The Personal Data Protection Board (“Board”) published summaries of several decisions taken under the Personal Data Protection Law No. 6698 (“Law”) on its official website on 24.04.2023. Below, these decisions are classified and summarized according to their subject matter.

Among the decisions, there is once again an administrative fine decision concerning the transfer of personal data abroad in violation of the Law. Also notable are the administrative fines imposed for processing data for commercial electronic communications without the explicit consent of the data subject and for the absence of a cookie policy on the data controller’s website. With respect to employee data, the decisions on data that continued to be processed after termination of the employment relationship are likewise noteworthy.

A. Decisions on Data Processed within the Scope of Employment Relationship

  1. Summary of the Decision dated 07/04/2022 and numbered 2022/328 on “sending of a notice containing the personal data of the data subject to other employees by the data controller providing payroll services”:

The complaint received by the Board briefly states the following: The data controller sent a notice to the data subject stating that they had been put on unpaid leave, and the same notice was also sent to seven other individuals. It is stated that the personal data of the data subject was disclosed to others because their Turkish identification number and address appeared in the warning letter, and it is requested that the necessary actions be taken.

As a result of the evaluation of the matter, it is observed that in this case, the information of the data subject and the other seven employees has been included in the same notice by the data controller, and the data controller has also acknowledged this. It is stated that the inclusion of the data subject’s identity and contact information in the same notice with the other seven employees, without any attempt to conceal such information or issue separate notices to each recipient, etc., has resulted in the sharing of the data subject’s personal data with other employees. In this regard, it is evaluated that the personal data processing activity which is not based on any processing condition stated in Article 5 of the Law, is in violation of Article 12(1) of the Law, and therefore, an administrative fine of 100,000 TL is imposed on the data controller.

  2. Summary of the Decision dated 21/04/2022 and numbered 2022/386 on “sharing of the termination of the employment contract of a person working within the data controller on the social media account of the data controller”:

The complaint letter sent to the Board by the data subject briefly indicates the following: While working as a company manager within the data controller, the employment contract was unjustly terminated, and a social media post was shared on the data controller’s account stating “… We apologize for the inconvenience caused by … who was DISMISSED from the company due to irregularities committed by him/her…”. It is mentioned that a notice was sent to the data controller under Law No. 5651 on the Regulation of Publications on the Internet and Suppression of Crimes Committed through These Publications, requesting the deletion and cessation of the said post and the publication of a correction statement, but no response was received. The complainant states that they object to this announcement which was made without any court order or consent and requests that necessary actions be taken within the scope of the Law.

As a result of the examination conducted on the matter, it is found that in this case, the announcement containing allegations about the data subject with their full name was published on the data controller’s corporate account/page on social media, which is accessible not only by the company’s customers but by everyone. In this context, considering that the data controller’s corporate account/page on social media is not a private environment exclusive to the company’s customers but an open platform for everyone; it is considered that the mentioned action is in violation of the proportionality principle stated in Article 4 of the Law and no concrete information or evidence has been submitted to the Board to demonstrate that the processing of the data subject’s personal data is based on a processing condition under Article 5 of the Law. Taking into account the economic situation of the data controller, an administrative fine of 30,000 TL is imposed, and the data controller is instructed to destroy the personal data included in the social media post and inform the Board of the outcome.

  3. Summary of the Decision dated 18/05/2022 and numbered 2022/491 on “continued sharing of the photographs of the data subject who worked as a catalog model for a clothing store on the website of the data controller without her/his explicit consent after the termination of the employment relationship”:

The complaint of the data subject briefly indicates the following: The data controller, a clothing store, shares promotional materials and images of products for sale on its website. The complainant, who worked as a catalog model for the data controller, states that even after the termination of the employment relationship, their photos continued to be published on the data controller’s website without their explicit consent. The data subject has requested the removal of the photos from the data controller, but they have not been removed, and the complainant requests that necessary actions be taken.

As a result of the examination conducted on the matter, considering that the photos of the data subject were published on the data controller’s website based on the agreement between the data subject and the data controller for the purpose of promoting the clothes until the stock runs out, it is decided that there is no action to be taken against the data controller under the Law.

  4. Summary of the Decision dated 04/08/2022 and numbered 2022/798 on “the sharing of the information that the person concerned had a job interview with a company as well as various other information about the content of the interview by the company with the current workplace”:

The complaint received by the Board briefly indicates the following: The data subject, who is currently employed by a company, was invited for a job interview by another company, and the interview took place. During the job interview, the data controller company made several statements that damaged the reputation of the data subject’s current employer, and this information was shared with the data subject’s current workplace. As a result, the data subject was put on unpaid leave by their current employer. In response to this situation, the data subject sent notice for the termination of the employment contract, requesting information as to whether such personal data was processed or not and with whom it was shared, as well as compensation for material and moral damages and the deletion of their personal data. However, the data controller did not respond within the legal timeframe. Therefore, it is requested that necessary actions be taken against the data controller within the scope of the Law.

As a result of the examination conducted on the matter, it is evaluated that the activity of conveying information about the job interview held between the data controller and the data subject, where the data controller made several statements about the data subject’s current workplace, was not carried out in compliance with Article 8 of the Law. Taking into account that the data controller did not respond to the data subject’s requests within the legal timeframe, an administrative fine of 100,000 TL is imposed on the data controller.

  5. Summary of the Decision dated 02/09/2022 and numbered 2022/896 on “sharing of judicial correspondence information containing personal data of the data subject with his/her brother by the data controller who is the former employer”:

In the complaint received by the Board, in summary, it is stated that there was an existing employment relationship between the data subject and the data controller until the date of termination of the employment contract for just cause. Accordingly, the data controller processed various personal data of the data subject, such as identity, contact, employment, professional experience, and health data. However, no information was provided to the data subject regarding these personal data processing activities, and explicit consent of the data subject was not obtained during the processing of certain personal data. Additionally, it is mentioned that the data controller, without any connection to the case file, transmitted judicial correspondence information, in which the name of the data subject was mentioned, to the email address of the data subject’s sibling. It is also stated that despite the application made to the data controller regarding these matters, no response was received. Therefore, the data subject requested that the necessary actions be taken against the data controller within the scope of the Law.

As a result of the investigation conducted on the matter, it has been determined that an employment contract was established between the data subject and the data controller, and that the data controller processed the identity information of the data subject based on the condition of being “clearly stipulated in the laws.” In that respect, it has been concluded that there is no action to be taken against the data controller within the scope of the Law. However, the act of the data controller in transmitting, via email, the complaint letter addressed to the Prosecutor’s Office containing the personal data of the data subject and other individuals to a third party, claimed to be the sibling of the data subject and having no relevance to the incident, has been evaluated as a violation of its obligation to take the necessary technical and administrative measures to prevent the unlawful processing of personal data. Therefore, an administrative fine of 150,000 TL is imposed on the data controller, and the data controller is reminded of the other matters raised.

  6. Summary of the Decision dated 20/10/2022 and numbered 2022/1147 on “continued processing of personal data of the data subject by the employer after termination of the employment contract”:

In the complaint received by the Board, in summary, it is stated that the data subject worked as an interior designer in a joint-stock company operating in the furniture and decoration sector for approximately 3 years. After the termination of the employment contract, during the pandemic period, the data controller company used the data subject’s image from live broadcasts on social media for advertising and marketing purposes in TV commercials, the data controller company’s website, social media accounts and printed promotional materials. It is mentioned that the data subject was not informed about the use of their image in this way, and explicit consent was not obtained. Furthermore, it is stated that even after the termination of the employment contract, the data controller still used the data subject’s mobile phone number in shipping processes, and after the termination of the employment contract, the data subject appeared as the person performing sales and collection transactions within the data controller’s organization. Therefore, the data subject requested that the necessary actions be taken within the scope of the Law, and their unlawfully processed personal data be destroyed.

As a result of the evaluation conducted on the subject matter, it has been concluded that it would be lawful for the data subject’s images to be present in the data controller’s archives. However, there is no valid legal basis within the scope of the Law for the continued processing and sharing of such data after the termination of the employment contract. Furthermore, it has been observed that the data subject’s personal mobile phone number registered with the courier companies and personal data such as digital payment systems, various documents, and forms within the store where the data subject worked before the termination of the employment contract were processed in violation of the principle of “being accurate and up-to-date if necessary.” It has also been noted that the data controller could not demonstrate any other legal basis for the processing of this data. Therefore, it is understood that the data controller has failed to fulfill the obligations stated in Article 12(1) of the Law. Considering the high risk of negative consequences on the data subject due to the use of unlawfully processed identity and contact information in legal transactions such as sales and shipping, an administrative fine of 250,000 TL is imposed on the data controller.

  7. Summary of the Decision dated 19/01/2023 and numbered 2023/86 on “processing personal data by monitoring, accessing and storing the contents of the corporate e-mail address allocated by the data controller to its employees”:

In the complaint received by the Board, it is stated that the employment contract of the data subject in the data controller company was terminated, and the reason for termination was the sending of company internal data to the data subject’s personal email address through the company-provided email address, as well as secretly recording a phone conversation with another employee and sending it to the data subject’s lawyer’s email address using the personal email address. The data subject requests that the necessary actions be taken within the scope of the Law.

As a result of the examination conducted on the subject matter, it has been stated that the data subject made a declaration stating that they have read and understood the texts they have signed, and therefore, the data controller fulfilled the obligation to inform the data subject regarding the personal data to be processed through email monitoring contained in these texts. It has been concluded that the personal data processing activity carried out by the company through email monitoring falls within the processing conditions of “processing is necessary for the establishment, exercise, or protection of a right” and “processing is necessary for the legitimate interests pursued by the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.” It has been evaluated that the inclusion of the personal data obtained through email monitoring in the termination notification falls within the scope of the condition that “processing is necessary for the establishment, exercise, or protection of a right.” Furthermore, it has been determined that there is no violation of the principle of purpose limitation, data minimization, and proportionality. Therefore, considering that there is no unlawfulness in the personal data processing activity carried out by the company, it has been decided that there is no action to be taken against the data controller within the scope of the Law.

B. Decisions Regarding the Processing of Customer/Potential Customer Data

  1. Summary of the Decision dated 10/02/2022 and numbered 2022/107 on “processing of the mobile phone number of the data subject by a savings finance company without being based on any data processing condition and sending advertising SMS to the relevant number”:

In the complaint letter submitted to the Board, it is summarized that the data controller, a savings finance company, sent several text messages to the complainant. Upon this, the complainant contacted the data controller to inquire about how and for what purpose their personal data, specifically their mobile phone number, was obtained without their explicit consent. In the response provided by the data controller, it was stated that they are a corporate firm registered in the Message Management System (İYS), and data entry into this system is done with the consent of members. It was also mentioned that it is possible to opt out of the İYS system at any time, that there is a possibility to refuse the content of the messages, and that the phone number associated with the complainant, registered in the system, was disabled for SMS sending. However, contrary to what was stated in the data controller’s response, the complainant stated that they did not provide any explicit consent or approval to the data controller through the İYS system. The complainant argued that sufficient answers were not provided regarding how their personal data was processed and for what purposes, and that their personal data was processed unlawfully without their explicit consent. Therefore, they requested that the necessary actions be taken against the company within the scope of the Law.

Upon examination of the matter, although there is separate legislation regarding commercial electronic messages, it was stated that sending commercial electronic messages by storing the complainant’s mobile phone number in a data recording system constitutes a personal data processing activity. Therefore, in addition to complying with the legislation on sending commercial electronic messages, the processes for sending such messages should also comply with the legislation on personal data protection, considering that the communication number used for sending messages is of a personal data nature.

In this case, based on the information and documents provided by the data controller, it could not be determined that there was a relationship between the complainant and the data controller that would justify the registration in the İYS system, nor was it proven that the complainant explicitly consented to the processing of their personal data by the data controller. In light of these findings and considering that the data controller did not take the necessary technical and administrative measures within the framework of Article 12(1) of the Law, an administrative fine of 75,000 TL was imposed on the data controller. Furthermore, since it was determined that the personal data in question was processed unlawfully and there was no other legitimate basis for processing, if applicable, the data controller was instructed to appropriately dispose of the personal data in accordance with the provisions of Article 7 of the Law and the Regulation on the Deletion, Destruction, and Anonymization of Personal Data, and to inform the Board of the outcome.

  2. Summary of the Decision dated 03/08/2022 and numbered 2022/776 on “processing of personal data of a child by a data controller marketing company by sending promotional brochures without obtaining the explicit consent of the parent”:

The complaint letter received by the Board stated that a promotional brochure for a product owned by a marketing company was sent by mail to an 8-year-old child (the data subject) by a natural person who is an independent entrepreneur. In response, the child’s parent phoned the person whose number was included in the letter and asked where they had obtained the personal information of their 8-year-old daughter. During this conversation, however, no information was provided by the other party, and no processing of the child’s personal data was acknowledged. The parent then applied to the marketing company asking how it had obtained personal data such as the child’s home address and name, but no information was provided in response to this request either. The parent stated that they had not given any consent to the processing of their child’s personal data and that the child’s personal data had been processed for promotional purposes without explicit consent. Therefore, they requested that the necessary actions be taken against the marketing company within the scope of the Law.

As a result of the examination conducted regarding the matter, it was found that the promotional brochure sent to the data subject was not sent together with the order specified on the invoice. The sole sending of the brochure, which was the subject of the examination, was realized without relying on any of the processing conditions defined in the Law. Therefore, it was concluded that the obligations stated in Article 12(1) of the Law were not fulfilled, and since the offense was committed only once, it was determined that an administrative fine of 30,000 TL should be imposed on the data controller in accordance with Article 17(2) of Law No. 5326, taking into account the wrongful content of the offense, the fault of the data controller, and their economic situation.

  3. Summary of the Decision dated 07/10/2022 and numbered 2022/1072 on “processing of the e-mail address, which is the personal data of the data subject, by sending messages for advertising purposes”:

The complainant stated in their complaint to the Board that they received an email from an individual claiming to be an employee of a company operating in the pharmaceutical sector. They contacted the data controller to inquire about how their email address was obtained, and they learned that the email address was shared through pharmacy warehouses. They requested that the necessary actions be taken within the scope of the Law.

As a result of the evaluation conducted regarding the matter, it was concluded that the personal data processing conditions were not met in the processing of the complainant’s email address, which is considered personal data, by the data controller for the purpose of unauthorized commercial electronic communication for advertising and marketing purposes. It was also determined that the data controller did not take the necessary technical and administrative measures to ensure an appropriate level of security to prevent the unlawful processing of personal data. Therefore, an administrative fine of 50,000 TL was imposed on the data controller.

  4. Summary of the Decision dated 01/09/2022 and numbered 2022/861 on “processing of the data subject’s workplace e-mail obtained from searches on internet search engines by sending commercial electronic messages by a data controller marketing company without obtaining explicit consent”:

In the complaint letter received by the Board, the complainant stated that the data controller company sent campaign, advertisement, and similar emails to the complainant’s work email address although the complainant had no connection or affiliation with the data controller. The complainant wrote to the data controller’s email address and asked how their contact and identity information had been obtained. They requested that no further advertising/campaign emails be sent to them, that their personal data be deleted, and that they be informed of what had been deleted. In its response, however, the data controller stated only that the email address and related information had been deleted from its records, without providing any information about how the data had been obtained. Therefore, the complainant requested that the necessary actions be taken within the scope of the Law.

As a result of the investigation conducted regarding the matter, it was determined that the data controller did not provide the Institution with any conclusive evidence that the complainant had, on any platform, publicly expressed a will for their email address to be processed for advertising and marketing purposes. Considering that the data controller’s explanations seeking to bring the processing of the complainant’s personal data within the processing conditions stated in the Law were legally unfounded, it was concluded that the data controller carried out data processing activities without satisfying any personal data processing condition under Article 5 of the Law. Therefore, an administrative fine of 150,000 TL was imposed on the data controller.

  5. Summary of the Decision dated 02/09/2022 and numbered 2022/902 on “processing of personal data by sending text messages for marketing purposes without the explicit consent of the data subject”:

In the complaint letter received by the Board, the complainant stated that the data controller company sent marketing messages to the complainant without fulfilling the obligation to inform and obtaining explicit consent, despite not engaging in any commercial activity with the complainant and without any permission for communication. In the response to the application made to the data controller, it was stated that an apology was offered to the complainant for the mistake, explaining that a text message was sent to the complainant because the system mistakenly identified them as regular customers due to their shopping from marketplaces. It was also mentioned that necessary corrections were made after the application. Therefore, the complainant requested that the necessary actions be taken within the scope of the Law.

As a result of the investigation conducted regarding the matter, it was determined that the message that should have been sent to the data controller’s customers/members who voluntarily gave consent to receive emails/SMS on their website was mistakenly sent to customers who made purchases from their stores on a sales platform. It was stated that the error was noticed and cancellation procedures were initiated, but it was not possible to prevent some customers from receiving text messages. Considering these circumstances, it was concluded that the data controller processed the complainant’s personal data, which is in the form of a telephone number, without relying on any processing conditions stated in Article 5 of the Law. It was also determined that the data controller did not take necessary technical and administrative measures to ensure an appropriate level of security to prevent the unlawful processing of personal data. Furthermore, it was noted that the complaint constituted a data breach, but the data controller did not report the occurred data breach to the Board. Therefore, an administrative fine of 30,000 TL was imposed on the data controller.

  6. Summary of the Decision dated 17/03/2022 and numbered 2022/249 on “transfer of personal data of the data subject abroad by a technology company without his/her explicit consent”:

In the complaint letter received by the Board, the complainant stated that they became a member of the data controller’s system through its website, but that there was no cookie policy on the website. It was also mentioned that the information notice indicated that data was transferred abroad, but the complainant had not given explicit consent to such a transfer. The complainant therefore wrote to the email address provided in the information notice on the website, requesting information about which data was recorded and transferred, but received no response from the data controller within the legal period of 30 days. Therefore, the complainant requested that the necessary actions be taken within the scope of the Law.

During the investigation conducted regarding the matter, it was taken into account that the application made by the complainant to the data controller under Article 13 of the Law had been overlooked by the data controller. It was concluded that the data controller had not taken the administrative and technical measures necessary to conclude applications made by data subjects effectively and lawfully, as required by Article 6(1) of the Communique on Procedures and Principles for Application to the Data Controller. It was also stated that there was no commitment application approved by the Board, and that, other than obtaining explicit consent, there was no other legal basis under the Law for the lawful transfer of personal data abroad. It was noted that in the specific case, the data controller did not obtain from data subjects, for the international transfer activity, consent that was based on information and freely given.

Considering that the data controller admitted in its defense petition that the transfer of personal data abroad was a deliberate and intentional act carried out systematically for commercial purposes, and that, despite six years having passed since the enactment of the Law, the international transfer activity had still not been brought into compliance with the Law, it was decided to impose an administrative fine of 950,000 TL on the data controller. Additionally, it was decided to warn the data controller to take all administrative and technical measures necessary to conclude the applications of data subjects effectively and lawfully within the scope of the Communique on Procedures and Principles for Application to the Data Controller.

  7. Summary of the Decision dated 02/06/2022 and numbered 2022/545 on “processing of the personal data of the data subject by the data controller bank, where the data subject does not have an account, without fulfilling the obligation to inform and without obtaining explicit consent”:

In their complaint, the complainant stated that they sent an SMS containing their national identification number (Turkish ID number) to the specified number in order to find out the credit limit they could receive. The SMS response received from the data controller bank specified the complainant’s credit limit. The complainant stated that they had never had any account or transaction with this bank and that the bank did not provide them with any information regarding the national identification number and mobile phone number they had supplied. Although they had no connection with this bank, the data controller was able to determine a credit limit for the complainant within a short time, which indicated that the complainant’s personal data had been processed by the data controller without their knowledge. The complainant also stated that no proper response was given to their application and that explicit consent was not obtained when their personal data was processed, and requested that the necessary actions be taken.

During the investigation conducted regarding the matter, it was found that an initial SMS was sent to the complainant regarding the protection of their personal data, which included a link to access the data controller’s information notice. It was observed that the subsequent SMS contained the available credit amount for the complainant. Therefore, it was determined that contrary to the complainant’s claim, the data controller had provided information to the complainant regarding the matter before completing the data processing process initiated with the complainant’s consent. Although the data controller stated that the complainant’s personal data was processed based on the conditions set forth in Article 5(2) of the Law, it was unknown which data these were and based on which condition stated in the relevant article they were processed. For these reasons, it was concluded that the data controller had violated its obligation to respond to the complainant with a complete and comprehensive information notice which fulfills the conditions mentioned, and thus, failed to comply with the Regulation on Procedures and Principles for Fulfilling the Obligation to Inform. Therefore, the data controller was instructed to bring the information notice into compliance with the aforementioned Regulation and to inform the Board within the legal period of thirty days. Furthermore, considering that the response given to the complainant’s application did not meet their requests and was incomplete, the data controller was warned to respond to data subjects’ applications in accordance with the Law and the Regulation, with maximum care and attention.

  8. Summary of the Decision dated 22/06/2022 and numbered 2022/594 on “sending of the results of an addictive substance test, which is special category personal health data, to the e-mail address of a third person working at the workplace of the data subjects by a private health institution without obtaining the explicit consent of the data subjects”:

In the complaints received by the Board, it is stated in summary that the data subjects, like all other employees of the employer, were made to undergo drug tests under pressure, without any reason or explanation being given. It is stated that no contact information was collected from the data subjects during testing, and that the test results were sent to an e-mail address belonging to a person at the workplace, so that personal health data were transferred to a third party without the data subjects’ consent and without any notification or information being provided to them. Although the response letter of the data controller health institution indicated that the recipients were the data subjects’ employers, the data subjects state that the persons in question were not their employers. It was therefore requested that test results be sent to the persons concerned themselves rather than to a third party.

As a result of the examination, it is determined that the special category personal data of the data subjects, which the data controller health institution sent to an e-mail address belonging to a third person working at the data subjects’ workplace, were processed without any of the processing conditions set out in Article 6 of the Law. It is concluded that the data controller did not take all necessary technical and administrative measures to ensure an adequate level of security to prevent the unlawful processing of personal data, in violation of Article 12(1) of the Law. It is also noted that the number of persons affected was not limited to the complainants, since the processing activity concerned health data, which are special category personal data, and the data controller provided health services to approximately 600 employees in multiple cities. An administrative fine of 75,000 TL is therefore imposed on the data controller.

  1. Summary of the Decision dated 29/06/2022 and numbered 2022/630 on “sharing of the photographs of the data subject taken during the surgery on the social media account of a doctor working at the data controller hospital”:

In the complaint submitted to the Board by the concerned individual, in summary, it is stated that personal data in the form of photographs were taken without obtaining explicit consent while the individual was unconscious during a nose surgery performed at a private hospital. These photographs were shared for promotional purposes on the social media account of the doctor who works at the data controller hospital and performed the surgery. It is mentioned that these photographs were kept on this account for approximately two years. Although the photographs were removed after the individual’s application, it is stated that there was no explicit consent for the processing of personal data for advertising and marketing purposes, and it is requested that the necessary actions be taken.

As a result of the evaluation, it is determined that the data subject did not give explicit consent to the sharing of images taken while they were unconscious, and that the data controller hospital was aware that these photographs had been shared on the doctor’s social media account. Considering that the hospital did not take the necessary administrative and technical measures to prevent the sharing of the data subject’s personal data in the form of these images on the doctor’s social media account, an administrative fine of 100,000 TL is imposed on the data controller hospital.

  1. Summary of the Decision dated 03/08/2022 and numbered 2022/768 on “transfer of personal data of the data subject to an insurance company by the data controller bank without obtaining explicit consent”:

In the complaint letter received by the Board from the concerned individual, in summary, it is stated that the individual was contacted multiple times by an insurance company on their personal phone. During the conversation with the insurance company, the individual learned that their mobile phone number was obtained through a bank, which is the data controller. It is mentioned that the individual had an account with the data controller bank but had no relationship with any other institution or organization associated with the data controller. In this context, it is stated that an application was made to the data controller, but the response provided by the data controller was not satisfactory, and therefore, it is requested that the necessary actions be taken in accordance with the law.

Upon examination of the matter, it is determined that the phone number, which is personal data of the individual, was transferred to the relevant insurance company by the data controller without relying on any of the personal data processing conditions specified in Article 5 of the Law, in violation of Article 8 of the Law. In this regard, considering that the obligation to take necessary administrative and technical measures to ensure an appropriate level of security to prevent the unlawful processing of personal data as stipulated in Article 12(1) of the Law was not fulfilled, an administrative fine of 250,000 TL is imposed on the data controller.

  1. Summary of the Decision dated 01/09/2022 and numbered 2022/863 on “processing of personal data by a bank’s customer services through calling the data subject by phone without fulfilling the obligation to inform and without obtaining his/her explicit consent”:

In the complaint letter received by the Board, in summary, it is stated that the individual transferred money from their account in another bank to an account belonging to a third party at the data controller bank. Subsequently, despite not giving consent for contact and not receiving any information, the data controller bank contacted the individual on the same day for promotional purposes. It is mentioned that the individual approached the data controller bank regarding this matter and it is shown from the postal delivery tracking that the application was received by the bank, but no response was provided within the legal timeframe. Therefore, it is requested that the necessary actions be taken against the data controller bank in accordance with the law.

Upon examination of the matter, it is concluded that the mobile phone number the data subject shared with the data controller bank for contact purposes was processed under the processing condition “explicitly provided for by laws”, on the basis of Article 6 of the Law on the Regulation of Electronic Commerce and Article 6(2) of the Regulation on Commercial Communication and Commercial Electronic Messages, since the call was made, owing to the ongoing customer relationship, to give information about the service in use and not to promote or advertise any goods or services. It is therefore decided that no action is to be taken against the data controller bank.

  1. Summary of the Decision dated 23/12/2022 and numbered 2022/1358 on “failure to provide clarification and explicit consent texts regarding cookies on a website”:

In the complaint letter received by the Board, in summary, it is stated that when accessing the website of a gaming platform, users were not provided with information about cookie processing processes, and explicit consent was not obtained for non-essential cookies. It is mentioned that when users register on the site, their identity and contact information were requested, but the information and consent texts were not provided. It is further stated that although an application was made to the relevant company, a satisfactory response was not received, and therefore, it is requested that the necessary actions be taken in accordance with the law.

Upon evaluation of the matter, it is determined that the data controller processed personal data through non-essential cookies on the website without relying on any legal processing conditions, such as for advertising and marketing purposes. Considering that this situation is in violation of the obligations stated in Article 12(1) of the Law, an administrative fine of 300,000 TL is imposed on the data controller.

  1. Summary of the Decision dated 23/12/2022 and numbered 2022/1357 on “processing of blood type data, which is special category personal data, by the data controller, who is a gym operator, without obtaining the explicit consent of the data subject”:

According to the complaint letter received by the Board from the concerned individual, in summary, the data controller, who is the operator of a sports facility, processed the health data (detailed body fat, weight and performance measurements, blood type, annual hospital visit count, smoking information, etc.) of individuals using the sports facility, as well as their biometric data (fingerprint taken at the entrance) and camera footage. However, it is stated that no information was provided regarding the processing of this data in accordance with the Law and no explicit consent was obtained from the individuals. It is also mentioned that the data subject’s email containing questions and requests regarding the processing of their personal data was not answered within the legal timeframe, and that the cards containing personal data of the individuals, including health data, could be accessed by anyone working at the sports facility, and the security of this information was not ensured. It is further stated that these cards, including health data, occasionally went missing, and it was uncertain who had access to them. It is alleged that the employees of the sports facility monitored the camera recordings and made interpretations based on the behavior of the individuals inside the facility, by matching them with the recordings.

As a result of the evaluation of the matter, considering that the special category personal data, such as blood type, was processed for sports facility membership without obtaining explicit consent, it is concluded that the data controller has not fulfilled the obligations stipulated in Article 12(1) of the Law. It is determined that the data controller processed the personal data of numerous members within the scope of the sports facility membership agreement, including special category personal data, which poses a significant risk to the privacy of users. Taking into account that the data controller operates in various sectors such as sports facility management, tourism and hotel management, and construction contracting, and considering its economic situation, an administrative fine of 100,000 TL is imposed. It is also decided that the information and explicit consent texts should be separately prepared in addition to the membership agreement provided to the members, the explicit consent should be presented to the data subjects in a manner that includes options for granting or withholding consent for each activity, and the information text should be prepared in compliance with the relevant provisions of Article 10 of the Law and the Communique on the Procedures and Principles to be Followed in Fulfilling the Obligation to Inform. Furthermore, the data controller is instructed to inform the Board about the outcomes of the measures taken.

  1. Summary of the Decision dated 24/03/2022 and numbered 2022/277 on “a cargo package containing personal data of the data subject falling into the hands of a third party”:

The complaint of the data subject can be summarized as follows: The data subject delivered their headphones to a branch of an electronic retail chain in a shopping mall for repair. The store representatives handed over the headphones to a courier company to be sent to the distributor company. However, the package was delivered to an unrelated third party instead of the distributor company. Upon the third party’s contact with the data subject regarding the delivery, they became aware of the situation. The electronic retail chain officials claimed that they had no wrongdoing in the matter and that the error was solely on the part of the courier company. However, it was stated that the transported package contained documents containing the data subject’s personal information such as name, surname, mobile phone number, email address, city and district of residence, and the first six digits of the payment card used. The data subject requested the necessary actions to be taken within the scope of the Law regarding the matter.

As a result of the investigation, it is determined that the incident underlying the complaint, namely the delivery by the data controller of documents containing some of the data subject’s personal data to the distributor company for a repair process, falls within the scope of the data controller’s obligations under Article 12(1) of the Law. However, no act contrary to Article 12(1) is found on the part of the data controller, since it handed the package containing the data subject’s personal data to the courier company with itself as the sender and the distributor company as the recipient. Although no action is deemed necessary under the Law regarding the personal data contained in the documents sent to the distributor company, the data controller is warned, in view of the nature of the personal data involved, to ensure in the future that the forms placed in packages sent to repair companies contain the minimum personal data and that the personal data shared are masked as far as possible. It is also noted that, although the data subject was informed in response to their application, it is debatable whether any additional measure could have prevented or minimised adverse consequences for the data subject without the guidance of the Board.
Considering that no person other than the data subject could have been affected by the misdelivered package, that the data controller’s failure to notify the Board of the incident may not have created a specific danger to the protection of the data subject’s personal data, and that the existence of such an additional measure is debatable, it is decided that the data controller be instructed to notify the data subject and the Board in accordance with Article 12(5) of the Law in similar incidents that may occur in the future.

  1. Summary of the Decision dated 05/01/2023 and numbered 2023/4 on “a cargo company’s unlawful sharing of personal data due to a cross-barcoding error”:

According to the complaint of the data subject, in summary, they purchased a product from an e-commerce company and noticed, after the shipping company had delivered the package, that it contained the address and contact information of a third party with a name similar to their own. The data subject, as complainant, asked the data controller, the shipping company, for the legal basis on which the third party’s personal data had been transferred to them, and whether their own personal data had been transferred to third parties and, if so, on what legal grounds. In its response, the data controller stated that the situation had arisen from an error during the barcoding process and that the package belonging to the data subject had been returned by the third party and delivered to the sender company. On the basis of these statements, the data subject concluded that the data controller, through the cross-shipping error, had sent the package that should have been delivered to them to the third party, thereby sharing their personal data with that third party. The data subject therefore stated that the data controller had unlawfully transferred both their own personal data and the third party’s personal data in violation of Article 8 of the Law, and requested that the necessary action be taken.

As a result of the examination conducted regarding the matter; it was determined that the sharing of the data subject’s personal data with the third party constitutes a new data processing activity, which does not have a legal basis specified in the Law. It was found that the action of the data controller in question is in violation of the obligations regarding data security under the Law. Furthermore, considering that the situation qualifies as a data breach, and the data controller did not make a data breach notification to the Board, it was decided to impose an administrative fine of 75,000 TL on the data controller for not fulfilling the obligations stated in Article 12 of the Law.

  1. Summary of Decision dated 07/04/2022 and numbered 2022/325 on “sending of e-invoices issued on behalf of a business that is not related to the person concerned to the e-mail address of the person concerned”:

In the complaint received by the Board from the data subject, in summary; it is stated that e-invoices issued on behalf of a supermarket were sent to the data subject’s email address by the authorized personnel of a marketing company’s Trabzon regional office 15 times from 13/01/2020 to 20/04/2020, even though the data subject has no connection to the supermarket for which the invoices were issued. Despite reporting this situation to the company through various communication channels, the invoices continued to be sent to the data subject. Therefore, the necessary actions were requested to be taken.

As a result of the evaluation, although the data subject’s complaint to the Board concerned the marketing company with which the authorised seller had originally contracted, it is understood that the person who issued the invoice in question had ended their relationship with that marketing company in November 2018, whereas the invoice was dated February 2020; accordingly, the first marketing company did not have the status of data controller, and a contract had instead been concluded with the final seller, the supermarket. It was stated that the data subject’s e-mail address had been recorded in the system inadvertently by the data processor, without any intent, and that the issue raised in the complaint had been rectified. Since the first marketing company had no connection with or responsibility for the sending of invoices to the data subject, who was not a party to the transaction, no action needed to be taken against it. Considering that the data subject’s e-mail address had been processed by mistake by the authorised seller, as data processor, owing to its similarity to the e-mail address of the supermarket owner, and that the data subject’s request that invoices no longer be sent to that address had been met through the necessary corrections, it was decided that no action needed to be taken against the second marketing company as data controller either. However, it was also decided to remind the second marketing company, within the scope of the Board’s Principle Decision dated 22/12/2020 and numbered 2020/966, to establish the confirmation mechanisms needed to ensure compliance with the Law when sending e-mails to communication channels such as phone numbers and e-mail addresses belonging to third parties.

  1. Summary of Decision dated 03/08/2022 and numbered 2022/774 on “sending by the data controller of the order information of a third party shopping from an e-commerce site to the e-mail address of the relevant person”:

In the complaint received by the Board, in summary, it is stated that the order information of a third party who made a purchase from an e-commerce website was sent to the data subject’s e-mail address. The e-mail content plainly included the amount paid, a picture of the order contents, the sender’s name and surname, and the recipient’s name and surname, address and phone number. The e-mail also contained an “Order Tracking and Updates” button leading to a page on which all order details could be viewed: in addition to the sender and recipient information, the page showed the product name, product code, the colour of the ordered item, and a message from the sender to the recipient. The sender and recipient information and the message could be edited, and an active order cancellation button was also present. The data subject considered this a data breach and believed that their own personal data could likewise be visible to others. The data subject first contacted the customer service of the e-commerce website through its live support system and was told that the purchaser had entered the wrong e-mail address because of a name similarity; they were assured that the order notification had been sent in error, that their e-mail address had been deleted, and that they would receive no further notifications. However, it is stated that the e-commerce website, as data controller, continued to send promotional e-mails to that address, and the data subject requested that the necessary action be taken within the scope of the Law.

During the examination of the matter, it was found that incorrect declarations could be made in manual data entries by individuals, and it is the responsibility of data controllers, within the scope of the obligation to take administrative and technical measures to prevent the unlawful processing of personal data defined in Article 12(1) of the Law, to take necessary administrative and technical measures to prevent the unlawful processing of personal data of third parties due to these incorrect data entries. It was emphasized that mechanisms should be established to verify the accuracy of the contact information provided to them. It was also stated that due to the lack of a verification mechanism in this process, all shopping transactions made through guest access without becoming a member of the e-commerce website pose a data breach risk. Considering the lack of compliance by the data controller with the obligations in Article 12 of the Law and the potential loss of rights in case of sending the email to the wrong recipient, as well as the negligent behavior in not establishing a verification mechanism for the recipient groups to whom the email would be sent, an administrative fine of 120,000 TL was imposed on the data controller.

  1. Summary of the Decision dated 04/08/2022 and numbered 2022/787 on “processing of the phone number of the data subject by the data controller selling household goods through contact for the debt of a third party”:

In the complaint received by the Board, in summary, it is stated that the data subject was contacted by a data controller who sells household goods. They received a phone call the first day and a text message on their mobile phone the next day. On a later date, the data subject was called three times by the data controller, and in the last call, the data controller asked for the number of a person who made a purchase. The data subject stated that they did not know the person’s number and that they did not have any debts or guarantees. However, the data controller stated that the data subject would be constantly disturbed until the debtor paid off the debt. When the data subject requested their number to be deleted from the system in the last call, their request was denied. Additionally, it was mentioned that the written application containing the deletion request to the data controller did not receive a response, and the calls continued. Therefore, it was requested that the necessary actions be taken within the scope of the Law.

As a result of the investigation conducted on the matter, considering that the data controller continued to process the personal data, namely the telephone number, of the data subject without any connection to a debt that the data subject does not own, in violation of the principles of “accuracy and being up to date” and “being relevant, limited, and proportionate to the purposes for which they are processed” stated in Article 4 of the Law, and without fulfilment of any of the processing conditions of personal data specified in Article 5 of the Law, it was decided to impose an administrative fine of 200,000 TL on the data controller, taking into account their economic situation.

  1. Summary of the Decision dated 01/09/2022 and numbered 2022/853 on “processing of the e-mail address of the data subject by a legal betting platform and sending of the personal data of one of its members to the e-mail address of the data subject who is a third party”:

In the complaint received by the Board, in summary, it is stated that in April 2022 an e-mail was sent to the data subject’s personal e-mail account, *************@gmail.com, by the legal betting platform ******.com. The e-mail stated, among other things: “Dear ******* ******, You can find the details regarding your membership below: Your Membership Number: ********. You can log into your ******.com account with your membership number, username, and your national identification number. As a security measure, we recommend changing your login password for ******.com at regular intervals.” Shortly afterwards a second e-mail was received stating, “Dear Member, You have approved the sending of commercial electronic communications, such as advertisements and promotions, to your email address.” The data subject asserts that they never created a membership on the ******.com website. The data controller responded with the statement, “As per your request, your email address has been removed from the registered membership.”

As a result of the investigation, it is determined that the main issue in this specific case, in terms of the Law, is that the data controller failed to establish any control mechanism while processing personal data. This non-compliance is in violation of the general principles stipulated in Article 4(2) of the Law, namely “compliance with the law and fairness,” “accuracy and being up to date,” and “being relevant, limited, and proportionate to the purposes for which they are processed.” Considering that the actions of the data controller are contrary to the provisions of Article 12(1)(a) of the Law, which regulates obligations regarding data security, an administrative fine of 250,000 TL is imposed on the data controller.
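Decisions 2022/774 and 2022/853 above, like Principle Decision 2020/966 that the Board invokes in 2022/325, turn on the same missing control: an e-mail address typed in by a customer, a member, or a third party at guest checkout was treated as belonging to that person, and someone else’s order details or membership data were then sent to it. The following is an added example of the control the Board describes, a double opt-in gate in which nothing beyond the verification message itself may be sent to an address until the mailbox owner has returned a one-time token. It is not code from the Board or from any data controller named in these decisions; `ContactRegistry`, its method names, the 24-hour token lifetime and the sample addresses in the demo are all assumptions.

```python
"""
Double opt-in gate for manually entered contact addresses.

Added illustrative example, not code from the Board or from any data
controller in the decisions above. ContactRegistry and all names below are
assumptions; the addresses used in the demo are constructed.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class ContactRecord:
    address: str
    verified: bool = False
    token_hash: Optional[str] = None  # only an HMAC of the mailed token is kept
    issued_at: float = 0.0


class ContactRegistry:
    """Tracks whether a contact address has been confirmed by its owner.

    An address typed in by a customer, a member, or a third party at guest
    checkout is bound to nothing until whoever reads that mailbox returns the
    one-time token. Until then the only message the address may receive is
    the verification request itself.
    """

    TOKEN_TTL = 24 * 60 * 60  # seconds a verification link stays valid (assumption)

    def __init__(self, secret: bytes, now: Callable[[], float] = time.time) -> None:
        self._secret = secret
        self._now = now  # injectable clock so expiry can be tested offline
        self._records: Dict[str, ContactRecord] = {}

    @staticmethod
    def normalize(address: str) -> str:
        """Canonical lookup key; rejects strings that are not e-mail addresses."""
        local, at, domain = address.strip().rpartition("@")
        if not at or not local or "." not in domain:
            raise ValueError(f"not an e-mail address: {address!r}")
        return f"{local}@{domain}".lower()

    def _digest(self, address: str, token: str) -> str:
        msg = f"{address}\0{token}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def register(self, address: str) -> Optional[str]:
        """Record an unverified address; return the token to put in the verification mail.

        Returns None when the address is already verified, so a second
        registration attempt can neither un-verify it nor trigger more mail.
        """
        addr = self.normalize(address)
        existing = self._records.get(addr)
        if existing is not None and existing.verified:
            return None
        token = secrets.token_urlsafe(32)
        self._records[addr] = ContactRecord(addr, False, self._digest(addr, token), self._now())
        return token

    def confirm(self, address: str, token: str) -> bool:
        """Mark the address verified if `token` is the unexpired one issued for it."""
        addr = self.normalize(address)
        rec = self._records.get(addr)
        if rec is None or rec.verified:
            return False  # unknown address, or token already consumed
        if self._now() - rec.issued_at > self.TOKEN_TTL:
            del self._records[addr]  # expired: the user must start again
            return False
        if not hmac.compare_digest(rec.token_hash, self._digest(addr, token)):
            return False
        rec.verified = True
        rec.token_hash = None  # single use
        return True

    def compose(self, address: str, personal_details: str) -> Optional[str]:
        """Return the body that may be mailed to `address`, or None if nothing may be sent.

        Order contents, membership numbers, invoices and account statements go
        only to a verified address; an unverified one gets nothing at all.
        """
        rec = self._records.get(self.normalize(address))
        if rec is None or not rec.verified:
            return None
        return personal_details

    def forget(self, address: str) -> bool:
        """Honour a deletion request: afterwards no message of any kind may be composed."""
        return self._records.pop(self.normalize(address), None) is not None


if __name__ == "__main__":
    # Constructed demo: the purchaser mistypes a stranger's address at guest checkout.
    registry = ContactRegistry(secrets.token_bytes(32))
    token = registry.register("Stranger@Example.com")  # goes into the verification mail only
    print(registry.compose("stranger@example.com", "order #1: 2 x item, to ..."))  # None
    print(registry.confirm("stranger@example.com", token))  # True only if the owner clicks
    print(registry.compose("stranger@example.com", "order #1: 2 x item, to ..."))
```

The token that goes into the verification mail is never stored; only an HMAC of it is, so a copied database does not let anyone confirm an address they do not control. `compose` returns `None` rather than a “you have been registered” message for an unverified address because, as in 2022/853, that message is itself a disclosure of someone else’s membership data; and `forget` makes the later promotional e-mails complained of in 2022/774 impossible to compose once deletion has been requested.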

  1. Summary of Decision dated 08/09/2022 and numbered 2022/925 on “sending of e-invoices of other subscribers to the e-mail address of the person concerned”:

In the complaint received by the Board, the data subject stated that they had previously filed a complaint against the telecommunications company, the data controller, as they were receiving e-invoices of another subscriber to their personal email address. The Board had previously imposed an administrative fine on the telecommunications company and instructed the data controller to take all necessary administrative and technical measures regarding the security of personal data. However, the data subject stated that since 2018, they have been receiving e-invoices of the owner of the mobile number 053…4, and recently, they have also started receiving e-invoices of the owner of the mobile number 054…9. They requested that necessary actions be taken within the scope of the Law.

Following the evaluation of the matter, it is concluded that processing the data subject’s e-mail address by sending it invoices belonging to third parties violates the principle of “being accurate and, where necessary, up to date” set out in Article 4 of the Law, and thus the data security obligations under Article 12(1) of the Law. Taking into account the Board’s previous decision, in which the telecommunications company was instructed to take the necessary administrative and technical measures to ensure the security of subscribers’ personal data, it is decided to impose an administrative fine of 200,000 TL on the data controller.

  1. Summary of the Decision dated 12/01/2023 and numbered 2023/67 on “sending of money transfer and account information of the data subject to a third-party e-mail by a data controller bank”:

In the petition submitted by the data subject to the Board, it is summarized that the bank has sent account statements and real-time account transactions related to the data subject’s account to a third party’s email address without the knowledge and consent of the data subject. As a result, the data subject’s entire money transfers and account information have been learned by third parties, causing insecurity and distress. It is stated that the data controller failed to fulfill the obligation of informing, and it is requested that necessary actions be taken due to the violation of data security.

As a result of the examination conducted on the matter, it was found that the email address in question was initially shared with the bank by the representative of the company in which the data subject is a partner. Subsequently, during the data subject’s individual retirement application, the data subject approved the mentioned email address by signing the form presented to them. Furthermore, considering that the data controller promptly took action and made the necessary correction to the email address upon the data subject’s application, it is concluded that there is no action to be taken against the bank within the scope of the Law. However, in accordance with the Personal Data Protection Board’s “Principle Decision dated 22/12/2020 and numbered 2020/966” regarding personal data of third parties sent to communication channels such as telephone numbers and email addresses in violation of the Law, it is decided to warn the data controller bank to establish necessary mechanisms to verify and ensure the currency of the contact information of the relevant individuals used in banking transactions.

  1. Summary of the Decision dated 08/09/2022 and numbered 2022/923 on “processing of the phone number of the person concerned by sending SMS by a doctor who has left the hospital”:

In the complaint received by the Board, it is summarized that the data subject was examined by a doctor at a hospital in January 2018. The doctor subsequently left the hospital and opened a private clinic, after which they sent promotional SMS messages to the data subject’s mobile phone number. The data subject believes that their personal data were unlawfully taken by the doctor on leaving the hospital. It is stated that the data subject applied to both the doctor and the hospital regarding the matter but did not receive a satisfactory response, and that they have no ongoing or follow-up health issues with either the hospital or the doctor. It is therefore requested that the necessary action be taken against the hospital and the doctor within the scope of the Law.

As a result of the evaluation, on the available information and documents it cannot be proven that the personal data in question were obtained from the hospital’s database, and therefore no action can be taken against the hospital within the scope of the Law. The data controller doctor, however, stated that the phone number was obtained directly from the data subject. It is understood that this contact data was obtained, within the patient-doctor relationship, for the purpose of informing the data subject about examination and treatment processes. Considering that the doctor later processed the data subject’s phone number for the purpose of sending advertising SMS messages, it is concluded that this processing does not rely on any lawful basis. Accordingly, a fine of 100,000 TL is imposed on the doctor, as an individual data controller, for non-compliance with Article 12 of the Law.

  1. Summary of the Decision dated 04/08/2022 and numbered 2022/790 on “transfer of the health data of the person concerned by a university hospital to the defendant public institution upon his/her request to form the basis of an administrative case”:

In the complaint letter submitted to the Board, it is summarized as follows: In relation to a lawsuit pending before the administrative court between an individual and a public institution, the defendant public institution requested certain information from the university hospital. Upon this request, the relevant person’s health data were handed over to the public institution by the university hospital. It is claimed that the individual suffered moral damage due to the violation committed by the university and, therefore, a claim for non-pecuniary damages was made. It is stated that as a result of the examination conducted at the hospital, in the patient anamnesis form prepared for the individual, a statement was mistakenly written in the narrative section as “…he/she says he/she occasionally had to use marijuana.” It is explained that based on this statement, the individual was detained, and his/her residence and car were searched. It is stated that a decision was made that there was no basis for prosecution regarding the individual, and it was proven by the decision of the Public Prosecutor’s Office that he/she did not use any narcotics. Therefore, a request was made for the deletion of data and information regarding the use of marijuana from the individual’s health record. It is mentioned that the university did not respond to the individual’s requests and, therefore, action is requested to be taken against the university within the scope of the Law.

In the evaluation of the matter, it was found that the transfer of special category personal data related to the individual’s health, without the explicit consent of the data subject, to the public institution, was in violation of the Law. Furthermore, considering that information beyond the requested data was shared, it was concluded that the data controller, the university hospital, failed to fulfill its obligation to take all necessary technical and administrative measures for the security of personal data. Therefore, it was decided that disciplinary action should be taken against the responsible parties and the data controller should be instructed to inform the Board about the actions taken. Taking into account the individual’s right to request the correction of the “Marijuana Use” data in the Anamnesis Form, in accordance with the principle of accuracy and being up-to-date, it was decided to instruct the data controller to initiate the necessary procedures at the Provincial Health Directorate, both within its own organization and by guiding the relevant individual if necessary, and to inform the Board about the outcome.

  1. Summary of the Decision dated 07/07/2022 and numbered 2022/653 on “the request of the data subject to be notified of his credit card and mobile phone information regarding his shopping from the data controller providing online shopping services”:

In the complaint letter received by the Board, the person concerned summarized that, in relation to a purchase made through the online shopping platform provided by the data controller company, the credit card information entered into the application and the contact information (mobile phone number) provided for order delivery had been requested by the data controller in accordance with the Law and were stated to be recorded. Although the person concerned requested this information through the registered e-mail address and phone number of their user account, it was not shared with them, which they consider a violation of the Law. Therefore, it is requested that necessary actions be taken within the scope of the Law.

Upon examination of the matter, considering that the relevant person’s credit card information is stored within the mobile payment technology provider intermediary company, it has been decided that there is no action to be taken against the data controller in this regard.

  1. Summary of the Decision dated 22/03/2023 and numbered 2023/426 on “Requesting e-Government Passwords from the Relevant Persons by the Company Providing Shopping Facilities with Consumer Financing Loans”:

In a complaint letter submitted to the Board, in summary, it is stated that while purchasing a television with a consumer finance loan from the Company, the individual was asked for their e-Government password.

In another complaint letter received by the Board, in summary, it is stated that the company requested the e-Government password from the informant. Despite the company’s insistence, the informant refused to provide the password. It is stated that e-Government passwords were obtained from many citizens other than the informant. The request is made for the necessary actions to be taken within the scope of the Law.

As a result of the investigation conducted on the matter, a strong belief has been formed that access to the e-Government passwords of the individuals was obtained. It is concluded that by requesting e-Government passwords, access can be gained to many personal data, including sensitive ones. Therefore, it is evaluated that the data controller did not fulfill its obligations stipulated in Article 12(1) of the Law, as the request for e-Government passwords in installment purchases does not rely on any data processing condition mentioned in Article 5 of the Law. Accordingly, an administrative fine of 400,000 TL is imposed on the data controller.

C. Decisions on Personal Data Processed by Lawyers

  1. Decision dated 22/03/2023 and numbered 2023/437 on “processing of personal data by sending a text message to the debtor by a law partnership”:

In a complaint letter submitted to the Board regarding the personal data processing activity carried out by an Attorney Partnership, as the data controller, on behalf of the Company in the context of a subscription relationship between the Company and the individual concerned, where five text messages were sent to the individual for the purpose of debt follow-up and reminders, the following issues were summarized: the data controller, the Law Partnership, failed to fulfill the obligation to provide information at the first contact with the individual regarding the personal data obtained from the Company, and also failed to fulfill the obligation to provide information prior to the recording of a voice call during a conversation conducted through the call center. As a result, sanctions were requested against the data controller for not complying with the provisions of the Law. Additionally, sanctions were requested against the data controller for sending five text messages to the individual on and with the same subject and content.

Following the examination of the matter, it was concluded that the personal data processing activity carried out by the data controller through the processing of the individual’s phone number falls within the scope of the provision in Article 5(2)(e) of the Law, which stipulates that data processing is necessary for the establishment, exercise, or protection of a right. Therefore, it was deemed lawful under the Law, and no action was deemed necessary regarding the mentioned complaint. Furthermore, it was found that the individual did not provide any explanation or request regarding the allegation of failure to fulfill the obligation to provide information at first contact with the individual and the recording of the voice call without fulfilling the obligation to provide information before the recording. Therefore, no action was deemed necessary under Article 18(1)(a) of the Law for the imposition of penalties. Regarding the request for an investigation into whether the data controller uses software/programs/applications that allow querying of personal data, such as citizens’ identity and contact information, based on illegally obtained data from individuals, it was noted that the data controller’s response letter denied this allegation and no information, document, or record supporting the claim was provided to the Board by the individual. Consequently, no action was deemed necessary under the Law regarding the mentioned request.

  1. Summary of Decision dated 07/07/2022 and numbered 2022/655 on “unlawful processing of personal data of the data subjects who were members of the board of directors of the liquidated company by the data controller lawyer by sending text messages and making calls within the scope of company debt”:

In the complaint letter received by the Board from the representatives of the concerned individuals, it is summarized that the data controller lawyer and employees communicate with the relevant individuals through text messages and calls, claiming that their personal data were being processed in relation to a debt allegedly belonging to a dissolved limited company of which the relevant individuals were partners. It is requested that the necessary actions be taken within the scope of the Law.

In the examination of the matter, it was determined that during the period when the debt arose/ enforcement proceedings were initiated, the relevant individuals were members of the dissolved company’s board of directors, and this fact was publicly disclosed in the Trade Registry Gazette. It is stated that the data controller lawyer, within the framework of the Attorneyship Law and other relevant legislation, acquires and processes the relevant individuals’ data such as their name, surname, ID number, address, and telephone number through UHAP/unknown number services or other legal platforms that operate in compliance with the regulations, in order to collect the receivables of the client within the attorney-client relationship. It is concluded that this acquisition and processing of data is necessary for the data controller to fulfill its legal obligations arising from the attorney-client relationship in accordance with Article 5(2)(ç) of the Law and necessary for the establishment, exercise, or protection of the creditor’s right to access justice in accordance with Article 5(2)(e) of the Law. Therefore, it is decided that there is no action to be taken within the scope of the Law regarding this allegation.

  1. Summary of Decision dated 01/12/2022 and numbered 2022/1281 on “sharing of the debt information of the debtor with his son by the data controller lawyer due to the execution proceedings and unlawful processing of the phone number of the son of the debtor whose debt information was shared with him”:

In the complaints submitted to the Board by the relevant individuals (debtor and his son), briefly, it is alleged that in relation to the execution proceedings initiated against the debtor, the data controller lawyer repeatedly contacted the debtor’s son via his phone number and provided information regarding the debt without the explicit consent of the debtor, thereby disclosing the debtor’s legal and financial information to a third party, namely his son. Furthermore, it is claimed that while the debtor, whose debt information was shared, received notification of the application made to the data controller lawyer, no response was provided. Therefore, it is requested that necessary actions be taken within the scope of the Law.

Upon evaluation of the matter, considering that the debtor’s son was present at the place of enforcement during the seizure and the seized assets were left in his custody as a bailee, and based on the available information and documents, it is understood that it cannot be substantiated that the data controller unlawfully processed the phone number of the debtor’s son. Therefore, it has been decided that no action will be taken within the scope of the Law regarding the aforementioned allegation.

  1. Summary of the Decision dated 19/01/2023 and numbered 2023/78 on “sending of the debt information of the concerned person as a text message to the corporate numbers of the company in which the person is a partner”:

In the complaint submitted to the Board by the relevant individual, it is stated that, in summary, as a result of the cancellation of the mobile internet subscription agreement between the relevant individual and the GSM operator data controller, a debt was imposed on the individual. It is alleged that the GSM operator authorized a law partnership to collect the debt incurred in the name of the individual, and the law partnership sent a short message to 4 different mobile phone numbers belonging to the company owned by the individual, masking the individual’s surname but clearly indicating the amount of debt for which enforcement proceedings would be initiated. It is claimed that due to these messages, employees using the company lines of the individual’s company, despite having no connection to the matter, became aware of the debt information of the individual. Furthermore, as there were no other individuals with the same name in the company, even if the surname was masked, the identity of the individual was revealed in the mentioned short message. It is stated that the individual applied to the law partnership and the GSM operator regarding the matter, and in the responses received, it was stated that the short message shared for informational purposes was masked. However, it was not explained for what purpose the personal data of the individual, relating to the company lines owned by the individual, were shared. Therefore, it is requested that the necessary actions be taken within the scope of the Law.

Upon examination of the matter, it was determined that the data controller’s use of the corporate communication numbers belonging to the company owned by the individual as the communication numbers in the individual contracts between the data controller and the individual contradicts the principle of “being accurate and up-to-date when necessary.” Consequently, since short messages containing the personal data of the individual were transmitted, without any processing condition, to the company’s communication numbers, which were unrelated to the debt-related transaction and were used by company employees with no connection to the matter, it was observed that the data controller did not fulfill its obligations regarding data security, as stipulated in Article 12 of the Law. Therefore, an administrative fine of 85,000 TL is imposed on the data controller, and it is decided that no action will be taken within the scope of the Law regarding the law partnership, which sent a single short message for debt collection purposes to the telephone numbers specified as belonging to the individual, within the framework of the instructions given by the data controller and without any capability to verify the data.

  1. Summary of the Decision dated 18/05/2022 and numbered 2022/489 on “sharing of the documents containing the personal data of the data subject by the Union, which is a public legal entity, with the lawyer appointed as the Union’s representative and subsequent transfer of the said documents by the lawyer to the Bar Association”:

In the complainant’s complaint, briefly, it is stated that the complainant is practicing the profession of law, and during the termination negotiations of the legal consultancy and attorney contract with the Union, a lawyer who introduced himself as the representative of the Union called the complainant and requested the termination of the contract. Subsequently, during the ongoing discussions with the Union on the matter, the lawyer presented himself as a representative of the Union and spoke in a manner inconsistent with legal professional ethics. Therefore, the complainant lodged a disciplinary complaint against the said lawyer with the Bar Association. It is mentioned that the lawyer submitted a defense statement to the Bar Presidency, which was unrelated to the complainant, and only included copies of freelance invoices and withholding tax payment lists issued to the Union within the scope of the consultancy contract. Furthermore, it is stated that the complainant contacted the lawyer and the Union regarding the matter but did not receive a response. Accordingly, it is requested that the necessary actions be taken within the scope of the law.

As a result of the examination of the matter, it is concluded that regarding the sharing of the documents containing the complainant’s personal data with the lawyer appointed as the representative of the Union by the Union Presidency, as the Union is a public legal entity and they receive external legal services in fulfilling their duties assigned to them, the sharing of the documents containing the personal data of the complainant with the said lawyer can be evaluated within the scope of Article 5(2)(e) of the Law. Therefore, it is decided that there is no action to be taken within the scope of the law regarding the complaint against the Union. It is also concluded that the lawyer, who has the status of data controller, transferring the documents containing the personal data of the complainant to the Bar Association during the investigation conducted in accordance with Article 8 of the Law, and within the framework of Article 5(2)(e) of the Law, is deemed to be in compliance with the provisions of the law. Therefore, it is decided that there is no action to be taken within the scope of the law regarding the complaint against the said lawyer.

D. Decisions on Other Data Processing Activities

  1. Summary of the Decision dated 10/11/2022 and numbered 2022/1201 on the “request of the relevant person to remove from the index the results obtained in the search engine with their name and surname regarding an advertisement accessible from the website of the Official Gazette”:

In the complaint made to the Board, it is indicated, in summary, that when the name of the data subject was searched through a search engine, it led to the page https://www.resmigazete.gov.tr/arsiv/*****.pdf; the data subject requested from the data controller that the page associated with their name be removed under the “right to be forgotten,” but the response received stated that the “content will not be blocked.” Therefore, it is requested that the necessary measures be taken to ensure that the address does not appear when the data subject’s name is searched on the data controller’s search engine.

As a result of the investigation conducted on the matter, it is determined that the data processing activity involved in indexing the page in question in the data controller’s search engine by associating it with the data subject’s name was not for the purpose of providing public access to the relevant content, but rather to ensure that the notification was delivered to the data subject. Furthermore, it is stated that according to the Notification Law and as indicated in the Official Gazette, the content in question would be considered as served 15 days after its publication date, and therefore, the purpose of notification to the data subject was fulfilled. Additionally, it is noted that the data subject was a board member and president of a company, but the content in question was not related to the data subject’s professional life. Moreover, considering that the purpose of processing the data contained in the content was not to provide public access to the relevant information but to ensure the notification to the data subject, it is concluded that there is no public interest in its publication. It is evident that the subject of the search results was not a child, and taking into account that the Official Gazette issue at the URL address mentioned in the complaint was dated **/**/2000 and the court decision was dated 1999, more than 20 years have passed, and thus the content has lost its relevance. Although the information in the content confirmed that the data subject had been acquitted of the alleged crime by a court order, it could still cause prejudice against the data subject. It is also evaluated that the content was not published by the data subject himself and did not contain data processed within the scope of journalistic activities. Therefore, it is decided to instruct the data controller to remove the URL address https://www.resmigazete.gov.tr/arsiv/*****.pdf from the index in a way that it cannot be associated with the data subject’s full name.

  1. Summary of the Decision dated 16/02/2023 and numbered 2023/224 on “unlawful processing of personal data of the data subject by sharing the video of a municipality’s council meeting on social media account”:

In the complaint received by the Board, the data subject states, in summary, that in a regular council meeting video shared on the social media account of a district municipality, their personal data was processed unlawfully. It is mentioned that during the said meeting, the mayor made a speech revealing information about the data subject’s private life, personal data, and certain court cases and legal proceedings, and this speech was shared with the public through the municipality’s social media account. In this context, it is stated that a complaint was filed with the municipality regarding the violation of personal data, but the municipality responded by stating that there was no violation of rights within the scope of the Law. Therefore, the data subject requests appropriate actions to be taken.

Following the evaluation of the matter, it was examined in the context of the complaint submitted to the Board regarding the alleged sharing of the data subject’s personal data during the Municipality Council Meeting and the publication of the relevant video recording on a social media platform. It was determined that the data subject was a former council member and that there was public interest in informing the public about the matter. Additionally, considering that the sixth paragraph of Article 20 of Law No. 5393 on Municipalities stipulates that “Meetings can be recorded with audio and video devices upon the decision of the council,” and the ninth paragraph of Article 11 of the Municipal Council Working Regulation states that “Council meetings are open to the public. The council president or any member can propose a closed session with justification,” it was concluded that the data processing activity in question falls within the scope of “necessity of data processing for the fulfillment of the data controller’s legal obligations.” Therefore, it was decided that no action within the scope of the Law could be taken against the Municipality Presidency.

  1. Summary of the Decision dated 24/11/2022 and numbered 2022/1249 on “sharing of images of the concerned person recorded by the security camera in the foreign exchange office with news agencies”:

The complaint filed by the data subject is summarized as follows: due to an incorrect transaction made by an officer at a currency exchange owned by the data controller, an overpayment was made to the data subject. Upon discovery of the overpayment, the excess amount was refunded. However, the CCTV footage of the data subject, recorded by the security camera at the currency exchange, was shared with news agencies and websites without obtaining the data subject’s explicit consent. It is stated that there was no warning sign indicating the recording of video footage at the data controller’s workplace. The data subject made a written application to the data controller in accordance with their rights under Article 11 of the Law, but the response provided was considered insufficient and the violation was denied by the data controller. Therefore, the request for necessary actions to be taken was made.

As a result of the investigation conducted regarding the matter, it was determined that the obligation to have cameras in currency exchanges was a legal requirement. Thus, the processing of the data subject’s images through video recording was based on the necessity of fulfilling the data controller’s legal obligation. On the other hand, it was observed from the defense and attachments submitted by the data controller, including photographs, that there were signs stating “This premises is monitored by cameras 24/7” posted at various locations in the currency exchange office. Therefore, it is concluded that the individuals concerned were informed about the recording of camera footage, and their rights were adequately clarified. Consequently, it is decided that no action will be taken within the scope of the Law regarding the complaint of the data subject. Furthermore, with regards to the excessive/unjust payment made by the data controller to the data subject, in order to facilitate the refund and prevent economic loss, the transfer of the camera footage, which captures the data subject’s facial features and silhouette, to a local news channel for publication is considered to fall within the scope of “processing necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject.” Therefore, it is concluded that no action will be taken within the scope of the Law regarding this matter.

Batuhan Şahmay, Partner
Naz Ergörün, Associate
Elif Yıldız, Legal Intern