Turkey: The Personal Data Protection Board Has Published 40 New Decisions

The Personal Data Protection Board ("Board") published 40 new decisions on its official website on 24 April 2023.

The published decisions are generally categorized in the following issues; please find the decision reviews that should be considered as remarkable in our article following.

• Failure to fulfil the obligation to inform,
• Violation of the general processing principles,
• Breach of personal data processing conditions,
• Destruction of personal data, and
• Unlawful processing of personal data via cookies.

Decision No. 2022/107: Within the Decision, commercial messages were sent by the data controller to data subject's the mobile phone. As per the Board, it was referred that a commercial electronic message must be sent in accordance with the legislation on sending commercial electronic messages, as well as within the scope of a data processing condition pursuant to article 5 of the Personal Data Protection Law No. 6698 ("DP Law"). Although it was stated by the data controller that the data subject has been registered to the Message Management System ("IYS"), it has not been determined that the data subject has a relationship with the data controller or that the data subject's explicit consent has been obtained for the processing of his/her personal data. The Board has decided to impose an administrative fine of TRY 75.000 to the data controller.

Decision No. 2022/386: The data subject applied to the data controller with the request to delete the post on the social media account of the data controller by his former employer with the content "... We apologize for the inconvenience caused to you by ....., who was dismissed due to irregularities ...". The data controller stated that the data subject had aimed at damaging the commercial reputation of the companies and that the social media post was shared to inform the customers and prevent them from any damage. The Board concluded that the data processing activity caused to violation of the principle of proportionality due to the lack of a reasonable balance between the data processing and the purpose to be achieved pursuant to Article 4 of the DP Law, since the announcement, including the data subject's name and surname and the accusations, were published on the company's social media corporate account, which is accessible not only to the company's customers but also to everyone. The Board imposed an administrative fine of TRY 30.000 due to the unlawful data processing activity.

Decision No. 2022/630: The data subject made a complaint due to the taking of his/her photographs during rhinoplasty surgery by the doctor working at the hospital as a data controller, and these photos were shared on the social media account of the doctor without obtaining her/his explicit consent. The Board concluded that the party to, which the data subject gave explicit consent within the data processing activity, was the hospital as a data controller and the data subject did not give explicit consent to doctor for the sharing of the photographs. However, the Board imposed an administrative fine of TRY 100.000 on the hospital as data controller since the data controller hospital did not take the necessary administrative and technical measures to prevent the sharing of the photographs of the data subject on the social media account of the doctor, even though the hospital was aware that the doctor shared the photographs of the data subject on the social media account. Also, the Board informed the data subject that these issues might be brought to a judicial remedy against the doctor within the scope of the Turkish Penal Code.

Decision No. 2022/653: The data subject has requested the credit card information entered into the app and the contact information provided for the order delivery regarding the shopping he/she made through the online shopping platform offered by the company as a data controller. However, the data controller stated that although such orders were made on the data subject's membership account, another person's data other than the data subject was shared; the data subject's request has been rejected since the orders belonged to third parties and the data controller did not process credit card information. The Board determined that the cardholder data was stored in the systems of the intermediary company, which is a mobile payment technology provider; therefore, the card information was not processed within the data controller. Besides, the Board referred to the principles of the European Data Protection Board's "Guideline No. 01/2022 on the data subject rights – Right of access" and stated that it is recommended not to grant the right of access to the data subject as long as the rights and freedoms of the other person are adversely affected and prevail over the right of access to personal data. As a result, the Board concluded that the data controller could not provide the telephone number to the data subject within the scope of the right of access to personal data since it is not the data subject's personal data. However, the Board has instructed the data controller to provide the phone number notified in order to deliver orders from the data subject's account to the data subject through the identity verification system.

Decision No. 2022/776: A self-employed entrepreneur sent a promotional brochure for a product belonging to a marketing company to an 8-year-old child (the data subject) by letter. The marketing company stated that there is a contractual relationship between the self-employed entrepreneur and the company, which provides to buy and sell the company's products, that the entrepreneur acts as an independent business owner/self-entrepreneur, and that the company has not given any instruction to the self-entrepreneur to send brochures. The self-employed entrepreneur stated that the parent of the data subject, who shared his address and contact information with him through the e-commerce website, made an order using the name of the data subject, although the parents provided his address and telephone, and that this brochure was sent to him within the order. The Board concluded that the marketing company was not involved in the personal data processing activity, and sending the brochure not with the order specified in the invoice to the data subject for promotional purposes was carried out without relying on any of the data processing conditions under the DP Law. As a result of the Board's assessment, the Board decided to impose an administrative fine of TRY 30.000 on the self-employed entrepreneur as a data controller.

Decision No. 2022/1358: The data subject made a complaint since a gaming platform did not fulfil the obligation to inform regarding data processing via cookies and obtain explicit consent for using of non-essential cookies. As a result of the Board's assessment, it was determined that data controller failed the obligation to inform about a large number of cookies were used on the website and not obtained explicit consent for using non-essential cookies which are tracking user movements for purposes such as advertising or statistics. The Board imposed an administrative fine of TRY 300.000.

You can access all the decisions published on 24 April 2023 in Turkish through this link.

Information first published in the MA | Gazette, a fortnightly legal update newsletter produced by Moroglu Arseven.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.