ARTICLE
8 October 2021

Data Protection Newsletter - October 2021

EA
Esin Attorney Partnership

Contributor

Esin Attorney Partnership, a member firm of Baker & McKenzie International, has long been a leading provider of legal services in the Turkish market. We have a total of nearly 140 staff, including over 90 lawyers, serving some of the largest Turkish and multinational corporations. Our clients benefit from on-the-ground assistance that reflects a deep understanding of the country's legal, regulatory and commercial practices, while also having access to the full-service, international and foreign law advice of the world's leading global law firm. We help our clients capture and optimize opportunities in Turkey's dynamic market, including the key growth areas of mergers and acquisitions, infrastructure development, private equity and real estate. In addition, we are one of the few firms that can offer services in areas such as compliance, tax, employment, and competition law — vital for companies doing business in Turkey.
In September, there were significant developments in the field of privacy.
Turkey Privacy

In September, there were significant developments in the field of privacy such as the Personal Data Protection Authority ("Authority") publishing the Guideline on the Processing of Biometric Data, the Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence and the announcement on COVID-19 PCR test results and vaccination status and imposing an administrative fine on an instant messaging app.

We set out a summary of developments below:

Announcement - Public announcement on COVID-19 PCR test results and vaccination data

The Authority published a public announcement regarding the processing of PCR test results and vaccination data on 28 September 2021.

Having referred to the letters of the Ministry of the Interior and the Ministry of Labor and Social Security, which require processing of PCR test results and/or vaccination data owned by citizens as well as employees, the Authority announced that processing of such data will be exempt from the Law on Protection of Personal Data No. 6698 ("Law"), to the extent such processing is carried out within preventive and protective measures taken by public institutions and organizations.

In light of the above, data processing activities carried out by public and private institutions based on the letters published by the Ministry of the Interior and the Ministry of Labor and Social Security will not be subject to the Law, whereas data processing activities exceeding the scope brought by these letters will nevertheless have to be compliant with provisions of the Law.

Further information on the announcement is available on our legal alert here. The announcement is available here (in Turkish).

Guideline - The Guideline on the Processing of Biometric Data

On 17 September 2021, the Authority published a guideline on the processing of biometric data that defines the biometric data and sets forth the legal grounds and principles for processing of such data.

In the guideline, the Authority defines biometric data for the first time as personal, unique and one-of-a-kind physical or behavioral characteristics, in line with the General Data Protection Regulation (GDPR). The Authority further emphasized that biometric information is data that cannot be forgotten, cannot be altered for a lifetime and is owned without intervention. The guideline sets forth the main principles that technical and organizational measures data controllers must comply with for protection and processing of biometric data.

Further information on the guideline is available on our legal alert here. The announcement is available here (in Turkish).

Guideline - Recommendations on the Protection of Personal Data in the Field of Artificial Intelligence

On 15 September 2021 the Authority published guidelines on the protection of personal data in the field of artificial intelligence, which include advice for the protection of personal data for developers, manufacturers, service providers and decision makers operating in the field of artificial intelligence (AI).

The Authority underlines that developments and practices in the field of AI should respect fundamental rights and freedoms and protect its users' fundamental human rights. Also, the Authority sets forth recommendations based on three categories: (i) general recommendations; (ii) recommendations for developers, manufacturers and service providers; and (iii) recommendations for decision makers.

Further information on the guideline is available on our legal alert here. The announcement is available here (in Turkish).

Decision - Administrative fine against an instant messaging app

The Personal Data Protection Board ("Board") determined that an instant messaging app ("App") has updated its terms of service and privacy policy as a precondition for the services it provides. The Board initiated an ex officio investigation against the App focusing on its (i) cross-border data transfers, (ii) collection of explicit consents as a precondition of services and (iii) compliance with the general principles.

In its decision No. 2021/891 of 3 September 2021, the Board has concluded that:

  • The free will element required for explicit consent was not fulfilled, as a blanket consent was obtained from users both for processing and cross-border transfer of their personal data.
  • The principle of lawfulness and fairness stipulated under Article 4 of the Law was violated as the terms of service and privacy policy were presented in a non-negotiable manner as part of the terms of service and as a precondition to the use of the App.
  • The principles of processing personal data for specified, explicit and legitimate purposes and not further processing in a manner that is incompatible with those purposes were violated.
  • Any kind of data processing activity on the personal data of data subjects in Turkey without having the servers located in Turkey qualifies as transfer of personal data abroad. Nevertheless, the requirements set forth under Article 9 of the Law were not met.
  • The use of cookies for profiling purposes is also unlawful due to the lack of explicit consent of data subjects.

In light of the foregoing, the Board decided to (i) impose an administrative fine of TRY 1.95 million (approximately USD 220,000) on the data controller who failed to take appropriate technical and organizational measures to ensure lawful processing of personal data, (ii) request the data controller to adjust its terms of service and privacy policy to comply with the Law within three months and (iii) request the data controller to comply to its obligation to inform in accordance with Article 10 of the Law and Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Obligation of Enlightenment.

Announcement is available here (in Turkish).

Statement - Personal Data Protection Summit

At the Personal Data Protection Summit organized on 2 September 2021, Prof. Dr. Faruk Bilir, the president of the Authority, stated that Turkey aims to harmonize the Law with the European Union standards, and the progress in the field of personal data protection in this regard continues. Bilir said that in light of the European Union's GDPR, some amendments will be introduced to the provisions of the Law with respect to the transfer of personal data abroad. In this scope, the Authority continues to work to ensure further compliance between the Law and GDPR.

The notes on the Summit is available here (in Turkish).

Significant developments around the world

  • China promulgated its first privacy law
    On 20 August 2021, the first Personal Information Protection Law (PIPL) of the People's Republic of China (PRC) was passed from the Standing Committee of the National People's Congress. Upon the promulgation of PIPL, the PRC stepped into a comprehensive regulatory framework with respect to the protection of personal data. With this development, (i) the Data Security Law, which applies to all types of data processing activities carried out within the territory of the PRC, effective from 1 September 2021; (ii) the PIPL, which covers personal data protection comprehensively for the first time in China, effective from 1 November 2021; and (iii) the Cybersecurity Law, which regulates the construction, operation, maintenance, use and security of cyber networks, effective since 1 June 2017 constitute the three main pillars of the personal data protection regime in the PRC.
  • South Korea is on the way to receiving an adequacy decision
    On 27 September 2021, the European Data Protection Board (EDPB) adopted an opinion on the draft South Korea Adequacy Decision prepared by the European Commission. The EDPB opined that although the draft is agreed on as a whole, further clarifications are required to ensure that South Korean data protection law is essentially equivalent to the relevant laws of the European Union. According to the statement made by EDPB Chair Andrea Jelinek, the adequacy decision will cover data transfers of both public and private bodies.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More