Founded in Paris in 1920, Gide is a leading international law firm with 12 offices spread throughout the world.
Gide is physically present in six regions of the world, with 11 offices, enabling it to act on cases globally.
The Data Protection Newsletter provides information on the latest developments regarding the protection of personal data and the implementation of Law No 6698 on the Protection of Personal Data (the "Law") in light of recent publications and announcements by the Personal Data Protection Authority (the "Authority"), decisions of the Personal Data Protection Board (the "Board") and the main headlines from the series of "Wednesday Seminars" organised by the Authority.
Below is the list of all the publications and announcements made by the Authority in the last quarter:
|
January 2023 |
|
|
12 January |
Announcement Regarding the Protection of Personal Data Academy Article Competition[1] |
|
12 January |
28 January Data Protection Day Announcement[2] |
|
17 January |
Announcement on Amounts of Administrative Fines under Law No 6698 on the Protection of Personal Data[3] |
|
26 January |
Announcement Regarding the Podcast Section of the Guide to the Terms in the Law[4] |
|
28 January |
Announcement Regarding the Data Protection Day Event Organised in Nevşehir[5] |
|
31 January |
Announcement Regarding the Results of the Contracted IT Personnel Recruitment Oral Exam[6] |
|
February 2023 |
|
|
9 February |
Announcement Regarding Data Subjects and Data Controllers Affected by the Earthquake[7] |
|
20 February |
Announcement Regarding the Protection of Personal Data Support Team in the Earthquake Region[8] |
|
March 2023 |
|
|
3 March |
Announcement Regarding the Call for Articles for the 9th Issue of the Journal of Personal Data Protection[9] |
|
23 March |
Public Announcement on Personal Data Processed by Political Parties and Independent Candidates within the Scope of Election Activities[10] |
|
27 March |
Public Announcement Regarding the Electronic Submission of Complaints to be made by Power of Attorney to the Board[11] |
|
30 March |
Announcement on an Application for a Letter of Undertaking[12] |
In the Constitutional Court decision dated 9 February 2023 and numbered 2020/15166, the applicant, who is a convict, claimed that the recording of letters of him in the National Judicial Network Information System constituted a violation of his right to request the protection of personal data within the scope of the right to respect for his private life and his freedom of communication. In this respect, the Constitutional Court concluded that the right to request the protection of personal data and the freedom of communication within the scope of the right to respect for his private life, as guaranteed under Articles 20 and 22 of the Constitution, and the right to request the protection of personal data and the right to freedom of communication had been violated on the grounds that there were no rules regulating the scope and implementation of the measures involving the recording, preservation and use of a convict's private information and personal data, the limits of the discretionary power of the administration and the safeguards against arbitrariness.
In the Constitutional Court decision dated 12 January 2023, and numbered 2019/26356; following the results of the applicant's Public Personnel Selection Exam placement, a security investigation and archive research were conducted and the applicant was notified that he could not be appointed to a contracted personnel position. The applicant filed a lawsuit to have the non-appointment process annulled, claiming that the information and data that prevented him from becoming a civil servant should be clearly revealed, that the transaction subject to the lawsuit consisted of a reference to an abstract article of law, that it did not contain any justification, that it was not legally possible for the abstract phrase in question to constitute the basis of specific administrative action and that it was not auditable as such. However, the first instance court and the Regional Administrative Court rejected the decision definitively on the grounds that the decision was in accordance with the procedure and the law.
The applicant made an individual application to the Constitutional Court and the application was examined within the scope of the right to request the protection of personal data and within the scope of the right to respect for his private life. The Constitutional Court concluded that the data obtained through security investigations and archive searches are personal data, and that the rules regulating this area should clearly indicate the conditions and limits under which the public authorities are authorised to apply measures and intervene in the privacy of a person’s private life, and that adequate safeguards should be provided against possible abuse. Under Law No 4045, on the other hand, although a security investigation and/or archive research are among the general conditions for civil servant recruitment, there is no regulation on what information and documents will be subject to a security investigation and archive research, on how this information will be used or on which authorities will conduct the investigation and research. The court ruled that the applicant's right to request the protection of personal data within the scope of the right to respect for his private life, guaranteed under Article 20 of the Constitution, had been violated.
Based on various news and complaints on the internet and social media platforms regarding the TikTok application, the Board decided to initiate an ex officio review based on various news and complaints that no explicit consent was obtained within the scope of the Law, that there had been unlawfulness in the collection and storage of personal data and that there are many security vulnerabilities in the software. As a result of defence letters received from the data controller on the subject and the examination of the Privacy Policy and Terms of Service in connection therewith, in Decision No 2023/134 of the Personal Data Protection Board found that;
With this in mind, it was decided to impose an administrative fine of TRY 1,750,000 on the data controller, who had failed to take all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of personal data.
With a public announcement published on 27 March 2023, the Authority announced that, as of 27 March 2023, the "Complaint Module" system has been updated in a way that lawyers can also submit complaints under a power of attorney to the Authority. This has been implemented in order to ensure that complaints can be submitted by lawyers under a power of attorney, and the Authority can deal with them in a faster and more effective manner.
With the new update, it will also be possible to apply to the Authority electronically under a power of attorney.
The 28 January Data Protection Day event was held this year at Nevşehir Hacı Bektaş Veli University Culture and Congress Centre, involving the "Conference on the Protection of Personal Data in Turkey on the 42nd Anniversary of Convention No 108."[16] During the event, it was stated that 27,203 out of 29,348 notices, complaints, and applications concerning the protection of personal data had been dealt with, 225 of the 1003 data breach notifications received by the Authority had been announced on the Authority's website, 911 legal opinions had been given on issues falling within the scope of the Authority's duties, and five undertakings had been approved by the Board as having sufficient qualifications to transfer personal data abroad.
The European Parliament adopted a draft law on the Data Act on Tuesday, 14 March. The Data Act sets common rules governing the sharing of data generated through the use of connected products or related services (e.g. the internet of things and industrial machines) to ensure fairness in data-sharing agreements. According to the draft law, when companies are drafting data-sharing contracts, the law will rebalance the negotiating power in favour of SMEs and protect them from unfair contractual terms imposed by companies in a significantly stronger bargaining position. The text also defines how public sector bodies can access and use data held by the private sector that is necessary in exceptional circumstances or emergencies, such as floods and wildfires.
The MEPs also strengthened provisions to protect trade secrets and avoid a situation where increased access to data could be used by competitors to redesign services or devices and set stricter conditions on data requests from businesses to the government. In subsequent phases, MEPs will start negotiations with the Council on the final form of the law.
The European Data Protection Board ("EDPB") issued a binding decision on 5 December 2022, and instructed the Irish Data Protection Authority to amend its draft decision on WhatsApp Ireland in relation to the findings on the lawfulness of processing and the principle of fairness, and the corrective measures envisaged.
Regarding the lawfulness of processing for the purpose of improving the service, the EDPB found that WhatsApp had improperly relied on contracts as the legal basis for processing personal data. Therefore, the EDPB instructed the Irish Data Protection Authority to add an infringement of Article 6(1) GDPR and an infringement of the principle of fairness under Article 5(1)(a) to its decision.
The EDPB also decided that the Irish Data Protection Authority should conduct an investigation into WhatsApp's processing activities to determine whether it processes special categories of personal data (Article 9 of the GDPR); whether it processes data for behavioural advertising, marketing purposes, as well as for the provision of metrics to third parties and data exchange with affiliated companies for the purposes of service improvements.
Upon binding decision of the EDBP, WhatsApp was fined monetary fine amounting to €5.5 million by the Irish Data Protection Authority.
[1] https://www.kvkk.gov.tr/Icerik/7527/KVKK-Akademi-Makale-Yarismasi
[2] https://www.kvkk.gov.tr/Icerik/7528/28-Ocak-Veri-Koruma-Gunu
[3] https://www.kvkk.gov.tr/Icerik/7530/6698-Sayili-Kisisel-Verilerin-Korunmasi-Kanunu-Kapsaminda-Idari-Para-Cezasi-Tutarlari
[4] https://kvkk.gov.tr/Icerik/7101/Bir-Kucuk-Farkindalik
[5] https://www.kvkk.gov.tr/Icerik/7532/28-Ocak-Veri-Koruma-Gunu-Etkinligi-Nevsehir-de-Gerceklestirildi
[6] https://www.kvkk.gov.tr/Icerik/7534/Sozlesmeli-Bilisim-Personeli-Alimi-Sozlu-Sinav-Sonuc-Duyurusu
[7] https://www.kvkk.gov.tr/Icerik/7536/Depremden-Etkilenen-Ilgili-Kisilere-Ve-Veri-Sorumlularina-Yonelik-Kamuoyu-Duyurusu
[8] https://www.kvkk.gov.tr/Icerik/7537/KVKK-Destek-Ekibi-Deprem-Bolgesi-nde
[9] https://www.kvkk.gov.tr/Icerik/7539/Kisisel-Verileri-Koruma-Dergisi-9-Sayisi-Makale-Cagrisi
[10] https://www.kvkk.gov.tr/Icerik/7543/Secim-Faaliyetleri-Kapsaminda-Siyasi-Partiler-ve-Bagimsiz-Adaylar-Tarafindan-Islenen-Kisisel-Veriler-Hakkinda-Kamuoyu-Duyurusu
[11] https://www.kvkk.gov.tr/Icerik/7544/Vekaleten-Yapilacak-Sikayetlerin-Elektronik-Ortamda-Kurula-Iletilmesine-Iliskin-Kamuoyu-Duyurusu
[12] https://www.kvkk.gov.tr/Icerik/7546/-Taahhutname-Basvurusu-Hakkinda-Duyuru
[14] https://kararlarbilgibankasi.anayasa.gov.tr/BB/2019/26356
[15] https://kvkk.gov.tr/Icerik/7538/2023-134
[16] https://www.kvkk.gov.tr/Icerik/7532/28-Ocak-Veri-Koruma-Gunu-Etkinligi-Nevsehir-de-Gerceklestirildi
[17] https://www.europarl.europa.eu/news/en/press-room/20230310IPR77226/data-act-meps-back-new-rules-for-fair-access-to-and-use-of-industrial-data
[18] https://edpb.europa.eu/news/news/2023/edpb-publishes-binding-decision-concerning-whatsapp_en
