The Turkish Data Protection Board ("Board") has recently published quite a number of decisions. Among those, some are important for certain matters of public interest and may constitute precedents for future cases. We have summarized such decisions below, along with explanations as to their significance.

Decision Regarding Factors to Be Considered In Determining the Parties' Roles as Data Processor and Data Controller, and Allocation of the Duty to Inform [1]

This decision is significant because it sets out illustrative criteria for allocating and identifying the roles of data processor and data controller in any given data processing activity. In the decision, the Board clarified that while the duty to inform rests with the data controller as a general rule, the data controller may authorize third parties to fulfill this duty, and as such, the data processor may be authorized to fulfill the data controller's duty to inform. The Board stated that the parties can make an agreement to circumscribe the extent of such duty, and allocate obligations thereunder.

The Board noted, however, that if such authorization is given by the data controller to the data processor, the data processor's authority is limited to the authority given by the data controller. The Board also held that the data controller will be held jointly liable with such party in case of any breach.

Those who carry out and determine (most of) the following criteria will be considered as data controllers:

  • The collection of personal data and the collection method,
  • The types of personal data to be collected,
  • Which individuals' personal data will be collected,
  • Deciding on the processing of personal data and who will process it,
  • Deciding on the basic elements of the processing (for example, which personal data will be collected, for what purposes the collected data will be used and how it will be processed, how long the data will be retained, what the data retention policy will be, who will be authorized to access the data, who will be the recipients, etc.),
  • Whether the collected data will be shared, and if so, with whom,
  • Being able to make decisions at a high level in the processing of personal data without taking any orders or instructions,
  • Dealing directly with the data subjects,
  • Appointment of a data processor to carry out data processing on their behalf,
  • Taking advantage of the processing activity.

The data controller may, through a data processing agreement, appoint a data processor who is authorized with respect to the following:

  • Which IT systems or other methods will be used for collection of personal data,
  • Which method will be used to retain the personal data,
  • Details of the security measures that can be implemented for protection of personal data,
  • Which method will be used to transfer the data,
  • Method for correctly operating personal data retention periods,
  • Methods for deletion, destruction, or anonymization of personal data.

Those who carry out most of the following criteria are to be considered as data processors:

  • Taking instructions from another,
  • Not having the authority to make decisions in collection of personal data from individuals,
  • Not having the authority to decide how the data can be disclosed or who can access such data,
  • Not having the authority to decide on the data retention process,
  • Not having liability for the consequences of data processing,
  • Whether there are any decision-making mechanisms regarding data processing within the scope of authorities granted by the data controller under legally binding agreements, such as those executed with a data controller.

Decision Regarding the Right to be Forgotten [2]

The complainant's case referred to a news item regarding alleged misconduct in the recruitment of their relative to the University where the complainant was employed. This particular recruitment, comprising an exam and interview process, had been the subject of an internal investigation where no irregularity was discovered. Thereafter, the complainant requested that the news regarding the investigation be removed from the relevant search engine. The complaint came before the Data Protection Board upon the relevant search engine deciding not to take action.

In its decision, which is one of the few Board decisions regarding the right to be forgotten, the Board analyzed the complainant's claims in accordance with the right to be forgotten standards set forth in its decision with number 2020/481 [3], and held that the search engine's decision of not taking action was in accordance with Law No. 6698 on Personal Data Protection ("DPL").

In its assessment, the Board noted that (i) the information provided by the complainant regarding the foregoing incident was accurate and that the complainant was still working at the same public university, (ii) the news contents did not include special categories of personal data, (iii) the incidents dated back to 2020 and are therefore considered current, (iv) the contents did not pose any risk for the complainant and could be considered within the scope of journalism activities, (v) while conceivably the contents could cause prejudice against the complainant, that is not provable, (vi) there is no legal obligation in publishing of the contents, (vii) the individuals themselves did not publish the contents, and (viii) the contents do not relate to a criminal offence. In light of the foregoing, the Board concluded that the search engine's decision not to remove the contents was in accordance with the relevant criteria published by the Board's decision numbered 2020/481, and that there was no need to take action regarding the complaint, in terms of the DPL.

Decision on Making Explicit Consent a Precondition for Providing Services

In this case, the complainant argued that setting explicit consent as a precondition for the renewal of his healthcare insurance policy was in violation of the DPL.

The Board rejected the complainant's claims. In its decision, the Board held that renewal of a healthcare insurance policy consisted of processing of special categories of data, therefore explicit consent was required per Article 6/3 of the DPL. The decision is noteworthy, because although explicit consent cannot be asked as a precondition for service, this decision may indicate that, where the health data (or any special categories of data) is mandatory to provide the relevant service, explicit consent may be requested from the data subject, as a precondition.

Decision Regarding Collection of Employees' Fingerprints for Supervising Employee Shifts [4]

The Board conducted an investigation upon a civil servant's complaint regarding a public institution's implementation of fingerprinting method for supervising employee shifts. The public institution, in its defense, stated that fingerprints became mere templates and were neither matched with any other identified data, nor copied elsewhere.

In the decision, the Board held in favor of the civil servant, and ruled that the fingerprinting method was in violation of the general principles set forth under Article 4 of the DPL, namely, the requirement that the personal data collected be proportional and related to the purpose for which it is collected. The Board noted that the availability and feasibility of less invasive methods for accomplishing the end result i.e., tracking the employee shifts, was a deciding factor in considering whether the proportionality requirement was met.

Decision Regarding Destruction of Special Categories of Personal Data [5]

The complainant claimed that negligent deterioration and subsequent destruction of blood, serum and tissue samples obtained for scientific research constitutes a violation of obligations regarding data security under Article 12 of the DPL.

In its defense, the data controller hospital argued that the samples had deteriorated and become unusable, and that they had been destroyed according to the procedures in place.

The Board decided that the collection of blood, serum and tissue samples with barcodes makes it possible to match these samples with the patients, which constitutes a personal data processing activity. However, the Board further stated that this processing activity falls outside the scope of the DPL, as it is pursued for a scientific purpose, which is regulated under Article 28 of the DPL as one of the exceptions.

Decision Regarding the Transfer of Data in Publicly Available Trade Registry Records [6]

The Board discussed the issue of whether the sharing of personal data with government entities and agencies upon their request is considered "processing of personal data" as per the DPL.

The Board held that since trade registry records contain shareholders' or merchants' names, addresses or other relevant information, the registration activity carried out by the registry is a personal data processing activity. Therefore, the Board reasoned that even though everyone can access and examine the trade registry, processing of the said personal data is not exempted from the data protection legislation. The Board also noted that sharing of personal data held by the trade registries with public institutions and organizations must be carried out in compliance with Article 8 of the DPL.

Furthermore, the Board cited Article 44 of the Population Services Law No. 5490, ("PSL") and underlined that since PSL is a specific regulation with respect to the sharing of these data, requesting the identity and address data from the trade registries (instead of the Population and Citizenship Department) would be in violation of the PSL. It appears that by identity and address data, the Board refers to full identity (including ID number) and full address (not limited to city and county) information since the Board also notes that the Trade Registry Gazette masks the ID numbers and redacts the residency information of real persons by only including city and county.

In conclusion, the Board stated that, (i) the registration activity carried out by the trade registry is a personal data processing activity, (ii) public accessibility of trade registry records will not make the personal data processing exempt from DPL, (iii) sharing of any data from the registry to public institutions and organizations must be carried out within the scope of Article 8 of DPL regarding transfer of personal data, (iv) the processing of public personal data should be in line with the purpose of public access, (v) the requested personal data must be obtained from those authorities that are authorized by their specific regulations and (vi) in all processing activities, the obligation to take all technical and administrative measures related to data security and the principle of "being relevant, limited and proportionate to the purposes for which they are processed" in Article 4 of DPL, must be particularly taken into consideration.

Decision Regarding an Employee Obtaining Personal Data Belonging to the Employer's Customer [7]

The decision is regarding an employee who, while working in the data controller airline company, obtains the personal data of the data subject customer from the company records, which is in violation of the DPL.

In its defense, data controller responded to the data subject's request by stating that; (i) the employee who obtained the personal data is authorized to access passenger information as required by his/her duty, and the necessary sanctions are imposed as a result of the examination as to information access log records of the employee, (ii) the content of the conversations between the two individuals that are the subject of the complaint could not be determined, (iii) as a result of the evaluations, additional measures have been taken to prevent the viewing of the personal data of the data subject for security purposes by adding extra controls, and the personal data of the data subject are stored with statutory technical and organizational measures in place.

The Board decided that the necessary technical and organizational measures for providing an appropriate level of security as per Article 12 of the DPL had not been taken, because there is no restriction on access to personal data by the data controller and the training provided to employees is insufficient, and thus imposed an administrative fine in the amount of 100,000 Turkish Liras on the data controller company.

The important point in this decision is that the data controller had provided training to employees, yet the Board still found it insufficient, as the training before the incident was infrequent. Moreover, although the data controller had been keeping log records of events, the Board found this insufficient, as the log records should make it possible to observe unusual activities, and it is imperative to identify unlawful access and processing of personal data through analysis of those records.

Decision Regarding Unlawful Publication of Data Subjects' Personal Data Through Online Journals [8]

According to the complaint, the data controller had published news that were claimed to be groundless and false, upon which, the data subject had sent an official warning to the data controller, through the notary, for retraction of the subject news item. Following this warning however, the newspaper data controller had published a full copy of the notice letter, including the personal details of the notifying party, as another news item.

The Board indicated that in case a publication violates a person's honor and dignity or promotes false news about them, then Article 14 of the Press Law makes it mandatory for the editorial manager to publish any retraction or response letter (which does not breach the safeguarded interests of third parties or have any criminal element in content) as is, in the same fonts without making any edits and additions, latest within three days in daily publications, or in the next edition after the three days from receipt in case of other publications; however, the data controller still has the obligation to comply with the principles under the DPL including "being relevant, limited and proportionate to the purposes for which the personal data are processed" as per Article 4.

The Board has concluded that publishing the relevant warning letter by the data controller is in accordance with DPL, as per the provision of "It is necessary for compliance with a legal obligation to which the data controller is subject to" in the clause (ç) of paragraph 2 of Article 5 of DPL. However, the publication of the personal data section of the letter, despite being removed from the website later on, violated the principles under Article 4.

Therefore, the Board decided that as per the provision of sub-clause (b) of the first paragraph of Article 18 of DPL, the data controller had not taken all the necessary technical and organizational measures and failed to fulfil the obligation stipulated in sub-clause (a) of paragraph (1) of Article 12 of DPL, and to impose an administrative fine of 55,000 Turkish Liras on the data controller in accordance with DPL.

This decision is significant due to the conflict of the mandatory rules under the DPL and the Press Law; since the Press Law required broadcasting of the retraction letter as is. However, the Board evaluated the necessity of compliance with the principles of the DPL. This decision demonstrates that the Board considers DPL as a framework and expects application of DPL principles in other fields of law, whenever possible.

Decision Regarding the Use of Data Subject's Credit Card Information by the Data Controller Car Rental Agency without Permission [9]

The decision was issued upon a complaint received by the DPA, where the complainant's credit card was used without his consent by the data controller car rental company.

The data controller indicated in its defense that, according to the terms of the rental agreement, the data controller has the right to use any of the credit cards provided by the customer in previous rental agreements, if the credit card provided for that transaction cannot be charged. The data controller based the processing on the grounds of Article 5/2/c "Processing of personal data of the parties of a contract is deemed necessary, provided that it is directly related to the establishment or performance of the contract" and Article 5/2/f "Processing of data is deemed necessary for the legitimate interests pursued by the data controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject" of the DPL.

The Board stated that unfair terms in consumer agreements are invalid according to the Regulation on Unfair Conditions in Consumer Contracts, and in this case the clause allowing the agency to collect payment from another credit card that was provided in previous rental agreements constitutes an unfair term and will be considered as invalid. The Board indicated that since the processing activity is based on an unfair term in the rental agreement and the situation had an adverse result beyond the person's reasonable expectation, this processing activity violates the principles of "lawfulness and fairness" and "being relevant, limited and proportionate to the purposes for which they are processed."

The Board decided that the data controller's processing activities cannot be based on any of the processing conditions in Article 5, that they violate the principles in Article 4 and breach Article 12 of the DPL for not fulfilling its obligations regarding data security, and therefore imposed a fine of 75,000 Turkish Liras on the data controller.

The decision is significant as the Board made an assessment within the scope of another field of law and legislation (i.e., consumer law and secondary legislation) and such assessment constitutes an essential part of its decision.

Decision Regarding Data Controller Employer Failing to Provide the Data Subject Former Employee a Copy of their Personnel File on Request [10]

The data subject complainant was a former employee who requested his employer to provide a copy of his personnel file; and applied to the DPA when he received no response.

The cargo company, as data controller, stated in its defense that; (i) the employee requested a copy of his defense statement, letter of resignation which is allegedly forced to be signed by the employee, and the other letter of resignation submitted by the employee to the employee's personnel file, (ii) the request of the documents submitted to the personnel file by the employee is not a right regulated under the Article 11 of the DPL, nor is it applicable for requesting document copies, (iii) the requested copy documents are not processed "completely or partially automatically or by non-automatic means provided that they are part of any data recording system" as regulated by DPL, (iv) the employee does not actually intend to use his "right of access to information," but to obtain evidence for his claims regarding the payment of his statutory severance and notice payments and other employment receivables, and (v) no one can be compelled to testify or give evidence to incriminate himself, and therefore, the company exercises its right to remain silent, as per Article 38/5 of the Constitution of the Republic of Turkey ("Turkish Constitution").

The Board in its decision evaluated that (i) the defense statement and the letters of resignation contain personal information which makes the relevant person definite or identifiable, thus the documents are accepted as personal data, (ii) according to Article 20/3 of the Turkish Constitution, the person has the right to be informed and access the information, and according to Article 11(b) of DPL, the data subjects have the right to request information if their personal data is processed, (iii) the right to remain silent is a fundamental human right that is applicable to real persons.

The Board, considering that the data controller had not responded to the request within 30 days on the grounds that the request concerned the receipt of copies of certain documents, which is not a right within the scope of DPL, hence cannot be met within the scope of Article 11 of DPL, decided to instruct the data controller within the scope of paragraph (5) of Article 15 of DPL to submit the copy of the requested documents containing the personal data of the data subject, and to show the utmost attention and care to respond to the applications made by relevant persons within the legal period.

This decision is important in several points: (i) The Board has acknowledged the right of access even when it is not specifically indicated as a right under the DPL, on the grounds that it is identified as a right under the Constitution, (ii) the Board appears to acknowledge the grounds of the data controller and even though the request does not appear to be strictly complying with data subject request requirements in the legislation, the Board still decided that it should be met. However, considering all this, the Board appears to have decided to instruct the data controller instead of imposing an administrative fine. This demonstrates that the Board does not expect a strict compliance of procedural requirements under the Communiqué on the Principles and Procedures for the Request to Data Controller for data subject requests to be considered applicable.

Decision Regarding Removal Request of a News Article from a Newspaper's Website [11]

The decision is about the request of removal for a news article on a newspaper's website. The attorney for the data subject requested the DPA to decide for the ceasing of the unlawful behaviour of the parties who breached personal and sensitive personal data, and imposition of administrative fines to the relevant institutions as per the DPL, the ceasing of the processing and the transfer of data abroad, and the submission of a criminal complaint to the Public Prosecutor's Office about the relevant institutions.

In its defense, the newspaper as the data controller, argued that the subparagraph (c) of the "Exceptions" titled Article 28/1 of DPL clearly regulates that the processing of personal data within the scope of "freedom of expression," and provides a legal ground for "compliance with laws." The newspaper stated that receiving and providing news are considered as a part of the freedom of expression and are directly protected by the Constitution of the Republic of Turkey, and thus the article subject to the complaint should be evaluated within the scope of freedom of expression. Further, the newspaper stated that each removal request is evaluated within the scope of public interest, and the incident subject to the complaint was investigated by an impartial court, and ultimately the verdict of conviction was announced to public, therefore there is no disclosure of confidential information by the parties, and all the information mentioned in the news is finalized with the decision of the judicial authorities. The newspaper also emphasized that if the content is removed on the grounds that a certain time has passed, eventually the archives of the media organizations would completely dissolve, also erasing any social memory which is important for public order. The newspaper further pointed out the option of obtaining a court decision for banning access to the contents within the scope of DPL No. 5651.

The Board emphasized the importance of determination on which right should be given supremacy by evaluating them within the scope of the following criteria a) public interest and benefit, b) factual and up-to-date information, c) balance between essence and form.

While evaluating whether the content is considered to be within the public interest, the Board found it appropriate to evaluate whether the news serves the unnecessary curiosity of the people or the protection of high moral and legal values and in this sense, stated that there is a public interest in the explanation of the events that arouse social interest, encourage the public to think and debate, and serve to enlighten a certain problem and show solutions to it. The Board provided an example on the matter: it is considered that there is a public interest in publicizing and criticizing illegal practices, bribery and corruption, on the other hand, stated that a narrower interpretation of restrictions on freedom of the press would be appropriate in terms of reporting on politicians and public officials within the scope of public interest and benefit criteria.

The Board concluded that although the news subject to the complaint is about a citizen who is not publicly recognised, there is mutual public interest and benefit disseminating the news since it is about the perpetrators of human trafficking, which can be considered in the same vein as the disclosure of illegal practices, bribery and public corruption to the public.

While evaluating whether the content includes factual information, the Board noted that being factual did not mean the exact nature of events, but how the events had played out at the time the news was published. The evaluation on news being up-to-date should be based on the principle of having the public interest on the dates when the specific event is announced. Since the right to inform cannot be applicable for publishing an event that has expired and no longer has public interest in its disclosure, the personal right should prevail in such cases. In order to be deemed lawful, a news item which brings up a past event should be of public interest.

The Board concluded that the incident subject to the news has been proven by the decision of a court, and furthermore, within the scope of evaluating the criterion of the news being up-to-date, it has decided that the relevant news remains current at this date and therefore that the public interest in receiving this news continues.

While evaluating the balance between essence and form, the Board found it appropriate that the language, wording, and pictures used in the news should have the necessary coverage as required by the way the news is provided, and there should not be unnecessary, irrelevant and unfavourable statements and comments in the news.

The Board concluded that, in the news subject to the complaint, in terms of the balance criterion between form and essence, the language, expression and pictures used were within the range by the way the news is provided; and unnecessary, irrelevant and unfavourable statements and evaluations had not been included in the news report.

Consequently, the Board concluded that there is already a public interest in the publication of the data pertaining to data subject and the subject of the news in question, and that freedom of expression prevails over personal rights in case of conflicting rights. Therefore, the news report was found to be within the scope of the exemption under Article 28/1(c) of DPL.

Decision Regarding the Request of the Data Subject for the Removal of Special Categories of Personal Data, Such as Records of Criminal Conviction and Security Measures from the Employee's Personal File [12]

The Board stated in its decision that, the relevant security clearance document that the complainant wanted removed dated back to 2013 and at that time Law No. 4045 on Security Investigations, Reinstatement of the Rights of Public Personnel Dismissed from and Not Allowed to Public Service, and Amendments to the Martial Law No. 1402 had been in force. Furthermore, the Board concluded that criminal record which is considered to be sufficient while investigating whether the employee meets the requirements of Law No. 657 on Civil Servants was not included in the response of the data subject and its attachments, thus it is understood that the relevant court orders were provided without provision of the criminal record and this provision was within the knowledge and/or consent of the data subject. Most importantly, the Board stated that the implementation by the data controller took place before the effective date of DPL and cannot be deemed to be contrary to the legislation in force at the time of the implementation.

In conclusion, the Board indicated that the personal data subject to the complaint is within special categories of personal data and the data subject does not have the explicit consent with regards to the inclusion of the relevant court orders in his/her/their personal file; however, since it is concluded that the "legality" factor regarding the processing of personal data in terms of DPL should be considered as the "material law" expressed in the doctrine, according to the opinion received from Office of Civil Employees and per Communiqué on Civil Servants with Serial No. 2, it has been decided that in terms of legislation, it is not necessary to remove the said court orders from the personal file.

Decision on the Failure to Submit Transcripts of Call Center Records of a Data Subject by an Airline Company as the Data Controller [13]

The data subject requested the transcript of voice recordings in accordance with the paragraph (d) of the Article 3 of DPL and his/her/their request was rejected by the data controller on the grounds that the submission of the relevant voice recordings is only possible if they are requested by legal authorities as per company procedures.

The data controller stated in its defense that, in accordance with the Board's decision of January 14, 2020 with number 2020/13, they have contacted the data subject again and shared the transcript of voice recordings by applying the necessary masking measures and furthermore, the relevant departments were informed to handle similar lawful requests with this approach.

In its decision, the Board referred to Article 11 of the DPL which also stipulates that everyone has the right to apply to the data controller to request relevant information if personal data related to him/her/them have been processed and noted that this right includes right to access. However, the Board underlined that this right does not mean direct access to the data filing system/medium where the personal data is processed, the delivery of this filing medium itself to the data subject or the acquisition of the data itself; but meant enabling the processed personal data to be reasonably accessed by the data subject to the extent that technical/physical means allow considering the obligations of the data controller regarding data security. Therefore, the Board concluded that no action needs to be taken with respect to the relevant data controller.

This decision confirms the Board's approach that right of access is a data subject right (even though it is not specifically included in the DPL) and it is also important as it includes the Board's opinion as to the scope of the right of access.

This article was first published in Legal Insights Quarterly by ELIG Gürkaynak Attorneys-at-Law in June 2021.

Footnotes

1. See https://kvkk.gov.tr/Icerik/6874/2020-71 (Last accessed on April 7, 2021)

2. See https://kvkk.gov.tr/Icerik/6871/2020-927 (Last accessed on April 7, 2021)

3. See https://www.kvkk.gov.tr/Icerik/6776/2020-481 (Last accessed on April 7, 2021)

4. See https://kvkk.gov.tr/Icerik/6872/2020-915 (Last accessed on April 7, 2021)

5. See https://www.kvkk.gov.tr/Icerik/6876/2019-316 (Last accessed on April 7, 2021)

6. See https://kvkk.gov.tr/Icerik/6895/2020-307 (Last accessed on April 7, 2021)

7. See https://kvkk.gov.tr/Icerik/6886/2020-124 (Last accessed on April 7, 2021)

8. See https://kvkk.gov.tr/Icerik/6888/2020-145 (Last accessed on April 7, 2021)

9. See https://kvkk.gov.tr/Icerik/6889/2020-166 (Last accessed on April 7, 2021)

10. See https://kvkk.gov.tr/Icerik/6916/2020-435 (Last accessed on April 7, 2021)

11. See https://kvkk.gov.tr/Icerik/6915/2020-414 (Last accessed on April 7, 2021)

12. See https://kvkk.gov.tr/Icerik/6912/2020-396 (Last accessed on April 7, 2021)

13. See https://kvkk.gov.tr/Icerik/6932/2020-504 (Last accessed on April 7, 2021)
