Newsletter on Latest Personal Data Protection Authority Decisions
On 27.12.2023, the Personal Data Protection Authority (“Authority”) published on its official website certain decisions it has taken within the scope of the Personal Data Protection Law No. 6698 (“Law”). In this newsletter, we summarise the decisions that we believe to be noteworthy and/or contain new findings.
Accordingly, below are the highlights from the Authority’s decisions:
- Continuing to process the personal data of a former partner by allowing messages sent to his/her former e-mail address to be viewed in the “undefined mail” folder, because sending to that address was not prevented after he/she left the company, is unlawful as it has no basis within the scope of Article 5 of the Law.
- Where the personal data of the data subject is processed through a newspaper, in order for the processing to be fully exempted within the scope of freedom of expression, the processing activity must not violate the privacy of private life.
- The data controller’s practice of not performing membership and sales transactions unless the privacy and disclosure texts on its website are ticked does not violate the Law, as it aims to inform the customers in order to fulfil the disclosure obligation arising from the Law.
- In terms of the claim that explicit consent was presented as a prerequisite for the services of the data controller, it is stated that linking additional benefits provided by the data controller to explicit consent does not eliminate the condition of “giving explicit consent with free will”.
- In the decision regarding a data controller who operates an e-commerce website, the Authority, by referring to a recommendation of the European Data Protection Board (EDPB), stated that the card information saved within the scope of a purchase may continue to be processed in the user’s membership account only if the explicit consent of the data subject is obtained in accordance with the Law.
- In line with the Public Announcement on the Processing of Personal Data by Sending Verification Code to Individuals via SMS published by the Authority in recent months, it has been stated that obtaining explicit consent for the processing of personal data for sending commercial electronic messages during shopping creates the impression that this consent must be given as part of the shopping, and may therefore damage the “given with free will” element of explicit consent.
- It is stated that although the Turkish ID number is general (non-sensitive) personal data, by its nature it is more significant than a telephone number and may cause greater harm to individuals in the event of a data breach.
- Finally, it is stated that the personal data processing activity carried out by camera surveillance of a prayer room (sanctuary), even within the framework of occupational health and safety, cannot be based on any of the data processing conditions in the Law.
You can find the decision summaries below.
1. Summary of the Decision of the Authority dated 03/08/2023 and numbered 2023/1321 on the continuation of the processing of the e-mail data of the data subject by the data controller company of which the data subject was previously a partner
The Authority’s decision provides that:
- After leaving the data controller company, the data subject started carrying on the same line of business as the data controller company through a new company,
- In this process, firstly, a former customer who did not know that the data subject had ended his/her partnership with the data controller sent a message to the data subject’s former e-mail address, and the data controller company official who read the message contacted that customer,
- Secondly, an employee of the data subject’s new company sent a message to the old e-mail address by mistake, and the data controller company official replied to this message with an e-mail without comment,
- In this context, although the data controller states that the e-mail address in question has been closed, that it is no longer among the e-mail addresses used by the company, and that messages sent to it arrive in the manager’s mailbox as “undefined mail”, messages continue to be sent to the address previously used by the data subject, which is now inactive, and are received there,
- Additionally, e-mail data has the quality of personal data; in this respect, personal data continued to be processed after the data subject left the company, through e-mails being sent to the address and the messages being viewed in the undefined-mail folder,
- Thus, the processing activity in question does not satisfy the processing conditions in Article 5 of the Law,
hence, an administrative fine of TRY 50.000 was imposed against the data controller.
2. Summary of the Decision of the Authority dated 11/04/2023 and numbered 2023/567 on the obligation to save credit/debit card information in order to shop from an e-commerce site
The Authority’s decision provides that:
- Since card information must be saved in order to complete a purchase, and the card information entered on the data controller’s website for a previous purchase remains stored after that purchase is completed, it is necessary to evaluate whether the processing conditions relied on by the data controller are valid,
- In the “Recommendation 02/2021 on Data Processing Requirements for the Processing of Credit Card Data Only to Facilitate Subsequent Online Purchases” adopted by the European Data Protection Board (EDPB) on 19 May 2021, it is stated that the processing condition that can be relied upon for the continued processing of card information in order to facilitate purchases is explicit consent,
- The card information that must be entered in order to complete a purchase on the data controller’s website continues to be processed in the data subject’s wallet account after the purchase is completed, in order to facilitate subsequent purchases; for this purpose, data processing can be carried out only on the basis of the explicit consent condition under paragraph (1) of Article 5 of the Law
hence, an administrative fine of TRY 500.000 was imposed against the data controller.
3. Summary of the Decision of the Authority dated 27/04/2023 and numbered 2023/646 on sharing the personal information of the employees of a university with all personnel
The Authority’s decision provides that:
- It was stated in the response letter of the data controller that the personal data sharing subject to the complaint was carried out based on the condition that “it is necessary to process the personal data of the parties to the contract, provided that it is directly related to the establishment or performance of a contract” regulated in subparagraph (c) of paragraph (2) of Article 5 of the Law,
- This data sharing was carried out in order to warn the relevant personnel about the data subject’s use of leave; however, the aforementioned processing condition does not apply to sharing the data subject’s personal data regarding his/her leave status with other persons working within the data controller,
- It is not necessary to share personal data with all other personnel in the unit where the data subject works in order to warn the data subject about the use of leave; for this purpose, alternative processes addressing only the data subject can be operated,
- The personal data processing activity carried out by the data controller, by sharing the data subject’s personal data regarding his/her leave status with other personnel working in the same department, is not based on any of the processing conditions specified in Article 5 of the Law, and this situation constitutes a violation of paragraph (1) of Article 12 of the Law
and, it has been decided to instruct the data controller to take action against the relevant personnel working within the data controller in accordance with the disciplinary provisions, and to inform the Authority about the outcome of that action.
4. Summary of the Decision of the Authority dated 11/05/2023 and numbered 2023/767 on the processing of sensitive personal data including health data of a married couple by publishing in the newspaper
The Authority’s decision provides that:
- In order for personal data processing to be considered fully exempt within the scope of freedom of expression, it must not violate the right to privacy and must not constitute a criminal offence,
- In order for a news item that does not attack personal rights to be accepted as lawful, it must be of public interest and benefit, be true and current, and the balance between substance and form must be observed,
- Although the criterion of public interest and benefit is present in making the news, there is no interest in the public knowing the details subject to the news, as the publication of the personal data in question is not a matter that concerns or should concern the public. It neither encourages the public to think about an event nor contributes to an issue discussed in public. On the contrary, the news in question damages the personal rights of the persons concerned by violating their right to the protection of personal data. Furthermore, the fact that the personal data included in the news is of a private nature shows that the balance between substance and form has not been achieved,
- In this context, the exception provision in subparagraph (c) of paragraph (1) of Article 28 of the Law cannot be relied upon in respect of the personal data in the news article, and the personal data has been processed without a valid processing condition under Articles 5 and 6 of the Law. This indicates that the “necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data and to ensure the preservation of personal data” in paragraph (1) of Article 12 of the Law have not been taken,
- As a result of the balancing between freedom of expression and personal rights in respect of the private personal data included in the news, it was concluded that personal rights and the privacy of private life were violated; therefore, the freedom of expression exception in subparagraph (c) of paragraph (1) of Article 28 of the Law cannot be given priority. In this respect, considering that the sensitive data in the news article in question were processed without a valid processing condition within the scope of the Law, the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data, and to ensure the preservation of personal data, stated in Article 12 of the Law have not been taken
and, it has been decided to impose an administrative fine of TRY 100.000 against the data controller.
5. Summary of the Decision of the Authority dated 25/05/2023 and numbered 2023/890 on the condition of explicit consent for the special passenger program service of an airline company
The Authority’s decision provides that:
- The private passenger program subject to the complaint is a loyalty program. The data subject can benefit from the basic service of the data controller, which is the sale of flight tickets, without participating in this loyalty program, and the program only provides additional opportunities to its members,
- In this case, the display of gift miles was the subject of the complaint. It was found that it is possible to view extra miles without becoming a member, but earning extra miles was only possible by becoming a member of the special passenger program, and such membership could only be created with the explicit consent of the person concerned,
- It is clearly accepted in the legislation of the European Union that requiring explicit consent for additional benefits does not eliminate the condition of “giving explicit consent with free will”; indeed, in the Decision of the Personal Data Protection Authority dated 05/07/2019 and numbered 2019/198, it was evaluated that offering products/services at a discount or with additional benefits within the scope of a loyalty program does not amount to imposing explicit consent as a prerequisite,
In this context, since it is seen that only participation in the special passenger program, and not the basic service, depends on the explicit consent of the data subject, this does not remove the “given with free will” element of the explicit consent. Also, as viewing the accumulated miles is not subject to the explicit consent condition, the miles accumulated within the scope of the program can be viewed through many alternative ways. Therefore, explicit consent is not imposed as a prerequisite in this case, and the explicit consent of the data subject is not of a nature that requires explicit consent as a precondition for the provision of, or the benefit from, a product or service.
and, it has been decided that there is no action to be taken against the data controller within the scope of the Law.
6. Summary of the Decision of the Authority dated 15/06/2023 and numbered 2023/1041 on the failure of the data controller to duly fulfil the disclosure obligation on its website and to condition the service it provides on explicit consent
The Authority’s decision provides that:
- On the date of the complaint, explicit consent was obtained for the transfer of personal data abroad in sales made through the website. However, for customers who do not give explicit consent to the transfer of their personal data abroad, an alternative sales channel is available through customer services, and this channel offers shopping opportunities to customers without any additional cost or obligation. Therefore, the person concerned is able to obtain the product without any loss and without being forced to allow the transfer of personal data abroad. Thus, the service cannot be deemed to be conditional on explicit consent,
- In terms of the claim that the sale could not be completed and the membership process could not be performed without ticking the privacy and disclosure texts, it is stated that, as a rule, the burden of proving the fulfilment of the disclosure obligation lies with the data controller,
- As a result of the above evaluation, the practice adopted by the data controller in order to fulfil the disclosure obligation arising from the Law, whereby membership and sales transactions cannot be carried out without ticking the privacy and disclosure texts, is intended to inform the customers and encourage them to read and consider such texts; therefore it does not contradict the Law,
and, no administrative fine was imposed against the data controller. However, it has been decided to instruct the data controller to show the alternative sales channel clearly on the membership and sales screens in order to provide transparent information, taking into account that the alternative sales channel has become almost impossible to understand as a result of the change made on the website of the data controller.
7. Summary of the Decision of the Authority dated 10/08/2023 and numbered 2023/1356 on the submission by an employer, in a re-employment lawsuit, of images of the data subject praying in a prayer room (sanctuary)
The Authority’s decision provides that:
- It is possible to process general and sensitive personal data for many purposes, such as fulfilling obligations within the scope of ensuring the occupational health and safety of employees, controlling production processes, protecting the workplace and customers, evaluating the performance of the worker and clarifying a suspicion of crime. Within this framework, it is first necessary to evaluate whether the images processed by the data controller through cameras constitute sensitive or general personal data. In the case subject to the complaint, the processing of image recordings in the prayer room by the data controller through cameras is data processing related to the religious belief of the person concerned and falls into the category of sensitive personal data. Therefore it is appropriate to make the evaluation within the framework of Article 6 of the Law,
- It was understood from the content of the e-mail sent to the data subject by an employee of the data controller that the explicit consent was not given with free will, and that the data subject was forced, out of fear of dismissal, to retrospectively sign other documents related to the processing of personal data without his consent,
- In any case, the data processing activity in question must comply with the principles of “processing for specific, explicit and legitimate purposes” and “being related, limited and proportionate to the purpose for which they are processed” among the general principles set out in Article 4 of the Law. Considering that employees have a reasonable expectation of privacy in changing rooms, toilets, showers, prayer rooms, rest rooms and breastfeeding rooms, data processing activities carried out by the data controller in these areas may be deemed to violate the privacy expectations of the employees and constitute an invasion of their private spaces,
hence, an administrative fine of TRY 300.000 was imposed against the data controller.
8. Summary of the Decision of the Authority dated 17/08/2023 and numbered 2023/1430 on the processing of the Turkish ID number on the mobile application of the data controller providing meal card service
The Authority’s decision provides that:
- Although both the telephone number and the Turkish ID number fall into the general category of personal data, the identity number is by its nature more significant than the phone number and may cause greater harm to individuals in the event of a data breach. In order to protect the interests of the persons concerned, if an employee wants to add a physical card to the mobile application, arrangements can be made to perform verification in the application with information such as the card details and phone number. This would be in accordance with the principles of privacy by design, data minimisation and purposeful and proportionate processing of personal data,
- Where physical meal cards are registered in the mobile application, it is possible to verify the card without processing the Turkish ID number, through ways that better protect the persons concerned, for example by processing the card and telephone number information through the employer. Thus, the processing of the Turkish ID number is carried out without any of the legal grounds stipulated under Article 5 of the Law and is contrary to the principle of processing proportionately to the purpose for which personal data is processed under Article 4 of the Law,
hence, an administrative fine of TRY 200.000 was imposed against the data controller.
9. Summary of the Decision of the Authority dated 28/09/2023 and numbered 2023/1645 on the unlawful processing of personal data by the data controller who is the distributor and sole authorised representative in Turkey of a widely played online game
The Authority’s decision provides that:
- It is seen that data subjects who want to benefit from the online game service offered by the data controller are required to create a membership registration. When creating the membership registration, the data subjects are asked to tick a box confirming that they have read, understood and accepted the “Sign Up Information Note” and the “Privacy Policy”. When the “Sign Up Information Note” is examined, it is seen that it was prepared by the data controller for the data subjects who will create a membership registration and that it generally complies with Article 10 of the Law; however, ambiguous expressions such as “… may be shared” should not be included in the text,
- When the text titled “Privacy Policy” is examined, it is concluded that it is an online privacy policy presented to visitors, users and customers by the company that is the major shareholder of the data controller, and that this company is a separate data controller. The text states, in general terms, the types of information collected (such as e-mail address, gender, telephone number, home address, date of birth and IP address) and the use and sharing of the information obtained by the company (internal use for commercial purposes; use and/or sharing by third parties for commercial purposes). It was determined that the text is not in compliance with Article 10 of the Law or the Communiqué on the Principles and Methods of the Fulfilment of the Obligation to Inform the Data Subjects; for this reason, this text, which is presented to the data subjects during membership registration and is deemed accepted under the User Agreement, should either be brought into compliance with the Law or be removed,
- In the “Personal Data Protection Policy” text, although general information regarding the processing of personal data is included, compared to the other two texts it addresses a wider category of data subjects (employee candidates, employees, shareholders/partners, supplier employees, supplier officials, purchasers of products or services, visitors), and the purposes of the personal data processing activity carried out by the data controller, the categories of personal data and the categories of parties with whom personal data are shared are stated. However, it is not clearly understood which personal data of which group of data subjects are processed, for what purpose and on what legal grounds, and to which third parties they are transferred. Therefore, the text in question should be brought into compliance with subparagraphs (g), (ğ) and (h) of paragraph (1) of Article 5 of the Communiqué on the Principles and Methods of the Fulfilment of the Obligation to Inform the Data Subjects,
As a result, the presentation of three different texts creates a confusing situation for the data subjects; this issue was conveyed to the data controller during the on-site examination, and the data controller stated that work is under way to harmonise these documents,
- Mandatory cookies, functional cookies, analytics/performance cookies and targeting/advertising cookies are used on the website of the data controller. In the cookie pop-up, two options are offered: “use only necessary cookies” and “allow all cookies”. For the personal data processing activity carried out through cookies other than necessary cookies, the “allow all cookies” option is used to obtain a single blanket explicit consent, and the persons concerned are not given the opportunity to choose per cookie type. However, since explicit consent should be obtained by an “opt-in” method that presents a separate option for each cookie type requiring explicit consent, the data controller’s explicit consent text violates the “being related to a specific subject” and “given with free will” elements of explicit consent, and no lawful personal data processing activity has been carried out within the scope of Article 5 of the Law,
- On the other hand, in the cookie table in the “Cookie Statement” and “Cookie Policy” published on the website of the data controller, it is stated that various cookies placed by third-party cookie providers are used in the category of “necessary cookies”. As stated in the Guidelines on Cookie Applications, where third-party cookies are placed on a website and a website operating in Turkey transfers data abroad through cookies used by companies operating abroad, this data transfer activity must be carried out in accordance with the conditions in Article 9 of the Law. The explicit consent of the data subjects was not obtained, and data was transferred abroad in violation of Article 9 of the Law,
hence, an administrative fine of TRY 750.000 was imposed against the data controller.
10. Decision of the Authority dated 28/09/2023 and numbered 2023/1653 on processing of personal data for the purpose of sending SMS for advertising purposes to the relevant persons in the store of the data controller
The Authority’s decision provides that:
- In the Public Announcement Regarding the Processing of Personal Data by Sending Verification Code to Persons via SMS, it is stated that, as a requirement of layered disclosure, the purpose of the SMS sent to the phones of persons during shopping in stores, and the consequences of giving the code transmitted by this SMS, should be conveyed to the persons concerned in a clear and understandable manner by the persons authorised by the data controller in the stores,
- In addition, in order to ensure that the disclosure obligation can be fulfilled, the necessary channels should also be provided in the SMS content, and where an SMS verification code is sent in order to obtain explicit consent for sending commercial electronic messages, it is pointed out that the explicit consent obtained in that transaction should cover all the elements stated in the Law,
- In this concrete case, the data subject sent a text message to the data controller through his/her own actions in order to give his/her explicit consent and read the code in the text message sent to him/her to the cashier, and the content of the text message sent to him/her included a link to an understandable clarification text providing detailed information about which personal data are processed and for what purposes,
- It was understood that a personal data processing activity based on the explicit consent of the data subject was carried out; upon withdrawal of the explicit consent of the data subject, the processing activity in question was terminated, and there is no action to be taken within the scope of the Law regarding the complaint,
- Obtaining explicit consent for the processing of personal data for sending commercial electronic messages during shopping may undermine the “given with free will” element of explicit consent, as it creates the impression among the persons concerned that this consent must be given as part of the shopping,
The Authority decided to instruct the data controller to revise the practice in question by informing the persons concerned correctly and in a way that does not create the impression that it is part of the shopping, not to present the clarification text and the explicit consent approval code in the same text message, and to inform the Authority about the outcome of the actions taken in this regard.