The most important development in Turkish data protection law in February was the announcement dated 9 February 2021 in which the Turkish Data Protection Board (the "Board") published its first example of approving a transfer of personal data abroad. The Board approved the transfer of personal data abroad by a Turkish fleet company based on a letter of undertaking submitted by that company. Our detailed analysis of the decision is here.
Turkish Constitutional Court decides on employee personal data
The Turkish Constitutional Court published on 5 February 2021 its decision on the rights of employees regarding their personal data stored on corporate communication systems. An employee working in a private bank made an individual application to the Constitutional Court and alleged that the employer had violated his right to protection of personal data by inspecting the contents of his corporate e-mail account and did not provide information about or request consent for such an inspection.
The Constitutional Court decided that there was no violation and that an employer may conduct an audit of an employee's communication tools as part of its management right, provided that the employer had previously informed the employee that such an audit may take place.
In this case, information regarding the inspection of communication tools was included in the employment agreement. Accordingly, the Constitutional Court concluded that this is enough to fulfil the obligation to pre-inform and that the employee had given his consent by signing the employment agreement.
Additionally, the Constitutional Court ruled in similar decisions that the following conditions must exist for the employer to be legally allowed to inspect the communication tools and equipment provided to an employee:
- the employer should have a legitimate interest for such an inspection;
- the employer should provide information such as the storage period of data, justifications for the processing of personal data, and the data subject's right to employee data in advance of the inspection. If such information has been explicitly provided to the employee, the employer cannot be expected to obtain a specific consent from the employee before the inspection;
- the inspection shall be adequate and necessary to achieve and proportional with the purpose;
- the employer is unable to fulfil the intended purpose through lesser intervention.
The Board clarifies the distinction between data controller and data processor
The Board published twelve decisions on 12 February 2021.. In one of the most important decisions, the Board further clarifies the distinction between a data controller and data processor. While doing so, the Board expressly referred to EU laws,1 which is a growing trend for the Board in its decisions. Our detailed analysis of the decision is here.
In brief, a data processor is the party that takes care of the interests of the data controller and is obliged to fulfil certain assigned duties with instructions, and its processing activities are more related to the technical parts of data processing. A data controller has the power to take decisions regarding the processing of personal data and to entrust a data processor with the authority to decide on certain issues within a personal data processing agreement. A data controller is also entitled to choose whether the obligation to inform will be fulfilled by the data controller or by another party authorised by the data controller.
The Board announced the following data breach notifications in February
In February, the Board announced only one data breach notification, made by So CHIC Mağazacılık San. ve Tic. AŞ (the "Company") on 31 January 2021. The Company determined the breach following a letter from the Information Technology and Communication Authority, which stated that the information of the Company was being sold in a forum by attackers. A total of 4792 data subjects were affected by the violation.
1 The Board expressly referred to the Opinion 1/2010 on the Concepts of "Controller" and "Processor", published by the Article 29 Data Protection Working Party" ( https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf) and "Guidelines on the Concepts of Controller, Processor and Joint Controllership Under Regulation (EU) 2018/1725", published by the European Data Protection Supervisor ( https://edps.europa.eu/sites/default/files/publication/19-11-07_edps_guidelines_on_controller_processor_and_jc_reg_2018_1725_en.pdf)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.