DPA's Landmark Consent Ruling on Marketing
The Personal Data Protection Board ("DPA") issued a significant ruling regarding unsolicited commercial electronic communications. The Board found that a data controller's use of an individual's contact information for marketing calls and SMS messages without obtaining explicit consent constitutes unlawful processing under the Personal Data Protection Law No. 6698 ("Law"). It emphasized that not only the act of calling or sending messages but also retaining contact details in the system for marketing purposes qualifies as personal data processing. Furthermore, the data controller failed to meet its transparency obligations and deprived the data subject of accessible communication channels. Consequently, the DPA imposed an administrative fine of TRY 300,000 for breaching data security obligations under the Law. This ruling clearly establishes the Board's strict stance against marketing activities conducted without explicit consent.
Constitutional Court Limits Employer's Data Access
The Constitutional Court ("CC") issued a landmark judgment concerning employer access to employees' personal email accounts. In this case, private emails left open on a corporate device were accessed and used by the employer during disciplinary proceedings and contract termination. The Court ruled that the employer's right to access data is not unlimited and that the access violated the employee's rights to privacy and freedom of communication. Key factors included the absence of prior clear notification to the employee about such access and the use of the data for purposes unrelated to its original processing intent. The CC underlined that employers must adhere to principles of proportionality and transparency in data processing activities. This decision reaffirmed that fundamental rights guaranteed by Articles 20 and 22 of the Constitution also apply within the workplace.
Constitutional Court Rules Against Employer's Fingerprint Data Collection
In a case involving the processing of employees' fingerprint data for attendance tracking, both the first instance and regional appellate courts initially upheld the processing as compliant with the Law. Upon review, the CC concluded that fingerprint data qualify as biometric personal data and that their processing must comply with explicit consent, proportionality, and legality requirements under the Law. The Court found violations due to lack of employee notification and absence of explicit consent, resulting in the annulment of the lower courts' decisions. The ruling highlights the necessity of limiting and transparently managing biometric data processing to safeguard employees' privacy rights.
Supreme Court Highlights Importance of KVKK Training in Dismissal
An employee in the reporting department of a finance company mistakenly encrypted and sent a different customer's file to a customer representative. The file was forwarded without verification, leading the employer to terminate the employee under "Code 49" for personal data breach. The employee contested the dismissal, citing insufficient training, and requested correction of the termination code.
The Labor Court found insufficient evidence that the employee acted intentionally and that proper warnings and training were provided. It ruled to amend the termination code to "Code 04" (termination without just cause). The Regional Court of Appeal upheld this decision, concluding the dismissal lacked just cause and the termination code was unlawful. The Supreme Court rejected the employer's appeal, affirming the lower courts' rulings.
This case highlights the critical role of training and acknowledgment obligations under the Law, as well as the protection of employees' rights in dismissal procedures.
The DPA announced the following data breach notifications in June:
Data Controller (and sector) | Affected Data Subjects | Affected Personal Data Categories | Number of Data Subjects |
BeiGene, Ltd. | Employees and patients | ID, contact, and health information | 467 in Türkiye (including 17 employees and 450 patients) |
TCO Turkey Mücevherat Ticareti Ltd. | Employees and customers | Names, contact information, job titles, managerial details, usernames, hashed passwords, and possibly customer names, contact info, age, sales data, and gender, based on ongoing investigation | Not detected |
İstanbul Gedik Üniversitesi | Employees, users, and students | Name, surname, username, masked and last four digits of national ID number, email, institutional department details, and user traffic data | 23.269 |
Richemont İstanbul Lüks Eşya Dağıtım A.Ş. | Current and potential customers | Name, email, country, customer ID, and date of birth | 25.737 |
Manulaş Manisa Ulaşım Hizmetleri Makina Sanayi ve Ticaret A.Ş | Subscribers and members | Name, surname, national ID number, date of birth, gender, phone number, email, full address, occupation, vehicle plate number, photo, and health data | Approximately 1.268.222 (actual number presumed lower) |