New Decisions Of The Personal Data Protection Board 12 June 2019
Pursuant to Articles 15 and 22 of the Law on the Protection of Personal Data (referred to as the ‘Law’), the Personal Data Protection Board (referred to as the ‘Board’) has the authority to examine complaints lodged by applicants or on matters that are ex officio and issue administrative fines for violations.
The Board publishes summaries of the decisions which it deems as important and which may constitute a precedent as a result of its examinations.
Below we are presenting the summaries of the last four decisions published by the Board.
Decision of the Personal Data Protection Board dated 14/02/2019 and numbered 2019/23 on the failure of the Data Controller, who provides technical services, to Protect Personal Data:
The applicant has lodged a complaint before the Turkish Personal Data Protection Board ("Board") stating that the company responsible for the technical service ( referred to as the ‘Data Controller’ ) gave form numbers to its customers regarding their devices entry into service and the customers can access the information about the status of their device in the service by the form number query, but personal data belonging to different people can be accessed by changing the last digits of the form number. Although the relevant Data Controller stated that it was not possible to access the personal data of the device owners during the inquiries, it was found by the Board that inquiries about the other device owners could be made and the name, surname, address and IMEI number of the different persons could be accessed. Accordingly, with the decision dated 14/02/2019 and numbered 2019/23, the Board decided that the Data Controller failed to take the necessary administrative and technical measures to ensure the protection of personal data pursuant to article 12 of the Law on the Protection of Personal Data No. 6698, and therefore imposed an administrative fine of TL 150,000 pursuant to Article 18 of the relevant Law and stopped the use of the relevant internet link until the violation of the said law is corrected.
Decision of the Personal Data Protection Board dated 05/03/2019 and numbered 2019/52 on Non-compliance of the Data Controller, who provides technical service, with the Decision of the Board:
Following the notification of the Personal Data Protection Board dated 14/02/2019 and numbered 2019/23 to the Data Controller Company, the inquiries were made with different form numbers on the Company website by the Board, and it was found that inquiries of other devices can still be carried out and no other security verification is being performed, also when the 'Click for Device Registration Images ‘link on the website is selected, the IMEI numbers are still clearly displayed. In this respect, due to non-compliance with the decision of the Board numbered 2019/23, (“…immediately abolish the said contradiction and immediately stop the use of the links in this Decision until the approval of the said contradiction is provided ..” ), which was notified to the Company, and failure of the Company to comply with Article 15 of the Personal Data Protection Act, the Board has decided to impose an administrative fine of TL 50,000 to the Company within the framework of Article 18 of the relevant law. In addition, the Board ordered the Company to change the system that allows inquiries for device monitoring and to immediately shut down access to the system in question.
Decision of the Personal Data Protection Board dated 01/03/2019 and numbered 2019/47 on the transfer of personal data to the judiciary and third parties without consent:
The applicant has lodged a complaint before the Personal Data Protection Board regarding illegal access to personal information about himself and his family and the transfer of it to the judiciary and third parties without his consent. As a result of the examination conducted by the Board, it was determined that the complainee did not engage in any personal data processing activity that was partially or fully automated or that was not part of any data recording system, and therefore the complainee could not be considered as a Data Controller. The Board further stated that the alleged unlawful collection of personal data belonging to the applicant and his family by the complainee was a criminal offense under the Turkish Penal Code and therefore there was no action to be taken under the Law no. 6698 on this subject.
Decision of the Personal Data Protection Board dated 02/05/2019 and numbered 2019/122 on the Failure to Respond to Applicant's Application to the Bank and the Non-Compliance of Information Text with the Regulations under the Law:
Pursuant to the rights contained in article 11 of the Law on Personal Data Protection No. 6698 , the applicant lodged a complaint to the Data Controller T.C Ziraat Bank A.Ş ( referred to as the ’ Bank’ ) via registered email (KEP) . However, this complaint was not replied within the legal period of thirty days. Thereupon, the applicant complained to the Board that the Information Text published by the Data Controller on the website did not meet the conditions stipulated in the legislation. A letter was sent to the Bank by the Board to provide explanations on the subject matter, but no response was given by the Bank. Therefore, pursuant to the third paragraph of Article 18 of the Personal Data Protection Law no. 6698, the Board has decided to take disciplinary actions against the persons responsible for violation in the Bank and those responsible for taking necessary measures and inspections. Furthermore, the Board ordered the Bank to respond to the Applicant's requests for the implementation of the Law. The Board has ordered the Bank to revise the Information Text on the Bank's website and to bring it in line with the provisions of the Communiqué, because it was not prepared in accordance with the provisions of paragraph (g) and (h) of of article 5 (including general and ambiguous statements and lack of legal reasons) of the Communiqué on the Procedures and Principles to be Complied With In Fulfilling the Obligation to Inform.
Decision of the Personal Data Protection Board on “Loyalty Cards’’ of Market Chains dated 25/03/2019 and numbered 2019/82:
The loyalty card is a card which is obtained from the stores of a market and provides the advantage of discounting and accumulating points in some purchases. On the website of the loyalty card, a warning text appears which states that ‘ In order to continue to take advantage of the card benefits, it is sufficient to grant data processing permission under the Personal Data Protection Act…… if you do not have permission, please read and confirm the membership and consent statement ‘’. In the text messages sent to the mobile phones of the customers it is stated that ‘’Please update your permission under the Protection of Personal Data Act. Our customers whose licenses are out of date will not be able to shop by saying mobile phones from our safes because their personal information will be deleted. ” In this sense, since the explicit consent was put forward as a condition for the provision of a product or service, it was requested by the applicant to establish the necessary transactions within the scope of the Personal Data Protection Law (referred to as the ‘Law’) no. 6698, and it was lodged as a complaint by the applicant that during the request for explicit consent of the customers, the company has requested a service fee of TL 0.01 under the name of Data Permit Application. As a result of the examination of the complaint, the Board found that participation in the Loyalty Card Program was not obligatory for the customers within the scope of service provision by the Data Controller Company and that there was no such situation as not providing services to the customers who are not members of the Program. The Board therefore concluded that, there was no action to be taken in relation to the applicant's claim that the provision of a service or product by the Company was subject to the express consent. With regards to receiving a service fee of TL 0.01 under the name of Data Permit Application, the Data Controller stated as defense that this event occurred due to a systematic error in information technology, and that the same amount of discount was charged to the customers' card as compensation immediately. Therefore, the Board has decided that there is no action to be taken by the Board under this Law. On the other hand, as a result of the examinations of the Board it is seen that open-ended statements are included in the Information Text, there are inconsistencies between the ‘Membership and Consent Statement’ and the ‘Information Text’ , in the information text it is stated that personal data (such as information on memberships of trade unions / associations / foundations, criminal convictions, data on security measures, sexual life, biometric data and information about health status) can be processed, the main field of activity of the company is to supply food and necessities to consumers in retail, and the Loyalty Card application offered in all the workplaces of the Company is designed as a marketing program. In view of the above, it has been found by the Board that the processing of personal data such as criminal convictions and data on security measures is not related to the purposes of the company, and is not limited and measured within the activities of the Data Controller. Therefore, the Board ordered that the inconsistencies between the ‘Membership and Consent Statement’ and the’ Information Text’ should be eliminated and tthe Company's Information Text should be updated by taking into consideration the basic principles of the Law and the provisions of the Communiqué. The Board ordered that the inconsistency between the “Membership and Consent Statement” and “Information Text’’ should be eliminated and the Company's Information Text should be updated by taking into consideration the basic principles of the Law and the provisions of the Communiqué.
Other News
-
24.10.2025
The Obligation for the Principal and Subcontractor Employers to Jointly Participate in Mediation Has Been Annuled by the Constitutional Court
An important Constitutional Court decision has been published regarding the mediation process that an employee can apply to with a request for reinstatement after the termination of employment relations in the workplace. The Constitutional Court ruled that the provision in paragraph (15) of Article 3 of the Labor Courts Law No. 7036, which states, "In cases where there is a principal employer-subcontractor relationship, for a request for reinstatement to be submitted to a mediator, the employers must participate in the mediation talks together and their intentions must be compatible for an agreement to be reached," is unconstitutional. The decision was published in the Official Gazette dated October 17, 2025, and numbered 33050.
-
23.10.2025
The Constitutional Court Has Annulled The Provision Granting The President Authority To Restrict Foreign Exhange And Money Movements!
In its decision No. 2024/193 Merits 2025/136 Decision1 dated 17 June 2025 ("Decision"), published in the Official Gazette on 15 October 2025, the Constitutional Court ("Court") annulled Article 1 of Law No. 1567 on the Protection of the Value of the Turkish Currency ("Law"). The annulled provision had stated that: "The President is authorized to make decisions for the regulation and restriction of the export from or import into the country of currencies, securities, and bonds, and of the purchase and sale of foreign exchange, cash, securities, bonds, precious metals, precious stones, and any goods and valuables made of or containing them; as well as of commercial papers and all means and instruments used for payment, and to take decisions aimed at protecting the value of the Turkish currency."
-
21.10.2025
Seizure of Property Belonging to Persons Other than the Debtor and Protection of Legal Rights
In enforcement proceedings, the seizure of property that does not belong to the debtor but rather to third parties is a situation frequently encountered in practice that leads to significant aggrievements. Uncertainties arising from property regimes complicate ownership relations, making it difficult to accurately determine to whom the property belongs during enforcement measures. Within this framework, when seizure is imposed on property belonging to the debtor's spouse or another third party, the most important legal remedy is the ownership claim (assertion).
-
20.10.2025
Mergers and Acquisitions and the Notification Obligation within the Framework of Competition Law
Mergers and acquisitions (M&A) are at the center of the growth and restructuring strategies of companies. These transactions, serving the purpose of companies to expand both nationally and internationally to increase their market shares or to enter into new markets, not only give rise to economic and commercial consequences but also carry the potential to directly affect the competition dynamics in the relevant market. Therefore, merger and acquisition transactions may affect the competition structure in the market. In this respect, while M&A transactions create strategic opportunities, they are also among the areas carefully scrutinized by regulatory authorities to preserve competitive order.
-
17.10.2025
Important Amendment to the Organized Industrial Zones (OIZ) Implementation Regulation: Additional Time Granted To Participant
Published in the Official Gazette No. 33050, dated October 17, 2025, the "Regulation Amending the Organized Industrial Zones Implementation Regulation" introduces a new Provisional Article 13 to the existing regulation.This new provision allows OIZ participants who have not yet obtained a building permit or a workplace opening and operating license to apply for an extension period under certain conditions.
-
15.10.2025
Current Status Of The Obligation To Maintain Commercial Books In Electronic Form
1. INTRODUCTION With the Communiqué Amending the Communiqué on Keeping Commercial Books Not Related to the Accounting of the Enterprise in Electronic Form, published in the Official Gazette dated September 20, 2025 and numbered 33023 (“Amendment Communiqué”), significant amendments have been introduced to the Communiqué on Keeping Commercial Books Not Related to the Accounting of the Enterprise in Electronic Form, published in the Official Gazette dated February 14, 2025 and numbered 32813 (“Communiqué”).
-
25.9.2025
Social Security Procedures To Be Carried Out By The Employer Following A Reinstateme
Upon receiving notification of a final and binding reinstatement decision, if the employee communicates their intention to return to work within 10 business days, the employer may either reinstate the employee or refuse reinstatement by paying both the four months' idle period wages determined by the court and the compensation for non-reinstatement. As seen, the employer has two alternative courses of action in this situation; however, the procedures to be carried out before the Social Security Institution (SGK) differ in each case.
-
19.9.2025
The Court of Cassation has Ruled That The Competent Court Fot Cases Brought On The Grounds Of Volation Of The Non-Competition Clause Is The Commercial Court of First Instance
1. Introduction The duty not to compete is a type of loyalty obligation owed by the employee to the employer. The employee undertakes not to compete with the employer during the term of the employment contract as part of their loyalty obligation. However, Turkish law does not contain any legal provisions prohibiting the employee from competing with the employer after the employment contract has ended. However, the parties may freely agree that the employee will not compete with the employer after the termination of the employment contract. Articles 444-447 of the Turkish Code of Obligations also contain provisions and restrictions regarding non-competition agreements that may be established between the employee and the employer.
-
16.9.2025
Transfer Fee: Legal Characterization and Practical Application
1. Introduction The concept of a transfer fee is not directly defined in the Turkish Labor Code; its framework and legal nature in practice have largely been shaped by the decisions of the Court of Cassation (Turkey). This practice, which arises particularly in sectors with intense competition and limited skilled labor, is a type of payment that employers must carefully consider within the scope of their employment policies.
-
5.9.2025
Competition in the Labor Market: HR Practices to Avoid
The Turkish Competition Authority ("Authority"), which is entrusted with ensuring the proper functioning of markets, identifying practices that restrict competition, and imposing sanctions against infringements, operates under Law No. 4054 on the Protection of Competition ("Law") without distinction between input and output markets. Labor markets have recently emerged as one of the primary arenas in which entities compete in input markets and, with the influence of various additional dynamics, have become a market increasingly prioritized by the Authority. The Guidelines on Competition Violations in Labor Markets ("Guidelines"), adopted by the Authority on November 21, 2024, serve as an important reference for the prevention of competition infringements in labor markets. In this bulletin, in light of the Guidelines and decisions of the Competition Board ("Board") within the Authority, (i) the fundamental principles and information regarding the application of competition law to labor markets, and (ii) the main prohibited practices to be observed when competing in labor markets will be addressed.
-
29.8.2025
Does An Employee's Extended Period Of Sick Leave Grant The Employer The Right To Terminate The Emploment Contract?
In employer-employee relations, the direct impact of long-term medical reports on the status of the employment contract holds critical importance for both employees and employers. In particular, uninterrupted periods of sick leave lasting for a certain duration are regulated under Article 25/I(b) of the Labour Law as a specific provision that grants the employer the right to immediate termination for just cause and determines the rights to be granted to the employee. In this context, how the employer may exercise the right of termination for just cause following the employee's extended medical leave and the legal basis of this process should be examined in detail.
-
27.8.2025
Regulation On Direct Selling Was Published
The Regulation on Direct Selling ("Regulation"), issued by the Ministry of Trade ("Ministry") pursuant to Articles 47/A and 84 of the Consumer Protection Law No. 6502, was published in the Official Gazette dated 08.08.2025 and numbered 32980, thereby entering into force.
-
18.8.2025
SMS Verification Codes and the Personal Data Protection Board's Guideline Decision No. 2025/1072
The Personal Data Protection Board's Guideline Decision dated 10 June 2025 and numbered 2025/1072 introduces significant regulations regarding personal data processing activities conducted through SMS verification codes, which have become a widespread practice in commercial life. The decision requires significant adjustments to customer relationship management, particularly in the service and retail industries.
-
11.8.2025
Mergers And Acquisitions Of Companies Engaged In Renewable Energy Gereration
In recent years, notable developments in Turkey's electricity market have extended beyond investments aimed solely at increasing generation capacity. The sector has also come into focus through strategic investments and merger and acquisition (M&A) transactions involving companies operating in the field of renewable energy.
-
31.7.2025
Annual Leave, Severance Pay, and Notice Pay in Part - Time Employment Contracts
Part-Time Employment Contract Article 13 of the Labor Law No. 4857 defines a part-time employment contract as "a contract in which the employee's normal weekly working hours are significantly less than those of a full-time employee performing similar work."
