Analysis

Data protection: update on major developments in Q1 2023

The Data Protection Newsletter provides information on the latest developments regarding the protection of personal data and the implementation of Law No 6698 on the Protection of Personal Data (the “Law”) in light of recent publications and announcements by the Personal Data Protection Authority (the “Authority”), decisions of the Personal Data Protection Board (the “Board”) and the main headlines from the series of “Wednesday Seminars” organised by the Authority.

Recent Announcements

Below is the list of all the publications and announcements made by the Authority in the last quarter:

January 2023

12 January

Announcement Regarding the Protection of Personal Data Academy Article Competition[1]

12 January

28 January Data Protection Day Announcement[2]

17 January

Announcement on Amounts of Administrative Fines under Law No 6698 on the Protection of Personal Data[3]

26 January

Announcement Regarding the Podcast Section of the Guide to the Terms in the Law[4]

28 January

Announcement Regarding the Data Protection Day Event Organised in Nevşehir[5]

31 January

Announcement Regarding the Results of the Contracted IT Personnel Recruitment Oral Exam[6]

February 2023

9 February

Announcement Regarding Data Subjects and Data Controllers Affected by the Earthquake[7]

20 February

Announcement Regarding the Protection of Personal Data Support Team in the Earthquake Region[8]

March 2023

3 March

Announcement Regarding the Call for Articles for the 9th Issue of the Journal of Personal Data Protection[9]

23 March

Public Announcement on Personal Data Processed by Political Parties and Independent Candidates within the Scope of Election Activities[10]

27 March

Public Announcement Regarding the Electronic Submission of Complaints to be made by Power of Attorney to the Board[11]

30 March

Announcement on an Application for a Letter of Undertaking[12]

 

Main Highlights

 

The Constitutional Court Ruled That the Right to Request the Protection of Personal Data within the Scope of Respect for his Private Life Was Violated in an Application Regarding the National Judicial Network Information System.[13]

In the Constitutional Court decision dated 9 February 2023 and numbered 2020/15166, the applicant, who is a convict, claimed that the recording of his letters in the National Judicial Network Information System constituted a violation of his right to request the protection of personal data within the scope of the right to respect for his private life and his freedom of communication. The Constitutional Court concluded that the right to request the protection of personal data within the scope of the right to respect for his private life and the freedom of communication, as guaranteed under Articles 20 and 22 of the Constitution, had been violated on the grounds that there were no rules regulating the scope and implementation of the measures involving the recording, preservation and use of a convict’s private information and personal data, the limits of the discretionary power of the administration and the safeguards against arbitrariness.

The Constitutional Court Ruled that Taking Personal Data as the Basis for Security Investigations Violates the Right to Request the Protection of Personal Data within the Scope of the Right to Respect for his Private Life.[14]

In the case underlying the Constitutional Court decision dated 12 January 2023 and numbered 2019/26356, following the results of the applicant’s Public Personnel Selection Exam placement, a security investigation and archive research were conducted and the applicant was notified that he could not be appointed to a contracted personnel position. The applicant filed a lawsuit to have the non-appointment process annulled, claiming that the information and data that prevented him from becoming a civil servant should be clearly revealed, that the transaction subject to the lawsuit consisted of a reference to an abstract article of law, that it did not contain any justification, that it was not legally possible for the abstract phrase in question to constitute the basis of a specific administrative action and that it was not auditable as such. However, the first instance court and the Regional Administrative Court rejected the lawsuit definitively on the grounds that the decision was in accordance with the procedure and the law.

The applicant made an individual application to the Constitutional Court and the application was examined within the scope of the right to request the protection of personal data and within the scope of the right to respect for his private life. The Constitutional Court concluded that the data obtained through security investigations and archive searches are personal data, and that the rules regulating this area should clearly indicate the conditions and limits under which the public authorities are authorised to apply measures and intervene in the privacy of a person’s private life, and that adequate safeguards should be provided against possible abuse. Under Law No 4045, on the other hand, although a security investigation and/or archive research are among the general conditions for civil servant recruitment, there is no regulation on what information and documents will be subject to a security investigation and archive research, on how this information will be used or on which authorities will conduct the investigation and research. The court ruled that the applicant’s right to request the protection of personal data within the scope of the right to respect for his private life, guaranteed under Article 20 of the Constitution, had been violated.

The Personal Data Protection Board Decided to Impose An Administrative Fine of 1,750,000 Turkish Liras against TikTok Pte. Ltd.[15]

Following various news reports and complaints on the internet and social media platforms regarding the TikTok application, alleging that no explicit consent was obtained within the scope of the Law, that there had been unlawfulness in the collection and storage of personal data and that there are many security vulnerabilities in the software, the Board decided to initiate an ex officio review. Having examined the defence letters received from the data controller on the subject and the related Privacy Policy and Terms of Service, the Board found in Decision No 2023/134 that:

  • TikTok’s Privacy Policy was updated in January 2021 and that restrictions can be imposed on viewing accounts of users between the ages of 13 and 15, but before the specified update, by default, the profiles were displayed publicly and there was no restriction on interaction, which posed a risk within the scope of accessing the data of users in a sensitive age group,
  • No clear information was provided about the purposes for which personal data are processed and the grounds or conditions for processing,
  • When creating a TikTok account, users are deemed to have accepted the Terms of Service (Terms of Use) and Privacy Policy if they continue to create an account, but the relevant text has not yet been translated into Turkish, despite approval being obtained in the Terms of Service section. This means the content is not presented to users in an easy-to-understand form,
  • No explicit consent is obtained while creating an account on the platform or while creating an account and actively using it,
  • TikTok’s Privacy Policy is essentially a text prepared to meet the disclosure obligation, but it is also used instead of an explicit consent text, therefore, the condition of fulfilling explicit consent separately from the disclosure obligation is not met,
  • The data controller did not obtain explicit consent from the data subjects regarding the personal data processing activity carried out by using cookies for profiling purposes, and the personal data processing activity carried out within this scope is not in accordance with the Law.

With this in mind, it was decided to impose an administrative fine of TRY 1,750,000 on the data controller, who had failed to take all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of personal data.

Public Announcement on the Electronic Submission of Complaints to be made by Power of Attorney to the Board

With a public announcement published on 27 March 2023, the Authority announced that, as of 27 March 2023, the “Complaint Module” system has been updated in a way that lawyers can also submit complaints under a power of attorney to the Authority. This has been implemented in order to ensure that complaints can be submitted by lawyers under a power of attorney, and the Authority can deal with them in a faster and more effective manner.

With the new update, it will also be possible to apply to the Authority electronically under a power of attorney.

Notes from Seminars and Events

The 28 January Data Protection Day event was held this year at Nevşehir Hacı Bektaş Veli University Culture and Congress Centre, involving the “Conference on the Protection of Personal Data in Turkey on the 42nd Anniversary of Convention No 108.”[16] During the event, it was stated that 27,203 out of 29,348 notices, complaints, and applications concerning the protection of personal data had been dealt with, 225 of the 1003 data breach notifications received by the Authority had been announced on the Authority’s website, 911 legal opinions had been given on issues falling within the scope of the Authority’s duties, and five undertakings had been approved by the Board as having sufficient qualifications to transfer personal data abroad.

Developments Outside Turkey Regarding The Protection of Personal Data

 

European Parliament Approves the Proposed Data Act[17]

The European Parliament adopted a draft law on the Data Act on Tuesday, 14 March. The Data Act sets common rules governing the sharing of data generated through the use of connected products or related services (e.g. the internet of things and industrial machines) to ensure fairness in data-sharing agreements. According to the draft law, when companies are drafting data-sharing contracts, the law will rebalance the negotiating power in favour of SMEs and protect them from unfair contractual terms imposed by companies in a significantly stronger bargaining position. The text also defines how public sector bodies can access and use data held by the private sector that is necessary in exceptional circumstances or emergencies, such as floods and wildfires.

The MEPs also strengthened provisions to protect trade secrets and avoid a situation where increased access to data could be used by competitors to redesign services or devices and set stricter conditions on data requests from businesses to the government. In subsequent phases, MEPs will start negotiations with the Council on the final form of the law.

European Data Protection Board publishes a Binding Decision on WhatsApp[18]

The European Data Protection Board (“EDPB”) issued a binding decision on 5 December 2022, and instructed the Irish Data Protection Authority to amend its draft decision on WhatsApp Ireland in relation to the findings on the lawfulness of processing and the principle of fairness, and the corrective measures envisaged.

Regarding the lawfulness of processing for the purpose of improving the service, the EDPB found that WhatsApp had improperly relied on contracts as the legal basis for processing personal data. Therefore, the EDPB instructed the Irish Data Protection Authority to add an infringement of Article 6(1) GDPR and an infringement of the principle of fairness under Article 5(1)(a) to its decision.

The EDPB also decided that the Irish Data Protection Authority should conduct an investigation into WhatsApp’s processing activities to determine whether it processes special categories of personal data (Article 9 of the GDPR); whether it processes data for behavioural advertising, marketing purposes, as well as for the provision of metrics to third parties and data exchange with affiliated companies for the purposes of service improvements.

Following the binding decision of the EDPB, WhatsApp was fined €5.5 million by the Irish Data Protection Authority.


[1] https://www.kvkk.gov.tr/Icerik/7527/KVKK-Akademi-Makale-Yarismasi

[2] https://www.kvkk.gov.tr/Icerik/7528/28-Ocak-Veri-Koruma-Gunu

[3] https://www.kvkk.gov.tr/Icerik/7530/6698-Sayili-Kisisel-Verilerin-Korunmasi-Kanunu-Kapsaminda-Idari-Para-Cezasi-Tutarlari

[4] https://kvkk.gov.tr/Icerik/7101/Bir-Kucuk-Farkindalik

[5] https://www.kvkk.gov.tr/Icerik/7532/28-Ocak-Veri-Koruma-Gunu-Etkinligi-Nevsehir-de-Gerceklestirildi

[6] https://www.kvkk.gov.tr/Icerik/7534/Sozlesmeli-Bilisim-Personeli-Alimi-Sozlu-Sinav-Sonuc-Duyurusu

[7] https://www.kvkk.gov.tr/Icerik/7536/Depremden-Etkilenen-Ilgili-Kisilere-Ve-Veri-Sorumlularina-Yonelik-Kamuoyu-Duyurusu

[8] https://www.kvkk.gov.tr/Icerik/7537/KVKK-Destek-Ekibi-Deprem-Bolgesi-nde

[9] https://www.kvkk.gov.tr/Icerik/7539/Kisisel-Verileri-Koruma-Dergisi-9-Sayisi-Makale-Cagrisi

[10] https://www.kvkk.gov.tr/Icerik/7543/Secim-Faaliyetleri-Kapsaminda-Siyasi-Partiler-ve-Bagimsiz-Adaylar-Tarafindan-Islenen-Kisisel-Veriler-Hakkinda-Kamuoyu-Duyurusu

[11] https://www.kvkk.gov.tr/Icerik/7544/Vekaleten-Yapilacak-Sikayetlerin-Elektronik-Ortamda-Kurula-Iletilmesine-Iliskin-Kamuoyu-Duyurusu

[12] https://www.kvkk.gov.tr/Icerik/7546/-Taahhutname-Basvurusu-Hakkinda-Duyuru

[14] https://kararlarbilgibankasi.anayasa.gov.tr/BB/2019/26356

[15] https://kvkk.gov.tr/Icerik/7538/2023-134

[16] https://www.kvkk.gov.tr/Icerik/7532/28-Ocak-Veri-Koruma-Gunu-Etkinligi-Nevsehir-de-Gerceklestirildi

[17] https://www.europarl.europa.eu/news/en/press-room/20230310IPR77226/data-act-meps-back-new-rules-for-fair-access-to-and-use-of-industrial-data

[18] https://edpb.europa.eu/news/news/2023/edpb-publishes-binding-decision-concerning-whatsapp_en
