The Constitutional Court’s Decision dated 12.10.2023 with application number 2020/7518, published in the Official Gazette dated 15.12.2023 (“Decision”), concerns unauthorized third-party access to the database of an accommodation company taken over by the applicant, a holding company with its head office abroad, and the administrative fine imposed on the applicant by the Personal Data Protection Board (“Board”) under the Personal Data Protection Law No. 6698 (“Law”).

1. Highlights of the Decision

Remarkably, the Decision finds that (i) the objection to the administrative fines imposed by the Board was not effectively reviewed by the criminal court of peace and (ii) since administrative fines imposed by the Board constitute an interference with the right to property, the principle of proportionality stipulated in the Constitution must be complied with regarding these fines. This matters because, although there is an appeal procedure against administrative fines imposed by the Board, it has for some time been a matter of discussion that, in practice, the criminal courts of peace reject such objections without adequately reviewing the matter.

In the present case, the Constitutional Court remitted the dispute subject to the application to the relevant criminal court of peace and requested a retrial to remedy the violation of the right to property.

On the other hand, the Decision also makes some important observations on the provisions of the Law regarding data security:

  • Protection of personal data and protection of data security are two different matters. While the protection of personal data mainly refers to the protection of fundamental rights and freedoms during the processing of personal data and the legal limits for the processing of data, the protection of data security refers to the technical and administrative measures to be taken to protect the data itself.
  • According to the Law, it is obligatory to ensure the appropriate level of security in order to prevent unlawful processing of personal data and unlawful access to personal data and to ensure the protection of personal data.
  • While evaluating the appropriate level of security, the risks caused by the processing activity, especially the accidental or improper destruction, loss, alteration, unauthorized disclosure or access to the personal data transmitted, stored or processed, are taken into consideration.
  • In determining the appropriate level of security, the size or the balance sheet of the company, as well as the nature of the data controller’s business and the nature of the personal data protected should be considered.
  • Administrative institutions have a certain degree of discretion in determining which measure to apply in order to ensure data security. However, their discretion as to the necessity of the chosen measure is not unlimited. The Constitutional Court may conclude that the interference is not necessary if the preferred measure significantly aggravates the interference relative to the purpose to be achieved.

2. Summary of the Case Subject to the Decision

  • The applicant issued a press release on 30/11/2018 regarding the data breach caused by unauthorized third-party access to its database and gave advice on how data subjects could protect themselves from its consequences. The applicant also sent e-mails to the guests affected by the data breach.
  • On 3/12/2018, the applicant submitted a data breach notification to the Personal Data Protection Board regarding the data breach, which also concerned Turkish citizens. In this notification and in its subsequent response to the Board’s request for information, the applicant company stated, in summary, that:
    • the data of 500 million customers were copied in the data breach,
    • the network of the company where the database is kept had been subject to unauthorized access since July 2014, and the unauthorized access to the guest database was detected on 8/9/2018,
    • the personal data of approximately 327 million out of 500 million customers were stolen,
    • the data affected by the breach include name/surname, postal address, telephone number, date of birth, gender, passport number, accommodation company account details, hotel details, check-in and check-out details, payment card numbers and payment card expiry dates, booking date and contact preferences,
    • there are approximately 383 million customer records, of which approximately 1.24 million indicate Turkey as the region/country address; this does not mean that 383 million separate customers or 1.24 million Turkish customers are involved, as there are often multiple records for the same customer,
    • deduplication of the stolen data could not easily be carried out in view of the nature and size of the data, and the information that the examination could reveal was limited given the attacker’s competence in this field and the time elapsed,
    • the acquired accommodation company should be recognized as the data controller.

On 16/5/2019, the Board decided to impose an administrative fine of 1,450,000 TRY in total: 1,100,000 TRY for failing to take the necessary technical and administrative measures to ensure data security under paragraph (1) of Article 12 of the Law, and 350,000 TRY for failing to comply with the obligation to notify the breach as soon as possible under paragraph (5) of Article 12 of the Law. This decision was notified on 12/7/2019 to the applicant’s indirect subsidiary, which operates the applicant’s hotels in Turkey, with the applicant as the addressee.

In its petition of objection against the administrative fine, the applicant stated that:

  • The accommodation company where the data breach occurred should be accepted as the data controller; the applicant is not the addressee of the administrative fine, and the fine therefore violates the individuality of penalties,
  • The application of the Law, which entered into force after the date of the act, to the act alleged to be a misdemeanour is contrary to the principle that laws do not apply retroactively,
  • The Board’s decision on the administrative fine was not duly notified and did not contain sufficient justification, and the court of first instance rejected the objection without conducting the necessary examination,
  • The reply petition was not served,
  • All technical and administrative measures were taken; the breach was detected and notified within a short period; the Law sets no time limit in this respect, and the failure of the courts of first instance to observe this point is contrary to the principle of legality in crime and punishment; and imposing the administrative fine at the upper limit is disproportionate and violates the right to property.

3. Evaluation

The Constitutional Court considered the following points in its assessment:

  • In the present case, it is clear that imposing an administrative fine on the applicant for not taking the necessary technical and administrative measures to ensure data security within the scope of the Law, and for not reporting the data security breach as soon as possible, constitutes an interference with the right to property. The interference aims to prevent violations of the regulations on the protection of personal data. Given that purpose, the interference should be examined under the rule on controlling the use of property in the public interest.
  • In order for the interference with the right to property to be in compliance with the Constitution, the interference must be based on the law, have a public interest purpose and observe the principle of proportionality.
  • Article 13 of the Constitution adopts the fundamental principle that rights and freedoms can only be restricted by law. Accordingly, the primary criterion to be taken into consideration in interventions to the right to property is that the intervention is based on the law.
  • The administrative fine subject to the application was imposed on the basis of paragraphs (1) and (5) of Article 12 of the Law. Although the applicant claims that the Law sets no time limit for detecting and notifying a data breach, and that the interference therefore has no legal basis, it is appropriate to assess this claim under the heading of “Proportionality”.
  • According to Articles 13 and 35 of the Constitution, the right to property can only be restricted for public interest. The concept of public interest effectively protects the right to property by enabling the restriction of the right to property in cases where the public interest requires it. It also serves as a limiting measure by stipulating that the right to property cannot be restricted except for the purpose of public interest and by establishing a limit in this sense. It is clear that imposing obligations on data controllers for the protection of data security and imposing sanctions in case of violation of these obligations are intended to ensure public interest.
  • The principle of proportionality in Article 13 of the Constitution consists of three sub-principles: suitability, necessity and proportionality. In order for the interference with the right to property to comply with the Constitution, it must be necessary as well as suitable for the purpose.
  • It should be emphasized that the protection of personal data and the protection of data security are quite different from each other. While the protection of personal data mainly refers to the protection of fundamental rights and freedoms during the processing of personal data and the legal limits for the processing of data, the protection of data security refers to the technical and administrative measures to be taken to protect the data itself.
  • According to the Law, it is obligatory to ensure the appropriate level of security in order to prevent unlawful processing of personal data and unlawful access to personal data and to ensure the protection of personal data. While evaluating the appropriate level of security, the risks caused by the processing activity, especially the accidental or improper destruction, loss, alteration, unauthorized disclosure or access to the personal data transmitted, stored or processed, are taken into consideration. In determining the appropriate level of security, the size or balance sheet of the company is important, as well as the nature of the data controller’s business and the nature of the personal data protected.
  • Before the criminal court of peace, the applicant argued that the Board’s decision was made in breach of procedure and lacked the legally necessary and sufficient justification; that the administrative fine was not applicable in terms of time; that the applicant was not the addressee of the fine, so the fine was contrary to the individuality of penalties; that it fulfilled the notification obligation within a short time; that the uncertainty in the legislation regarding the time period was interpreted against it, the Law contains no determination of a time period, and the Board’s decisions on the time period postdate the concrete event and therefore cannot be applied to it; that fault-based liability is essential in the protection of personal data, so imposing a fine despite all measures having been taken and there being no fault is unlawful; and that the administrative fine is contrary to the principles of proportionality and equality when compared with other events subject to fines.
  • These allegations are clearly important, affect the entire judicial process and had to be addressed. The criminal court of peace made no assessment of these objections. For this reason, the Constitutional Court concluded that the procedural safeguards for the protection of the right to property were not fulfilled in the present case and that the applicant’s right to property was violated.

You can find the full text (in Turkish) of the Constitutional Court decision below:

https://kararlarbilgibankasi.anayasa.gov.tr/BB/2020/7518

Batuhan Şahmay
Partner | [email protected]
Naz Ergörün
Associate | [email protected]
Behiç Ateş Gülenç
Associate | [email protected]