This Data Protection Newsletter provides information on the latest developments as regards personal data protection and implementation of the Law No.6698 on the Protection of Personal Data (the "Law") in the light of recent publications and announcements by the Personal Data Protection Authority (the "Authority"), decisions of the Board, as well as main headings from "Wednesday seminars" organised by the Authority.

RECENT ANNOUNCEMENTS

Below is the list of all publications and announcements made by the Authority in the last quarter:

MAIN HIGHLIGHTS

Data Protection Officer

The Communiqué on the Procedures and Principles Regarding the Personnel Certification Mechanism (the "Communiqué") regarding the Data Protection Officer Programme (the "Programme") was published in the Official Gazette numbered 31681 and dated 6 December 2021. The Communiqué introduces for the first time the concept of data protection officer, and regulates procedures and principles regarding the training, examination and certification of individuals within the Programme in accordance with the (TS) EN ISO/IEC 17024 standard.

The Communiqué defines the data protection officer as a "natural person who has successfully passed the exam and is thus entitled to use the title of data protection officer", and who has sufficient knowledge of personal data protection legislation as part of their certification programme. Individuals who meet the training/certification requirements will be entitled to take the exam. The individuals who successfully pass the exam become data protection officers. The data protection officer certification is valid for four years.

The Communiqué states that the appointment of a data protection officer by the data controller and/or data processor shall not prejudice or remove their legal obligations.

Unlike GDPR, the Communiqué does not stipulate the duties or the authority of the data protection officer, neither does it impose an obligation for data controllers to appoint a data protection officer. Accordingly, the Authority has clarified in its announcement dated 10 December 2021 that the data protection officer in Turkish legislation differs from data protection officer under the GDPR.

Personal Data Breaches via Employment Promises

In its announcement dated 7 December 2021, the Authority stated that there had been an increase in the number of complaints by job applicants, due to requests for sending in pictures of their ID cards and for making payments for job applications available on social media and other online platforms.

The Authority declared that such fraudulent activities on employment promises fell within the scope of the Turkish Criminal Code and shall therefore constitute an offense thereunder. Concerned parties shall resort to the judiciary in order to establish the necessary legal proceedings regarding the issue.

Data Processing During In-Store Shopping

In its announcement dated 17 December 2021, based on the complaints and notices received, the Authority accounted for use of verification codes via SMS during in-store shopping as an explicit consent for receiving commercial electronic messages. In this respect, the Authority underlined that:

• the purpose of the SMS and the consequences of the code exchange via SMS must be explained by the shop staff to the customer before sending the SMS, and the SMS must provide the necessary access to a privacy notice;
• instead of obtaining consent through a single action, such as sending an SMS verification code, for more than one processing activity, such as personal data processing permission and approval for sending commercial electronic messages during shopping in stores, explicit consent must be obtained separately and with an option for each data processing activity;
• explicit consent shall not be obtained within the privacy notice;
• explicit consent for the sending of commercial electronic messages must be obtained for a specific subject, based on informed and free will.

Announcement Regarding VERBIS Registrations

In its announcement dated 4 January 2022, the Authority recalled the following regarding registration of the data controllers to the Data Controllers Registry Information System ("VERBIS"):

• The sole submission of the VERBIS registration application form via the online system or sending it to the Authority by mail, cargo, courier, registered email or hand delivery shall not suffice to meet the obligation of registration and notification to VERBIS. The required registration steps indeed consist of (i) submission of the VERBIS registration application form to the Authority; (ii) appointment of a “contact person” through VERBIS; (iii) logging in of the contact person to VERBIS; (iv) issuance of the notification for the data controller; and (v) approval of the notification through the system.
• Incomplete applications and notifications must be completed as explained above in the shortest possible time. In case registered information in VERBIS changes, it should be notified to the Authority via VERBIS within seven days as of the date such change occurs.

Draft Guidelines on the Use of Cookies

The Draft Guidelines on the use of cookies published on 11 January 2022 (the "Draft Guidelines") make recommendations to website operators processing personal data through cookies in order to provide a better understanding of the use of cookies and to ensure their compliance with the Law.

The scope of the Draft Guidelines covers the cookies used only for processing personal data on online platforms such as websites and online applications, and defines cookies as "a type of text file placed on the user's device by the website operators and is transferred as part of the HTTP (Hyper Text Transfer Protocol) query". It categorises cookies mainly under three groups based on (i) timeframe (i.e. session cookies, permanent cookies), (ii) purpose (i.e. mandatory cookies, functional cookies, performance-analytical cookies, advertising/marketing cookies), and (iii) parties (i.e. first party cookies, third party cookies).

The Draft Guidelines point out the relationship between Law No. 5809 on Electronic Communications (the "ECL") and the Law. As there is no provision in the Law that expressly regulates cookies, it is considered that in terms of data controller operators, the provisions of the ECL would be applied. Furthermore, it is stated that by taking into consideration the decision dated 27 February 2020 and numbered 2020/173 regarding information company services, the Law would be applicable due to the fact that unlike the EU Directive 2002/58/EC, the ECL does not regulate the processing of personal data through cookies.

Lastly, the Draft Guidelines explain when explicit consent must be obtained for the use of cookies by referring to EU practice. Accordingly, the following questions should be answered: either “are cookies used only for providing communication over an electronic communication network?” or “are cookies strictly necessary for the information company services that are explicitly requested by the subscriber or user?”. If the answer is negative, either the explicit consent of the data subject must be obtained, or another legal basis stipulated under the Law must be used.

Common Misconceptions About the Law

On 3 January 2022, the Authority published its second document aiming to clarify common misconceptions about the law by answering 64 questions. Topics include (i) conditions of data processing, (ii) explicit consent for data processing, (iii) use of opt-in and opt-out options, (iv) biometric data, (v) conditions of cross-border data transfers, (vi) fulfilment of the obligation to inform, and (vii) necessary steps to be taken in the event of a data breach.

Measures Regarding Security of Users' Data

In its announcement dated 15 February 2022, the Authority suggested to data controllers, especially those carrying out activities in finance, e-commerce, social media and game sectors, that they take some technical and organisational measures to the extent possible to ensure the security of their users' personal data. Some of these measures may include:

• establishing two-factor authentication systems;
• sending login information to the data subjects’ contact addresses via email or text message, in cases where users log in to their accounts from different devices;
• using HTTPS (Hypertext Transfer Protocol Secure) or another tool with the same security level, using secure and up-to-date hashing algorithms to protect user passwords against cyber-attacks;
• limiting the number of unsuccessful login attempts from an IP address;
• ensuring that data subjects can view information about at least 5 successful and unsuccessful login attempts;
• reminding data subjects that the same password should not be used on more than one platform;
• creating a password policy and ensuring that passwords are changed periodically, or reminding data subjects to do so, and preventing new passwords from being the same as old passwords (at least the last 3 passwords);
• using technologies such as security codes (CAPTCHA, four operations, etc.) that distinguish between computer and human behaviour during login and limiting IP addresses that may be used for access;
• ensuring that passwords entered into the systems contain at least 10 characters, uppercase and lowercase letters, numbers and special characters;
• updating and controlling systems regularly if third party software or services are being used to log in to the systems.

Monetary Fines Applicable in 2022

Highlights from Key Decisions of the Board

• Blacklisting in the car rental industry: In its principal decision dated 23 December 2021 and numbered 2021/1304, the Board assessed the privacy violations from blacklisting operations of car rental companies. It concluded that car rental companies having control over data concerned and software companies shall qualify as "joint controllers" for the blacklisting operations conducted in violation of the provisions of the Law. The Board also states in its decision that, although processing of data for the purpose of blacklisting operations could be assessed within "legitimate interest" of the data controller, such interest must only belong to the data controller itself and blacklisting records must remain within the company. Therefore, transfer of such list to third parties would breach fundamental rights and freedoms.
• Yemeksepeti data breach notification: In decision numbered 2021/1324 and dated 23 December 2021, the Board decided to impose TRY 1,900,000 administrative fine on Yemeksepeti because of the breach of Article 12 (1) of the Law. The Board ruled that the data controller had not taken the necessary technical and administrative measures to ensure data security, and caused the leak of 21,504,083 user data abroad.
• Sending commercial electronic messages by dealers and sub-contractors: In decision numbered 2021/1210 and dated 2 December 2021, the Board decided to instruct the satellite TV provider (Digiturk) to pay due attention and care to comply with the Law in the process of acquiring new customers, even though it is not considered as data controller in the matter at hand. It should also include explicit provisions regarding the identities of the data controller and data processor in its commercial contracts with dealers.

***

In compliance with Turkish bar regulations, opinions relating to Turkish law matters that are included in this client alert have been issued by Özdirekcan Dündar Şenocak Ak Avukatlık Ortaklığı, a Turkish law firm acting as correspondent firm of Gide Loyrette Nouel in Turkey.