/1 (f) of the Communiqué on the Procedures and Principles that Shall Be Applied to the Performance of the Information Obligation, which states the requirement to perform the obligation to disclose and to obtain explicit consent separately, and stated that this implementation breaches the legislation.
The Board emphasized that, the performance of information obligation is not subject to the approval of the data subject. Though the Board has not imposed any sanctions to the data controller; it explicitly instructed that the mechanisms related to the proof of the information notice has been read and the explicit consent has been obtained must be separated.
B. The Persons Whose Identities Cannot Be Addressed shall not be subject to Board Sanctions:
The applicant has lodged a complaint before Turkish Personal Data Protection Authority ("Authority") regarding the unlawful access and share of the documents, which were signed by him with respect to his duty, on the internet. In addition, some of the slanderous texts has been shared by using the initials of the first and last names of the data subject. However, the identity of those who have committed such violations cannot be identified.
On the Decision, the Articles on scope and the definitions of the Law on the Protection of Personal Data ("Law") has been emphasized and it is stated that the persons whose identities cannot be addressed, cannot be defined as "data controllers". However, this circumstance shall not prevent penalization of the act stated. As a matter of fact, the Board stated that the provisions of the Turkish Penal Code shall be applied by referring to Article 17 of the Law which regulates crimes. However, it was stated that no action shall be taken by the Authority since the concrete case was transferred to the judiciary independent of the complaint filed with the Institution.
C. The Failure to Perform the Board Decision within the Period Stated by the Board:
According to the decision, the data subject has applied to the data controller, which is a public authority, for erasure of his personal data but did not receive a satisfactory response. Accordingly, he has made an application to the Authority and the Board gave a decision on this matter and notified the data controller regarding the complaint. Pursuant to Article 15/5 of the Law, the data controller is obliged to fulfil the requirements arising from the decisions of the Board regarding the elimination of violation and unlawfulness within thirty days from the notification.
In the present case, the decision on elimination of unlawfulness was garnished to the data controller on July 2, 2018 and a response was provided to the data subject on August 17, 2018. The data subject was notified that the personal data whose retention period has expired shall be destroyed in first periodical inspection and other personal data shall be destroyed in first periodical inspection upon end of respective retention period. However the data controller did not mention the instructions of Data Protection Board in its response
The Board has deemed it unlawful for both the failure to perform the requirements arising from the decision within thirty days' period and not to inform the data subject about the matters that mentioned in the decision. In this context, by taking into consideration that the data controller is a public authority, the Board has decided to establish a transaction based on Article 18/3, which includes the procedures to be made according to the disciplinary provisions of civil servants working in the public authority and notifying the Board regarding the result. In addition, the data controller has been instructed on the necessary actions to be taken related to the data stored.
D. The Data of a Legal Entity is not within the Scope of Law:
The Board has examined the transfer of the data of a legal entity between two different data controllers, upon an application. As a result of the examination, it is explained that such personal data could not be considered as personal data because of the legal entity. However, it was stated in the decision that natural persons representing the legal entity could exercise the rights of the data subjects. In the present case, the application was not accepted as a valid application due to the fact that these rights were also used by the legal entity applying to the Institution; it was emphasized that the application in question should be carried out by the natural persons concerned.
E. The Applications Related to the Jurisdiction of Judicial Authorities:
Article 15 of the Law regulates the principles and procedures of the examination to be carried out by the Board. Pursuant to Paragraph 2 of this Article, it is necessary for the complaints to be examined to meet the requirements set out in Article 6 of Law No. 3071 on the Use of Right to Petition. In accordance with the reference to Article 6, notices or complaints concerning the issues that fall under the jurisdiction of the judicial authorities shall not be taken into consideration.
In this respect, in the present case, it is decided not to consider the complaint concerning the matter that has passed to the judiciary, since it is related to the issues that fall under the jurisdiction of the judicial authorities.
F. Storage of the Personal Data through the Period Set Forth by the Legislation:
In the present case, the data subject made an application to the bank, the data controller, and requested the erasure of his personal data. This request was then transferred to the examination of the Authority as an application.
As a result of the examination conducted by the Board, it was determined that the data controller may store the data for a period of ten years in accordance with the banking legislation and it was decided that there is no need for a transaction by the Authority for the complaint in question.
With the decisions issued by the Board, we observed that the Board has aimed to announce the wrong implementations regarding applications and complaints. Moreover, although the administrative fines are not included in the announced summaries, pursuant to Article 18/3 of the Law, the decisions of the Board are binding for the parties
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.