Turkish Personal Data Protection Board (“Board”) has published 7 principal decisions taken within the scope of the Law on Protection of Personal Data No. 6698 (“Law”).

Important aspects regarding such decisions are stated below.

  • In line with the Board’s previous decisions, the Board emphasizes the administrative and technical measures the data controller should take when processing data in such decisions.

In this context, the Board states that the necessary technical and administrative measures should be taken to prevent unauthorized persons from taking part in sections such as counters / booths / desks in mail and cargo services, tourism agencies, customer service departments of chain stores, organizations where various subscription transactions are made, companies which provide services in a contiguous order with multiple employees, especially in the banking and health sectors and public and private sector institutions and organizations where services such as municipal, tax and population-related transactions are provided, and to prevent service users who are close to each other from hearing, seeing, learning or seizing personal data of each other at the same time.

  • In the decisions, it was mentioned that the data processing activities carried out by the websites and mobile applications that share the contact information of the data subject without any basis in the Law and the relevant legislation, are unlawful.
  • The Board emphasizes that it is against the Law that those who work at the data controller and who are authorized to access personal data due to their duties, abuse these powers and share this data with third parties for personal purposes in violation of their processing purposes.
  • The Board draws attention to the fact that it is illegal for the data controller to forward messages with advertising content by sending an SMS to the phone numbers of data subjects, making calls or sending mail to their e-mail addresses, without obtaining the consent of the data subjects or without providing the conditions under which data processing is possible without the express consent specified in the Law.
  • The Board states that software/programs/applications which allow to query of personal data of citizens such as identity and contact information which are obtained through various means by lawyers/ law firms and some individuals and organizations operating in finance, real estate, consultancy, insurance and similar sectors, are being used actively and emphasizes that legal action will be initiated against those who use these software, as well as administrative fines.
  • Also, the Board draws attention to the principles set forth in the Law and states that keeping personal data accurate and up-to-date when necessary is not only in the interests of the data controller, but also necessary for the protection of the fundamental rights and freedoms of the data subject. In this context, the Board states that the data controller has an active duty of care to ensure that the personal data is accurate and up-to-date when necessary, if the data processing activity of the data controller creates and causes consequences for the data owner based on personal data. At this point, it is stated that reasonable measures should be taken to verify the data owner’s information (such as sending a verification code/link to the phone number and/or e-mail address, etc.) in order to avoid negative consequences.

You can access the publication (in Turkish) of the Board from the link below:

https://kvkk.gov.tr/SharedFolderServer/CMSFiles/7a2f2dc1-b656-4325-9249-73e350c3ea57.pdf

Batuhan Şahmay
Behiç Ateş Gülenç
Associate | ates.gulenc@bener.com