April 2022 – In March 2022, the Turkish Personal Data Protection Board (the “Board”) published one decision and announced two data breach notifications.
The Board also organised a seminar in March regarding smart profiling technologies, biometric data surveillance, and privacy. During the seminar, subjects such as “targeting advertisement based on online behaviours”, “transparency on algorithms” and “stages of processing biometric data for identity verification” were discussed.
Ship your data to shop...
In March the Board evaluated a notification regarding a shopping mall (as a data controller) and decided to impose an administrative fine of TRY 300,000 (approximately EUR 18,500) against the shopping mall, as it found that it had violated Turkish Data Protection Law.
The Board initiated its investigation against the shopping mall based on an anonymous notification, which alleged that the shopping mall had requested the official e-government system passwords of data subjects in order to complete the sales process with a promissory note. Although the shopping mall stated in its defence that a screenshot submitted as evidence has the nature of a .jpg file and that they did not collect the relevant data, the Board determined that the screenshot submitted as part of the notification was removed immediately from the website by the shopping mall. In addition, the shopping mall requested the ID number of data subjects for their website membership registration, and the shopping mall is able to verify the ID numbers inserted, as well.
As a result, the Board determined in its decision as follows:
The Board also determined that when an account holder (user) inserts an ID number for the second time on the account creation page, the shopping mall’s system displays the address information of the relevant registered data subject. Accordingly, this security deficiency may enable unlawful access to the personal data by a third party. As a result, this situation triggered the obligation to notify the Board of a data breach. As the shopping mall failed to notify the Board of such a data breach, the Board launched an ex officio investigation.
In conclusion, the Board decided to impose an administrative fine of TRY 300,000 (approximately EUR 18,500) against the shopping mall. The Board also instructed the shopping mall to destroy all e-government passwords and ID numbers collected and requested that it eliminate the display of data subjects’ data.
Constitutional Court Reminder: Ensuring data privacy is everyone’s responsibility, including the State’s
The Constitutional Court has issued a decision regarding a case where a spouse requested access to his/her spouse’s health data. The Constitutional Court ruled that the spouse had obtained the health data of his/her spouse unlawfully, and that the protection of personal data within the scope of the right to privacy had been violated by the public authorities’ failure to comply with their positive obligations.
As background, during divorce proceedings:
The Constitutional Court decided that the public authorities have positive obligations such as (i) taking adequate measures and (ii) conducting effective investigations to prevent the unlawful intervention of third parties to fundamental rights and freedoms. The Constitutional Court also highlighted that the evaluation that a first-degree relative has the right to access personal and health data of another first-degree relative is incorrect, as the Applicant did not provide his/her health records before their marriage to his/her spouse, and the Applicant did not provide his/her explicit consent to share such data with his/her spouse, and this constitutes a violation of the right to privacy.
Anniversary of the Turkish Privacy Shield
On 7 April 2016, Turkish Data Protection Law numbered 6698 was published in the Official Gazette and entered into force, ushering in a new era for privacy in Turkish privacy law.
In order to raise awareness among youth of the importance of the protection of personal data, the Ministry of National Education of the Republic of Turkey has decided to celebrate 7 April as "Personal Data Protection Day".
The Board announced the following data breach notifications in March
Data Controller |
Affected Data Subjects |
Affected Personal Data |
Number of Data Subjects |
Martı İleri Teknoloji A.Ş. |
N/A |
N/A |
N/A |
Yonca Sağlık Hizmetleri Ltd. Şti. |
Employees, Patients |
Identity Information, Communication, Personnel Information, Professional Experience, Finance, Marketing Information |
500,000 |
For more information please contact Ceren Ceyhan, Associate, at cceyhan@gentemizerozer.com, and Legal Trainee Hatice Nur Arslan, at narslan@gentemizerozer.com.