The Board of Protection of Personal Data Has Published New Decisions 10 October 2019
Pursuant to the articles 15 and 22 of the Law on Protection of Personal Data no. 6698 (“the Law”), the Board of Protection of Personal Data (“the Board”) is entitled to conduct necessary inspection within the scope of its remit either ex officio in case that it learns the allegation of a violation or upon complaint, and to impose administrative fines in case of breach. The Board publishes decision summaries of its investigations which are considered to be important and to establish precedent on its website.
We hereby present the summary of these decisions by the Board.
The decision No. 2019/269 on Facebook published on 18.09.2019 by the Board
Although it is stated that the notice will be submitted to the Board in writing within the week following the e-mail giving information about data breach related to ‘’View as Someone Else’’ sent by the Facebook representative, dated 14.10.2018, Facebook has not made any notice to the Board. As a result of this failure of notice, the Board has decided to examine ex officio.
As a result of the review of the Board, it is determined that the data breach is a result of an error caused by the 3 different interaction of Facebook system which are ‘’View as Someone Else’’, ‘’Birthday Celebration’’ and ‘’Video Uploader’’. The Board, ascertained that the personal data such as name, gender, birthday, relationship status, educational background, religious information, country, location, recent searches on Facebook, up to 500 major accounts followed by the user were affected by the breach. The Board also stated that 280,959 users using Facebook in Turkey were affected by the data breach.
For this reason, the Board, pursuant to Article 12 of the Law, decided to impose 1.150.000 TL due to lack of administrative and technical measures to ensure the protection of personal data within the scope of Article 18 of the Law No. 6698 and also decided to impose 450.000 TL due to application which violates the obligation to notify as soon as possible. Thus, the Board of Protection of Personal Data decided to impose an administrative fine of 1 million 600 thousand TL in total, on Facebook. The Board had previously given an administrative fine of 1 million 650 thousand TL to Facebook due to data breach.
The decision No. 2019/254 on S Şans Oyunları A.Ş published on 27.08.2019 by the Board
The Board has been informed of the data breach in line with the S Şans Oyunları A.Ş.’s notification that they were operating as a virtual bookmaker on the website www.tuttur.com and that they were informed of the data breach by one of the members of the Company sharing the data leakage information and as a result, the Board has initiated an investigation to examine the claims.
As a result of the review of the Board of Protection of Personal Data, it is stated that the failure to determine the date of occurrence of the breach is an indication of failure of the data supervisor to carry out the necessary supervision, the failure to determine when the data in the Excel list was withdrawn from the system and when it was transferred to the data processor is an technical and administrative defect. And also, the fact that the number of person affected by data breach cannot be determined although 90% of the members in the list have been declared by the Company that they have never entered the system is an indication that the technical and administrative measures have not been fully implemented or applied, that the Company has not been able to take action to notify the people concerned in connection with the data breach.
For this reason, the Board, pursuant to Article 12 of the Law, decided to impose 150.000 TL due to lack of administrative and technical measures to ensure the protection of personal data within the scope of Article 18 of the Law No. 6698 and also decided to impose 30.000 TL due to application which violates the obligation to notify as soon as possible.
The decision No. 2019/255 on a Tourism Company published on 27.08.2019 by the Board
As a result of the notification by Company to the Board that the cyber-attack is realized because of the entrance of the unauthorized passwords through the Local Area Network (LAN) and that this situation was occurred through a leakage from the computer of an employee located in the general areas of Company, the Board has decided to examine ex officio.
As a result of this review, the Board determined that there is not any special personal data among the affected personal data, that the access by unauthorized third parties who are not employees of the Company is an administrative imprudence, that the fact that the employees have not received pre-infringement security training is an administrative deficiency in terms of providing personal data security and awareness, that the failure of taking notice whether the leakage in computer network existed is an technical deficiency and the notification of the incident from employees in the other departments to the IT Department is an indication that the Company’s IT Department and Information Systems are not functioning properly.
For this reason, the Board, pursuant to Article 12 of the Law, decided to impose 400.000 TL due to lack of administrative and technical measures to ensure the protection of personal data within the scope of Article 18 of the Law No. 6698 and also decided to impose 100.000 TL due to application which violates the obligation to notify as soon as possible.
The decision No. 2019/225 about Obligations of the branches in Turkey of legal entities resident abroad and the Liaison Office published on 23.07.2019 by the Board
The Board, after the assessment, decided that;
- Data supervisor resident abroad which process personal data activities directly or through branches in Turkey must be registered.
- In the case of the branches, of legal entities resident abroad, located in Turkey, by definition, are responsible for determining the personal data aims and the means and for managing of the establishment of the data recording system, they will be considered as a data supervisor in Turkey as distinct from legal entity resident abroad, also, in this case, as a result of the evaluation to be made in terms of ‘’annual number of employees’’ and ‘’ annual financial statement’’, it will be decided for the branches, of the legal entity resident abroad, located in Turkey, whether there is an obligation to register to the Registry or not. The branches in this case does not have any obligation to register.
In order to open a Liaison Office in Turkey, incorporation of a company must be executed according to the foreign law and the established Liaison Office is not be able to do commercial activities. And also, considering the fact that the Liaison Offices are not like branches and that are established for communication, feasibility research, conducting some projects in social and cultural areas, making preparations for the mergers and acquisitions between companies, promotions and advertising, closely monitoring the job opportunities in the country and informing the central company about these issues, these liaison offices are not obliged to register to Registry.
Other News
-
15.10.2025
Current Status Of The Obligation To Maintain Commercial Books In Electronic Form
1. INTRODUCTION With the Communiqué Amending the Communiqué on Keeping Commercial Books Not Related to the Accounting of the Enterprise in Electronic Form, published in the Official Gazette dated September 20, 2025 and numbered 33023 (“Amendment Communiqué”), significant amendments have been introduced to the Communiqué on Keeping Commercial Books Not Related to the Accounting of the Enterprise in Electronic Form, published in the Official Gazette dated February 14, 2025 and numbered 32813 (“Communiqué”).
-
25.9.2025
Social Security Procedures To Be Carried Out By The Employer Following A Reinstateme
Upon receiving notification of a final and binding reinstatement decision, if the employee communicates their intention to return to work within 10 business days, the employer may either reinstate the employee or refuse reinstatement by paying both the four months' idle period wages determined by the court and the compensation for non-reinstatement. As seen, the employer has two alternative courses of action in this situation; however, the procedures to be carried out before the Social Security Institution (SGK) differ in each case.
-
19.9.2025
The Court of Cassation has Ruled That The Competent Court Fot Cases Brought On The Grounds Of Volation Of The Non-Competition Clause Is The Commercial Court of First Instance
1. Introduction The duty not to compete is a type of loyalty obligation owed by the employee to the employer. The employee undertakes not to compete with the employer during the term of the employment contract as part of their loyalty obligation. However, Turkish law does not contain any legal provisions prohibiting the employee from competing with the employer after the employment contract has ended. However, the parties may freely agree that the employee will not compete with the employer after the termination of the employment contract. Articles 444-447 of the Turkish Code of Obligations also contain provisions and restrictions regarding non-competition agreements that may be established between the employee and the employer.
-
16.9.2025
Transfer Fee: Legal Characterization and Practical Application
1. Introduction The concept of a transfer fee is not directly defined in the Turkish Labor Code; its framework and legal nature in practice have largely been shaped by the decisions of the Court of Cassation (Turkey). This practice, which arises particularly in sectors with intense competition and limited skilled labor, is a type of payment that employers must carefully consider within the scope of their employment policies.
-
5.9.2025
Competition in the Labor Market: HR Practices to Avoid
The Turkish Competition Authority ("Authority"), which is entrusted with ensuring the proper functioning of markets, identifying practices that restrict competition, and imposing sanctions against infringements, operates under Law No. 4054 on the Protection of Competition ("Law") without distinction between input and output markets. Labor markets have recently emerged as one of the primary arenas in which entities compete in input markets and, with the influence of various additional dynamics, have become a market increasingly prioritized by the Authority. The Guidelines on Competition Violations in Labor Markets ("Guidelines"), adopted by the Authority on November 21, 2024, serve as an important reference for the prevention of competition infringements in labor markets. In this bulletin, in light of the Guidelines and decisions of the Competition Board ("Board") within the Authority, (i) the fundamental principles and information regarding the application of competition law to labor markets, and (ii) the main prohibited practices to be observed when competing in labor markets will be addressed.
-
29.8.2025
Does An Employee's Extended Period Of Sick Leave Grant The Employer The Right To Terminate The Emploment Contract?
In employer-employee relations, the direct impact of long-term medical reports on the status of the employment contract holds critical importance for both employees and employers. In particular, uninterrupted periods of sick leave lasting for a certain duration are regulated under Article 25/I(b) of the Labour Law as a specific provision that grants the employer the right to immediate termination for just cause and determines the rights to be granted to the employee. In this context, how the employer may exercise the right of termination for just cause following the employee's extended medical leave and the legal basis of this process should be examined in detail.
-
27.8.2025
Regulation On Direct Selling Was Published
The Regulation on Direct Selling ("Regulation"), issued by the Ministry of Trade ("Ministry") pursuant to Articles 47/A and 84 of the Consumer Protection Law No. 6502, was published in the Official Gazette dated 08.08.2025 and numbered 32980, thereby entering into force.
-
18.8.2025
SMS Verification Codes and the Personal Data Protection Board's Guideline Decision No. 2025/1072
The Personal Data Protection Board's Guideline Decision dated 10 June 2025 and numbered 2025/1072 introduces significant regulations regarding personal data processing activities conducted through SMS verification codes, which have become a widespread practice in commercial life. The decision requires significant adjustments to customer relationship management, particularly in the service and retail industries.
-
11.8.2025
Mergers And Acquisitions Of Companies Engaged In Renewable Energy Gereration
In recent years, notable developments in Turkey's electricity market have extended beyond investments aimed solely at increasing generation capacity. The sector has also come into focus through strategic investments and merger and acquisition (M&A) transactions involving companies operating in the field of renewable energy.
-
31.7.2025
Annual Leave, Severance Pay, and Notice Pay in Part - Time Employment Contracts
Part-Time Employment Contract Article 13 of the Labor Law No. 4857 defines a part-time employment contract as "a contract in which the employee's normal weekly working hours are significantly less than those of a full-time employee performing similar work."
-
30.7.2025
Legal Remedies And The Official Appeal Process For Property Tax Values
a. General Overview Following the enactment of Law No. 4751 in 2002, which amended the Tax Procedure Law, the Property Tax Law, and the Fees Law, the declaration-based system for determining the property tax base was abolished, and the tariff and assesment procedure implemented by administrative authorities was adopted.
-
25.7.2025
Labour Law No. 4857 Amended! Electronic Notification Opportunity Introduced With Rem
Article 109 of the Labour Law No. 4857 has been amended, together with its title and content, by the Law Amending the Law on the Protection of the Value of Turkish Currency and Certain Laws and the Decree Law No. 635 published in the Official Gazette dated 24 July 2025. With this important amendment, the procedures regarding the form of notifications to be made between employers and employees have been redefined.
-
16.7.2025
Terminatıon Right Of The Employer Due To Conviction And Detention And Legal Consequences
In labour law practice, which is a dynamic field based on the principle of protecting the balance between the employee and the employer, the employee's failure to fulfill their obligation to perform work-especially when this results from circumstances that restrict individual freedom, such as conviction or detention-has significant legal consequences regarding the termination of the employment contract.
-
14.7.2025
Radical Change In The Labor Law Dated 14.07.2025: Flexible Week Holiday Period Has Started In The Tourism Sector!
With the Law No. 7553 on the "Amendment of Certain Laws and Decree Law No. 375" published in the Official Gazette on July 14, 2025, important innovations have been introduced in the Labor Law and some other laws. In this context; as of 14.07.2025, with the provision added to the article Article 46 of the Labor Law which regulates the week holiday, flexible week holiday specific to the tourism sector have been introduced.
-
9.7.2025
Climate Law Enacted
The Climate Law No. 7552 ("Law"), which includes regulations on the procedures and principles related to the reduction of greenhouse gas emissions in the fight against climate change, climate adaptation activities, planning and implementation tools, revenues, permits and inspections, and the legal and institutional framework surrounding these, was published in the Official Gazette dated July 9, 2025, No. 32951, and entered into force. This Law sets out general principles and objectives from a casuistic perspective, preferring to leave detailed and technical regulations to secondary legislation.
