Turkey: The Personal Data Protection Board Published Nine New Decision Summaries

The Personal Data Protection Board ("Board") published the following nine new decision summaries on data controllers operating in several industries:

• (i)  Summary of Decision No. 2021/111: Regarding the contact with the relatives of the debtor concerning the debt, the Board decided to impose an administrative fine of TRY 50,000 against the first law firm that processed personal data without any reason for data processing, TRY 115,000 against the company that transferred this data to another law firm without checking its accuracy, and TRY 100,000 against the law firm that contacted them, despite knowing that the data in question belonged to the debtor himself.
• (ii)  Summary of Decision No. 2020/435: The Board decided to instruct the data controller, who refused to submit a copy of the personal data within the scope of the personal data after the unjust termination of the employment contract of the relevant person working in a cargo company, to provide a copy of the relevant documents to the relevant person within the scope of the right to access.
• (iii)  Summary of Decision No. 2020/414: The Board decided that the rejection of the request to remove the news from the website of the person whose sentence was executed, is classified as in compliance with the law, on the grounds that there is a public interest in the publication of the news and that freedom of expression prevails over personal rights in terms of conflicting rights.
• (iv)  Summary of Decision No. 2020/407: The Board decided to impose an administrative fine of TRY 100,000 on the data controller hospital, which transmitted the health data of the relevant person to a third person along with the relevant person via e-mail.
• (v)  Summary of Decision No. 2020/404: The Board imposed a total administrative fine of 250,000 TL on the data controller who did not provide proper disclosure, processed sensitive personal data without a valid consent and transferred the personal data abroad.
• (vi)  Summary of Decision No. 2020/396: The Board decided that the rejection of the request to remove the personal data of the relevant person from the petitioner's personal file regarding criminal convictions and security measures is classified as in compliance with the law.
• Summary of Decision No. 2020/379: The Board imposed an administrative fine of TRY 75,000 on the data controller medical center, who published the visual and audio data of the relevant employee in the "Video Promotion" section for marketing purposes on the website after the termination of employment.
• Summary of Decision No. 2020/336: The Board decided that the university which send the reply petition in form of an official letter to the relevant authority of the university and not to the relevant person himself, to be instructed to respond to the applications of the relevant persons in accordance with the DP Law.
• (ix)  Summary of Decision No. 2020/335: The Board has imposed an administrative fine of TRY 50,000 on the data controller who made express consent car rental services as a condition of and did not provide services to the customer who did not give his express consent.

Information first published in the MA | Gazette, a fortnightly legal update newsletter produced by Moroglu Arseven.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.