This Data Protection Newsletter provides information on the latest developments as regards personal data protection and the implementation of Law No 6698 on the Protection of Personal Data (the "Law") in light of recent publications and announcements by the Personal Data Protection Authority (the "Authority"), decisions of the Personal Data Protection Board (the "Board"), as well as the main headings from "Wednesday Seminars" organised by the Authority.

RECENT ANNOUNCEMENTS

Below is a list of all publications and announcements made by the Authority in the last quarter:

MAIN HIGHLIGHTS

The 44th Global Privacy Assembly was held in Istanbul

The 44th Global Privacy Conference ("GPA") with the main theme as "A Matter of Balance: Privacy in the Age of Rapid Technological Development", was held at the Haliç Congress Center in Istanbul, hosted by the Authority between 25 and 28 October 2022.

The topics discussed at this year’s GPA included: "Evaluation of Emerging Technologies in the Light of Privacy Principles", "Interaction between Consumer Rights, Competition and Privacy", "Blockchain and Metaverse: Privacy and Data Protection", "Effectiveness of Mechanisms Developed for Cross-Border Data Transfer", "Protection of Children's Personal Data in the Digital Age" and many others.

The Constitutional Court Decides that Denying a Request to Access Personal Data is a Violation of the Right to Request the Protection of Personal Data as well as the Right to Respect for Private Life

In a decision of the Constitutional Court dated 28 June 2022 and numbered 2018/6161, published in the Official Gazette dated 20 December 2022 and numbered 32049, the applicant requested traffic information, hot spot data and IP addresses of a phone line registered in his name in 2014-2015 from the telecommunication company. The telecommunication company rejected the request, stating that the information can only be provided by a court order. The applicant then brought his claim before the Consumer Court and the Regional Court of Appeal. The courts did not assess the obligations of the telecommunications company to provide access to personal data under the personal data protection provisions and rejected the request.

The applicant then applied to the Constitutional Court, claiming that his right to access his personal data, to learn the accuracy of the data and to rectify them had not been exercised, and that his right to the protection of personal data, the right to respect for his private life and the freedom to seek rights and the right to property had all been violated.

The Constitutional Court ruled that the applicant's right to access, control and rectify personal data within the scope of the right to privacy and the applicant's right to request the protection of personal data and the related right to an effective remedy had indeed been violated.

Amounts of Fines in 2023

Personal Data Protection Authority and the Union of Turkish Bar Associations Signed a Cooperation Protocol on Personal Data Protection Studies

It is planned to establish a coordination group between the Authority and the Union of Turkish Bar Associations in order to carry out joint work on the protection of personal data to establish working groups and to carry out activities.

The Report on the 5th Anniversary of the Personal Data Protection Authority is Published

With the report published by the Authority on the 5th Anniversary of the Personal Data Protection Authority, the activities carried out by the Authority since its establishment were evaluated, along with details of the Board’s decisions and announcements published so far.

In the five years of its existence – up until 31 March 2022– the Board issued 3,347 decisions and imposed total administrative fines of TRY 74,116,828.

In 2022, the Board issued 320 decisions and imposed administrative fines of TRY 6,880,000, of which TRY 2,580,000 related to data breach notifications and TRY 4,300,000 related to complaints and notifications.

Highlights from Seminars and Events

A seminar on "The Future of the Digital Media Industry: Web3, Metaverse and Digital Surveillance" was held on 12 October 2022. The seminar evaluated the changes in business models, the technologies they use and the digitalisation of the media industry.

DEVELOPMENTS OUTSIDE TURKEY REGARDING PERSONAL DATA PROTECTION

The Commission Started to Adopt an Adequacy Decision for Safe Data Flows with the US^[9]

On 13 December 2022, the European Commission (the “Commission”) launched the process towards adopting an adequacy decision for the EU-US Data Privacy Framework, which will foster safe trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in its Schrems II decision of July 2020.

The draft adequacy decision, which reflects the Commission’s assessment of the US legal framework and concludes that it provides comparable safeguards to those of the EU, has now been published and sent to the European Data Protection Board (“EDPB”) for its opinion. The draft decision concluded that the United States ensures an adequate level of protection for personal data transferred from the EU to US companies.

One of the key elements of the decision is that the US companies will be able to join the EU-US Data Privacy Framework (the “Framework”) by undertaking to comply with a detailed set of privacy obligations, for instance, the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected and to ensure the continuity of protection when personal data is shared with third parties. EU citizens will benefit from several avenues of redress if their personal data is handled in violation of the Framework, including free of charge before independent dispute resolution mechanisms and an arbitration panel.

In addition, the US legal framework provides for a number of limitations and safeguards regarding the access to data by US public authorities, in particular for criminal law enforcement and national security purposes. At the next step, the draft adequacy decision will go through the adoption procedure.

The Irish Supervisory Authority Announces its Decision in the Facebook “Data Scraping” Inquiry^[10]

On 14 April 2021, The Irish Supervisory Authority commenced an inquiry following media reports into the discovery of a collated dataset of Facebook personal data that had been made available on the internet. The material issues in the inquiry concerned questions of compliance with the GDPR obligation for “Data Protection by Design and Default”.

In its decision dated 25 November 2022, the Irish Supervisory Authority decided that Meta Platforms had violated Articles 25(1) and 25(2) of the GDPR. Meta Platforms was given a deadline to remedy the breaches and a total administrative fine of EUR 265 million was imposed, together with a reprimand.