August 2023 – In July 2023, the Turkish Personal Data Protection Authority (the "DPA") issued one decision, one bulletin and published nine data breach notifications.

The DPA also announced the dates for the forthcoming II International Personal Data Protection Congress, set for 16-17 November 2023. Jointly organised by the DPA and Bilkent University Faculty of Law, the main theme of this year's event is "Privacy: A Priority in the Digital Age". The congress will offer various types of sessions, including international, plenary, and simultaneous hybrid sessions conducted in Turkish and English as the official languages. You can access more information about the congress here.

Attention data controllers: Threshold value for the VERBIS obligation raised to TRY 100 million

On 25 July, with the decision of the DPA published in the Official Gazette, the financial balance threshold considered for the obligation to register in the Data Controllers Registry ("VERBIS") has been raised from TRL 25 million (approx. EUR 855,000) to TRL 100 million (approx. EUR 3,420,000).

The DPA's decision numbered 2018/87, which governs the VERBIS registration obligation, has been revised to update the threshold related to the annual total of the financial balance sheet. Previously, local data controllers with (i) fewer than 50 employees annually and (ii) an annual total on their financial balance sheet of less than TRL 25 million were exempted from the VERBIS registration obligation, unless they primarily process sensitive personal data. With this recent decision, the threshold for the exemption related to the balance sheet has been increased from TRL 25 million to TRL 100 million. You can find our article on the VERBIS registration obligation here.

In order to calculate the annual financial balance sheet:

  • There must be a completed year;
  • The financial balance included in the financial statements attached to the income or corporate tax declaration given annually submitted to the competent public authority for this completed year should be evaluated; and
  • The total amount that is equal in the "assets" or "liabilities" section of this financial balance information should be considered.

Regulation on advertising and promotion related to health services is in effect!

On 29 July, the Ministry of Health introduced the "Regulation on Promotional and Informative Activities in Health Services" (the "Regulation"), with its primary purpose being the regulation of advertising, promotional, and information activities related to health services. The Regulation outlines the scope of these activities, sets forth the principles that must be complied with, and determines the sanctions to be imposed in cases of non-compliance. You can find more details from our article from here.

Key points addressed within the Regulation include:

  • A prohibition on both implicit and explicit advertising in the delivery of health services;
  • A set of rules and principles governing promotional and informative activities for health services and sanctions for non-compliance;
  • A provision stipulating that the activities should be carried out in accordance with the Law on the Protection of Personal Data numbered 6698.

First issue of DPA Bulletin published!

The first issue of the DPA Bulletin, prepared to increase awareness and share information about the protection of personal data, has been published. This initial edition covers the subject of generative artificial intelligence, including global developments, and highlights current developments made during the period from January to June 2023. It has been announced that the bulletin is planned to be published quarterly. Below you can find one of the interesting topics from this new Bulletin:

The DPA asked ChatGPT:

In this Bulletin, the DPA raised a question to ChatGPT concerning the importance of privacy in generative AI implementations. In response, ChatGPT emphasised that this technology poses a significant risk to privacy, highlighting the necessity for enhanced transparency.

ChatGPT's response highlights the crucial importance of privacy in the age of Generative AI. By using vast databases containing millions of data points from both public and private sources, generative artificial intelligence poses a significant risk to individual privacy. As per the generated response of ChatGPT, to effectively addresses these challenges (i) enhanced transparency regarding the training and usage of AI models, and (ii) implementing policies to ensure responsible data usage and developing ethical guidelines for AI practices are necessary.

You can access the Bulletin here (in Turkish only).

The DPA announced the following data breach notifications in July:

Data Controller

Affected Data Subjects

Affected Personal Data

Number of Data Subjects

Oden Insaat Turizm ve Tic. AS

Customers

Identity, Communication, Finance and Customer Transaction Data

155

Anadolu Isuzu Otomotiv Sanayi Ticaret

Employees

Identity and Communication Data

1,113

Çelik Motor Ticaret

Employees

Identity and Communication Data

2,242

Geberit Tesisat Sistemleri Ticaret

Employees

Identity and Communication Data

743

Mais Motorlu Araçlar Imal ve Satis

Employees

Identity and Communication Data

4,776

Schneider Elektrik Sanayi ve Ticaret

Employees

Identity and Communication Data

12,249

Toyota Türkiye Pazarlama ve Satis

Employees

Identity and Communication Data

286

Vodafone Dagitim Servis ve Içerik Hizmetleri

Employees

Identity, Communication and Personnel Information Data

26,698

Vestel Ticaret

Employees

Identity and Communication Data

7,560


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.