June 2022 - In May 2022, the Turkish Personal Data Protection Board (the "Board") announced three data breach notifications and issued 15 decisions on various practice areas including banking, e-commerce, recruitment, and pharmaceuticals.

GDPR compliance alone is not sufficient for personal data processing activities in Turkey!

On 23 May, the Board issued a decision based on the complaint of an employee against their former employer residing outside of Turkey. The employee alleged that the employer continued to process their personal data after the termination of the employment agreement without any legal ground.

The Board determined that the employer had fulfilled its obligation arising from the GDPR. However, the employer did not fulfil its obligations under Turkish DP Law and continued to share the employee's photograph on its website without any legal grounds. Accordingly, the Board concluded that compliance with the GDPR alone is not sufficient and that the data controller must comply with Turkish DP Law as well.

Background

The employee worked in a liaison office of a foreign employer. The employee alleged that the employer continued to store their personal data and share it on the employer's website after the termination of the employment relationship. The employee also alleged that the employer failed to fulfil its obligation to inform either during the employment relationship or after the period of termination.

As the liaison office is not a legal entity, the Board initiated an investigation against the foreign employer.

Evaluation of the Board

In its decision, the Board concluded as follows:

1. Failing to fulfil the obligation to inform arising from the DP Law: The Board determined that the employer fulfilled its obligation to inform under the GDPR when the data subject worked in the London office of the employer. However, the employer failed to perform its obligation to inform arising from the DP Law once the employee started to work in Turkey.

2. Continuing to share the employee's personal data on the website: The Board concluded that if the data controller (employer) shares personal data on a website based on the explicit consent given by the data subject (employee), it should be deemed that the employee has withdrawn their consent after the termination of employment.

As a result, this decision of the Board is a reminder that compliance with the GDPR alone is not sufficient for data processing activities carried out in Turkey, and that data controllers must comply with the obligations arising from DP Law for data processing activities in Turkey.

The Board establishes the "strictly necessary" exemption on the use of cookies

On 23 May 2022, the Board issued a decision on "cookies" used on websites and/or mobile apps by an e-commerce company. In its decision, the Board decided to impose a monetary fine of TRY 800,000 (approx. EUR 45,000) due to unlawful data processing activity through cookies and made a distinction between strictly necessary cookies and not strictly necessary cookies. For detailed information, please see our article here.

In short, the Board has clarified that cookies that are essential for directly operating a website and/or mobile app are classified as strictly necessary, whereas cookies that are not necessary for operating a website/mobile app, such as 'performance-analytical cookies' and 'advertising/marketing cookies', are classified as not strictly necessary. Furthermore, the Board touched on the processing principles for cookie practices and stated that:

  • if a data controller uses a strictly necessary cookie, the data controller does not need to obtain explicit consent to process personal data via such a cookie;
  • if a data controller uses cookies other than strictly necessary cookies, the data controller must obtain the explicit consent of the relevant data subjects;
  • at the stage of obtaining explicit consent, data controllers must use an opt-in mechanism rather than an opt-out mechanism;
  • data controllers are obliged to fulfil their obligation to inform on the usage of cookies, regardless of the types of cookies used.

The Board scrutinises employers' monitoring power over employees

On 23 May 2022, the Board issued a decision on the power of employers to access employee corporate e-mail accounts. The Board examined the complaint of an employee who claimed that their employer monitors their corporate e-mail address and imposed a monetary fine of TRY 250,000 (approx. EUR 14,215) on the employer. In addition, the Board decided to initiate an ex officio investigation into the transfer of personal data outside of Turkey, as the employer uses the Microsoft cloud system OneDrive. For detailed information, please see our article here.

In its decision, the Board stated as follows:

  • Employers need to conduct a balance test between the benefit of their expectations from monitoring activity and the fundamental freedom and rights of employees. If the benefit of the employer suppresses employees' rights, then the employer must not conduct such monitoring activity.
  • If an employer decides to conduct such activity, the employer must fulfil its obligation to inform its employees in advance that it monitors employee correspondence and other communication activities.
  • If there is a less interfering method and/or measure, employers must not directly access the content of employee correspondence.

The Board announced the following data breach notifications in May

| Data Controller | Affected Data Subjects | Affected Personal Data | Number of Data Subjects |
| --- | --- | --- | --- |
| Yildiz Teknoloji Gelistirme Bölgesi Teknopark AS | Employees, Users, Customers | Identity, Communication Information, Location, Information on Consumer Transaction, Personnel Information, Finance, Information on Professional Experience | N/A |
| ZkSoftware The Advanced Biometric Solution Elektronik San. ve Tic. Ltd. Sti. | Employees, Customers | Identity, Communication Information, Personnel Information, Consumer Transaction, Finance, Marketing Information | Approx. 1,000 |
| Baydöner Restoranlari A.S. | Employees, Users, Members/Subscribers | Identity, Communication Information | 505,337 |
