INSIGHTS
In The Know.

  • Home
  • Insights
  • Two-Minute Recap of Recent Developments in Turkish Personal Data Protection Law – July 2022

Search by

Two-Minute Recap of Recent Developments in Turkish Personal Data Protection Law – July 2022

In July 2022, the Turkish Personal Data Protection Authority (“Authority”) announced five breach notifications and issued 12 decisions relating to various industries and sectors including insurance, health, and banking.

Here comes the decision on commercial electronic messages again

On 18 July 2022, the Authority published its decision on a data subject’s complaint alleging that a data controller in the health sector sent a commercial electronic message to the data subject without obtaining their explicit consent to send messages. The Authority found that the data controller had obtained the contact data of the data subject for another purpose other than sending commercial electronic messages and therefore decided to impose a monetary fine on the data controller.

In its decision, the Authority stated that:

  • a data controller in the healthcare sector can process the contact information of data subjects (or their chaperones during patient registration, and this activity does not constitute a violation of Turkish Data Protection Law or other applicable laws;
  • the data controller in this case sent an e-mail for marketing and commercial purposes;
  • the processing of personal data to send a commercial electronic message is irrelevant to the purpose of obtaining the relevant personal data; accordingly, such data processing activity constitutes a violation of Turkish Data Protection Law.

Based on the above-mentioned evaluation, the Authority decided to impose a monetary fine of TRY 100,000 (approx. EUR 5,470) on the data controller for the unlawful data processing activity of sending a commercial electronic message to the data subject’s e-mail address for advertising and marketing purposes without any legal basis. You can access the decision here (available in Turkish only).

The Authority states that data controllers cannot require a special power of attorney for data subject applications

On 18 July 2022, the Authority published its decision on a data subject’s complaint alleging that an insurance company had processed their personal data without legal grounds. As a result of the examination, the Authority concluded that the insurance company had processed the individual’s personal data to carry out the insurance policy executed between the data subject and the insurance company.

The most important aspect of the decision is that the Authority has highlighted that data subjects are able to apply to data controllers via a lawyer without a power of attorney involving a special authority to apply to data controllers.

During the examination, the insurance company stated in its defence that the application was made by the data subject’s lawyer with a general power of attorney, but that, a special power of attorney is required to make such an application. Following its investigation, the Authority concluded that data controllers cannot seek a special power of attorney for applications made by data subjects’ lawyers, as there is no provision stipulating such a requirement in Turkish law. For detailed information, please see our article here.

The Board announced the following data breach notifications in July

Data Controller

Affected Data Subjects

Affected Personal Data

Number of Data Subjects

NeoPets Inc.

Users, Members, Children

Identity, Information on Communication and Transaction Security

N/A

Surtaş Otomotiv ve Servis Hizmetleri Sanayi Ticaret Limited Şirketi

Employees, Customers, Potential Customers

Identity, Communication Information and Audio and Visual Records

1200

Türkiye Elektrik Dağıtım A.Ş.

Employees, Citizens

Identity, Communication Information

208,000

Knauf İnşaat ve Yapı Elemanları San. And Tic. A.Ş ile Knauf Insulation Izolation San. ve Tic. A.Ş

 

N/A

 

N/A

 

N/A

Meklas Otomotiv San. ve Tic. A.Ş.

Employees, Users, Customers, Potential Customers

Identity, Information on Communication, Personnel, Transaction Security, Finance, Marketing, Audio and Visual Records, Health, Philosophical Belief, Religion

142

 

For more information please contact Ceren Ceyhan, Associate, at cceyhan@gentemizerozer.com, and Hatice Nur Arslan, Legal Intern, at narslan@gentemizerozer.com