New Decisions Of The Personal Data Protection Board 12 June 2019
Pursuant to Articles 15 and 22 of the Law on the Protection of Personal Data (referred to as the ‘Law’), the Personal Data Protection Board (referred to as the ‘Board’) has the authority to examine complaints lodged by applicants or on matters that are ex officio and issue administrative fines for violations.
The Board publishes summaries of the decisions which it deems as important and which may constitute a precedent as a result of its examinations.
Below we are presenting the summaries of the last four decisions published by the Board.
Decision of the Personal Data Protection Board dated 14/02/2019 and numbered 2019/23 on the failure of the Data Controller, who provides technical services, to Protect Personal Data:
The applicant has lodged a complaint before the Turkish Personal Data Protection Board ("Board") stating that the company responsible for the technical service ( referred to as the ‘Data Controller’ ) gave form numbers to its customers regarding their devices entry into service and the customers can access the information about the status of their device in the service by the form number query, but personal data belonging to different people can be accessed by changing the last digits of the form number. Although the relevant Data Controller stated that it was not possible to access the personal data of the device owners during the inquiries, it was found by the Board that inquiries about the other device owners could be made and the name, surname, address and IMEI number of the different persons could be accessed. Accordingly, with the decision dated 14/02/2019 and numbered 2019/23, the Board decided that the Data Controller failed to take the necessary administrative and technical measures to ensure the protection of personal data pursuant to article 12 of the Law on the Protection of Personal Data No. 6698, and therefore imposed an administrative fine of TL 150,000 pursuant to Article 18 of the relevant Law and stopped the use of the relevant internet link until the violation of the said law is corrected.
Decision of the Personal Data Protection Board dated 05/03/2019 and numbered 2019/52 on Non-compliance of the Data Controller, who provides technical service, with the Decision of the Board:
Following the notification of the Personal Data Protection Board dated 14/02/2019 and numbered 2019/23 to the Data Controller Company, the inquiries were made with different form numbers on the Company website by the Board, and it was found that inquiries of other devices can still be carried out and no other security verification is being performed, also when the 'Click for Device Registration Images ‘link on the website is selected, the IMEI numbers are still clearly displayed. In this respect, due to non-compliance with the decision of the Board numbered 2019/23, (“…immediately abolish the said contradiction and immediately stop the use of the links in this Decision until the approval of the said contradiction is provided ..” ), which was notified to the Company, and failure of the Company to comply with Article 15 of the Personal Data Protection Act, the Board has decided to impose an administrative fine of TL 50,000 to the Company within the framework of Article 18 of the relevant law. In addition, the Board ordered the Company to change the system that allows inquiries for device monitoring and to immediately shut down access to the system in question.
Decision of the Personal Data Protection Board dated 01/03/2019 and numbered 2019/47 on the transfer of personal data to the judiciary and third parties without consent:
The applicant has lodged a complaint before the Personal Data Protection Board regarding illegal access to personal information about himself and his family and the transfer of it to the judiciary and third parties without his consent. As a result of the examination conducted by the Board, it was determined that the complainee did not engage in any personal data processing activity that was partially or fully automated or that was not part of any data recording system, and therefore the complainee could not be considered as a Data Controller. The Board further stated that the alleged unlawful collection of personal data belonging to the applicant and his family by the complainee was a criminal offense under the Turkish Penal Code and therefore there was no action to be taken under the Law no. 6698 on this subject.
Decision of the Personal Data Protection Board dated 02/05/2019 and numbered 2019/122 on the Failure to Respond to Applicant's Application to the Bank and the Non-Compliance of Information Text with the Regulations under the Law:
Pursuant to the rights contained in article 11 of the Law on Personal Data Protection No. 6698 , the applicant lodged a complaint to the Data Controller T.C Ziraat Bank A.Ş ( referred to as the ’ Bank’ ) via registered email (KEP) . However, this complaint was not replied within the legal period of thirty days. Thereupon, the applicant complained to the Board that the Information Text published by the Data Controller on the website did not meet the conditions stipulated in the legislation. A letter was sent to the Bank by the Board to provide explanations on the subject matter, but no response was given by the Bank. Therefore, pursuant to the third paragraph of Article 18 of the Personal Data Protection Law no. 6698, the Board has decided to take disciplinary actions against the persons responsible for violation in the Bank and those responsible for taking necessary measures and inspections. Furthermore, the Board ordered the Bank to respond to the Applicant's requests for the implementation of the Law. The Board has ordered the Bank to revise the Information Text on the Bank's website and to bring it in line with the provisions of the Communiqué, because it was not prepared in accordance with the provisions of paragraph (g) and (h) of of article 5 (including general and ambiguous statements and lack of legal reasons) of the Communiqué on the Procedures and Principles to be Complied With In Fulfilling the Obligation to Inform.
Decision of the Personal Data Protection Board on “Loyalty Cards’’ of Market Chains dated 25/03/2019 and numbered 2019/82:
The loyalty card is a card which is obtained from the stores of a market and provides the advantage of discounting and accumulating points in some purchases. On the website of the loyalty card, a warning text appears which states that ‘ In order to continue to take advantage of the card benefits, it is sufficient to grant data processing permission under the Personal Data Protection Act…… if you do not have permission, please read and confirm the membership and consent statement ‘’. In the text messages sent to the mobile phones of the customers it is stated that ‘’Please update your permission under the Protection of Personal Data Act. Our customers whose licenses are out of date will not be able to shop by saying mobile phones from our safes because their personal information will be deleted. ” In this sense, since the explicit consent was put forward as a condition for the provision of a product or service, it was requested by the applicant to establish the necessary transactions within the scope of the Personal Data Protection Law (referred to as the ‘Law’) no. 6698, and it was lodged as a complaint by the applicant that during the request for explicit consent of the customers, the company has requested a service fee of TL 0.01 under the name of Data Permit Application. As a result of the examination of the complaint, the Board found that participation in the Loyalty Card Program was not obligatory for the customers within the scope of service provision by the Data Controller Company and that there was no such situation as not providing services to the customers who are not members of the Program. The Board therefore concluded that, there was no action to be taken in relation to the applicant's claim that the provision of a service or product by the Company was subject to the express consent. With regards to receiving a service fee of TL 0.01 under the name of Data Permit Application, the Data Controller stated as defense that this event occurred due to a systematic error in information technology, and that the same amount of discount was charged to the customers' card as compensation immediately. Therefore, the Board has decided that there is no action to be taken by the Board under this Law. On the other hand, as a result of the examinations of the Board it is seen that open-ended statements are included in the Information Text, there are inconsistencies between the ‘Membership and Consent Statement’ and the ‘Information Text’ , in the information text it is stated that personal data (such as information on memberships of trade unions / associations / foundations, criminal convictions, data on security measures, sexual life, biometric data and information about health status) can be processed, the main field of activity of the company is to supply food and necessities to consumers in retail, and the Loyalty Card application offered in all the workplaces of the Company is designed as a marketing program. In view of the above, it has been found by the Board that the processing of personal data such as criminal convictions and data on security measures is not related to the purposes of the company, and is not limited and measured within the activities of the Data Controller. Therefore, the Board ordered that the inconsistencies between the ‘Membership and Consent Statement’ and the’ Information Text’ should be eliminated and tthe Company's Information Text should be updated by taking into consideration the basic principles of the Law and the provisions of the Communiqué. The Board ordered that the inconsistency between the “Membership and Consent Statement” and “Information Text’’ should be eliminated and the Company's Information Text should be updated by taking into consideration the basic principles of the Law and the provisions of the Communiqué.
Other News
-
7.7.2025
Mediation Practices In The Land Registry
Pursuant to the amendments introduced by Law on Amendments to the Enforcement and Bankruptcy Law and to Certain Other Laws which was published in the Official Gazette dated 05.04.2023, numbered 32154 to the Law on Mediation in Civil Disputes dated 7/6/2012 and numbered 6325 ("Law"), the scope of disputes that may be resolved through procedural- mandatory- and voluntary mediation has been expanded.
-
27.6.2025
Effects Of The Concordatum Period On Pledgees
Pursuant to Article 285 of the Enforcement and Bankruptcy Law (EBL), a debtor who is unable to pay their debts on time or is at risk of default may request a concordatum. During the period granted to the debtor upon such request, no enforcement proceedings may be initiated, and ongoing proceedings are suspended, in accordance with Article 294/1 of the EBL.
-
18.6.2025
M&A Dynamics in Publicly Traded Companies: New Investment Strategies Through Borsa Istanbul
In recent years, IPOs in Turkey have reached record levels. In 2023 and 2024, a large number of companies started trading in Borsa Istanbul as a result of initial public offerings (IPO) transactions. These IPOs, which attracted great interest from small investors, stand out as important strategic moves in which companies gain transparency and visibility, and also play a role as an important financing tool. With IPOs, publicly traded companies / partnerships are now drawing the attention of not only small investors but also domestic/foreign strategic and financial investors.
-
16.6.2025
The Court Of Cassation Abandoned Its Long-Standing Precedent Regarding Construction Conracts In Return For Land Shares, Known As "Advance Deed"
Construction contracts in return for land shares are a common practice in the construction sector in Turkey.
-
11.6.2025
Amendments To The Regulation On Distance Contracts: Return Shipping Fees And Right Of Withdrawal For Electronics
With the Regulation Amending the Regulation on Distance Contracts ("Amending Regulation") published in the Official Gazette dated May 24, 2025 and numbered 32909, important amendments were made regarding distance sales. The key changes introduced by the Amending Regulation are as follows:
-
30.5.2025
Alimony Against Inflation: Adjustmen of Alimony and the Issue of Payment in Foreign Currency
Alimony for supplementary welfare allowance and child support awarded by court judgment as a result of divorce cases is generally fixed at a certain amount and either remains the same over the years or is increased only within limited rates determined by the court. Similarly, the provisional alimony determined during the litigation process can become insufficient over time due to the prolonged duration of the proceedings and high inflation; this significantly hampers the effectiveness of alimony enforcement.
-
23.5.2025
Right To Compassionate Leave: Duration, Implementation And Assessment
Legal Basis and Definition of Compassionate Leave: In situations where an employee is unable to perform their work obligation due to certain personal circumstances in which, pursuant to the principle of good faith, the employer cannot reasonably expect the employee to work, the employee must be deemed to be on justified leave. Compassionate leave was introduced by Law No. 6645 in 2015 and is regulated under Additional Article 2 of the Turkish Labour Law No. 4857.
-
20.5.2025
The Right to Be Forgotten in the Context of Search Engines
IWith the rapid advancement of technology, personal data is increasingly recorded in digital environments and can be stored for long periods of time. This situation causes individuals' past negative experiences or changing opinions over time to remain constantly accessible. In particular, search engines make personal data widely accessible by indexing results that appear when searching individuals by their first and last names. Within this context, the "Right to Be Forgotten" stands out as the right of individuals to request the deletion of their personal data or the restriction of access to it in digital environments.
-
16.5.2025
The Penalty Clause in Turkish Law, Reduction of the Penalty Clause, and Practial Interpretations
One of the fundamental concepts of contract law, "penalty clauses" function as an important security for the creditor in the event that the debtor fails to properly perform their obligation. As an extension of the principle of freedom of contract, the parties may agree in advance to the payment of a specific amount in case the obligation is not performed at all or not performed correctly, thereby encouraging performance and easing the burden of proof for any damages that may arise.
-
13.5.2025
A Review on US Customs Tariffs and Its Impact on M&A Transactions
US President Donald Trump recently announced a "declaration of economic independence". Accordingly, a reciprocal tariff on all countries came into force. The tariff rate for Turkey was set at 10%, i.e. the minimum rate.
-
12.2.2025
An EMRA Decision: Capital Increase Obligation for Electricity Market Companies in Share Transfers to Foreign Investors
1. Current Regulation The Energy Market Regulatory Authority ("EMRA" or the "Authority") regulates the transfer of shares in the capital of companies operating in the electricity market under Article 57 of the Electricity Market Licence Regulation ("Regulation").
-
29.1.2025
Turkish Competition Board Mergers And Acquisitions Outlook Report For 2024 Has Been Published
On January 7th, 2025, the Turkish Competition Authority has published the Report prepared by the Competition Board on Mergers, Acquisitions And Privatisation Transactions in 2024 ("Report").
-
22.11.2024
The Procedure of Sale by Auction and The Legal Aspect of New Regulations Brought by the 9th Judicial Package
By new regulations brought by the 9th Judicial Package, a new legal frame for the sale of seized goods electronically is instructed according to Enforcement and Bankruptcy Law Article 111/b. Transactions about the sales of seized goods are made via a sale portal integrated with the National Judicial Network Information System (UYAP) by auction. However, because of the legal gaps of the law, an application about the sale transactions cannot be displayed. The amendments introduced by legislators to the law regarding electronic sales in the 8th and 9th Judicial Packages, as well as the newly established regulations, are considered an important step toward making foreclosure processes faster and ensuring that sales transactions are conducted in a safer and more transparent environment.
-
15.11.2024
Law Numbered 7531 On Amendments To Certain Laws Was Published
Law1 No. 7531 on the Amendment of Certain Laws ("Law"), also known as the 9th Judicial Package, was published in the Official Gazette dated 14.11.2024 and numbered 32722 and contains significant amendments to 17 different laws.
-
13.11.2024
E-Government Era Begins In Lease Agreements!
The Ministry of Treasury and Finance ("Ministry") announced in the 2023-2025 period of its 2022 Action Plan for Combating the Informal Economy ("Action Plan") that lease agreements could be concluded through the e-Government portal to support the decision-making processes of the parties involved and conduct risk analysis studies. The first phase of this activity was launched on November 4, 2024, through the e-Government portal, and the second phase is expected to be implemented by the end of the year.
