New Decisions Of The Personal Data Protection Board 12 June 2019
Pursuant to Articles 15 and 22 of the Law on the Protection of Personal Data (referred to as the ‘Law’), the Personal Data Protection Board (referred to as the ‘Board’) has the authority to examine complaints lodged by applicants or on matters that are ex officio and issue administrative fines for violations.
The Board publishes summaries of the decisions which it deems as important and which may constitute a precedent as a result of its examinations.
Below we are presenting the summaries of the last four decisions published by the Board.
Decision of the Personal Data Protection Board dated 14/02/2019 and numbered 2019/23 on the failure of the Data Controller, who provides technical services, to Protect Personal Data:
The applicant has lodged a complaint before the Turkish Personal Data Protection Board ("Board") stating that the company responsible for the technical service ( referred to as the ‘Data Controller’ ) gave form numbers to its customers regarding their devices entry into service and the customers can access the information about the status of their device in the service by the form number query, but personal data belonging to different people can be accessed by changing the last digits of the form number. Although the relevant Data Controller stated that it was not possible to access the personal data of the device owners during the inquiries, it was found by the Board that inquiries about the other device owners could be made and the name, surname, address and IMEI number of the different persons could be accessed. Accordingly, with the decision dated 14/02/2019 and numbered 2019/23, the Board decided that the Data Controller failed to take the necessary administrative and technical measures to ensure the protection of personal data pursuant to article 12 of the Law on the Protection of Personal Data No. 6698, and therefore imposed an administrative fine of TL 150,000 pursuant to Article 18 of the relevant Law and stopped the use of the relevant internet link until the violation of the said law is corrected.
Decision of the Personal Data Protection Board dated 05/03/2019 and numbered 2019/52 on Non-compliance of the Data Controller, who provides technical service, with the Decision of the Board:
Following the notification of the Personal Data Protection Board dated 14/02/2019 and numbered 2019/23 to the Data Controller Company, the inquiries were made with different form numbers on the Company website by the Board, and it was found that inquiries of other devices can still be carried out and no other security verification is being performed, also when the 'Click for Device Registration Images ‘link on the website is selected, the IMEI numbers are still clearly displayed. In this respect, due to non-compliance with the decision of the Board numbered 2019/23, (“…immediately abolish the said contradiction and immediately stop the use of the links in this Decision until the approval of the said contradiction is provided ..” ), which was notified to the Company, and failure of the Company to comply with Article 15 of the Personal Data Protection Act, the Board has decided to impose an administrative fine of TL 50,000 to the Company within the framework of Article 18 of the relevant law. In addition, the Board ordered the Company to change the system that allows inquiries for device monitoring and to immediately shut down access to the system in question.
Decision of the Personal Data Protection Board dated 01/03/2019 and numbered 2019/47 on the transfer of personal data to the judiciary and third parties without consent:
The applicant has lodged a complaint before the Personal Data Protection Board regarding illegal access to personal information about himself and his family and the transfer of it to the judiciary and third parties without his consent. As a result of the examination conducted by the Board, it was determined that the complainee did not engage in any personal data processing activity that was partially or fully automated or that was not part of any data recording system, and therefore the complainee could not be considered as a Data Controller. The Board further stated that the alleged unlawful collection of personal data belonging to the applicant and his family by the complainee was a criminal offense under the Turkish Penal Code and therefore there was no action to be taken under the Law no. 6698 on this subject.
Decision of the Personal Data Protection Board dated 02/05/2019 and numbered 2019/122 on the Failure to Respond to Applicant's Application to the Bank and the Non-Compliance of Information Text with the Regulations under the Law:
Pursuant to the rights contained in article 11 of the Law on Personal Data Protection No. 6698 , the applicant lodged a complaint to the Data Controller T.C Ziraat Bank A.Ş ( referred to as the ’ Bank’ ) via registered email (KEP) . However, this complaint was not replied within the legal period of thirty days. Thereupon, the applicant complained to the Board that the Information Text published by the Data Controller on the website did not meet the conditions stipulated in the legislation. A letter was sent to the Bank by the Board to provide explanations on the subject matter, but no response was given by the Bank. Therefore, pursuant to the third paragraph of Article 18 of the Personal Data Protection Law no. 6698, the Board has decided to take disciplinary actions against the persons responsible for violation in the Bank and those responsible for taking necessary measures and inspections. Furthermore, the Board ordered the Bank to respond to the Applicant's requests for the implementation of the Law. The Board has ordered the Bank to revise the Information Text on the Bank's website and to bring it in line with the provisions of the Communiqué, because it was not prepared in accordance with the provisions of paragraph (g) and (h) of of article 5 (including general and ambiguous statements and lack of legal reasons) of the Communiqué on the Procedures and Principles to be Complied With In Fulfilling the Obligation to Inform.
Decision of the Personal Data Protection Board on “Loyalty Cards’’ of Market Chains dated 25/03/2019 and numbered 2019/82:
The loyalty card is a card which is obtained from the stores of a market and provides the advantage of discounting and accumulating points in some purchases. On the website of the loyalty card, a warning text appears which states that ‘ In order to continue to take advantage of the card benefits, it is sufficient to grant data processing permission under the Personal Data Protection Act…… if you do not have permission, please read and confirm the membership and consent statement ‘’. In the text messages sent to the mobile phones of the customers it is stated that ‘’Please update your permission under the Protection of Personal Data Act. Our customers whose licenses are out of date will not be able to shop by saying mobile phones from our safes because their personal information will be deleted. ” In this sense, since the explicit consent was put forward as a condition for the provision of a product or service, it was requested by the applicant to establish the necessary transactions within the scope of the Personal Data Protection Law (referred to as the ‘Law’) no. 6698, and it was lodged as a complaint by the applicant that during the request for explicit consent of the customers, the company has requested a service fee of TL 0.01 under the name of Data Permit Application. As a result of the examination of the complaint, the Board found that participation in the Loyalty Card Program was not obligatory for the customers within the scope of service provision by the Data Controller Company and that there was no such situation as not providing services to the customers who are not members of the Program. The Board therefore concluded that, there was no action to be taken in relation to the applicant's claim that the provision of a service or product by the Company was subject to the express consent. With regards to receiving a service fee of TL 0.01 under the name of Data Permit Application, the Data Controller stated as defense that this event occurred due to a systematic error in information technology, and that the same amount of discount was charged to the customers' card as compensation immediately. Therefore, the Board has decided that there is no action to be taken by the Board under this Law. On the other hand, as a result of the examinations of the Board it is seen that open-ended statements are included in the Information Text, there are inconsistencies between the ‘Membership and Consent Statement’ and the ‘Information Text’ , in the information text it is stated that personal data (such as information on memberships of trade unions / associations / foundations, criminal convictions, data on security measures, sexual life, biometric data and information about health status) can be processed, the main field of activity of the company is to supply food and necessities to consumers in retail, and the Loyalty Card application offered in all the workplaces of the Company is designed as a marketing program. In view of the above, it has been found by the Board that the processing of personal data such as criminal convictions and data on security measures is not related to the purposes of the company, and is not limited and measured within the activities of the Data Controller. Therefore, the Board ordered that the inconsistencies between the ‘Membership and Consent Statement’ and the’ Information Text’ should be eliminated and tthe Company's Information Text should be updated by taking into consideration the basic principles of the Law and the provisions of the Communiqué. The Board ordered that the inconsistency between the “Membership and Consent Statement” and “Information Text’’ should be eliminated and the Company's Information Text should be updated by taking into consideration the basic principles of the Law and the provisions of the Communiqué.
Other News
-
16.9.2025
Transfer Fee: Legal Characterization and Practical Application
1. Introduction The concept of a transfer fee is not directly defined in the Turkish Labor Code; its framework and legal nature in practice have largely been shaped by the decisions of the Court of Cassation (Turkey). This practice, which arises particularly in sectors with intense competition and limited skilled labor, is a type of payment that employers must carefully consider within the scope of their employment policies.
-
5.9.2025
Competition in the Labor Market: HR Practices to Avoid
The Turkish Competition Authority ("Authority"), which is entrusted with ensuring the proper functioning of markets, identifying practices that restrict competition, and imposing sanctions against infringements, operates under Law No. 4054 on the Protection of Competition ("Law") without distinction between input and output markets. Labor markets have recently emerged as one of the primary arenas in which entities compete in input markets and, with the influence of various additional dynamics, have become a market increasingly prioritized by the Authority. The Guidelines on Competition Violations in Labor Markets ("Guidelines"), adopted by the Authority on November 21, 2024, serve as an important reference for the prevention of competition infringements in labor markets. In this bulletin, in light of the Guidelines and decisions of the Competition Board ("Board") within the Authority, (i) the fundamental principles and information regarding the application of competition law to labor markets, and (ii) the main prohibited practices to be observed when competing in labor markets will be addressed.
-
29.8.2025
Does An Employee's Extended Period Of Sick Leave Grant The Employer The Right To Terminate The Emploment Contract?
In employer-employee relations, the direct impact of long-term medical reports on the status of the employment contract holds critical importance for both employees and employers. In particular, uninterrupted periods of sick leave lasting for a certain duration are regulated under Article 25/I(b) of the Labour Law as a specific provision that grants the employer the right to immediate termination for just cause and determines the rights to be granted to the employee. In this context, how the employer may exercise the right of termination for just cause following the employee's extended medical leave and the legal basis of this process should be examined in detail.
-
27.8.2025
Regulation On Direct Selling Was Published
The Regulation on Direct Selling ("Regulation"), issued by the Ministry of Trade ("Ministry") pursuant to Articles 47/A and 84 of the Consumer Protection Law No. 6502, was published in the Official Gazette dated 08.08.2025 and numbered 32980, thereby entering into force.
-
18.8.2025
SMS Verification Codes and the Personal Data Protection Board's Guideline Decision No. 2025/1072
The Personal Data Protection Board's Guideline Decision dated 10 June 2025 and numbered 2025/1072 introduces significant regulations regarding personal data processing activities conducted through SMS verification codes, which have become a widespread practice in commercial life. The decision requires significant adjustments to customer relationship management, particularly in the service and retail industries.
-
11.8.2025
Mergers And Acquisitions Of Companies Engaged In Renewable Energy Gereration
In recent years, notable developments in Turkey's electricity market have extended beyond investments aimed solely at increasing generation capacity. The sector has also come into focus through strategic investments and merger and acquisition (M&A) transactions involving companies operating in the field of renewable energy.
-
31.7.2025
Annual Leave, Severance Pay, and Notice Pay in Part - Time Employment Contracts
Part-Time Employment Contract Article 13 of the Labor Law No. 4857 defines a part-time employment contract as "a contract in which the employee's normal weekly working hours are significantly less than those of a full-time employee performing similar work."
-
30.7.2025
Legal Remedies And The Official Appeal Process For Property Tax Values
a. General Overview Following the enactment of Law No. 4751 in 2002, which amended the Tax Procedure Law, the Property Tax Law, and the Fees Law, the declaration-based system for determining the property tax base was abolished, and the tariff and assesment procedure implemented by administrative authorities was adopted.
-
25.7.2025
Labour Law No. 4857 Amended! Electronic Notification Opportunity Introduced With Rem
Article 109 of the Labour Law No. 4857 has been amended, together with its title and content, by the Law Amending the Law on the Protection of the Value of Turkish Currency and Certain Laws and the Decree Law No. 635 published in the Official Gazette dated 24 July 2025. With this important amendment, the procedures regarding the form of notifications to be made between employers and employees have been redefined.
-
16.7.2025
Terminatıon Right Of The Employer Due To Conviction And Detention And Legal Consequences
In labour law practice, which is a dynamic field based on the principle of protecting the balance between the employee and the employer, the employee's failure to fulfill their obligation to perform work-especially when this results from circumstances that restrict individual freedom, such as conviction or detention-has significant legal consequences regarding the termination of the employment contract.
-
14.7.2025
Radical Change In The Labor Law Dated 14.07.2025: Flexible Week Holiday Period Has Started In The Tourism Sector!
With the Law No. 7553 on the "Amendment of Certain Laws and Decree Law No. 375" published in the Official Gazette on July 14, 2025, important innovations have been introduced in the Labor Law and some other laws. In this context; as of 14.07.2025, with the provision added to the article Article 46 of the Labor Law which regulates the week holiday, flexible week holiday specific to the tourism sector have been introduced.
-
9.7.2025
Climate Law Enacted
The Climate Law No. 7552 ("Law"), which includes regulations on the procedures and principles related to the reduction of greenhouse gas emissions in the fight against climate change, climate adaptation activities, planning and implementation tools, revenues, permits and inspections, and the legal and institutional framework surrounding these, was published in the Official Gazette dated July 9, 2025, No. 32951, and entered into force. This Law sets out general principles and objectives from a casuistic perspective, preferring to leave detailed and technical regulations to secondary legislation.
-
7.7.2025
Mediation Practices In The Land Registry
Pursuant to the amendments introduced by Law on Amendments to the Enforcement and Bankruptcy Law and to Certain Other Laws which was published in the Official Gazette dated 05.04.2023, numbered 32154 to the Law on Mediation in Civil Disputes dated 7/6/2012 and numbered 6325 ("Law"), the scope of disputes that may be resolved through procedural- mandatory- and voluntary mediation has been expanded.
-
27.6.2025
Effects Of The Concordatum Period On Pledgees
Pursuant to Article 285 of the Enforcement and Bankruptcy Law (EBL), a debtor who is unable to pay their debts on time or is at risk of default may request a concordatum. During the period granted to the debtor upon such request, no enforcement proceedings may be initiated, and ongoing proceedings are suspended, in accordance with Article 294/1 of the EBL.
-
18.6.2025
M&A Dynamics in Publicly Traded Companies: New Investment Strategies Through Borsa Istanbul
In recent years, IPOs in Turkey have reached record levels. In 2023 and 2024, a large number of companies started trading in Borsa Istanbul as a result of initial public offerings (IPO) transactions. These IPOs, which attracted great interest from small investors, stand out as important strategic moves in which companies gain transparency and visibility, and also play a role as an important financing tool. With IPOs, publicly traded companies / partnerships are now drawing the attention of not only small investors but also domestic/foreign strategic and financial investors.
