Date: 2022-01-10

In December 2021, the significant developments in the field of personal data protection are: (i) the Communiqué on the Procedures and Principles Regarding Personnel Certification Mechanism published by the Personal Data Protection Authority ("Authority"); (ii) public announcements regarding (a) data protection officers, (b) unlawful collection of personal data for recruitment and (c) verification codes sent by the stores to data subjects via SMSs during in-store shopping; and (iii) the decisions of the Personal Data Protection Board ("Board").

We set out below the summaries of these developments in Turkey and from around the world:

Communiqué - Communiqué on the Procedures and Principles Regarding the Personnel Certification Mechanism and public announcement on the data protection officers

The Authority's Communiqué regarding certification as a data protection officer was published in the Official Gazette dated 6 December 2021 and entered into force on the same date. The Communiqué regulates the training, examination and certification processes of data protection officers.

As per the Communiqué, "data protection officer" is defined as a "natural person who is entitled to use the title of data protection officer by successfully passing the exam," and it is stipulated that data protection officers have sufficient knowledge in terms of personal data protection legislation of their certification program. Individuals who have passed the necessary examination and training process in accordance with the Communiqué will be able to become data protection officers.

Unlike the General Data Protection Regulation (GDPR), the Communiqué does not regulate the concept of data protection officers in detail. In this regard, the Authority emphasized in its announcement dated 10 December 2021 that the data protection officer under the GDPR (DPO) is different from the data protection officer in Turkish legislation. The Communiqué neither imposes any obligation on data controllers regarding the appointment of a data protection officer nor stipulates the duties of the data protection officer. The Communiqué, however, states that the appointment of a data protection officer by the data controller and/or data processor will not eliminate the obligations of the data controller and the data processor arising from the Law on the Protection of Personal Data ("Law").

Further information on the Communiqué is available in our legal alert here. The Communiqué is available online here (in Turkish).

Announcement - Public announcement on personal data breaches with job promise

According to the announcement dated 7 December 2021, complaints of data subjects who are requested to send photos of their identity cards and make payments for job applications available on social media and other mediums have increased. As per the claims, data subjects cannot contact the real or legal persons who promise the job once the request is fulfilled. The Authority stated that such fraudulent activities can constitute a crime under the Turkish Penal Code (TPC), and the petitions that fall under the jurisdiction of judicial authorities shall be submitted to the relevant authorities.

The announcement is available online here (in Turkish).

Announcement - Public announcement regarding the processing of personal data by sending a verification code via SMS during in-store shopping

The announcement dated 17 December 2021 evaluates the claims regarding commercial electronic messages that companies send to data subjects after learning the verification code sent via SMS to complete their shopping transactions. The Authority determined that the data controllers use the code requested to finalize a transaction as explicit consent for commercial electronic messages, although data subjects are not provided with any clarifications beforehand.

The Authority remarked that: (i) layered notice as to the purpose, content and consequences of the SMS must be provided by the store staff and in the content of the SMS; (ii) separate explicit consent must be obtained for each data processing activity; (iii) explicit consent shall not be obtained within the privacy notice; and (iv) explicit consent must be obtained for a specific subject based on informed and free will.

The announcement is available online here (in Turkish).

Decision - Decision on push notifications of a bank's mobile app

In the complaint submitted to the Authority, it was claimed that a data controller bank sends promotional messages via the mobile app without obtaining the explicit consent of data subjects.

According to the Board's decision no. 2021/361 dated 13 April 2021: (i) Law No. 6563 on the Regulation of Electronic Commerce and the Law are violated since the "push notifications" settings in the mobile app are in approved mode by default; and (ii) the data controller who sends promotional messages without duly obtained and explicit consent failed to take the necessary technical and organizational measures to ensure an appropriate level of security.

Accordingly, the Board decided to impose an administrative fine on the data controller and instructed the data controller to configure its mobile app to request explicit consent from the data subjects.

The decision is available online here (in Turkish).

Decision regarding photos shared on the social media account of a data controller

In the complaint submitted to the Authority, the data subject, who is a former employee of the data controller, claimed that their photos were published on the social media account of the data controller without explicit consent. Also, according to the claim, the photos were not removed despite the data subject's request.

According to its decision no. 2021/422 dated 27 April 2021, the Board concluded that: (i) since there is no evidence that explicit consent of the data subject was obtained, the data processing activity is unlawful; and (ii) the photos should have been deleted or destroyed within the 30-day legal period upon request of the data subject, as per the Regulation on the Deletion, Destruction or Anonymization of Personal Data ("Regulation"), and hence continuing data processing despite the expiry of the legal retention period is unlawful.

In accordance with the Regulation, the Board decided to impose an administrative fine against the data controller and instructed the data controller to remove, delete or destroy all photos of the data subject on its social media account.

The decision is available online here (in Turkish).

Decision - Decision on advertising SMSs sent to the data subject

In the complaint submitted to the Authority, the data subject claimed that the data controller education center, which sent an SMS to the data subject for advertising/notification purposes without obtaining explicit consent, did not respond to their application within the legal period.

According to the Board's decision no. 2021/227 dated 11 March 2021:

The data controller cooperated with a third-party survey company that obtains "blanket consent" of data subjects.

The explicit consent requirement is not fulfilled, since the burden of proof lies with the data controller despite the claim that whether the information on the survey belongs to the person filling it is beyond the control of the data controller.

The data controller failed to take the necessary organizational and technical measures to establish mechanisms to ensure the accuracy of the contact information.

The data controller failed to take the necessary technical and organizational measures to ensure an appropriate level of security in order to prevent the unlawful processing of personal data.

In light of the above, the Board decided to impose an administrative fine on the data controller, instruct the data controller to destroy the personal data subject to the complaint, and initiate an ex officio investigation against the third-party survey company which may also be a data controller.

The decision is available online here (in Turkish).

