In April, the most significant developments in the field of personal data protection were (i) the Personal Data Protection Authority's ("Authority") public announcement on the obligation to register with the Data Controllers Registry ("VERBIS"), (ii) the principle decision on online payments and debt inquiry services provided by municipalities and (iii) the Constitutional Court's decision on the right to request protection of personal data.

We set out the summaries of the developments in April in Turkey and around the world below.

Announcement - Announcement on the data controllers who have failed to fulfill the VERBIS registration and notification obligation

In the decision dated 11 March 2021 numbered 2021/238, the Personal Data Protection Board ("Board") had granted the following data controllers a period until 31 December 2021 to fulfill the obligation to register with VERBIS:

  • Real or legal person data controllers that employ more than 50 employees per year or have an annual balance sheet above TRY 25 million (approx. USD 2.6 million),
  • Real or legal person data controllers that employ fewer than 50 employees per year and have an annual balance sheet below TRY 25 million (approx. USD 2.6 million) and whose principal business activity is processing special categories of personal data,
  • Data controllers residing outside of Turkey.

In the public announcement dated 21 April 2022, the Authority announced that it has started to impose administrative sanctions on data controllers who have not fulfilled the above obligation.

The Authority may impose administrative fines from TRY 53,572 to 2,678,863 (approx. USD 3,600 to USD 180,000) on data controllers who have failed to fulfill the registration obligation. Disciplinary provisions can also be applied to personnel if the violation occurs within public institutions, organizations and public professional organizations.

The announcement is available here (in Turkish).

Decision - Constitutional Court's decision on right to request protection of personal data

In the decision No. 2018/11988 published in the Official Gazette dated 19 April 2022, the Constitutional Court evaluated an applicant's ("Applicant") right to request protection of their personal data with respect to private life.

The decision concerns the Applicant's claim that the recording of fingerprints for shift tracking violates their right to private life. The Applicant filed a lawsuit before the administrative court for the annulment of the tracking system, and the administrative court decided that the system is unlawful since there are no legal grounds for shift tracking. On the other hand, the Court of Appeal decided that such a fingerprint tracking system does not violate the law since public personnel are obliged to work during the shift and relevant administrative bodies are obliged to supervise.

The Constitutional Court evaluated the application within the scope of the right to request protection of personal data as per Article 20 of the Constitution of the Republic of Turkey ("Constitution"). The Constitutional Court pointed out that the restrictions on rights and freedoms must: (i) have a lawful basis; (ii) rely on legitimate causes under the Constitution; and (iii) comply with the needs of a democratic society and the principle of proportionality, according to Article 13 of the Constitution. The Constitutional Court analyzed the case based on the condition of the restrictions requiring lawful basis.

The Constitutional Court referred to Law No. 6698 on the Protection of Personal Data ("LPPD") and stated that in the case at hand, the fingerprint data (i.e. sensitive personal data) of the data subject can be processed based on the explicit consent of the data subject, or in cases expressly stipulated in the laws, without seeking explicit consent. The Constitutional Court emphasized that even in cases where the explicit consent of the data subjects is present, the processing activity is still required to have a legal basis as per Article 13 of the Constitution.

In the case at hand, it is evident that the Applicant did not give their explicit consent. The Constitutional Court determined that there is also no regulation that allows for the processing of biometric data for the purposes of shift tracking. Accordingly, the Constitutional Court determined that the interference with personal rights does not have a legal basis.

The decision is available here (in Turkish).

Decision - Principle decision on the online payments and debt inquiry services provided by municipalities

In the decision numbered 2022/388 dated 21 April 2022, the Board evaluated municipalities' online tax payment/fast payment and debt inquiry services on which real estate information of data subjects can be accessed upon submitting the Turkish ID number of the relevant data subject.

The Board stated that a two-factor authentication measure is required where personal data can be accessed remotely, in accordance with the Personal Data Security Guide (Technical and Administrative Measures). As per the decision, systems that request easily accessible information of the data subjects are considered single-factor verification. Accordingly, systems that are accessed via (i) a password created specifically by the data subject or (ii) an SMS code sent to the data subject's phone number are considered two-factor verification. The Board stated that rather than requesting information that can be accessed by third parties, such as a phone number, date of birth, mother/father's name or a registration number, systems should request information that only the data subject can access, or operate based on membership. The Board also stated that the municipalities that do not take the above measures would be subject to the sanctions set forth under Article 18 of LPPD.

The decision is available here (in Turkish).

Significant developments from around the world

  • USA (New Jersey): Law on employers' use of tracking devices in vehicles operated by employees enters into effect
    The law on employers' use of tracking devices in vehicles operated by employees entered into effect on 18 April 2022 in New Jersey. As per the law, employers who use tracking devices in vehicles operated by employees are required to provide written notice to the employees. Accordingly, civil penalties up to USD 1,000 for the first and USD 2,500 for subsequent violations can be applied to employers.
    The law is available here.
  • EU: European Data Protection Board (EDPB) adopted a statement on the new Trans-Atlantic Data Privacy Framework
    On 6 April 2022, the EDPB adopted a statement on the agreement in principle regarding the new Trans-Atlantic Data Privacy Framework announced on 25 March 2022. The EDPB evaluated the US's efforts to adopt strict measures to ensure the protection of personal data of individuals from the European Economic Area (EEA) as a positive development. On the other hand, the EDPB reiterated that the adoption of an adequacy decision for the level of data protection provided by the US is subject to the EDPB's opinion to be submitted to the European Commission. To this end, the EDPB will examine: (i) the reforms to ensure that personal data for national security purposes can be collected proportionately and only when strictly necessary; (ii) the redress mechanism and data subjects' right to free trial and effective remedy; and (iii) the supporting documents of the European Commission.
    The statement is available here.
