In The Know.

  • Home
  • Insights
  • Two-Minute Recap of Recent Developments in Turkish Personal Data Protection Law – December 2021

Search by

Two-Minute Recap of Recent Developments in Turkish Personal Data Protection Law – December 2021

January 2022 – In December 2021, the Turkish Personal Data Protection Board (“Board”) published 33 decisions and announced three data breach notifications. The Board continued to conclude investigations regarding data breaches during the last month of the year.

In a communiqué published in the Official Gazette on 6 December, the Board established the term “Data Protection Officer” (“DPO”). In a subsequent announcement, the Board stated that the DPO must be a person with sufficient knowledge in terms of personal data protection legislation; however, the concept of a DPO in Turkish Data Protection Law will not be the same as the one defined in the GDPR and no job description has yet been made available.

Were explicit consents really explicit?

On 17 December 2021, the Board made a public announcement evaluating commercial electronic messages sent based on the explicit consent of data subjects that underlines the obligation to inform data controllers of the requirements of explicit consent. You can read our assessment of the decision here.  

In the announcement, the Board evaluated a common practice in shop stores. Accordingly, authorised persons of shop stores usually request a verification code that is sent to customers by SMS, after which the store begins to send commercial electronic messages based on the consent provided via the verification code.

In summary, the Board concluded that:

  • Authorised persons of shop stores must provide sufficient information in clean and plain language regarding the purpose of sending SMS messages to customers and what the result will be after providing the verification code received by SMS. In addition, the content of the SMS must include the necessary links to the shop store’s detailed privacy notice.
  • Shop stores must cease to collect the explicit consent of data subjects for several activities together, such as loyalty agreements, permission for personal data processing, approval for commercial electronic messages, etc., and must instead submit options for each data processing activity separately.
  • Shop stores must avoid situations where the obligation to inform and collect explicit consent are conducted together.
  • In the event that shop stores intend to send SMS verification codes to obtain the explicit consent of customers regarding the sending of commercial electronic messages, the explicit consent must include all requirements mentioned above.

The Board decides on the deletion of personal data collected from rejected job applications

The Board evaluated the data retention period of personal data collected for job applications based on a complaint of a data subject and decided to impose an administrative fine on the data controller (a bank) as it did not immediately delete the personal data of data subjects whose job applications were rejected.

In the case subject to the decision, after the job application made by the complainant to the bank was rejected, the complainant requested that the bank delete all its remaining data in the system. However, the Bank partially accepted the request of the data subject and did not delete the name, surname, identity number, or interview assessment data of the data subject from the system in order to take into account previous applications in the evaluation of the job applications to be made by future candidates. The complainant applied to the bank a second time, and the bank accepted to delete all personal data at that time.  

Within scope of its decision, the Board evaluated personal data during the job application process as follows:

  • The bank, as data controller, does not have to process such personal data in order to reach the purposes in question;
  • Fundamental rights and freedoms of the data subject are not at a competitive level with the benefit to be obtained as a result of the processing of personal data;
  • The legitimate interests of the bank, as data controller, is not explicit and specified on this matter; and
  • The bank, as data controller, may reach the expected purposes by other methods without processing such personal data. The data processing activity in question does not provide a corporate interest to be affected by an important number of people. Accordingly, the legitimate interests of the bank did not override the fundamental rights and freedoms of the data subject.

In conclusion, the Board imposed an administrative fine on the bank and also instructed it to delete the personal data of other candidates whose job applications were rejected and to inform the Board on this matter.

Is explicit consent required to perform a contract?

In a separate decision, the Board evaluated a complaint made by an insured data subject who alleged that they did not provide their explicit consent for the processing of their damaged car to be carried out by a third party instead of by the insurance company that is the data controller. As a result of its investigation, the Board concluded that the insurance company, as data controller, may transfer personal data in order to perform an agreement.

The complainant stated that the photos of the vehicle and license (which includes identity data) and contact information belonging to them were shared with a third company by the insurance company without their explicit consent and knowledge and that their application to the data controller in this regard remained unanswered. The insurance company, on the other hand, stated that it carried out the data transfer in question in order to perform insurance activities, fulfil its obligations arising from legislation, and to ensure the performance of the contract.

In conclusion, the Board stated that the data controller may transfer the personal data of a data subject to a third party that has the title of data processor without obtaining the explicit consent of the data subject, as it is necessary for the performance of the contract. However, the Board instructed the data controller to update its data privacy notice for data subjects by clearing it of general and ambiguous expressions.

The Board announced the following data breach notifications in December

Data Controller

Affected Data Subjects

Affected Personal Data

Number of Data Subjects

T.C. İstanbul Kültür University


Identity, birthday, nationality, sex, phone number, institutional e-mail address, payment status, name and surname of the student and their advisor and scholarship status

15,967, LLC

Users (including legal persons)

Customer number, e-mail address, default WordPress admin login data, sFTP, database usernames and passwords


Eureko Sigorta A.Ş.

Customers, Potential Customers

Name and surname, identity and data of bank, branch and policy



For more information please contact Ceren Ceyhan, Associate, at, and Osman Tuğberk Çakırca, Legal Trainee, at