Explicit Consent under Data Protection Law
Explicit consent has been defined as consent that relates to a specified issue, declared by free will, and based on information. As the definition suggest, the Law stipulates that no kind of “blanket consent” of not limited to a specific subject or transaction will be valid. For example, consent such as "I allow all kinds of data processing activities", will not suffice under the Law. The data subject must know for what s/he is giving consent and must clearly express his/her… »
Transfer of Personal Data to Third Parties
Sensitive and non-sensitive personal data may be transferred to third parties if the data subject’s explicit consent is obtained or if one of the additional legal grounds is applicable for such transfer. The Law does not define a third party; therefore, any individual or entity (other than the data controller and the data subject) may be considered a third party. This creates a problem, especially about transfers between data controllers and data processors, as there is no… »
Transfer of Data Abroad
Sensitive and non-sensitive personal data can be transferred abroad if the data subject’s explicit consent is obtained. Furthermore, other legal grounds will also apply to transferring personal data to a foreign country. However, the destination country must have “sufficient protection” to conclude the transfer abroad based on legal grounds (except for having obtained explicit consent). The Board will determine a list of jurisdictions that provide sufficient protection. The… »
Data Breach Notification
The Law requires data controllers to notify the relevant data subject and the Board as soon as possible after becoming aware of a data breach. In its decision dated January 24, 2019, and numbered 2019/9, the Board clarified the rules and procedures applicable to data breach incidents. The Board took the GDPR approach regarding the timing of breach notifications and clarified that “as soon as possible” within the Law must be interpreted as 72 hours from becoming aware of a… »
Turkish DPA Fines Meta and WhatsApp Try 5,3m For Failure to Fulfill Their Registration Obligation to the VERBIS
The Turkish Personal Data Protection Authority (the “Turkish DPA”),concerning the investigation initiated ex officio, into Meta and WhatsApp which processes the personal data of the data subjects in Turkey and is subject to the provisions of the Law on the Protection of Personal Data No. 6698 (“Law”) over imposed an administrative fine of TRY 2,665,000 (approx. EUR 128,560) separately for failure to fulfill their Data Controller’s Registry (VERBIS) registration and… »
Data Controllers’ Registry (VERBIS)
According to Article 16 of the Law, an obligation to register in the Data Controllers Registry (“VERBIS”) has been introduced for data controllers. In 2018, the Board issued decisions granting exemptions from the registration obligation to specific professional groups, associations, and political parties. The Board also granted a general exemption to data controllers residing in Turkey with less than 50 employees and less than TRY 25 million on their balance sheets. Data… »
Consequences of Data Breach
The Law provides for both administrative fines and criminal liability where data breaches have occurred. Regarding criminal penalties, the Law refers to the relevant provisions of the Turkish Criminal Code that details sanctions for the unlawful recording, disclosing, or transferring of personal data. In addition to criminal sanctions, the Law also contains provisions detailing administrative fines applicable in a breach. Four breaches have been defined under the Law: The… »
Judicial Review of Board Decisions
The Law does not include an explicit provision concerning the process for appealing Board decisions that impose administrative fines. However, it is accepted that criminal courts of peace are the authorised courts under Law No. 5326 on Misdemeanours dated 30/3/2005 since the title of Article 18 of the Law is “Misdemeanours,” and administrative fines are issued as per Article 18 of the Law. With this in mind, decisions imposing behavioural sanctions can be appealed before… »
Court of Cassation Overturns Longstanding Precedents on Cumulative Protection Afforded by Trademark Infringement and Unfair Competition Provisions
Cumulative protection is no longer available in light of a recent Court of Cassation decision Trademarks are protected under the IP Code, but “name[s], title[s] or trademark[s]” are not covered by the unfair competition provisions under the new Commercial Code The decision will have a serious impact on pending cases In a recent decision that challenges longstanding precedents, the Court of Cassation has ruled that, in cases where trademark infringement has been found, it… »
Guidelines on Cookies Applications
The Board prepared the Guidelines on Cookies Applications (“Guidelines”) explaining cookies and practical advice for data controllers who process personal data through cookies. The Guidelines was published on the official website of the DPA on June 20, 2022. Within the Guidelines, cookies in general and their types are regulated. Moreover, the types of cookies are categorised based on their timeframe, intended purpose and parties. The relationship between the Electronic… »
Planned Amendments to the Law on the Protection of Personal Data
Processing Sensitive Personal Data Amendments to the law have been drafted by the Board and introduce some modifications to specific disputed provisions of the Law. These have been presented to relevant institutions and organisations for their consideration. The articles to be amended are Article 6, regulating the legal grounds for processing sensitive personal data and Article 9, regulating the transfer of personal data abroad. Under Article 6 of the Law, explicit consent… »
Turkish DPA Fines Tiktok Try 1.75m For Inadequate Data Security Measures
The Turkish Personal Data Protection Authority (the “Turkish DPA”) published, on 1 March 2023, a summary of its Decision No. 2023/134 concerning the investigation into TikTok over its data protection measures and imposed a fine of TRY 1,750,000 (approximately EUR 87,500) against the company. The decision of the Turkish DPA is very significant especially for service providers also targeting Turkish residents and children in Turkey. Also the Turkish DPA is not the first… »