The Board of Protection of Personal Data Has Published New Decisions 09 April 2020
The Board of Protection of Personal Data Has Published New Decisions
Pursuant to Articles 15 and 22 of the Law on Protection of Personal Data No. 6698 (the “Law”), the Board of Protection of Personal Data (the “Board”) is entitled to conduct necessary inspections within the scope of its remit, either ex officio in case it learns independently of possible violations or upon complaint, and to impose administrative fines in cases of breach. The Board publishes, on its website, summaries of its post-investigation decisions, which are considered to be important and to establish precedents.
We hereby present summaries of several of these Board decisions.
Board Decision No. 2019/138, about unlawful access of an employee’s WhatsApp correspondence by a company owner, published on 16.05.2019 by the Board
Pursuant to a complaint made to the Board related to the claims about the unlawful obtaining of employee WhatsApp correspondence, which was subsequently shared with third parties, the Board initiated an investigation.
After the investigation, the Board concluded when an employer reads the correspondence of an employee made through the employee’s computer at the workplace, taking photos and/or screenshots, the employer has committed a crime under Turkish
Criminal Law No. 5237; when so deciding, the Board observed the complaint cannot be evaluated pursuant to Articles 15/1 and 15/2 of the Law, which provides the Board
is to make the necessary examination of alleged violations of the Law are it learned of them upon receiving a complaint, when complaint does not meet the requirements set forth in Article 6 of the Law on the Use of Right to Petition. In its decision, the Board found that the employer’s WhatsApp user is not a data controller, and reading the correspondence, taking photos and saving screenshots cannot be considered data processing.
Board Decision No. 2019/106, about claims that an intermediary service provider’s website requires visitors to log in and does not allow them to
proceed to homepage without filling in -mail section asking for their email addresses, published on 08.07.2019 by the Board
In a complaint made to the Board, the complainant alleged that an intermediary service provider’s website requires its visitors to log in and does not allow them to proceed to homepage without first providing their e-mail addresses, which means the provision of personal data is a condition for the use of service, with legal bases for processing the personal data not clearly stated in the data processing notice.
As a result of its examination, the Board found that offering or making utilization of a product or service conditioned on the provision of personal data violated the explicit consent requirement, i.e., the rule requiring that explicit consent be an exercise of free will. Although the website subject to the review does not appear to be a direct supplier/provider of goods and services, the Board observed the site acts as an intermediary service provider, allowing the purchase of various services offered by a variety of service providers in other locations, and in different sectors. In this regard, however, based on the Board’s assessment that the discounted prices and advantages offered within the website are only offered to its members, rather than being the provision or utilization of a product or service provided pursuant to explicit consent, the Board decided there is no action to be taken under the Law regarding the subject matter.
In addition, when text on the website, titled “Our Privacy and KVK Policy”, , was examined by the Board within the framework of the “relevant legislation” , the Board observed it had not been specified whether the personal information processed by the website was processed within the framework of the obligations arising under that legislation or was based on the explicit consent of the relevant persons, or what part of the personal data in question was processed in accordance with any such explicit consent . In this context, the Board concluded if the personal data processing activity was based on anything other than the explicit consent provided for in the Law, there would be no need to obtain explicit consent from the person concerned, as that would be deceptive and a misuse of the explicit consent requirement. As a matter of fact, it must be emphasised that, if the explicit consent of the relevant person is withdrawn, it would mean the data controller who continues the data processing activity of the personal information in question based on one of the other personal data processing conditions, would be violating the Law.
The Board decided to instruct the website to update the text of its “Privacy and KVK Policy” by taking into account the provisions found in the “Communique on Principles and Procedures to be Followed in Fullfillment of the Obligation to Inform” and the website’s obligation to properly inform and obtain explicit consent. As the Board has stated in many resolutions, the provisions on websites related to privacy must be written clearly and understandable, as well as being as short and concise as possible, and most importantly be in accordance with the Law, including the obligation to use titles such as “KVKK Information Text”, “Our KVKK Policy”, and “Privacy and Information about KVKK”.. IN other words, the Board has made it clear that privacy relate notices should be presented to the relevant persons in a clear, simple and understandable manner, and in accordance with the provisions of the Law and related secondary legislation.
Board Decision No. 2019/273, on the requests of relatives to access their deceased ones’ personal data, published on 18.09.2019 by the Board
In an appeal made to the Board by the spouse of the deceased, the living spouse requested medical records and other information of the deceased spouse from a medical clinic by registered letter with return receipt. However, the clinic did not answer. Thereupon, the spouce forwarded an e-mail containing the aforementioned requests to the clinic's electronic address, after which the request was rejected by the clinic, which stated it could not share such information in absence of an official request. The living spouse then /she appealed to the Board for access to the personal data of the deceased spouse.
The Board considered Article 3 of the Law , and determed the relevant person is defined as “real person whose personal data is processed” and decided the living spouse’s request would not qualify be considered as a request under Article 11 of the Law, since the requested personal data was not related to the living spouse and, instead, belongs to the deceased spouse. The Board took into consideration the provision in the definition of personal data regarding being related to the “real person”, and then considered the definition of personality set forth in the Civil Code, which provides personality begins with birth and ends at death, it conluded the personal data of deceased persons cannot be considered as personal data within the scope of the Law, and the rights specified in Article 11 of the Law cannot be utilized.
Other News
-
21.11.2024
The Procedure of Sale by Auction and The Legal Aspect of New Regulations Brought by the 9th Judicial Package
By new regulations brought by the 9th Judicial Package, a new legal frame for the sale of seized goods electronically is instructed according to Enforcement and Bankruptcy Law Article 111/b. Transactions about the sales of seized goods are made via a sale portal integrated with the National Judicial Network Information System (UYAP) by auction. However, because of the legal gaps of the law, an application about the sale transactions cannot be displayed. The amendments introduced by legislators to the law regarding electronic sales in the 8th and 9th Judicial Packages, as well as the newly established regulations, are considered an important step toward making foreclosure processes faster and ensuring that sales transactions are conducted in a safer and more transparent environment.
-
14.11.2024
Law Numbered 7531 On Amendments To Certain Laws Was Published
Law1 No. 7531 on the Amendment of Certain Laws ("Law"), also known as the 9th Judicial Package, was published in the Official Gazette dated 14.11.2024 and numbered 32722 and contains significant amendments to 17 different laws.
-
12.11.2024
E-Government Era Begins In Lease Agreements!
The Ministry of Treasury and Finance ("Ministry") announced in the 2023-2025 period of its 2022 Action Plan for Combating the Informal Economy ("Action Plan") that lease agreements could be concluded through the e-Government portal to support the decision-making processes of the parties involved and conduct risk analysis studies. The first phase of this activity was launched on November 4, 2024, through the e-Government portal, and the second phase is expected to be implemented by the end of the year.
-
10.11.2024
A New Era in Digital Markets: The Competition Authori's The Competition Authority's 2024-2028 Strategic Plan Published
The Competition Authority ("the Authority") has published its 2024-2028 Strategic Plan ("the Strategic Plan") with the aim of adapting to the rapidly evolving dynamics of digital markets and maintaining a competitive economic order. Developed in light of recent shifts in the global competitive environment, the Strategic Plan focuses on new regulations in digital markets and emerging technologies. The Authority aims to ensure fair and competitive markets through this plan, with a clear focus on enhancing consumer welfare.
-
30.10.2024
Public Announcement on Standard Contract Notification Module Published
Public Announcement on Standard Contract Notification Module published on 24.10.2024 on the official website of Personal Data Protection Authority ("Authority"). By the decision dated 17.10.2024, the Personal Data Protection Board ("Board") created "Standard Contract Notification Module" ("Module") in order to carry out standard contract notification processes in a faster and more efficient manner and decided that the notifications could also be carried out online via the Module.
-
27.10.2024
Warning To Research Companies: Inform First, Then Obtain Consent
After the number of complaints to the Personal Data Protection Authority ("Authority"), the Authority published a Public Announcement on "Personal Data Processing Activities of Research Companies by Using "Random-Digit Dialing as a Method of Telephone Sampling" for the purpose of Statistical Research" ("Public Announcement").
-
20.10.2024
EU Data Act
In today's world, where digitalization is gaining significant pace, data sharing and management are of vital importance for all sectors. In this context, the European Union has adopted the EU Data Act, which reshapes the regulations on data sharing. It aims to promote the wider use of data generated by digital devices and services while introducing new rules for a fair data economy.
-
1.10.2024
Regulation No.2023/1115 on the Prevention of Deforestation and Rules for Companies Exporting Products to the European Union
According to data from the United Nations Food and Agriculture Organization, it has been determined that the world's forests decreased by 178 million hectares over the 30-year period from 1990 to 2020.
-
30.9.2024
SEC Climate Disclosure Rule
For the sake of a livable environment and the future of our world, sustainability and ecosystem protection are becoming increasingly important. In this context, governments are introducing environmental reporting standards for companies, which are among the actors that most significantly impact the ecosystem.
-
25.7.2024
2024-2025 Action Plan For The National Artificial Intelligence Strategy Has Entered Into Force
Presidency of the Republic of Türkiye Digital Transformation Office published 2024-2025 Action Plan for the National Artificial Intelligence Strategy within the framework of the 12th Development Plan in order to further Turkey's progress in the field of artificial intelligence and to achieve the set targets.
-
29.5.2024
Important Amendments Introduced to the Turkish Commercial Code by Law No.7511
The Law on Amendments on Turkish Commercial Code and Certain Laws (the "Law") was published in the Official Gazette dated 29 May 2024 and numbered 32560.
-
7.5.2024
Law Proposal on the Amendments on the Turkish Commercial Code Numbered 6102 and Certain Laws in Offered to the Parliament
Law Proposal on the Amendments on the Turkish Commercial Code and Certain Laws is offered to the parliament. Within the scope of the proposal, it is planned to make important amendments to a number of laws, particularly the Turkish Commercial Code, the Cooperatives Law, the Law on the Protection of Competition and the Law on Consumer Protection.
-
18.4.2024
The Constitutional Court Decision Annulled The Regulation Envisaging Liability For Litigation Expenses Within The Scope Of Mediation In Civil Disputes
In accordance with paragraph 11 of Article 18/A of Law No. 6325 on Mediation in Civil Disputes1 ("the Code"), a party shall be held liable for the entire cost of the litigation, nothwithstanding justification at the conclusion of the proceedings, and shall not be granted power of attorney fee if he or she fails to appear for the initial session of mandatory mediation without providing an explanation.The aforementioned regulation is outlined as follows:
-
7.4.2024
E-Application" Period In Capital Markets Board Applications
With its announcement dated 5 February 2024, the Capital Markets Board ("Board") announced to the public that capital market institutions, organisations and partnerships will be able to make their applications more quickly and effectively through the e-Application System.
-
4.4.2024
The Amounts In The Pre-Conditions To Be Complied With Before The Initial Public Offering Of Shares In Several Sectors Were Decreased
The Capital Markets Board ("Board" or "CMB") decreased the financial thresholds for financial statements, especially considering the sectoral differences of the companies that submitting to the Board for initial public offering and the 12th Development Plan ("Plan") prepared by the Presidency of the Strategy and Budget Directorate.