Date: 2023-08-15

August 2023 – In July 2023, the Turkish Personal Data Protection Authority (the "DPA") issued one decision, one bulletin and published nine data breach notifications.

The DPA also announced the dates for the forthcoming II International Personal Data Protection Congress, set for 16-17 November 2023. Jointly organised by the DPA and Bilkent University Faculty of Law, the main theme of this year's event is "Privacy: A Priority in the Digital Age". The congress will offer various types of sessions, including international, plenary, and simultaneous hybrid sessions conducted in Turkish and English as the official languages. You can access more information about the congress here.

Attention data controllers: Threshold value for the VERBIS obligation raised to TRY 100 million

On 25 July, with the decision of the DPA published in the Official Gazette, the financial balance threshold considered for the obligation to register in the Data Controllers Registry ("VERBIS") has been raised from TRL 25 million (approx. EUR 855,000) to TRL 100 million (approx. EUR 3,420,000).

The DPA's decision numbered 2018/87, which governs the VERBIS registration obligation, has been revised to update the threshold related to the annual total of the financial balance sheet. Previously, local data controllers with (i) fewer than 50 employees annually and (ii) an annual total on their financial balance sheet of less than TRL 25 million were exempted from the VERBIS registration obligation, unless they primarily process sensitive personal data. With this recent decision, the threshold for the exemption related to the balance sheet has been increased from TRL 25 million to TRL 100 million. You can find our article on the VERBIS registration obligation here.

In order to calculate the annual financial balance sheet:

There must be a completed year;

The financial balance included in the financial statements attached to the income or corporate tax declaration submitted annually to the competent public authority for this completed year should be evaluated; and

The total amount that is equal in the "assets" or "liabilities" section of this financial balance information should be considered.

Regulation on advertising and promotion related to health services is in effect!

On 29 July, the Ministry of Health introduced the "Regulation on Promotional and Informative Activities in Health Services" (the "Regulation"), with its primary purpose being the regulation of advertising, promotional, and information activities related to health services. The Regulation outlines the scope of these activities, sets forth the principles that must be complied with, and determines the sanctions to be imposed in cases of non-compliance. You can find more details in our article here.

Key points addressed within the Regulation include:

A prohibition on both implicit and explicit advertising in the delivery of health services;

A set of rules and principles governing promotional and informative activities for health services and sanctions for non-compliance;

A provision stipulating that the activities should be carried out in accordance with the Law on the Protection of Personal Data numbered 6698.

First issue of DPA Bulletin published!

The first issue of the DPA Bulletin, prepared to increase awareness and share information about the protection of personal data, has been published. This initial edition covers the subject of generative artificial intelligence, including global developments, and highlights current developments made during the period from January to June 2023. It has been announced that the bulletin is planned to be published quarterly. Below you can find one of the interesting topics from this new Bulletin:

The DPA asked ChatGPT:

In this Bulletin, the DPA raised a question to ChatGPT concerning the importance of privacy in generative AI implementations. In response, ChatGPT emphasised that this technology poses a significant risk to privacy, highlighting the necessity for enhanced transparency.

ChatGPT's response highlights the crucial importance of privacy in the age of Generative AI. By using vast databases containing millions of data points from both public and private sources, generative artificial intelligence poses a significant risk to individual privacy. As per ChatGPT's generated response, to effectively address these challenges, (i) enhanced transparency regarding the training and usage of AI models, and (ii) the implementation of policies to ensure responsible data usage and the development of ethical guidelines for AI practices are necessary.

You can access the Bulletin here (in Turkish only).

The DPA announced the following data breach notifications in July:

| Data Controller | Affected Data Subjects | Affected Personal Data | Number of Data Subjects |
|---|---|---|---|
| Oden Insaat Turizm ve Tic. AS | Customers | Identity, Communication, Finance and Customer Transaction Data | 155 |
| Anadolu Isuzu Otomotiv Sanayi Ticaret | Employees | Identity and Communication Data | 1,113 |
| Çelik Motor Ticaret | Employees | Identity and Communication Data | 2,242 |
| Geberit Tesisat Sistemleri Ticaret | Employees | Identity and Communication Data | 743 |
| Mais Motorlu Araçlar Imal ve Satis | Employees | Identity and Communication Data | 4,776 |
| Schneider Elektrik Sanayi ve Ticaret | Employees | Identity and Communication Data | 12,249 |
| Toyota Türkiye Pazarlama ve Satis | Employees | Identity and Communication Data | 286 |
| Vodafone Dagitim Servis ve Içerik Hizmetleri | Employees | Identity, Communication and Personnel Information Data | 26,698 |
| Vestel Ticaret | Employees | Identity and Communication Data | 7,560 |



