The Board of Protection of Personal Data Has Published New Decisions 10 October 2019
Pursuant to the articles 15 and 22 of the Law on Protection of Personal Data no. 6698 (“the Law”), the Board of Protection of Personal Data (“the Board”) is entitled to conduct necessary inspection within the scope of its remit either ex officio in case that it learns the allegation of a violation or upon complaint, and to impose administrative fines in case of breach. The Board publishes decision summaries of its investigations which are considered to be important and to establish precedent on its website.
We hereby present the summary of these decisions by the Board.
The decision No. 2019/269 on Facebook published on 18.09.2019 by the Board
Although it is stated that the notice will be submitted to the Board in writing within the week following the e-mail giving information about data breach related to ‘’View as Someone Else’’ sent by the Facebook representative, dated 14.10.2018, Facebook has not made any notice to the Board. As a result of this failure of notice, the Board has decided to examine ex officio.
As a result of the review of the Board, it is determined that the data breach is a result of an error caused by the 3 different interaction of Facebook system which are ‘’View as Someone Else’’, ‘’Birthday Celebration’’ and ‘’Video Uploader’’. The Board, ascertained that the personal data such as name, gender, birthday, relationship status, educational background, religious information, country, location, recent searches on Facebook, up to 500 major accounts followed by the user were affected by the breach. The Board also stated that 280,959 users using Facebook in Turkey were affected by the data breach.
For this reason, the Board, pursuant to Article 12 of the Law, decided to impose 1.150.000 TL due to lack of administrative and technical measures to ensure the protection of personal data within the scope of Article 18 of the Law No. 6698 and also decided to impose 450.000 TL due to application which violates the obligation to notify as soon as possible. Thus, the Board of Protection of Personal Data decided to impose an administrative fine of 1 million 600 thousand TL in total, on Facebook. The Board had previously given an administrative fine of 1 million 650 thousand TL to Facebook due to data breach.
The decision No. 2019/254 on S Şans Oyunları A.Ş published on 27.08.2019 by the Board
The Board has been informed of the data breach in line with the S Şans Oyunları A.Ş.’s notification that they were operating as a virtual bookmaker on the website www.tuttur.com and that they were informed of the data breach by one of the members of the Company sharing the data leakage information and as a result, the Board has initiated an investigation to examine the claims.
As a result of the review of the Board of Protection of Personal Data, it is stated that the failure to determine the date of occurrence of the breach is an indication of failure of the data supervisor to carry out the necessary supervision, the failure to determine when the data in the Excel list was withdrawn from the system and when it was transferred to the data processor is an technical and administrative defect. And also, the fact that the number of person affected by data breach cannot be determined although 90% of the members in the list have been declared by the Company that they have never entered the system is an indication that the technical and administrative measures have not been fully implemented or applied, that the Company has not been able to take action to notify the people concerned in connection with the data breach.
For this reason, the Board, pursuant to Article 12 of the Law, decided to impose 150.000 TL due to lack of administrative and technical measures to ensure the protection of personal data within the scope of Article 18 of the Law No. 6698 and also decided to impose 30.000 TL due to application which violates the obligation to notify as soon as possible.
The decision No. 2019/255 on a Tourism Company published on 27.08.2019 by the Board
As a result of the notification by Company to the Board that the cyber-attack is realized because of the entrance of the unauthorized passwords through the Local Area Network (LAN) and that this situation was occurred through a leakage from the computer of an employee located in the general areas of Company, the Board has decided to examine ex officio.
As a result of this review, the Board determined that there is not any special personal data among the affected personal data, that the access by unauthorized third parties who are not employees of the Company is an administrative imprudence, that the fact that the employees have not received pre-infringement security training is an administrative deficiency in terms of providing personal data security and awareness, that the failure of taking notice whether the leakage in computer network existed is an technical deficiency and the notification of the incident from employees in the other departments to the IT Department is an indication that the Company’s IT Department and Information Systems are not functioning properly.
For this reason, the Board, pursuant to Article 12 of the Law, decided to impose 400.000 TL due to lack of administrative and technical measures to ensure the protection of personal data within the scope of Article 18 of the Law No. 6698 and also decided to impose 100.000 TL due to application which violates the obligation to notify as soon as possible.
The decision No. 2019/225 about Obligations of the branches in Turkey of legal entities resident abroad and the Liaison Office published on 23.07.2019 by the Board
The Board, after the assessment, decided that;
- Data supervisor resident abroad which process personal data activities directly or through branches in Turkey must be registered.
- In the case of the branches, of legal entities resident abroad, located in Turkey, by definition, are responsible for determining the personal data aims and the means and for managing of the establishment of the data recording system, they will be considered as a data supervisor in Turkey as distinct from legal entity resident abroad, also, in this case, as a result of the evaluation to be made in terms of ‘’annual number of employees’’ and ‘’ annual financial statement’’, it will be decided for the branches, of the legal entity resident abroad, located in Turkey, whether there is an obligation to register to the Registry or not. The branches in this case does not have any obligation to register.
In order to open a Liaison Office in Turkey, incorporation of a company must be executed according to the foreign law and the established Liaison Office is not be able to do commercial activities. And also, considering the fact that the Liaison Offices are not like branches and that are established for communication, feasibility research, conducting some projects in social and cultural areas, making preparations for the mergers and acquisitions between companies, promotions and advertising, closely monitoring the job opportunities in the country and informing the central company about these issues, these liaison offices are not obliged to register to Registry.
Other News
-
8.12.2025
What is OFAC? Its Strategic Importance For Investors And Areas Of Application
As the world changes and with each passing day, one of the terms we encounter more frequently is "OFAC". In today's globalized world, investors seeking to make international investments come across OFAC or interact with it in one way or another. This is because the sanctions imposed by OFAC relate not only to U.S. citizens or U.S.-origin companies, but also to individuals who have direct or indirect economic or financial contact with the United States. So, what is this OFAC?
-
4.12.2025
Loans To Shareholders And Adat Invoice
In practice, it is quite common for companies to extend loans to their shareholders. In situations where the company becomes a creditor of its shareholders, adat interest must be calculated on the outstanding balance and an invoice must be issued. Accordingly, adat is a method used to calculate accrued interest based on the period during which company funds are utilized by shareholders or related parties, ensuring that any potential tax loss is compensated. These calculations are important for compliance with transfer pricing rules, accurate determination of the tax base, and the fulfillment of legal obligations such as Value Added Tax (“VAT”).
-
28.11.2025
Notification Process To The Central Securities Depository & Trade Repository Of Türkiye For Bearer Share Certificates And Legal Consequences
1. Issuance and Notification of Bearer Share Certificates Pursuant to Article 484 of the Turkish Commercial Code ("TCC"), joint stock companies have two types of share certificates: registered shares and bearer shares. While the transfer of registered shares is completed through delivery, certain conditions have been introduced under the Communiqué on the Notification and Registration of Bearer Share Certificates with the Central Securities Depository ("Communiqué") for the transfer of bearer shares. Within the scope of the Communiqué, the registration of bearer shares with the Central Securities Depository & Trade Reposıtory of Türkiye ("MKK"), the adoption of a board resolution, and the registration and announcement of this resolution before the relevant trade registry directorate and in the Turkish Trade Registry Gazette are required.
-
20.11.2025
The Letter Of Intent Procsess in Merger and Acquisition Transactions
Merger and acquisition ("M&A") transactions are multi-layered processes from both legal and commercial perspectives. Before the parties proceed to the contractual stage, they enter into a preparatory phase in order to articulate their transactional intentions, exchange commercial expectations, and establish the legal framework. This preparatory phase constitutes the initial stage in which the parties discuss the fundamental principles of the transaction structure, formulate their negotiation strategies, and assess the transactional risks.
-
14.11.2025
New Constitutional Court Decision On Violation Of The Right To A Reasoned Decision Published İn The Official Gazette
1. INTRODUCTION The reasoning constitutes the part of judicial decisions that demonstrates the cause and justification for resolving the matter in the manner indicated in the operative section, and it is an extension of adjudication. The fact that the reasoning is satisfactory and consistent is crucial for ensuring the right to be legally heard and the right to a fair trial. By setting forth the court's impartiality, a reasoned judgment enables the parties to understand and be satisfied with the material and legal grounds upon which they have won or lost the case, owing to reasoning that genuinely aligns with the contents of the file, as well as with logic and law.
-
7.11.2025
Decision Of The Constitutional Court Concercing Excluded Pernonnel
In the Constitutional Court's Judgment published in the Official Gazette dated 22 September 2025.
-
24.10.2025
The Obligation for the Principal and Subcontractor Employers to Jointly Participate in Mediation Has Been Annuled by the Constitutional Court
An important Constitutional Court decision has been published regarding the mediation process that an employee can apply to with a request for reinstatement after the termination of employment relations in the workplace. The Constitutional Court ruled that the provision in paragraph (15) of Article 3 of the Labor Courts Law No. 7036, which states, "In cases where there is a principal employer-subcontractor relationship, for a request for reinstatement to be submitted to a mediator, the employers must participate in the mediation talks together and their intentions must be compatible for an agreement to be reached," is unconstitutional. The decision was published in the Official Gazette dated October 17, 2025, and numbered 33050.
-
23.10.2025
The Constitutional Court Has Annulled The Provision Granting The President Authority To Restrict Foreign Exhange And Money Movements!
In its decision No. 2024/193 Merits 2025/136 Decision1 dated 17 June 2025 ("Decision"), published in the Official Gazette on 15 October 2025, the Constitutional Court ("Court") annulled Article 1 of Law No. 1567 on the Protection of the Value of the Turkish Currency ("Law"). The annulled provision had stated that: "The President is authorized to make decisions for the regulation and restriction of the export from or import into the country of currencies, securities, and bonds, and of the purchase and sale of foreign exchange, cash, securities, bonds, precious metals, precious stones, and any goods and valuables made of or containing them; as well as of commercial papers and all means and instruments used for payment, and to take decisions aimed at protecting the value of the Turkish currency."
-
21.10.2025
Seizure of Property Belonging to Persons Other than the Debtor and Protection of Legal Rights
In enforcement proceedings, the seizure of property that does not belong to the debtor but rather to third parties is a situation frequently encountered in practice that leads to significant aggrievements. Uncertainties arising from property regimes complicate ownership relations, making it difficult to accurately determine to whom the property belongs during enforcement measures. Within this framework, when seizure is imposed on property belonging to the debtor's spouse or another third party, the most important legal remedy is the ownership claim (assertion).
-
20.10.2025
Mergers and Acquisitions and the Notification Obligation within the Framework of Competition Law
Mergers and acquisitions (M&A) are at the center of the growth and restructuring strategies of companies. These transactions, serving the purpose of companies to expand both nationally and internationally to increase their market shares or to enter into new markets, not only give rise to economic and commercial consequences but also carry the potential to directly affect the competition dynamics in the relevant market. Therefore, merger and acquisition transactions may affect the competition structure in the market. In this respect, while M&A transactions create strategic opportunities, they are also among the areas carefully scrutinized by regulatory authorities to preserve competitive order.
-
17.10.2025
Important Amendment to the Organized Industrial Zones (OIZ) Implementation Regulation: Additional Time Granted To Participant
Published in the Official Gazette No. 33050, dated October 17, 2025, the "Regulation Amending the Organized Industrial Zones Implementation Regulation" introduces a new Provisional Article 13 to the existing regulation.This new provision allows OIZ participants who have not yet obtained a building permit or a workplace opening and operating license to apply for an extension period under certain conditions.
-
15.10.2025
Current Status Of The Obligation To Maintain Commercial Books In Electronic Form
1. INTRODUCTION With the Communiqué Amending the Communiqué on Keeping Commercial Books Not Related to the Accounting of the Enterprise in Electronic Form, published in the Official Gazette dated September 20, 2025 and numbered 33023 (“Amendment Communiqué”), significant amendments have been introduced to the Communiqué on Keeping Commercial Books Not Related to the Accounting of the Enterprise in Electronic Form, published in the Official Gazette dated February 14, 2025 and numbered 32813 (“Communiqué”).
-
25.9.2025
Social Security Procedures To Be Carried Out By The Employer Following A Reinstateme
Upon receiving notification of a final and binding reinstatement decision, if the employee communicates their intention to return to work within 10 business days, the employer may either reinstate the employee or refuse reinstatement by paying both the four months' idle period wages determined by the court and the compensation for non-reinstatement. As seen, the employer has two alternative courses of action in this situation; however, the procedures to be carried out before the Social Security Institution (SGK) differ in each case.
-
19.9.2025
The Court of Cassation has Ruled That The Competent Court Fot Cases Brought On The Grounds Of Volation Of The Non-Competition Clause Is The Commercial Court of First Instance
1. Introduction The duty not to compete is a type of loyalty obligation owed by the employee to the employer. The employee undertakes not to compete with the employer during the term of the employment contract as part of their loyalty obligation. However, Turkish law does not contain any legal provisions prohibiting the employee from competing with the employer after the employment contract has ended. However, the parties may freely agree that the employee will not compete with the employer after the termination of the employment contract. Articles 444-447 of the Turkish Code of Obligations also contain provisions and restrictions regarding non-competition agreements that may be established between the employee and the employer.
-
16.9.2025
Transfer Fee: Legal Characterization and Practical Application
1. Introduction The concept of a transfer fee is not directly defined in the Turkish Labor Code; its framework and legal nature in practice have largely been shaped by the decisions of the Court of Cassation (Turkey). This practice, which arises particularly in sectors with intense competition and limited skilled labor, is a type of payment that employers must carefully consider within the scope of their employment policies.
