7 February 2022

Two-Minute Recap Of Recent Developments In Turkish Personal Data Protection Law – January 2022

Gen Temizer

Contributor

Gen Temizer is a leading independent Turkish law firm located in Istanbul's financial centre. The Firm has an excellent track record of handling cross-border matters for clients and covers the full bandwidth of most complex transactions and litigation with its cross-departmental, multi-disciplinary and diverse team of over 30 lawyers. The Firm is deeply rooted in the local market with over 80 years of combined experience of the name partners while providing the highest global standards of legal services.

February 2022 - In January 2022, the Turkish Personal Data Protection Board (the "Board") published two decisions (one of which is a principle decision) and announced four data breach notifications. In addition, in January the Board released its draft guidelines on the use of cookies and announced that the draft guidelines will be available for public opinion until 10 February 2022. The Board also approved the application of the Turkish Football Federation regarding cross-border data transfer.

On 28 January, the Board organised a conference in honour of Data Protection Day. During the conference, the participants underlined the importance of personal data protection and highlighted that the importance of privacy will increase in the age of digital technologies. You can find detailed information about the conference here (in Turkish only).

New Concept Alert: Joint Data Controller

On 20 January 2022, the Board issued a principle decision in the Official Gazette on the practice of blacklisting customers in the car-leasing sector. Privacy violations arising from the use of software that provides blacklisting functions were evaluated, and a new concept, the "joint controller", was introduced into Turkish Personal Data Protection Law ("DP Law"). For detailed information, please see our article here.

As background to its decision, the Board received several complaints that car-leasing companies are using software that provides a blacklisting tool. Allegedly, this tool allows the recording of customer information, including their personal data, and the ability to share this data with other car-leasing companies.

The Board underlined that car rental transactions are concluded within the scope of an agreement and stated that data controllers (i.e., car-leasing companies) may process the personal data of the data subject through a blacklist within the scope of the legitimate interest of the data controller. However, the Board pointed out the importance of applying a balance test between the legitimate interest of data controllers and real persons' fundamental rights and freedoms.

As a result, the Board concluded that:

if the personal data of customers on the "blacklist" is disclosed to other car-leasing companies by using the same software/application, this constitutes a violation of the fundamental rights and freedoms of customers;

if the blacklist is disclosed to other car-leasing companies, all car-leasing companies and the software company providing the blacklist application will be considered joint controllers. Thereby, the concept of joint controller has been defined in Turkish data protection law for the first time; and

data processing procedures shall be scrutinised in each concrete case in order to determine the liabilities and negligence of the joint controllers.

The Board is "cooking" draft guidelines on cookies

On 11 January 2022, the Board published draft guidelines ("Guidelines") to provide an advisory and guiding document for data controllers who process personal data through cookies. The Guidelines have been made available to those wishing to give their opinion and will remain open for public opinion until 10 February 2022. You can find the Turkish version of the Guidelines here.

In the Guidelines, the Board mainly elaborates the following matters:

the definition of and types of cookies;

the relationship between the DP Law and Turkey's Electronic Communications Law (numbered 5809);

guidance on when explicit consent is necessary regarding the use of cookies;

several cookie implementation examples (both correct and incorrect ways of usage).

The purpose of the Guidelines is to help data controllers comply with the law when they use cookies and process personal data in the operation of their websites. In addition, the Board states that data controllers do not need to obtain explicit consent in circumstances where:

the use of cookies relates to the provision of communication on electronic communication networks; or

the use of cookies is strictly necessary for the information society services that are explicitly requested by the subscriber or user.

The Board announced the following data breach notifications in January

| Data Controller | Affected Data Subjects | Affected Personal Data | Number of Data Subjects |
| --- | --- | --- | --- |
| Logo Yazılım Sanayi ve Ticaret A.Ş. | Users, Customers, Potential Customers | Name and surname, title, identity, tax ID No., contact, finance, customer transaction data | N/A |
| Industries S.p.A. | Customers | Identity, contact, shopping history | 31,748 |
| Moncler İstanbul Giyim ve Tekstil Ticaret Ltd. Şti. | Employers, Customers, Business Partners, Suppliers | Identity, contact, shopping history, payroll, health and commercial data | 20,005 |
| Pizza Restaurantları A.Ş. (Domino's Pizza) | Customers | Year of birth, name and surname, mobile phone number, e-mail address, customer ID | 180,000 |

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
