In September the Board also organised a Personal Data Protection Summit, at which the president of the Board, Faruk Bilir, underlined that the Board continues to align Turkish data protection law with the GDPR. You can find detailed information about the summit here (in Turkish only).

The Board issues fresh guidelines on biometric data

On 17 September, the Board issued a guideline for the processing of biometric data. The Board once again emphasised that biometric data is considered sensitive under Turkish data protection law. The guidelines set out fundamental processing principles and the necessary technical and organisational measures for the processing of biometric data. You can find the Turkish version of the Guidelines here.

Within the scope of the Guidelines, the Board classifies biometric data under two separate categories: physical and behavioural biometric data. The Board gave examples of physical biometric data, which includes fingerprints, the retina, palm, face, hand shape, and iris. Behavioural biometric data includes things like the manner in which an individual walks, types or drives.

The Board also states that the processing of biometric data must comply with the general principles of Turkish Data Protection Law. To assess whether such processing activity complies with data protection legislation, the Board stressed the need for case-by-case assessments.

The Guidelines set out fundamental principles for the processing of biometric data, as follows:

  • Lawfulness and fairness: the processing of biometric data must comply with Turkish data protection law and:
    • must not infringe the essence of fundamental rights and freedoms;
    • must be suitable for the purpose of data collection and convenient for the processing activity;
    • the selected method for processing must be necessary in terms of purpose;
    • proportionality between the purposes and the means preferred for the processing activity must exist;
    • biometric data must be retained only for as long as necessary;
    • data controllers must fulfil their obligation to inform about such processing activity;
    • data controllers must rely on the explicit consent of data subjects, if necessary.
  • Data controllers must keep records and documentation showing that they comply with the above-mentioned principles;
  • Data controllers must not collect genetic data unless it is necessary;
  • Reasons and documentation must be provided for preferring a particular biometric data type or types (i.e. fingerprint, retina, palm etc.);
  • The retention period for biometric data to be processed must be only as long as necessary for the purposes of the processing activity.

The Board imposes its largest-ever fine on WhatsApp

In September, the Board finalised its ex officio investigation against WhatsApp, which it initiated after WhatsApp updated its Terms of Service and Privacy Policy to include the explicit consent of users related to the processing of personal data and the transfer of personal data abroad. As a result, the Board imposed a record administrative fine of TRL 1,950,000 (approximately EUR 198,000) on the company. You can read our summary of the decision here.

Within the scope of its decision, the Board concluded as follows:

  • Blanket consent: Once a user approves the user agreement, it is deemed that they provide consent for the processing and transfer of personal data abroad with this single consent.
  • Free-will: By incorporating consent for the processing of personal data into the agreement, the condition of "free will" was again violated.
  • Lawfulness and fairness: In order to use the application, users have to provide explicit consent. Accordingly, this is a violation of the principle of "lawfulness and fairness".
  • Purpose limitation: WhatsApp requires explicit consent to transfer all personal data, yet it is unclear what data will be transferred and for what purpose.
  • Cross-border data flows: No explicit consent was obtained for the transfer of data abroad, nor was an application made to the Board regarding a letter of undertaking for cross-border data flows.
  • Cookie policies: Explicit consent was not obtained from users regarding the personal data processing activity carried out through cookies for profiling purposes.

Turkish Data Protection Authority clarifies issues on vaccination status and PCR test results

On 28 September, the Turkish Data Protection Authority published a public announcement on how to process PCR test and/or vaccination information under Turkish Data Protection Law. Within the scope of the public announcement, the Board concluded that the provisions of the Turkish Data Protection Law will not be applied to the activities carried out by public institutions and organisations authorised by law in order to limit the spread of the Covid-19 pandemic. You can read our summary of the decision here.

The Board announced the following data breach notifications in September

| Data Controller | Affected Data Subjects | Affected Personal Data | Number of Data Subjects |
|---|---|---|---|
| Art Sistem Bilgisayar ve Güvenlik Teknolojileri Ltd. Şti | Customers/Potential Customers | Identity, contact, location, customer transaction, and marketing data | N/A |
| Arvato Lojistik Dış Ticaret ve E-Ticaret Hizmetleri AŞ | N/A | N/A | N/A |
| AK Gıda Sanayi ve Ticaret AŞ | Customers | Identity (name-surname, ID No.), contact (e-mail and telephone) data | 185,492 |
| Elginkan Group Companies | N/A | Identity, contact, personnel, transaction security, financial, trade-union membership data | N/A |

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.