This year’s report focuses on the basic regulations and principles of personal data protection law, developments in Turkey, the most important or challenging issues regarding data privacy, and the latest developments in the field of personal data protection, including recent decisions and published guidelines. The Law on the Protection of Personal Data numbered 6698 (“Law”) entered into force in 2016. In 2022, settled case law has started to develop in personal data protection law, going beyond the foundation laid by the Law, in line with new regulations and Personal Data Protection Board (“Board”) decisions. In addition, acts that constitute an element of a crime have also been adjudicated within the scope of the Turkish Criminal Law provisions on the protection of personal data, and the Constitutional Court has issued fundamental decisions on the protection of personal data.
In brief, in 2022 decisions were issued concerning several data controllers in the insurance, banking, health and service industries, and data breach notifications were submitted by data controllers.
In 2022, in light of the data breach notifications it received, the Turkish Data Protection Authority (“DPA”) demonstrated its sensitivity regarding user data with its Public Announcement on Technical and Administrative Measures Recommended to be Taken by Data Controllers Regarding User Security. The announcement was published in order to prevent access to the user account information used to log in to the websites of data controllers operating in the finance, e-commerce, social media and online game sectors through security vulnerabilities in the data controllers’ systems or in end users’ computers, to prevent such common data breaches, and to mitigate the possibility of negative outcomes for data subjects where such breaches occur.
The Regulation on Protection and Processing of Personal Data by the Social Security Institution was published regarding the processing of data obtained by automated or non-automated means within the scope of the Social Security Institution’s (“SSI”) duties and authorities.
In addition, the Guideline on Good Practices of the Protection of Personal Data in the Banking Sector was published by the DPA. In this guideline, banks are considered data controllers in terms of the activities they carry out in accordance with article 4 of the Banking Law. The guideline also addresses the points to be included in data processing contracts governing the relationship between the data controller and the data processor, and covers explicit consent, which is one of the conditions for processing data, as well as the obligations of banks acting as data controllers. Subsequently, the Regulation on the Collection, Storage and Disclosure of Insurance Data was published for an area where frequent and serious breaches are likely to occur. This regulation defines the concept of insurance data with an extensive scope, obliges those who keep insurance data to present the documents requested by the Insurance Information and Surveillance Centre, explicitly defines the fundamental aims of the use of insurance data and the uses specific to the Insurance Information and Surveillance Centre, and introduces rules on requests for information and on data exchange in respect of insurance data.
For the first time, the Board issued a decision on the processing of personal data by exclusively automated means. Assessing profiling, the Board evaluated the software used by rental companies, which provided a blacklist, concluded that the data was processed unlawfully, and pointed out joint data controllership.
In a recent decision regarding the processing of biometric data, the Board reiterated its stance that this method should only be used on an exceptional basis, concluding that methods involving the processing of employees’ biometric data cannot be used to control entry to and exit from the workplace or to ensure occupational health and safety. It was specifically stated that processing biometric data for controlling entry and exit and for ensuring occupational health and safety is not a proportionate practice and that these goals shall be achieved by alternative methods. It was decided that the personal data and verification data obtained through facial recognition systems up to the date of the decision must be destroyed. The Board has thus developed a line of case law on this subject.
Furthermore, considering the shortcomings in meeting the obligation to register with the Data Controllers’ Registry (“VERBIS”) due to the pandemic, the time prescribed to complete the registry records has expired, and administrative fines have started to be imposed on data controllers who do not fulfil this obligation, following the reminders in DPA announcements and the review of the records. It is stated that the amounts of administrative fines are calculated in accordance with the “Algorithm Table of Administrative Fine Amounts for Domestic Data Controllers”.
The Board issued a decision imposing an administrative fine on data controllers operating in the e-commerce sector who unlawfully processed data through cookie applications. The DPA announced the criteria and conditions for cookie applications and lawful data processing by publishing the Guidelines on Cookies Application in June 2022.