The Turkish Data Protection Board ("Board") has recently published summaries of several important decisions on certain matters of public interest, which may constitute precedents for future cases.

Decision on the Failure to Fulfill the Obligation Regarding Processing of Personal Data 2020/7651

The Board recently published a decision summary (2020/765) regarding a bank which failed to follow the instructions given by the Board.

The Board stated in the decision that this bank has not responded the data subject's application within the scope of Article 11 of the Law No. 6698 on Protection of Personal Data ("Law No. 6698") within the 30-day period, and that the privacy notice document at the relevant bank's website is not in accordance with the Communiqué on Procedures and Principles on Fulfilling the Obligation to Inform ("Communique") published by the Board. Upon the data subject's complaint to the Board, Board requested the Bank to revise its privacy notice document in accordance with the Communique and send its defense statement pertaining to the matter. Following the Bank's statement and documents received from the Bank on the matter, the Board decided that the Board's request for revision of the privacy notice had not been fulfilled.

The Board also noted that the same general privacy notice text was used for the consumer loan applications and credit card applications, that these are not specific to the processing activity of the products in question and stated that the privacy notice documents in question violated Article 5/1/h of the Communiqué due to failure to provide details of the personal data processing terms.

Consequently, the Board decided to impose an administrative fine of TRY 120,000 to the Bank for the violation of Article 15/5 of the Law No 6698.

The Principle Decision Regarding Sending Third Party's Personal Data to Data Subjects Contact Channels2

The Board's principle decision3 of December 22, 2020 with number 2020/966 was published in the Official Gazette on January 15, 2021. This decision is with regard to infringements involving third parties' personal data sent to emails or numbers of other persons, due to the data subject providing wrong contact information to data controllers, which may result in which certain correspondence containing personal data being sent to third parties other than the relevant subjects.

The Board stated that according to Article 4 of the Law No. 6698, personal data must only be processed in accordance with the law and other regulations and must follow the principles set forth under Article 4/2. Among these, the principle of keeping personal data accurate and up-to-date where necessary is an important condition for protecting the fundamental rights and freedoms of the data subjects. Therefore, in order to ensure that personal data are kept accurate and, up-to-date where necessary, the sources from which personal data are obtained must be detectable, accurate, kept open for any updates. In order to ensure these, the data controller must take reasonable measures such as sending confirmation request messages to data subject's phone numbers or e-mail addresses for processing.

The Board also stated that data controllers have the obligation to prevent unlawful accessing or processing of personal data, as per Article 12 of the Law No. 6698. Therefore, data controllers have to take all necessary technical and administrative measures to ensure the appropriate level of security.

Consequently, the Board stated that, data controllers should ensure that they implement any necessary measures to prevent sending documents such as bank statements, invoices etc. containing personal data of third parties, via contact channels such as message texts, e-mail address etc. in accordance with the Article 12/1 of the Law No. 6698.

Decision Regarding the Data Breach Notification of a Company Operating in the Health Sector4

The Board recently published a decision summary with number 2020/787 regarding a data breach notification made by a company operating in health sector. In the decision the Board detailed the information and documents shared with the Data Protection Authority ("DPA") by the data controller regarding the data breach, the data controller`s data management processes and security measures in place.

Under its data breach notification the data controller submitted the following information on the breach to the DPA:

  1. the start and end date of the breach,
  2. the reason and the consequences of the breach
  3. the type of personal data subject to the breach,
  4. the number of people affected from the breach,
  5. how soon the data subjects will be notified about the breach in question.

The Board's decision also indicated that the data controller's personnel had participated in periodic security trainings and newly joined personnel also received training during their orientation in accordance with the ISO27001 procedures, and that the data controller submitted all the documents pertaining to these trainings along with the data breach notification. The Board further elaborated on the data controller's technical and administrative measures before and after the data breach, in detail.

By taking into consideration the documents and information received from the data controller, the Board concluded the following:

  1. The data breach was not caused due to the lack of measures on part of the data controller but due to a commonly used application, and that the data controller would have been unable to intervene in this incident,
  2. The data controller noticed the violation in a short time,
  3. Personal data affected by the breach could be easily obtained from sole trader's seal and public sources,
  4. The data controller stated that it will notify the data subjects affected by the breach within three working days,
  5. The risk of the breach to have negative consequences for the persons concerned was low, and
  6. The data controller has taken reasonable technical and administrative measures.

Consequently, the Board decided that, once the data controller evinced to the DPA that the data subjects who are affected by the breach were duly notified of the breach, there was no further action needed to be taken within the scope of Article 12 of the Law No. 6698 regarding the data breach notification in question.

This decision of the Board sheds light on what documents and information are considered relevant by the Board and the approach of the Board regarding data breach notifications.

In addition to the foregoing decisions of the Board, the DPA also published the below announcement which became a hot topic in Turkey.

The Turkish DPA's Announcement on WhatsApp5

The DPA recently published an announcement regarding WhatsApp's change to its privacy policy. According to the announcement, the DPA has ex officio initiated an investigation against WhatsApp.

WhatsApp announced that it was updating its Privacy Policy and required the users to provide their consents for the changes, which were to take effect on February 8, 2021. In the consent form, WhatsApp indicated the key changes as "WhatsApp's service and how we process your data", "How businesses can use Facebook hosted services to store and manage their WhatsApp chats", "How we partner with Facebook to offer integrations across the Facebook Company Products." WhatsApp consent script also indicated that the users would need to accept these updates to continue using WhatsApp after February 8, 2021.

This caused general privacy concerns across the country as well as other parts of the world and many users switched to other IM applications. The updated version of the policy that would be effective as of February 8, 2021 included Facebook as an information sharing party to the entirety of the privacy policy and explained several processes further and in more detail compared to previous versions.

In its announcement regarding the initiation of an investigation against WhatsApp Inc., the DPA also provided explanations with regard to regulatory conditions of personal data processing, the rules applied to explicit consent and cross-border personal data transfers, and its preliminary assessment on WhatsApp's update of its privacy policy.

The announcement sets forth that an explicit consent must be informed, freely given and specific to a certain subject. Furthermore, an explicit consent must contain an affirmative declaration of intent and the data subject must be provided a right to withdraw its explicit consent. On the other hand, with regard to the imposition of explicit consent as a pre-requisite of a contract/service, the DPA refers to the Board decision numbered 2018/19 wherein it was decided that the imposition of explicit consent as a pre-requisite of a contract or service would jeopardize the validity of explicit consent, and also constitute an abuse of right by the data controller. The DPA states that data subjects should be provided with the option to consent to certain personal data processing operations which require explicit consent, and that each explicit consent should be obtained separately. The DPA also refers to the conditions for cross-border transfer under the Law No. 6698.

In the announcement the DPA notes that, WhatsApp had sent a notification to its users to get their consent to the changes to processing of their personal data and transfer to third parties residing abroad, by indicating that if they do not consent, they would not be able to use the app and that their accounts would be deleted. Furthermore, the Privacy Policy that this WhatsApp notification linked to, was deemed to be unclear as to the transferee parties and transfer purposes.

In light of the foregoing, DPA has ex officio initiated an investigation against WhatsApp to assess (i) whether the consent required by WhatsApp violates the requirement to be freely given, (ii) whether allowing app use based on the condition of transfer to third party residing abroad, is violating the personal data processing principles under Article 4 of the Law No. 6698, (iii) whether WhatsApp Inc.'s update causes imposition of explicit consent as a pre-requisite of a contract/service and (iv) whether WhatsApp Inc.'s transfer of personal data to data controllers residing abroad violates Article 9 of Law No. 6698.

This article was first published in Legal Insights Quarterly by ELIG Gürkaynak Attorneys-at-Law in March 2021. A link to the full Legal Insight Quarterly may be found here

Footnotes

1. See https://kvkk.gov.tr/Icerik/6844/2020-765 (Last accessed on February 23, 2021)

2. See https://kvkk.gov.tr/Icerik/6858/2020-966 (Last accessed on February 23, 2021)

3. Principle decision which is regulated under Article 15 of the Law No. 6698 is the decision issued by the Board wherein it is determined that the infringement is widespread. Prior to taking the principle decision, the Board may also receive the opinions of the relevant institutions and organizations, if needed.

4. See https://kvkk.gov.tr/Icerik/6860/2020-787 (Last accessed on February 23, 2021)

5. See https://kvkk.gov.tr/Icerik/6856/WHATSAPP-UYGULAMASI-HAKKINDA-KAMUOYU-DUYURUSU (Last accessed on February 23, 2021)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.