New Decisions Of The Personal Data Protection Board 11 June 2019
Pursuant to Articles 15 and 22 of the Law on the Protection of Personal Data (referred to as the ‘Law’), the Personal Data Protection Board (referred to as the ‘Board’) has the authority to examine complaints lodged by applicants, or matters it takes up ex officio, and to issue administrative fines for violations.
The Board publishes summaries of the decisions which it deems as important and which may constitute a precedent as a result of its examinations.
Below we present summaries of the last four decisions published by the Board.
Decision of the Personal Data Protection Board dated 14/02/2019 and numbered 2019/23 on the failure of the Data Controller, who provides technical services, to Protect Personal Data:
The applicant lodged a complaint before the Turkish Personal Data Protection Board ("Board") stating that the company responsible for the technical service (referred to as the ‘Data Controller’) gave its customers form numbers when their devices entered service, that customers could check the status of their device in service by querying the form number, and that personal data belonging to different people could be accessed by changing the last digits of the form number. Although the Data Controller stated that it was not possible to access the personal data of device owners through these inquiries, the Board found that inquiries about other device owners could be made and that the name, surname, address and IMEI number of different persons could be accessed. Accordingly, with the decision dated 14/02/2019 and numbered 2019/23, the Board decided that the Data Controller had failed to take the necessary administrative and technical measures to ensure the protection of personal data pursuant to Article 12 of the Law on the Protection of Personal Data No. 6698. It therefore imposed an administrative fine of TL 150,000 pursuant to Article 18 of the Law and stopped the use of the relevant internet link until the violation of the Law is corrected.
Decision of the Personal Data Protection Board dated 05/03/2019 and numbered 2019/52 on Non-compliance of the Data Controller, who provides technical service, with the Decision of the Board:
Following the notification of the Personal Data Protection Board's decision dated 14/02/2019 and numbered 2019/23 to the Data Controller Company, the Board made inquiries with different form numbers on the Company's website. It found that inquiries about other devices could still be carried out, that no other security verification was being performed, and that when the ‘Click for Device Registration Images’ link on the website was selected, the IMEI numbers were still clearly displayed. In this respect, due to non-compliance with the decision of the Board numbered 2019/23 (“…immediately abolish the said contradiction and immediately stop the use of the links in this Decision until the approval of the said contradiction is provided…”), which had been notified to the Company, and the failure of the Company to comply with Article 15 of the Personal Data Protection Act, the Board decided to impose an administrative fine of TL 50,000 on the Company within the framework of Article 18 of the relevant law. In addition, the Board ordered the Company to change the system that allows inquiries for device monitoring and to immediately shut down access to the system in question.
Decision of the Personal Data Protection Board dated 01/03/2019 and numbered 2019/47 on the transfer of personal data to the judiciary and third parties without consent:
The applicant has lodged a complaint before the Personal Data Protection Board regarding illegal access to personal information about himself and his family and the transfer of it to the judiciary and third parties without his consent. As a result of the examination conducted by the Board, it was determined that the complainee did not engage in any personal data processing activity that was partially or fully automated or that was not part of any data recording system, and therefore the complainee could not be considered as a Data Controller. The Board further stated that the alleged unlawful collection of personal data belonging to the applicant and his family by the complainee was a criminal offense under the Turkish Penal Code and therefore there was no action to be taken under the Law no. 6698 on this subject.
Decision of the Personal Data Protection Board dated 02/05/2019 and numbered 2019/122 on the Failure to Respond to Applicant's Application to the Bank and the Non-Compliance of Information Text with the Regulations under the Law:
Pursuant to the rights contained in Article 11 of the Law on Personal Data Protection No. 6698, the applicant lodged a complaint with the Data Controller T.C Ziraat Bank A.Ş (referred to as the ‘Bank’) via registered email (KEP). However, this complaint was not answered within the legal period of thirty days. Thereupon, the applicant complained to the Board that the Information Text published by the Data Controller on its website did not meet the conditions stipulated in the legislation. The Board sent a letter to the Bank asking for explanations on the subject matter, but the Bank gave no response. Therefore, pursuant to the third paragraph of Article 18 of the Personal Data Protection Law No. 6698, the Board decided to take disciplinary action against the persons responsible for the violation at the Bank and those responsible for taking the necessary measures and carrying out inspections. Furthermore, the Board ordered the Bank to respond to the Applicant's requests for the implementation of the Law. The Board also ordered the Bank to revise the Information Text on the Bank's website and bring it in line with the provisions of the Communiqué, because it was not prepared in accordance with paragraphs (g) and (h) of Article 5 of the Communiqué on the Procedures and Principles to be Complied With In Fulfilling the Obligation to Inform (it included general and ambiguous statements and lacked legal reasons).
Decision of the Personal Data Protection Board on “Loyalty Cards” of Market Chains dated 25/03/2019 and numbered 2019/82:
The loyalty card is a card obtained from the stores of a market chain that provides discounts and accumulates points on some purchases. On the website of the loyalty card, a warning text appears which states: ‘In order to continue to take advantage of the card benefits, it is sufficient to grant data processing permission under the Personal Data Protection Act…… if you do not have permission, please read and confirm the membership and consent statement’. The text messages sent to customers' mobile phones state: ‘Please update your permission under the Protection of Personal Data Act. Our customers whose licenses are out of date will not be able to shop by saying mobile phones from our safes because their personal information will be deleted.’ The applicant complained that explicit consent was thereby put forward as a condition for the provision of a product or service and requested that the necessary action be taken within the scope of the Personal Data Protection Law (referred to as the ‘Law’) No. 6698. The applicant also complained that, while requesting the explicit consent of customers, the company charged a service fee of TL 0.01 under the name of Data Permit Application. As a result of the examination of the complaint, the Board found that participation in the Loyalty Card Program was not obligatory for customers within the scope of service provision by the Data Controller Company and that customers who are not members of the Program were not refused service. The Board therefore concluded that there was no action to be taken in relation to the applicant's claim that the provision of a service or product by the Company was subject to explicit consent.
With regard to the service fee of TL 0.01 charged under the name of Data Permit Application, the Data Controller stated in its defense that this occurred due to a systematic error in information technology, and that the same amount was immediately credited to the customers' cards as compensation. Therefore, the Board decided that there is no action to be taken by the Board under the Law. On the other hand, the Board's examination showed that the Information Text includes open-ended statements; that there are inconsistencies between the ‘Membership and Consent Statement’ and the ‘Information Text’; that the Information Text states that personal data (such as information on memberships of trade unions / associations / foundations, criminal convictions, data on security measures, sexual life, biometric data and information about health status) can be processed; that the main field of activity of the company is the retail supply of food and necessities to consumers; and that the Loyalty Card application offered in all the workplaces of the Company is designed as a marketing program. In view of the above, the Board found that the processing of personal data such as criminal convictions and data on security measures is not related to the purposes of the company, and is not limited and measured within the activities of the Data Controller. Therefore, the Board ordered that the inconsistencies between the ‘Membership and Consent Statement’ and the ‘Information Text’ should be eliminated and that the Company's Information Text should be updated by taking into consideration the basic principles of the Law and the provisions of the Communiqué.