INSIGHTS
In The Know.

  • Home
  • Insights
  • Two-minute Recap of Recent Developments in Turkish Personal Data Protection Law – December 2022

Search by

Two-minute Recap of Recent Developments in Turkish Personal Data Protection Law – December 2022

January 2023 – In December 2022, the Turkish Personal Data Protection Authority (“DPA”) announced one data breach notification but did not publish any decisions.

In December, Turkey’s Constitutional Court continued to conclude cases on personal data protection. In this respect, the Constitutional Court published two decisions, which we have summarised below.

Decisions on the right to request personal data protection

Recording a private conversation

On 1 December, the Constitutional Court ruled that the applicant’s right to request the protection of their personal data was violated and that the state did not fulfil its positive obligations in terms of protecting this right. You can read more about this decision here (in Turkish only).

Background

The applicant filed a complaint with the Prosecutor's office regarding the unlawful recording of their non-public conversation and demanded the protection of their personal data. The Prosecutor's office decided not to pursue the matter, stating that (i) no information relating to private life was recorded, and (ii) the person who recorded the conversation did not intend to commit a crime but had the intention to present evidence.

Evaluation of the Constitutional Court

The Constitutional Court stated that (i) the applicant's privacy was violated through the recording, as they had a rightful expectation of preserving their privacy; (ii) using such a recording without the applicant's consent and recording it in a non-public environment constitutes a serious attack on personal data; and (iii) the state must prevent attacks on the right to privacy against individuals.

Requesting information about a private phone

On 20 December 2022, the Constitutional Court decided that a telecommunications provider (the “operator company”) violated the right to request the protection of personal data by rejecting the applicant’s request for information about their phone. You can read more about this decision here (in Turkish only).

Background

The applicant requested various types of information, such as internet data, log records, IMEI information, and IP numbers regarding the telephone number that they used from the relevant operator company. The operator company refused this request by stating that they could not provide this information unless a court requests it. The applicant filed a case before the first instance and appeal courts; however, they were refused.

Evaluation of the Constitutional Court

The Constitutional Court referred to the right to respect for private life and emphasised that it was mandatory to determine an effective and accessible procedure that would enable individuals to access any information concerning them.

In this respect, the Constitutional Court considered the information that the applicant requested to access as personal data and stated that this request needs to be examined in terms of the applicant’s right to request the protection of personal data. As a result, the Constitutional Court ruled that the rejection of the applicant's request by the first instance and appeal courts violated the right to an effective application in connection with the right to request the protection of personal data.

The DPA announced the following data breach notifications in December:

Data Controller

Affected Data Subjects

Affected Personal Data

Number of Data Subjects

Sitil Çizgi İnşaat Turizm ve Tekstil

Employees, Customers

Identity, Contact, Transaction Personnel and Customer Transaction Data

N/A

 

For more information please contact Ceren Ceyhan, Associate, at cceyhan@gentemizerozer.com, and Hatice Nur Arslan, Legal Intern, at narslan@gentemizerozer.com