Turkey: Two-Minute Recap Of Recent Developments In Turkish Personal Data Protection Law – August 2021

In August 2021, the Turkish Personal Data Protection Board (the "Board") published a total of twenty decisions and announced seven data breach notifications. The Board clearly continued its focus on data breaches, as all but one of its decisions announced during August relate to data breaches.

The Board also announced that the First International Personal Data Protection Congress on "Developments in the World and Turkey" will be held on 12-14 November 2021. You can access detailed information about the congress, which will be held online in Turkish and English, here (in Turkish only).

The Board penalises a game company

In August, the Board published a decision regarding a data breach of a computer game company. As a result, the Board imposed a total fine of TRL 130,000 (approximately EUR 13,237) on the Game Company-TRL 100,000 (approximately EUR 10,183) for failure to take the necessary technical and organisational measures to ensure data security, and TRL 30,000 (approximately EUR 3,054) for failure to fulfil the obligation to notify the Board within 72 hours.

In its defence, the Game Company stated that during a routine security control it discovered that a folder containing source code and data files had been uploaded to a website without authorisation by a former web developer employee, immediately after the individual's employment relation had been terminated by the Game Company.

In its decision the Board ruled that the former employee's ability to transfer personal data to a portable storage device and upload it to a website is an indication of a "security vulnerability". Further, as it took the Game Company nearly two years after the incident to identify the data breach, the Board concluded that the Game Company did not regularly carry out security controls, and thus the technical and organisational measures taken by the data controller were inadequate. In its decision, the Board also highlighted that data controllers are obliged to make adopt all employees the principle of "everything which is not forbidden is allowed".

Requests of Turkish citizens to stop the transfer of their personal data abroad are denied

The Board also made a public announcement in August concerning the numerous requests it has received from Turkish citizens residing outside of Turkey to prevent the transfer of their personal data to institutions and organisations in other countries, especially EU member countries.

In its announcement, the Board rejects these requests and states that data subjects must make an application to data controllers regarding their rights as the first step.. After the first procedural requirement, if a data subject does not provide a response within 30 days or if the response does not satisfy the data subject, the data subject has the right to apply to the Board.

The Board also stated that the competent authority in this area is the Revenue Administration, which is affiliated to the Ministry of Treasury and Finance, in terms of the implementation of the provisions of the "Multilateral Competent Authority Agreement on the Automatic Exchange of Financial Account Information" in Turkey. In this respect, the application under the above-mentioned Agreement must be submitted to the competent authority. From the date of its public announcement, the Board has not assessed any application or provided any further response in this regard.

The Board announced the following data breach notifications in August

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.