Bulletin
Penalties and enforcement decisions for breaches of Data Protection Law in Turkey
Penalties
Certain breaches of data protection law can result in imprisonment under Turkish law:
- prison sentences (ranging from six months to four years) or judicial fines can apply for unlawful collection, processing and transfer of personal data under the Criminal Code;
- safety measures may be imposed on legal entities, such as cancellation of licences or seizure of the goods used for or gained as a result of the committed crime, or of the benefits gained from the committed crime, as determined under Article 60 of the Criminal Code;
- administrative fines ranging between TRY 5,000 (approx. €497) and TRY 1 million (approx. €99,401) will apply for breaches of the Data Protection Law;
- individuals can claim compensation for unlawful collection or processing of personal data (under the Civil Code, Law No. 4721 (as amended)) (only available in Turkish here); and
- sector-specific regulations also contemplate administrative fines, see for example the Regulation on Administrative Sanctions of Information and Communications Authority (only available in Turkish here), which imposes fines on authorised operators (service providers, network providers, infrastructure operators) worth up to 3% of the preceding calendar year’s net sales for violating personal data and security obligations.
Enforcement decisions
The Board issued six principle-decisions outlining the essential concepts that data controllers must take into account. The specifics of such principle-decisions are listed under board decisions further down. The following criteria are highlighted by such principle-decisions:
- all data processing activities must comply with the conditions under Articles 5 and 6 of the Data Protection Law for processing personal data, and persons processing personal data must also comply with other requirements under the Law;
- the entities providing services at service counters, box-offices and desks must ensure that only authorised persons are in these locations, as well as take necessary measures to prevent people receiving services at these locations from seeing or hearing each other’s personal data;
- data controllers must take all necessary technical and organisational measures to provide appropriate data security in order to stop and prevent unauthorised access and misuse of authorisations;
- advertising that uses data subjects’ contact details unlawfully must cease;
- the use by individuals and organisations of software programs that allow personal data to be queried against data obtained in various ways is unlawful, and such use is subject to procedural action under Turkish criminal law; and
- reasonable measures should be taken to verify the contact information declared by data subjects, by sending a verification code and/or link to the declared phone number and/or e-mail address, etc.
In addition to the above-mentioned principle-decisions, some sample decisions of the Board which are significant for clarification are as follows:
- the Board imposed, in its decision numbered 2020/559, an administrative fine of TRY 900,000 (approx. €88,390) on a data controller for transferring personal data abroad without a valid legal basis. The Board rejected the data controller’s claim that Convention 108 is sufficient per se for data transfers abroad among its parties. Being a party to Convention 108 is not sufficient for such a party to be accepted as a safe country, and a data controller that relies on Convention 108 for data transfers abroad does not meet the requirements under the Data Protection Law (only available in Turkish here);
- the Board stated under its decision numbered 2019/157 that the use of e-mail services from service providers whose servers/data centres are located outside Turkey shall be deemed a data transfer abroad; therefore, storage services obtained through data controllers/data processors whose servers are located abroad shall also be required to comply with Article 9 of the Data Protection Law (only available in Turkish here);
- the Board stated under its decision numbered 2020/746 that the right to information covers the right of access, and a data subject’s request to receive their personal data is lawful. However, if the related personal data record includes personal data of anyone other than the data subject, the data processor shall have the option to mask the third parties’ personal data and/or to provide the record in an alternative format (such as a transcript of the record) (only available in Turkish here);
- the Board found under its decision numbered 2020/494 that it is lawful for the employer to present the camera recordings as evidence in the reemployment lawsuit filed by the employee whose employment contract was terminated (only available in Turkish here);
- the Board decided in its decision numbered 2021/115 to impose an administrative fine of TRY 175,000 (approx. €15,067) on the data controller for registering the phone number of a debtor’s brother as an alternative phone number because the bank had previously made contact using this phone number (only available in Turkish here);
- the Board decided in its decision numbered 2020/755 that a real estate property manager, as data controller, did not violate the Personal Data Protection Law by sharing with the data subject’s landlord certain requested personal data, including an accounting of delinquent property dues and a mobile phone number, since the processing was necessary for the landlord’s exercise of rights granted by Article 22 of the Property Ownership Law number 634 (only available in Turkish here);
- the Board decided in its decision numbered 2021/111, regarding contact with the relatives of a debtor concerning the debt, to impose an administrative fine of TRY 50,000 (approx. €4,913) on the first law firm, which processed personal data without any legal ground for processing, TRY 115,000 (approx. €11,300) on the company that transferred this data to another law firm without checking its accuracy, and TRY 100,000 (approx. €9,826) on the law firm that contacted them despite knowing that the data in question belonged to the debtor himself (only available in Turkish here);
- the Board decided in its decision numbered 2020/407 to impose an administrative fine of TRY 100,000 (approx. €8,610) on a data controller hospital which sent the health data of the data subject by e-mail to a third person as well as to the data subject (only available in Turkish here);
- the Board decided in its decision numbered 2020/404 to impose a total administrative fine of TRY 250,000 (approx. €24,565) on a data controller which did not provide proper disclosure, processed sensitive personal data (biometric data, namely fingerprints taken at workplace entrances and exits) without valid consent, and transferred the personal data abroad (only available in Turkish here); and
- the Board imposed in its decision numbered 2020/335 an administrative fine of TRY 50,000 (approx. €4,912) on a data controller which made express consent a condition of its car rental services and did not provide services to a customer who did not give his express consent (only available in Turkish here).
Board decisions
In addition, the Board issues decisions to clarify areas within the Data Protection Law, regulations, and practice. Key decisions include:
- Decision Number 2018/10 on the adequate measures to be implemented when processing special categories of personal data (only available in Turkish here): the Board declared that data controllers must prepare a separate policy and procedure for protecting special categories of personal data and emphasised the importance of implementing measures which had previously been determined in the Personal Data Security Guide.
- Decision Number 2017/62 on data security in service areas (only available in Turkish here): the Board declared that entities providing services at service counters, box-offices, and desks must ensure that only authorised persons are in these locations, as well as take necessary measures to prevent people receiving services at these locations from seeing or hearing each other’s personal data. The Board specifically referred to banks and healthcare organisations in this context.
- Decision Number 2017/61 on phone directory services (only available in Turkish here): the Board found that websites and applications which offer phone directory services (searchable via phone number or name) and share personal data without any justifiable reason determined under the Data Protection Law and relevant legislation must immediately cease their activities or face either administrative or criminal sanctions. The decision underlines that all data processing activities must comply with the conditions under Articles 5 and 6 of the Data Protection Law for processing personal data, and persons processing personal data must also comply with other requirements under the Data Protection Law.
Principle decisions published by the Board include:
- Decision Number 2018/63 on unauthorised access and use of data (only available in Turkish here): the Board announced that data controllers must take all necessary technical and organisational measures to provide appropriate data security in order to stop and prevent unauthorised access and misuse of authorisations.
- Decision Number 2018/119 on advertising using data subjects’ contact details unlawfully (only available in Turkish here): the Board announced that advertising using data subjects’ contact details unlawfully must cease. The Board stated that those advertising via e-mail, SMS, and calls should also cease such activities and that the Board will impose sanctions for failure to do so.
- Decision Number 2019/308 on individuals and institutions using software programs that allow personal data to be queried (only available in Turkish here): the Board determined that individuals and organisations use software programs that allow them to query personal data against data obtained in various ways. The Board specifically referred to attorneys, law firms, and individuals and organisations operating in the finance, real estate, and insurance sectors. The Board announced that the use of such software programs is not in compliance with Article 12 of the Data Protection Law and that data processors using such programs shall be subject to procedural action under Turkish criminal law.
- Decision Number 2020/966 on the technical and administrative measures to be taken by data controllers in order to verify the contact addresses provided by data subjects (only available in Turkish here): in order to ensure that personal data are kept accurate and up to date where necessary, the Board decided that reasonable measures should be taken to verify the contact information declared by data subjects, by sending a verification code and/or link to the declared phone number and/or e-mail address, etc.
- Decision Number 2019/125 on specifying the criteria to determine the countries with an adequate level of protection (only available in Turkish here): within the scope of Article 9 of the Data Protection Law;
- Decision Number 2019/10 on notification procedures and principles related to the personal data breach (only available in Turkish here);
- Decision Number 2019/9 on application procedures to the data controller and determination of complaint periods to the Board (only available in Turkish here);
- Decision Number 2019/225 on the Data Controller Registry (‘the Registry’) registration obligation of data controllers located outside Turkey (only available in Turkish here): data controllers located outside Turkey may be obliged to register with VERBIS if they carry out personal data processing activities in Turkey directly or through their branches or liaison offices.
Decisions on the exemptions from registration to the data controller’s registry include:
- decision Number 2018/32 (only available in Turkish here);
- decision Number 2018/68 (only available in Turkish here);
- decision Number 2018/75 (only available in Turkish here);
- decision Number 2018/87 (only available in Turkish here);
- decision Number 2019/353 (only available in Turkish here);
- decision Number 2020/315 (only available in Turkish here), see section 5 for further information on this decision; and
- decision Number 2018/88 on registration deadlines (only available in Turkish here).
Decisions on the registration deadlines include:
- decision Number 2019/265 (only available in Turkish here);
- decision Number 2019/387 (only available in Turkish here);
- decision Number 2020/482 (only available in Turkish here); and
- decision Number 2021/238 (only available in Turkish here).
The KVKK has also published the Board’s summarised and anonymised decisions to help clarify legislation and practices in this developing area, giving some insight on how the Board will treat certain aspects of data processing, transfers, and security breaches. Notable points from the decisions include:
- Decision Number 2020/481 on the right to be forgotten (only available in Turkish here): the Board stated that search engines, operating on the basis of data collected from third-party websites, are data controllers carrying out data processing activities. The Board evaluated data subjects’ delisting requests to search engines as a sub-category of the right to be forgotten. To consider such requests, a balancing test between the data subject’s fundamental rights and freedoms and the public’s interest in obtaining the information is required. The Board published a list of 13 criteria which may be used when carrying out such a balancing test.
- the Board ruled that notifying data subjects about a breach of personal data security 17 months after the breach exceeds the reasonable period, constituting a breach of data security (only available in Turkish here);
- if other grounds for processing personal data exist, seeking the explicit consent of data subjects constitutes an abuse of rights by the data controller, and explicit consent cannot be requested as a pre-condition for services (only available in Turkish here);
- the Board ruled that transferring personal data to courts which exceeds the requested amount violates the principle of data minimisation (only available in Turkish here);
- the Board warned data controllers which do not respond to data subjects who wish to exercise their rights within 30 days (only available in Turkish here);
- the Board warned a company for processing personal data for purposes other than its legal obligations where the company kept personal data for ten years on the basis of its legal obligations (only available in Turkish here);
- the Board sanctioned a data controller which sent a customer’s personal data to another customer with the same name on the basis that the error indicates a lack of technical and administrative measures (only available in Turkish here);
- the Board ruled that adding an employee’s residential address to sample contracts which were sent to third parties without any legal basis is a violation (only available in Turkish here);
- the Board refused a data subject’s request to remove his/her name from a column in a journal, on the basis that freedom of press overrides their right to privacy (only available in Turkish here);
- the Board sanctioned a data controller which obtained additional documents including personal data that are not necessary for the execution of the related transaction (only available in Turkish here);
- the Board decided with its decision numbered 2019/122 to apply disciplinary procedures against a bank’s employees who did not respond to the application made by the data subject, and ruled that the bank should change the privacy notice available on its official website in accordance with the Obligation to Inform Communiqué (only available in Turkish here);
- the Board ruled with its decision numbered 2019/82 that a company’s loyalty card is designed as a marketing tool and consequently seeking consent for processing special categories of personal data is not relevant, limited or proportionate to the scope of the data controller’s activities (only available in Turkish here);
- the Board noted in its decision numbered 2018/90 that the data controller’s obligation to inform and seek the data subject’s explicit consent should be carried out separately (only available in Turkish here);
- the Board noted in its decision numbered 2019/106 that unidentified person(s) shall not be determined as data controllers (only available in Turkish here);
- the Board ruled with its decision numbered 2018/156 that applications made to the KVKK regarding issues falling under the jurisdiction of the judicial authorities shall not be considered within the scope of the Data Protection Law (only available in Turkish here);
- the Board announced that Microsoft notified the Board on 8 May 2019 of a data breach that occurred in the company’s systems. Microsoft stated that the ID information of a customer support manager working for one of its service providers had been obtained by third parties without authorisation. The company reported that this manager violated Microsoft’s policy and shared his/her account login information with 13 support representatives. As a result, third parties were able to partially access Microsoft users’ e-mail accounts between 1 January 2019 and 28 March 2019 (only available in Turkish here);
- the Board announced that Microsoft notified the Board on 29 January 2020 of a misconfiguration in its security systems that led to a breach resulting in the unlawful disclosure of Microsoft customer records;
- the Board has issued two recent decisions numbered 2019/81 and 2019/165 on biometric data. The Board imposed administrative sanctions on two different data controllers, both operating fitness centres, for processing biometric data at the entrances and exits of their members. The Board construed that the explicit consent obtained from members had been presented as a pre-condition for receiving the services; therefore, such explicit consent cannot be considered freely given and is invalid. In addition, the Board decided that the data controllers’ practice of requiring their members to use fingerprints as the obligatory and only way of entering the fitness centres does not comply with the principle of proportionality, which requires minimisation of the data collected to the extent possible. The Board also explicitly stated that obtaining explicit consent does not legalise the collection of excessive personal data, and the collection needs to be proportionate and limited to the purpose of processing (only available in Turkish here);
- the Board ruled, with its decision Number 2019/296, that rejecting a data subject’s access request because the application was not sent via a notary public or by electronically signed e-mail imposes a pecuniary burden that is not foreseen in the Data Protection Law or the Application Communiqué. The data subject’s right to make an appropriate application is thereby prevented, which constitutes a breach of the law and of the rules of honesty stipulated under Article 6 of the Application Communiqué (only available in Turkish here);
- the Board ruled with its decision Number 2020/173 that explicit consent cannot be incorporated into a general privacy notice and must be obtained before the transfer of personal data. Obtaining the consent of the data subject through an opt-in section is not enough to comply with the explicit consent requirements, and transfers carried out on the basis of such approval are unlawful (only available in Turkish here);
- the Board highlighted the difference between a wet-ink signature and a biometric signature in its decision numbered 2020/649. Biometric signature solutions are not defined within the framework of a specific standard, have different functional features, and are not considered equivalent to a wet-ink signature. The provisions regarding signatures in the Turkish Code of Obligations number 6098 regulate the classical signature and the electronic signature and do not cover the biometric signature. As the biometric signature falls within a special category of personal data, it can only be processed with the explicit consent of the data subject or where clearly prescribed by law. However, the provisions of the Turkish Code of Obligations number 6098 do not fulfil the requirement of being ‘clearly prescribed by the law’ (only available in Turkish here);
- the Board issued a decision numbered 2020/927 on a data subject’s request to be excluded from search engine query results. The Board decided that the request is subject to evaluation by the trial court and does not fall within the scope of the Data Protection Law (only available in Turkish here);
- the Board decided with its decision numbered 2020/93 that there is no ground for deleting or modifying health data (including mental health data), since the data were processed by the Ministry, which fulfils the ‘authorised institutions and establishments’ requirement, for the purpose of ‘protection of public health, preventive medicine, medical diagnosis, provision of health care services and treatment, planning, and management of health care services and their financing’ (only available in Turkish here);
- the Board ruled with its decision numbered 2020/508 that processing personal data which was made public for a specific purpose, for that same purpose, does not breach the Data Protection Law. Since the personal data posted on attorney search websites are processed for the same purpose as by the Turkish Bar Association, the processing of the personal data is not unlawful (only available in Turkish here);
- the Board decided with its decision numbered 2020/667 that, since obtaining special category personal data is necessary for the renewal of an insurance policy, the insurance company’s request for its client’s explicit consent in order to process their special category personal data is lawful (only available in Turkish here);
- the Board issued a decision numbered 2020/710 on the processing of personal data during enforcement proceedings. As Article 89 of the Enforcement and Bankruptcy Law (only available in Turkish here) allows a secured creditor in enforcement proceedings to pursue recovery against non-debtor third parties who may be in possession of debtor assets, processing the data of non-debtor third parties for this purpose does not violate the Data Protection Law (only available in Turkish here);
- the Board issued a decision numbered 2020/212 on the practice of CCTV cameras with audio and video recording. The Board highlighted that each audio and video recording practice of data controllers shall be assessed on the basis of the principle of proportionality (only available in Turkish here);
- the Board evaluated the practice of trade registry offices and the principle of publicity of trade registry records with its decision number 2020/307. The documents recorded by the trade registry offices include personal data pertaining to real person representatives. Therefore, the trade registry offices must provide requested documents and/or information to third parties provided that the sections including personal data are redacted. The Board noted that the trade registry offices are under a confidentiality obligation with regard to the personal data in their possession and are not the authorised body for providing civil registry information under the Civil Registry Services Law numbered 5490 (only available in Turkish here);
- the Board ruled with its decision numbered 2020/507 that the legal inheritors of the deceased persons are entitled to obtain records including personal data related to health (only available in Turkish here);
- the Board issued a decision numbered 2020/504 regarding the request of an airline company’s customer to obtain the audio records of conversations between the customer and the call centre. Since the audio records included personal data belonging to third parties in addition to the customer’s own data, the airline company provided its customer with a redacted transcript of the related conversation. The Board noted that the right to information includes the right to obtain the related data, provided that this does not violate third parties’ rights. Where the data would violate third parties’ rights, providing the content of the data, including all details pertaining to the data subject, in an alternative form such as a transcript is an acceptable way to satisfy the data subject’s request (only available in Turkish here);
- the Board ruled that the purpose of data breach notification is to create an opportunity to swiftly avoid or minimise the negative outcomes of the breach that data subjects might have to bear. Accordingly, in its decision numbered 2019/271, the Board determined the minimum requirements that must be included in a data breach notification (only available in Turkish here); and
- the Board has put forward its opinion on the implementation of the right to access with its decision Number 2020/13 (only available in Turkish here).
The Board imposed fines on:
- a hospital which could not provide an adequate level of protection for patients’ personal data (only available in Turkish here);
- a career platform which shared an applicant’s personal data with other applicants without any legal basis (only available in Turkish here);
- a company which shared an applicant’s CV with the other group companies through a mutual electronic platform, without the applicant’s consent (only available in Turkish here);
- a technical service provider company which failed to take the necessary technical and administrative measures to protect its customers. Afterwards, the Board imposed a second fine on this company for not complying with the Board’s previous decision (decision numbered 2019/52 is only available in Turkish here);
- a social media platform (Facebook) which failed to prevent unlawful access to users’ visual data. This data breach was caused by an ‘API bug’, as a result of which third-party applications were able to access user photos for 12 days. The total fine was TRY 1.65 million (approx. €164,012), in two parts: the Board first imposed TRY 1.1 million on Facebook for failing to take the necessary technical and administrative measures in time, and secondly imposed TRY 550,000 (approx. €54,670) for not notifying the Board as soon as possible after detecting the API bug (decision numbered 2019/104 is only available in Turkish here);
- three different companies operating in the transportation and lodging sectors: the Board imposed TRY 550,000 (approx. €54,670) on each of the transportation companies and TRY 1.45 million on a hotel for failing to take the necessary administrative and technical measures and to inform the Board and data subjects about the data breach as soon as possible (decision numbered 2019/144 is only available in Turkish here);
- an asset management company which sent text messages to a data subject multiple times regarding the same issue without obtaining the data subject’s explicit consent (decision numbered 2019/159 is only available in Turkish here);
- a data controller which sent commercial electronic communications without obtaining the data subject’s explicit consent. The Board decided that sending commercial electronic communications to a data subject is a data processing activity and must comply with the data processing conditions stipulated under Article 5 of the Data Protection Law (decision numbered 2019/162 is only available in Turkish here);
- a data controller, with an administrative fine of TRY 50,000 (approx. €4,970), for failing to fulfil its obligation to prevent unlawful processing of personal data (decision numbered 2019/166 is only available in Turkish here);
- a social media platform (Facebook) which failed to prevent unlawful access to the user’s data. This data breach was caused by the complex interaction of multiple bugs related to three different Facebook features. However, the breach in question was not duly notified by Facebook to the Board as envisaged under the Personal Data Protection Law. In this respect, the Board started an ex-officio investigation on Facebook in accordance with Article 15(1) of the Data Protection Law. As a result of the investigation, the Board fined Facebook TRY 1.6 million (approx. €159,042) due to the facts that Facebook did not take the necessary technical and administrative measures to prevent possible data breaches and failed to notify the Board of the breach (decision numbered 2019/269 is only available in Turkish here);
- a data controller which failed to ensure an adequate level of administrative and technical measures to protect personal data; a second administrative fine was also imposed because the data controller violated the obligation to inform the Board and data subjects about the data breach as soon as possible (decision numbered 2019/122 is only available in Turkish here);
- an airline company which, in response to a data subject’s request to change the username and password of his loyalty membership, requested a copy of both sides of the data subject’s identification card, thereby processing the data subject’s health and religion data (sensitive personal data) shown on the ID card without obtaining his explicit consent. The Board also decided that the data controller had processed personal data in a manner non-compliant with the principle of being relevant, limited and proportionate to the purposes for which they are processed (decision numbered 2019/294 is only available in Turkish here);
- a data controller which processed personal data made public by the data subject in a manner inconsistent with the purpose of its publication (decision numbered 2019/331 is only available in Turkish here);
- a newspaper that has disclosed a special kind of personal data of the data subject in a column without obtaining his explicit consent. The Board decided that the special kind of personal data was disclosed against the personal data processing conditions and imposed administrative fine on the newspaper that failed to prevent unlawful processing of personal data (decision numbered 2020/32 is only available in Turkish here);
- a bank which did not take adequate administrative and technical measures in line with its obligations to ensure the protection of personal data during the delivery of the credit card and did not make sufficient and reasonable efforts to keep the data of the data subject up-to-date. The Board decided that the courier does not act as data controller for the data contained in the envelope but acts as data controller for the data such as the sender and receiver name and surname used to provide its service (only available in Turkish here);
- a gaming company which failed to ensure an adequate level of administrative and technical measures, including sufficient vulnerability testing. The unauthorised access was identifiable from the company’s log records; however, the company did not detect the potential breach risk through those logs. Preventative technical measures were taken only after the breach of users’ data, and no notification was made to the Board (decision numbered 2020/286 is only available in Turkish here);
- a media company which published the legal notification on rectification request without masking the sections including personal data (decision numbered 2020/145 is only available in Turkish here);
- a car rental company which used credit card information obtained in a previous rental transaction for the payment of another rental transaction. Provisions of customer agreements allowing the use of credit card information for any potential future transaction are deemed an unfair condition, and such provisions are not sufficient to comply with the explicit consent requirements (decision numbered 2020/166 is only available in Turkish here);
- a private school which administered the CAS Test (Cognitive Assessment System) to assess the planning skills and attention processes of its students without obtaining explicit consent from the data subjects’ custodians. Since the results of the CAS Test include information on the students’ mental assessment, which falls within the special categories of personal data, the data controller must fulfil its obligation to inform and obtain the explicit consent of the data subject’s custodian (decision numbered 2020/255 is only available in Turkish here);
- a car rental company which obtains its customers’ explicit consent as a pre-condition for its services (decision numbered 2020/335 is only available in Turkish here);
- a company which implemented fingerprint scanning at its workplace. The Board decided that special category personal data was processed in breach of the personal data processing conditions and imposed an administrative fine on the company for failing to fulfil its obligation to inform and its obligation to obtain explicit consent (decision numbered 2020/404 is only available in Turkish here); and
- a bank which contacted the sibling of its debtor regarding its receivables. The Board decided that personal data was processed in breach of the personal data processing conditions and imposed an administrative fine on the bank for failing to obtain explicit consent. Additionally, the Board did not impose an administrative fine on the bank’s attorney, who contacted the debtor’s sibling on behalf of the bank to collect its receivables, since the attorney made the phone call based on the contact details provided by the bank and ended the conversation after recognising that the contact person was not the bank’s debtor (decision numbered 2021/115 is only available in Turkish here).
The Board imposed disciplinary action on:
- a public university which made students’ exam results accessible to third parties by publishing them on the internet. The Board stated that the examination results of students who took the examination years ago cannot remain accessible to third parties without any time limitation, and decided that the data controller did not respond in a timely manner to the Board’s request for information and documents (decision numbered 2019/188 is only available in Turkish here).