INSIGHTS
In The Know.

  • Home
  • Insights
  • Two-minute Recap of Recent Developments in Turkish Personal Data Protection Law – January & February 2023

Search by

Two-minute Recap of Recent Developments in Turkish Personal Data Protection Law – January & February 2023

March 2023 – A devastating earthquake with a magnitude of 7.8 struck the southern region of Turkey on 6 February. This was followed by another strong earthquake with a 7.5 magnitude, occurring about nine hours later. Due to this disaster, we could not issue our two-minute recap for January 2023. You can find more information on the devastating earthquakes from our two-minute recap here.

In this recap, we will cover recent developments in February, as well as January. During this period, the Turkish Personal Data Protection Authority (“DPA”) made one public announcement and three data breach notifications.

Determination of statutory periods due to the earthquake

While the search-and-rescue operations in the earthquake regions continued, public institutions began to announce additional measures that they had taken. In this context, on 9 February, the DPA made a public announcement regarding the statutory periods to be considered by data controllers and data subjects regarding complaints, notices, data breach notifications, and other obligations within the scope of Turkish DP Law.

The DPA announced that the extraordinary conditions caused by the earthquake will be taken into consideration in the evaluation of the periods specified in Turkish DP Law and related secondary regulations for data subjects, data controllers, and lawyers who are (i) in the provinces where a state of emergency has been declared due to the earthquakes or (ii) in other provinces but are affected by the earthquakes.

Quick reminder: New amounts of fines for non-compliance to DP Law

The DPA announced the new amounts of administrative fines to be considered for 2023, according to the revaluation rate (i.e., 122.93%). Below you can find the new amounts of fines that the DPA has the authority to impose regarding misdemeanours for the year 2023:

Misdemeanours

Fine Amounts for 2023

Non-compliance to fulfil obligation to inform

TRY 29,852 — 597,191

(approx. EUR 1,500 — 29,860)

Non-compliance to ensure data security

TRY 89,571 — 5,971,989

(approx. EUR 4,480 — 298,600)

Non-compliance to comply with the decisions of the DPA

TRY 149,285 — 5,971,989

(approx. EUR 7,464 —298,600)

Non-compliance with the registration obligation with the Data Controllers’ Registry (VERBIS)

TRY 119,428 — 5,971,989

(approx. EUR 5,971 —298,600)

 

The DPA announced the following data breach notifications in January:

Data Controller

Affected Data Subjects

Affected Personal Data

Number of Data Subjects

Okko Sağlık Turizm İnşaat San. ve Tic.

Employees, Patients

Identity, Communication, Audio and Visual Records, Personnel Information and Health Data

N/A

Reon Sağlık Hizmetleri İnş. Tur. San ve Tic. (Özel Aktif Hastanesi)

Employees, Patients

Identity, Communication, Audio and Visual Records, Personnel Information and Health Data

N/A

Yalova Uzmanlar Sağlık Hizmetleri San.Paz.Tic.

Employees, Patients

Identity, Communication, Audio and Visual Records, Personnel Information and Health Data

N/A

 

For more information please contact Ceren Ceyhan, Associate, at cceyhan@gentemizerozer.com, and Hatice Nur Arslan, Legal Intern, at narslan@gentemizerozer.com