Conspicuous Decisions of the Personal Data Protection Board of Turkey

Introduction
Personal data is defined as "all kinds of information relating to an identified or identifiable real person" in the Data Protection Law No. 6698 ("Data Protection Law"). The importance of protecting personal data has increased in parallel with the growth of awareness of human rights and of their protection over the last fifty years. Moreover, after the development of information technologies and the widespread use of the Internet, the existence and importance of personal data privacy has become better understood because of the issues that have emerged.

Not only basic identification information such as a person's name, surname, date and place of birth, but any other data that can directly or indirectly make such a person identifiable, such as phone number, motor vehicle plate number, social security number, passport number, personal background, photo, video or audio records, fingerprints, genetic data, IP address, e-mail address, equipment identifiers, hobbies, preferences, contact persons, group memberships, family information etc., is included within the scope of personal data. Another major problem in this area is the acquisition of personal data on the Internet, also known as identity theft, usually by obtaining a customer's name, date of birth, social security or citizenship number and credit card information without their knowledge. In this framework, the right to the protection of personal data aims not only to protect the data itself, independently of the rights and freedoms of the individual, but also to protect the freedoms of the individual.

The Lisbon Treaty was signed by 27 European Union ("EU") countries in 2004, which shows that EU countries have been attaching importance to personal data and its protection for more than a decade.[1] Moreover, the General Data Protection Regulation ("GDPR") was adopted in 2016, and it has been argued that "GDPR is the most significant transformation to the landscape of European data protection in the past twenty years."[2] Directive 95/46/EC on data protection ("Data Protection Directive") is superseded by the GDPR. When the personal data protection regulations of Turkey and the EU are compared, it is seen that the Data Protection Law, which is based on the Data Protection Directive, came into force in Turkey on 7 April 2016, which is clearly a late date. Afterwards, the Personal Data Protection Board of Turkey ("Board") was established to make decisions and to impose administrative fines and sanctions. The Board has started to clarify issues that have not been specified or regulated in the Data Protection Law; where there is no previous decision on an issue, the Board may decide by drawing on the interpretation of EU practice in similar cases. Therefore, to clarify what personal data protection, and its violation, means in practice, sample decisions, the Board's secondary legislation and fines will be explained briefly.

Decisions and Fines
Firstly, it should be noted that companies, institutions and online service providers that process personal data unlawfully, without express consent and without relying on one of the legal processing conditions, will be obliged to pay fines of up to 1 million Turkish Liras.

[1] Serzhanova V, 'Personal Data Protection in the European Union under the Treaty of Lisbon' (2012) 15 Annales Universitatis Apulensis Series Jurisprudentia 123

[2] Ganotra S, 'GDPR Compliant or Not' (2018) 5(6) Ct Uncourt 2

If personal data is used or recorded unlawfully, the data controller has to inform the relevant person and the Board within the shortest time. In one decision of the Board, it is emphasized that notifying the relevant person after 17 months, or the Board after 10 months, cannot be regarded as "the shortest time", and an administrative sanction has to be applied to the data controller.

Sample Fines
- A screenshot of a medical report was published on the internet and social media, and the personal data of the patient was disclosed. An administrative fine was imposed on the data controller by the Board. This shows that data controllers have to be attentive to providing the security and privacy of personal data.

- There was a case about the cancellation of a fitness center membership, in which the fingerprints of children had been taken without their parents' permission, and the court requested details from the bank about the refund of the membership fee. However, the bank sent the court all credit card spending of the last six months without redacting any part of the credit card statement, even though the court had requested nothing except "information". The bank was fined 30,000 Turkish Lira by the Board. Therefore, it is clear that no one is allowed to share more information than the court has requested.

- Personal data such as application information, full name and e-mail details of a candidate were shared with other candidates after an online job application, and the company was given an administrative fine by the Board. Moreover, it has been decided that any data transfer between data controller companies within a group of companies without consent (such as job application information) shall be evaluated as a violation of personal data protection.

- Making the express consent provisions of a contract a mandatory condition of that contract and of the related services, so that the client cannot obtain the service without consenting, has been evaluated by the Board as a violation of the obligation to take administrative precautions, and an administrative sanction shall be applied to the data controller.

- According to another decision of the Board, if unnecessary personal data is requested from clients by a data controller, an administrative sanction shall be applied to that data controller.

Sample Decisions of the Board
The Protection of Personal Data in Service Areas such as Counters, Booths, Desks etc.: Organizations that serve more than one client at a time, side by side, with more than one employee, primarily in the banking and health sectors, but also mail and cargo services, tourism agencies, customer service departments of chain stores, various subscriber organizations, and public and private institutions providing services such as municipal tax and population registry transactions, are required to take all necessary technical and administrative measures to prevent unauthorized persons from entering such counter, box office or desk areas and to prevent other service users from hearing, seeing, learning or obtaining clients' personal data.

Recording of Personal Data for the Purpose of Determining Working Hours:
Some companies monitor employees and their working hours by cameras or fingerprint systems, and the images or fingerprints of the employees are recorded. However, it has not been guaranteed that the collected data will not be used for other purposes at any time. Therefore, this type of collection and storage of personal data is not lawful if the employees are not informed about its time limits, scope or legal basis.

Excess of Authority:
The Board has also decided that if someone who is not authorised to access, use or record personal data abuses their duty or exceeds their authority, this should be evaluated as a violation of personal data protection. Therefore, the necessary precautions and administrative measures have to be taken, and an appropriate level of security has to be provided, by data controllers.

Exceptions to the Duty of Registration in the Data Controllers' Registry
- Those who process personal data by non-automated means, only if the data is part of a filing system;
- Notaries;
- Lawyers;
- Associations established pursuant to the Law of Associations No. 5253, foundations established pursuant to the Law of Foundations No. 5737, and trade unions established pursuant to the Law on Trade Unions and Collective Bargaining Agreements No. 6356, provided that they process only the personal data of their employees, members and donors, in accordance with the law and their purpose and limited to their field of activity;
- Political parties established pursuant to the Political Parties Act No. 2820;
- Freelance financial consultants and Certified Public Accountants who work in accordance with the Independent Accountant and Financial Advisor and Certified Councillorship Act No. 3568;
- Real persons or legal entities whose main activity is not personal data processing, whose annual number of employees is fewer than 50 and whose total annual financial statement is less than 25 million Turkish Liras.
Conclusion
It is seen that personal data is understood as a wide-ranging concept, and in daily life people may easily violate personal data protection. Therefore, personal data protection is a crucial issue, and to prevent the collection, use or processing of personal data without the permission of the relevant person, the possible fines and sample decisions of the Board have been set out above. It is clear that all kinds of information relating to an identified or identifiable real person are protected by the Law and by the Board's decisions. Overall, everyone who obtains personal data should understand that it can be used and kept only if there is explicit consent and if the use fits the purpose.