Turkish personal data protection law in 2023
This article assesses the most significant developments in data privacy and in the implementation of Law No 6698 on the Protection of Personal Data (the “Law”), and offers an in-depth overview and analysis of the significant decisions and publications of the Personal Data Protection Authority (the “DPA”) published in 2023.
REGULATORY AND ADMINISTRATIVE DEVELOPMENTS IN 2023
- Amendment to the Criteria for the Obligation to Register to the Data Controllers’ Registry
The DPA decision dated 6 July 2023 and numbered 2023/1154, published in the Official Gazette dated 25 July 2023, amended the criteria for the obligation to register with the Data Controllers’ Registry (“VERBİS”). The previous threshold for VERBİS registration was an annual balance sheet total of at least TRY 25 million; the decision increased this to TRY 100 million. Accordingly, natural persons or legal entities with fewer than 50 employees and an annual balance sheet total of less than TRY 100 million, whose main activity does not involve processing sensitive personal data, are exempt from the VERBİS registration obligation.
- Collaboration and Information-Sharing Protocol between the DPA and the Turkish Competition Authority
On 26 October 2023, the Turkish Competition Authority (“TCA”) and the DPA announced the signing of a collaboration and information-sharing protocol (the “Protocol”). The swift advancement and proliferation of data-based technologies have raised concerns regarding both competition and the protection of personal data. Recognising the intersection of these two domains, the Protocol aims to strengthen cooperation with respect to:
– the conduct of joint studies,
– the publication of reports targeting both undertakings and consumers,
– the organisation of joint presentations and discussion programmes,
– the arrangement of mutual educational initiatives,
– the engagement in consultation at events hosted by the authorities and provision of mutual support.
- The publication of the approved Medium Term Programme (2024-2026), including alignment with GDPR and the EU acquis
A Presidential Decree dated 06.09.2023 and numbered 7597 on the Approval of the Medium-Term Programme (2024-2026) was published in the Official Gazette dated 06.09.2023 and numbered 32301. In line with EU digital economy regulations affecting exports of goods and services, the harmonisation of the Law with the EU acquis, in particular the European Union General Data Protection Regulation (GDPR), is expected to be completed in the last quarter of 2024. In addition, in order to increase data-based competitiveness, a National Data Strategy and action plan are expected to be prepared and implemented by the third quarter of 2024.
GUIDELINES PUBLISHED IN 2023
- Guidelines on the Issues to be Considered when Processing Genetic Data
On 13.10.2023, the DPA published its Guidelines on the Issues to be Considered when Processing Genetic Data, covering genetic data used in the field of health for purposes such as diagnosis and treatment, determining ancestry and genetic predisposition tests. Among other issues, the Guidelines focus on the transfer of genetic data abroad and the obligations of data controllers who process genetic data, and give recommendations in this respect.
- Recommendations for Privacy Protection in Mobile Applications
On 22.12.2023, the DPA published its Recommendations for Privacy Protection in Mobile Applications, addressing existing and potential risks to privacy in mobile applications and providing general recommendations for data subjects and data controllers on personal data processing activities performed through mobile applications used on smartphones and tablets.
THE DPA’s 2023 ACTIVITIES IN NUMBERS:
- 9,396 complaints were filed
- 8,639 complaints were concluded
- 307 data breach notifications were submitted
- 102 legal opinions were provided
- 2,242 decisions were taken
- 2 commitment applications were approved (Google and Otokoç)
SUMMARY OF THE KEY DPA DECISIONS PUBLISHED IN 2023
- Fine to TikTok for Inadequate Data Security Measures
The DPA launched an ex officio investigation in response to numerous complaints claiming that the collection and storage of personal data and the obtaining of explicit consent did not comply with the Law, and that the software of TikTok Pte. Ltd. (“TikTok”) had numerous security flaws.
Prior to the changes to TikTok’s privacy settings and policy in 2021, TikTok had permitted the personal information of users between the ages of 13 and 15 to be publicly available and open to social interaction, rather than visible only to followers approved by them. In this respect, the DPA found that the public display of profiles and the absence of restrictions on interaction with users between the ages of 13 and 15 created a risk of access to the data of vulnerable age groups without parental consent, and that adequate security measures had not been taken to mitigate these risks. Furthermore, the DPA noted that TikTok’s terms of service and privacy policy did not provide clear and specific information about the purposes of the collection and processing of personal data, and did not ask for separate explicit consent for the disclosure or processing of data, including for cookie profiling. Additionally, the DPA pointed out that TikTok did not provide users with a Turkish translation of its privacy policy and terms of service.
The DPA decided that (i) privacy policies must clearly state the legal grounds for each data processing activity, (ii) privacy documentation must be provided in Turkish for Turkish data subjects, (iii) the explicit consent and the privacy notice must be presented as separate documents and blanket consents are not acceptable, and (iv) explicit consent must be obtained from data subjects for personal data processing carried out using cookies for profiling purposes.
As a result, the DPA imposed an administrative fine of TRY 1,750,000 on TikTok on the grounds that it had not taken the technical and administrative measures necessary to ensure the appropriate level of security, and asked it to remedy its ongoing deficiencies with regard to its privacy policy.
This decision is significant, since it is the first time that the DPA has declared that people between the ages of 13 and 15 are considered to be at a sensitive age and that data controllers should take extra precautions once the risks associated with processing their personal data have been identified. Therefore, it is advisable for data controllers to conduct a data privacy impact assessment in order to identify potential risks and decide on the best course of action for processing the personal data of individuals in this age group.
- Communicating with the data subject on a different phone number than the one shared with the bank
In a filing made to the DPA, a data subject complained that a data controller bank had sent text messages regarding a loan he had applied for to a phone number he had not previously shared with the bank. The bank submitted a defence statement indicating that (i) a different phone number had been detected in the Credit Reference Agency (“CRA”) records, (ii) this situation was perceived as an early warning signal of a potentially fraudulent transaction, and (iii) the data subject was therefore contacted through the most up-to-date contact information registered with the CRA. The DPA concluded that the data processing activity in this case was carried out on the basis of the condition of “being explicitly stipulated in the laws”, and accordingly decided that no action was to be taken against the data controller.
- Failure to provide information and obtain explicit consent for cookies on a website
The data subject filed a complaint against a gaming platform for not providing information about its cookie processing and for not obtaining explicit consent for non-essential cookies. Although the data subject had applied to the company in this regard, no response was received within the 30-day legal period. The DPA stated that the explicit consent of individuals is not required for the processing of personal data through the cookies necessary for the proper functioning of a website, but that the use of cookies for advertising, marketing and performance purposes is subject to the explicit consent of the data subject, and that such consent must be obtained through an “opt-in” mechanism, meaning that these cookies must not be active by default. As a result, the DPA imposed an administrative fine of TRY 300,000 on the data controller for processing personal data through non-essential cookies.
- Unlawful processing of a former employee’s personal data after the termination of an employment agreement
The DPA held that it was unlawful to use the image of a former employee, an interior architect, in live broadcasts on social media for advertising and marketing purposes, on TV screens, on the website and in printed promotional materials after the termination of the employment agreement. The DPA considered that, once the employment agreement had been terminated, there was no valid legal ground under the Law for processing this data. As a result, the DPA imposed an administrative fine of TRY 250,000 for this processing activity.
- Unlawful processing of personal data by monitoring, accessing and retaining the contents of the corporate email address allocated by the data controller to its employees
Through monitoring of corporate email, the company found that one of its employees had transferred internal company data from their corporate email address to their personal email address, and had secretly recorded a telephone conversation with another employee and sent it to his lawyer via his personal email address. Based on these findings, the company terminated the employment agreement with the relevant employee. Subsequently, the data subject applied to the DPA on the grounds that the company had retained his emails indefinitely after the termination of the employment agreement and had exercised general control over these emails. Following its investigation, the DPA concluded that (i) the data subject had approved the clarification text regarding email monitoring before the start of the employment relationship, (ii) the data processing involved in the email monitoring was in accordance with the general data processing principles, and (iii) basing the termination notice on personal data obtained through email monitoring could be considered as falling within the scope of the “necessity of data processing for the establishment, exercise or protection of a right.” Therefore, the DPA decided that no action was to be taken against the data controller.
- Cross-border data transfer by a technology company without obtaining the explicit consent of the data subject
The data subject, who had subscribed to the data controller’s system through a website, filed a complaint over the lack of a cookie policy on the website and the failure to obtain his explicit consent for cross-border data transfer, even though the privacy policy stated that the data would be transferred abroad. The data subject had applied to the company for information about the cross-border data transfer but did not receive a response within the 30-day legal period. The data controller stated in its defence that (i) information on personal data processed through cookies was available in the privacy policy, and (ii) it provided its services using cloud service technologies located outside Türkiye. Following its examination, the DPA noted that the cross-border data transfer had not been carried out on any of the legal grounds listed in the Law and that no effective technical or administrative measures had been taken regarding the processing of personal data. Accordingly, the DPA imposed an administrative fine of TRY 950,000.
- Explicit consent requirement as a prerequisite for delivering an airline’s special passenger programme service
The decision relates to a complaint from a data subject who logged in to the website of the data controller airline to see the miles accumulated in its special passenger programme. The data subject claimed that he was asked to fill in certain fields in his profile in order to see the accumulated miles, and that the box by which he accepted the processing of his personal data for marketing activities had to be checked or the system would not allow him to proceed. In its assessment, the DPA found that the company obtained this information and consent so that the data subject could benefit from the opportunities of the special passenger programme, rather than to view the accumulated miles, and that there were many alternative ways to inquire about the accumulated miles that did not rely on explicit consent. The DPA stated that linking additional benefits to explicit consent does not eliminate the condition of “giving explicit consent with free will.” Thus, in the present case, the DPA decided that no action was to be taken against the data controller, as it did not consider the request for explicit consent in order to benefit from the passenger programme to be a prerequisite for providing a product or service.