New Decisions Of Board Of Protection Of Personal Data Published On 17th Of July 09 August 2019
New Decisions Of Board Of Protection Of Personal Data Published On 17th Of July
Decision Summary of the Board of Protection of Personal Data dated 31/05/2019 and numbered 2019/166: “Sending an irrelevant content to the phone number of a data subject”
Data subject appealed to the data controller regarding the text message which was sent to his/her phone number and of which content was not belong to his/her own. Data subject received a reply explaining that the messages were intended to be sent to another subscriber but as a result of an employee’s mistyping with just 1 number, it was sent to the data subject, and then it was remedied. However, the complainant argued that the person, whose personal data was the content of the message sent to the data subject, was the nephew/niece of the data subject and it was impossible to mistype 1 number when the relevant phone numbers were considered. Upon the inspection after the data subject’s appeal on this, the Board stated that the following two data processing activities resulted from one action; the name, surname and service number of the nephew/niece were sent to the phone number of the complainant and the data process of the phone number of the complainant without any legal reason stated in the Law. The Board imposed an administrative fine of 50.000 TL to the data controller lawyer as per Article 18/1/b of the Law, by reason of the data controller- lawyer default “Prevent unlawful processing of personal data” stated as per Article 12/1.
Decision Summary of the Board of Protection of Personal Data dated 25/03/2019 and numbered 2019/81 and decision dated 31/05/2019 and numbered 2019/165 “Data processing of biometric personal data of the members for control of the entrance and exit”
Two separate data controller company which are both operating fitness center, passed to hand and palm print system during entrance and exit of their members. Upon various notices and complaints to the Board, indicated the concerns regarding data processing such as passport photo, time of their last visit at the facilities on TV screen, and safe storage;
1-As per Article 6 of the Law, biometric data have been identified as special category of personal data, but biometric data are not defined under the Law. As per Article 51 of the GDPR which enter into force on 25.05.2018, for defining biometric personal data, that the person shall be uniquely verified and identified by the biometric personal data. The 15th Chamber of the Council of State stated in decision numbered 2014/4562 that biometrical personal data refer to specify technical processing by measurable physiological and individual characteristics and automatic identity check that include the fingerprint scanning, palm scanning, hand geometry recognition methods while entrance and exit to fitness center and indicated that data controller process special categories of personal data by using biometric processing.
2- a) As per Article 4 of Law, personal data shall only be processed in accordance with the law, in good faith and for explicitly specified and legitimate purposes, with the condition of being accurate and up to date when necessary, be relevant, limited and proportionate to the purposes for which data are processed and stored only for the time designated by relevant legislation or necessitated by the purpose for which data are collected. Within the principle of proportionality, the data controller shall process the personal data for its purpose, request minimum level of information from the relevant person, otherwise avoid unnecessary processing, use the personal data for necessary purposes and not store it for longer than necessary. In the decisions of the Council of State numbered 2014/2242 and numbered 2014/4562, biometric methods such as “fingerprint or face scanning system” are also within the scope of the right of privacy, even if in the public sphere. The absence of any assurance that the collected data could not be used in any other way in the future was held to be unlawful. In the decision of European Court of Human Rights S. and Marper v. The United Kingdom dated 4 December 2008, the retention of the fingerprints constituted a disproportionate interference with the applicant’s right to respect for private life and could not be regarded as necessary in a democratic society and the court decided that it was a violation of the Article 8 of the European Convention on Human Rights. Therefore, the “hand and fingerprint scanning” system applied by the data controller for the compulsory and only way of entrance to the gym, was held not to be in accordance with the principle of minimum level of data request from the subject, in light of the principle of proportionality.
b) Processing special categories of personal data to ensure entrance and exit controls in sport clubs is not explicitly regulated by law. For this reason, in relation to the claim that the permission of the data subject is obtained by the data controller for the processing of hand and fingerprint; Article 6 of the Law states that biometric and genetic data are considered as special categories of personal data, and the same declares that “special categories of personal data cannot be processed without the permission of the data subject.” It has been understood that data controllers had taken explicit consent of the data subject for the processing of the palm print. Explicit consent must consist of three elements to be valid, as defined by the Law No.6698. It must be limited to a specific subject. Since it is a declaration of will, the data subject must know what it consents to, the subject matter and consequences of its consent, in order to ensure the existence of free will. In the present matter, the online membership agreement must include consent to the recording of palm print, which is a special category of personal data, in order to form a valid contract. In case of non-compliance, it is considered that the right of termination has been granted to the company and the members will not be able to benefit from the service if they do not consent to the palm trail information at the entrance to the clubs. It is not possible to say that the express consent of the members is based on free will. In this context, it has been seen that the provision of the service by the data controller is based on explicit consent. In relation to the data controllers, it has been decided that it is possible to provide access to those who want to benefit from club services by alternative ways control to control entry to and exit from the sports clubs, the acquisition of palm-print data as biometric data of persons is incompatible with the principle of “Connected purpose of data processing, limited and measured” in Article 4 of Law No. 6698. On the other hand, special categories of personal data may only be processed with the explicit consent of the data subject or within the scope of the Law of the conditions specified in Article 6, paragraph 3. Explicit consent of the data subject for the processing of palm print data must have been obtained by the data controller; but if explicit consent is not provided, it is a violation of Article 12 of the law. Therefore, an administrative fine shall be imposed under Article 18 of the Law; Control of exit to and entrance from the Sports Club for security purposes must be provided to the people who wish to benefit from the club services by means of alternative ways other than processing biometric data; The data controllers must be instructed to stop regulating entry to and exist from the club with biometric data and processing the data; The data of hand, finger and palm prints, processed and maintained by data controllers must be immediately destroyed, in accordance with the provisions of Article 7 of the Law and the Regulation on the Deletion, Destruction or Anonymous Making of Personal Data, If the relevant special categories of personal data is to be passed on to third parties, data controllers must be instructed to notify third parties in relation to the destruction of the data.
Decision Summary of the Board of Protection of Personal Data dated 31.05.2019 and numbered 2019/162 “commercial electronic communication sent by a joint stock company (data controller) without data subject’s explicit consent”
Data subject appealed to the data controller regarding a commercial electronic commercial; data subject claims that he/she does not know how and where his/her personal data was obtained and the message was sent without his/her explicit consent and he/she contacted the data controller within the scope of the Protection of Personal Data Law No. 6698, but the data controller didn’t respond to the data subject in the legal time period, data subject appealed to the Board; 1-Whether data controller has his/her explicit consent to send commercial electronic communications, 2-whether his/her personal data has been processed or not processed, if it has been processed, for which the purposes 3- to whom his/her personal data has been transferred at home, 4- whether his/her personal data has been transferred abroad and if it has been to whom, 5- whether data controller is aware of the commercial electronic communications that are sent to him/her and as a result of the inspection; The Board has been decided that sending commercial electronic communications to data subject’s mobile phone number, which is the complainant's personal data used by the company for the purpose of send commercial communication, is a data processing activity within the scope of Law, this process activity must based on any of the conditions under Articles 5 and 6 of the Law but such processing is not based on any of the conditions. The Board imposed an administrative fine of TL 50,000 on the data controller for failing to take technical and administrative measures in order to prevent unlawful processing of the access to personal data stated as per Article 12/1 and to ensure a adequate level of security according to Article 18/1 of the Law.
Decision Summary of the Board of Protection of Personal Data dated 31/05/20019 and numbered 2019/159 “Sending multiple messages from an asset management company to data subject’s phone number:
The data subject stated that he/she receives short messages on his / her phone without obtaining his/her explicit consent and the text message did not an option- put option, he/she does not know from where and how his/her personal data has been obtained, he/she didn’t get any results from application to the data controller in the time period indicated in the relevant articles of the Personal Data Protection Law no.6698, and he/she applied to the Board.
On the matter of failing to respond to the application of the data subject within the legal period of 30 day, the Board determine that the data controller responded to the data subject with the reply letter attachment, this letter was received by the data subject, the data controller was documented the letter with the Shipment Tracking and was answered all matters of complainant information requested. So the Board decided not to take any action regarding the data controller. The Board also decided that about the debts of the data subject, the bank has been transferred to data controller in compliance with to provision of Banking Law No. 5411 and the Turkish Code of Obligations No. 6098. The data controller was the new creditor of the credit debts used by the data subject from the related banks. Pursuant to Article 186 of Law No. 6098, to prevent the debtor from performing its debt to previous creditors; and that the data subject's data are processed in order to inform the data subject about the legal risks to which the data subject may be exposed in case the debt is not paid, as it is possible that it can be realized without the explicit consent of the person concerned in compliance with the subclause 2 of Article 5 of Law no. However, the use of personal data within the scope of Law No. 6698 is also a data processing activity. Therefore, sending the messages with the same content to the data subject’s phone number more than once is considered as abuse of the right of data controller. It has been concluded that the processing of personal data in subclause 4 of Article 4 of the Law was contrary to the principle of compliance with the law and honesty rules. About the data controller who fails to take the necessary technical and administrative measures to prevent unlawful processing of personal data in subclause 1 of Article 12 of the Law, the Board decided to impose an administrative fine of 20,000 TL on the data controller in compliance 1 of Article 18 of the Law.
Decision Summary of the Board of Protection of Personal Data dated 31/05/2018 and numbered 2019/157 “Corporate e-mail service, whether can be used provided by Google (gmail) through the same extension”
The data subject requested the Board’s guidance on the matter of whether a private e-mail addresses can be used for corporate e-mail addresses with the same extension via Google (gmail) through an open source e-mail service Zimbra, which provides a free corporate e-mail service. The Board stated that the e-mail messages sent and received might be stored in data centers located in different parts of the world while using e-mail service which belongs to Google. In such a case, the personal data would be transferred abroad and the data controller shall do in compliance with the provisions of Article 9 of Law 6698 on the Protection of Personal Data; “Transfer of personal data”, The Board stated that the storage services obtained through data controllers / data processors whose servers are located abroad shall be in compliance with Article 9 of the Law.
Other News
-
12.12.2025
Extension of the Exemption Period in Capital Loss and Over - Indebtedness Calculations
Article 376 of the Turkish Commercial Code No. 6102 ("TCC") regulates the determination of capital loss and insolvency situations in companies, and the procedures and principles to be followed in such cases are detailed in the "Communiqué on the Procedures and Principles Regarding the Application of Article 376 of the Turkish Commercial Code No. 6102" ("Communiqué on TCC Art. 376"),
-
8.12.2025
What is OFAC? Its Strategic Importance For Investors And Areas Of Application
As the world changes and with each passing day, one of the terms we encounter more frequently is "OFAC". In today's globalized world, investors seeking to make international investments come across OFAC or interact with it in one way or another. This is because the sanctions imposed by OFAC relate not only to U.S. citizens or U.S.-origin companies, but also to individuals who have direct or indirect economic or financial contact with the United States. So, what is this OFAC?
-
4.12.2025
Loans To Shareholders And Adat Invoice
In practice, it is quite common for companies to extend loans to their shareholders. In situations where the company becomes a creditor of its shareholders, adat interest must be calculated on the outstanding balance and an invoice must be issued. Accordingly, adat is a method used to calculate accrued interest based on the period during which company funds are utilized by shareholders or related parties, ensuring that any potential tax loss is compensated. These calculations are important for compliance with transfer pricing rules, accurate determination of the tax base, and the fulfillment of legal obligations such as Value Added Tax (“VAT”).
-
28.11.2025
Notification Process To The Central Securities Depository & Trade Repository Of Türkiye For Bearer Share Certificates And Legal Consequences
1. Issuance and Notification of Bearer Share Certificates Pursuant to Article 484 of the Turkish Commercial Code ("TCC"), joint stock companies have two types of share certificates: registered shares and bearer shares. While the transfer of registered shares is completed through delivery, certain conditions have been introduced under the Communiqué on the Notification and Registration of Bearer Share Certificates with the Central Securities Depository ("Communiqué") for the transfer of bearer shares. Within the scope of the Communiqué, the registration of bearer shares with the Central Securities Depository & Trade Reposıtory of Türkiye ("MKK"), the adoption of a board resolution, and the registration and announcement of this resolution before the relevant trade registry directorate and in the Turkish Trade Registry Gazette are required.
-
20.11.2025
The Letter Of Intent Procsess in Merger and Acquisition Transactions
Merger and acquisition ("M&A") transactions are multi-layered processes from both legal and commercial perspectives. Before the parties proceed to the contractual stage, they enter into a preparatory phase in order to articulate their transactional intentions, exchange commercial expectations, and establish the legal framework. This preparatory phase constitutes the initial stage in which the parties discuss the fundamental principles of the transaction structure, formulate their negotiation strategies, and assess the transactional risks.
-
14.11.2025
New Constitutional Court Decision On Violation Of The Right To A Reasoned Decision Published İn The Official Gazette
1. INTRODUCTION The reasoning constitutes the part of judicial decisions that demonstrates the cause and justification for resolving the matter in the manner indicated in the operative section, and it is an extension of adjudication. The fact that the reasoning is satisfactory and consistent is crucial for ensuring the right to be legally heard and the right to a fair trial. By setting forth the court's impartiality, a reasoned judgment enables the parties to understand and be satisfied with the material and legal grounds upon which they have won or lost the case, owing to reasoning that genuinely aligns with the contents of the file, as well as with logic and law.
-
7.11.2025
Decision Of The Constitutional Court Concercing Excluded Pernonnel
In the Constitutional Court's Judgment published in the Official Gazette dated 22 September 2025.
-
24.10.2025
The Obligation for the Principal and Subcontractor Employers to Jointly Participate in Mediation Has Been Annuled by the Constitutional Court
An important Constitutional Court decision has been published regarding the mediation process that an employee can apply to with a request for reinstatement after the termination of employment relations in the workplace. The Constitutional Court ruled that the provision in paragraph (15) of Article 3 of the Labor Courts Law No. 7036, which states, "In cases where there is a principal employer-subcontractor relationship, for a request for reinstatement to be submitted to a mediator, the employers must participate in the mediation talks together and their intentions must be compatible for an agreement to be reached," is unconstitutional. The decision was published in the Official Gazette dated October 17, 2025, and numbered 33050.
-
23.10.2025
The Constitutional Court Has Annulled The Provision Granting The President Authority To Restrict Foreign Exhange And Money Movements!
In its decision No. 2024/193 Merits 2025/136 Decision1 dated 17 June 2025 ("Decision"), published in the Official Gazette on 15 October 2025, the Constitutional Court ("Court") annulled Article 1 of Law No. 1567 on the Protection of the Value of the Turkish Currency ("Law"). The annulled provision had stated that: "The President is authorized to make decisions for the regulation and restriction of the export from or import into the country of currencies, securities, and bonds, and of the purchase and sale of foreign exchange, cash, securities, bonds, precious metals, precious stones, and any goods and valuables made of or containing them; as well as of commercial papers and all means and instruments used for payment, and to take decisions aimed at protecting the value of the Turkish currency."
-
21.10.2025
Seizure of Property Belonging to Persons Other than the Debtor and Protection of Legal Rights
In enforcement proceedings, the seizure of property that does not belong to the debtor but rather to third parties is a situation frequently encountered in practice that leads to significant aggrievements. Uncertainties arising from property regimes complicate ownership relations, making it difficult to accurately determine to whom the property belongs during enforcement measures. Within this framework, when seizure is imposed on property belonging to the debtor's spouse or another third party, the most important legal remedy is the ownership claim (assertion).
-
20.10.2025
Mergers and Acquisitions and the Notification Obligation within the Framework of Competition Law
Mergers and acquisitions (M&A) are at the center of the growth and restructuring strategies of companies. These transactions, serving the purpose of companies to expand both nationally and internationally to increase their market shares or to enter into new markets, not only give rise to economic and commercial consequences but also carry the potential to directly affect the competition dynamics in the relevant market. Therefore, merger and acquisition transactions may affect the competition structure in the market. In this respect, while M&A transactions create strategic opportunities, they are also among the areas carefully scrutinized by regulatory authorities to preserve competitive order.
-
17.10.2025
Important Amendment to the Organized Industrial Zones (OIZ) Implementation Regulation: Additional Time Granted To Participant
Published in the Official Gazette No. 33050, dated October 17, 2025, the "Regulation Amending the Organized Industrial Zones Implementation Regulation" introduces a new Provisional Article 13 to the existing regulation.This new provision allows OIZ participants who have not yet obtained a building permit or a workplace opening and operating license to apply for an extension period under certain conditions.
-
15.10.2025
Current Status Of The Obligation To Maintain Commercial Books In Electronic Form
1. INTRODUCTION With the Communiqué Amending the Communiqué on Keeping Commercial Books Not Related to the Accounting of the Enterprise in Electronic Form, published in the Official Gazette dated September 20, 2025 and numbered 33023 (“Amendment Communiqué”), significant amendments have been introduced to the Communiqué on Keeping Commercial Books Not Related to the Accounting of the Enterprise in Electronic Form, published in the Official Gazette dated February 14, 2025 and numbered 32813 (“Communiqué”).
-
25.9.2025
Social Security Procedures To Be Carried Out By The Employer Following A Reinstateme
Upon receiving notification of a final and binding reinstatement decision, if the employee communicates their intention to return to work within 10 business days, the employer may either reinstate the employee or refuse reinstatement by paying both the four months' idle period wages determined by the court and the compensation for non-reinstatement. As seen, the employer has two alternative courses of action in this situation; however, the procedures to be carried out before the Social Security Institution (SGK) differ in each case.
-
19.9.2025
The Court of Cassation has Ruled That The Competent Court Fot Cases Brought On The Grounds Of Volation Of The Non-Competition Clause Is The Commercial Court of First Instance
1. Introduction The duty not to compete is a type of loyalty obligation owed by the employee to the employer. The employee undertakes not to compete with the employer during the term of the employment contract as part of their loyalty obligation. However, Turkish law does not contain any legal provisions prohibiting the employee from competing with the employer after the employment contract has ended. However, the parties may freely agree that the employee will not compete with the employer after the termination of the employment contract. Articles 444-447 of the Turkish Code of Obligations also contain provisions and restrictions regarding non-competition agreements that may be established between the employee and the employer.
