New Decisions Of The Personal Data Protection Board 12 June 2019
Pursuant to Articles 15 and 22 of the Law on the Protection of Personal Data (referred to as the ‘Law’), the Personal Data Protection Board (referred to as the ‘Board’) has the authority to examine complaints lodged by applicants or on matters that are ex officio and issue administrative fines for violations.
The Board publishes summaries of the decisions which it deems as important and which may constitute a precedent as a result of its examinations.
Below we are presenting the summaries of the last four decisions published by the Board.
Decision of the Personal Data Protection Board dated 14/02/2019 and numbered 2019/23 on the failure of the Data Controller, who provides technical services, to Protect Personal Data:
The applicant has lodged a complaint before the Turkish Personal Data Protection Board ("Board") stating that the company responsible for the technical service ( referred to as the ‘Data Controller’ ) gave form numbers to its customers regarding their devices entry into service and the customers can access the information about the status of their device in the service by the form number query, but personal data belonging to different people can be accessed by changing the last digits of the form number. Although the relevant Data Controller stated that it was not possible to access the personal data of the device owners during the inquiries, it was found by the Board that inquiries about the other device owners could be made and the name, surname, address and IMEI number of the different persons could be accessed. Accordingly, with the decision dated 14/02/2019 and numbered 2019/23, the Board decided that the Data Controller failed to take the necessary administrative and technical measures to ensure the protection of personal data pursuant to article 12 of the Law on the Protection of Personal Data No. 6698, and therefore imposed an administrative fine of TL 150,000 pursuant to Article 18 of the relevant Law and stopped the use of the relevant internet link until the violation of the said law is corrected.
Decision of the Personal Data Protection Board dated 05/03/2019 and numbered 2019/52 on Non-compliance of the Data Controller, who provides technical service, with the Decision of the Board:
Following the notification of the Personal Data Protection Board dated 14/02/2019 and numbered 2019/23 to the Data Controller Company, the inquiries were made with different form numbers on the Company website by the Board, and it was found that inquiries of other devices can still be carried out and no other security verification is being performed, also when the 'Click for Device Registration Images ‘link on the website is selected, the IMEI numbers are still clearly displayed. In this respect, due to non-compliance with the decision of the Board numbered 2019/23, (“…immediately abolish the said contradiction and immediately stop the use of the links in this Decision until the approval of the said contradiction is provided ..” ), which was notified to the Company, and failure of the Company to comply with Article 15 of the Personal Data Protection Act, the Board has decided to impose an administrative fine of TL 50,000 to the Company within the framework of Article 18 of the relevant law. In addition, the Board ordered the Company to change the system that allows inquiries for device monitoring and to immediately shut down access to the system in question.
Decision of the Personal Data Protection Board dated 01/03/2019 and numbered 2019/47 on the transfer of personal data to the judiciary and third parties without consent:
The applicant has lodged a complaint before the Personal Data Protection Board regarding illegal access to personal information about himself and his family and the transfer of it to the judiciary and third parties without his consent. As a result of the examination conducted by the Board, it was determined that the complainee did not engage in any personal data processing activity that was partially or fully automated or that was not part of any data recording system, and therefore the complainee could not be considered as a Data Controller. The Board further stated that the alleged unlawful collection of personal data belonging to the applicant and his family by the complainee was a criminal offense under the Turkish Penal Code and therefore there was no action to be taken under the Law no. 6698 on this subject.
Decision of the Personal Data Protection Board dated 02/05/2019 and numbered 2019/122 on the Failure to Respond to Applicant's Application to the Bank and the Non-Compliance of Information Text with the Regulations under the Law:
Pursuant to the rights contained in article 11 of the Law on Personal Data Protection No. 6698 , the applicant lodged a complaint to the Data Controller T.C Ziraat Bank A.Ş ( referred to as the ’ Bank’ ) via registered email (KEP) . However, this complaint was not replied within the legal period of thirty days. Thereupon, the applicant complained to the Board that the Information Text published by the Data Controller on the website did not meet the conditions stipulated in the legislation. A letter was sent to the Bank by the Board to provide explanations on the subject matter, but no response was given by the Bank. Therefore, pursuant to the third paragraph of Article 18 of the Personal Data Protection Law no. 6698, the Board has decided to take disciplinary actions against the persons responsible for violation in the Bank and those responsible for taking necessary measures and inspections. Furthermore, the Board ordered the Bank to respond to the Applicant's requests for the implementation of the Law. The Board has ordered the Bank to revise the Information Text on the Bank's website and to bring it in line with the provisions of the Communiqué, because it was not prepared in accordance with the provisions of paragraph (g) and (h) of of article 5 (including general and ambiguous statements and lack of legal reasons) of the Communiqué on the Procedures and Principles to be Complied With In Fulfilling the Obligation to Inform.
Decision of the Personal Data Protection Board on “Loyalty Cards’’ of Market Chains dated 25/03/2019 and numbered 2019/82:
The loyalty card is a card which is obtained from the stores of a market and provides the advantage of discounting and accumulating points in some purchases. On the website of the loyalty card, a warning text appears which states that ‘ In order to continue to take advantage of the card benefits, it is sufficient to grant data processing permission under the Personal Data Protection Act…… if you do not have permission, please read and confirm the membership and consent statement ‘’. In the text messages sent to the mobile phones of the customers it is stated that ‘’Please update your permission under the Protection of Personal Data Act. Our customers whose licenses are out of date will not be able to shop by saying mobile phones from our safes because their personal information will be deleted. ” In this sense, since the explicit consent was put forward as a condition for the provision of a product or service, it was requested by the applicant to establish the necessary transactions within the scope of the Personal Data Protection Law (referred to as the ‘Law’) no. 6698, and it was lodged as a complaint by the applicant that during the request for explicit consent of the customers, the company has requested a service fee of TL 0.01 under the name of Data Permit Application. As a result of the examination of the complaint, the Board found that participation in the Loyalty Card Program was not obligatory for the customers within the scope of service provision by the Data Controller Company and that there was no such situation as not providing services to the customers who are not members of the Program. The Board therefore concluded that, there was no action to be taken in relation to the applicant's claim that the provision of a service or product by the Company was subject to the express consent. With regards to receiving a service fee of TL 0.01 under the name of Data Permit Application, the Data Controller stated as defense that this event occurred due to a systematic error in information technology, and that the same amount of discount was charged to the customers' card as compensation immediately. Therefore, the Board has decided that there is no action to be taken by the Board under this Law. On the other hand, as a result of the examinations of the Board it is seen that open-ended statements are included in the Information Text, there are inconsistencies between the ‘Membership and Consent Statement’ and the ‘Information Text’ , in the information text it is stated that personal data (such as information on memberships of trade unions / associations / foundations, criminal convictions, data on security measures, sexual life, biometric data and information about health status) can be processed, the main field of activity of the company is to supply food and necessities to consumers in retail, and the Loyalty Card application offered in all the workplaces of the Company is designed as a marketing program. In view of the above, it has been found by the Board that the processing of personal data such as criminal convictions and data on security measures is not related to the purposes of the company, and is not limited and measured within the activities of the Data Controller. Therefore, the Board ordered that the inconsistencies between the ‘Membership and Consent Statement’ and the’ Information Text’ should be eliminated and tthe Company's Information Text should be updated by taking into consideration the basic principles of the Law and the provisions of the Communiqué. The Board ordered that the inconsistency between the “Membership and Consent Statement” and “Information Text’’ should be eliminated and the Company's Information Text should be updated by taking into consideration the basic principles of the Law and the provisions of the Communiqué.
Other News
-
4.6.2026
A Noteworthy Principle Decision of the Personal Data Protection Board on the Use of Biometric Data
The Principle Decision of the Personal Data Protection Board (the "Board") dated 29 April 2026 and numbered 2026/921 was published in the Official Gazette dated 2 June 2026. The Decision contains important assessments regarding the use of fingerprint, facial recognition and similar biometric systems for employee attendance and working hours tracking.
-
2.6.2026
Designation of Critical Infrastructure Sectors Under Cybersecurity Law No. 7545 and Key Compliance Obligations
Cybersecurity Law No. 7545, which introduces comprehensive and far-reaching rules governing cybersecurity in Türkiye, was enacted on 12 March 2025. The Law regulates the powers of the Cybersecurity Authority, the rules to be observed by public institutions and private companies, supervisory mechanisms, and applicable sanctions.
-
25.5.2026
Does Your 2025 Balance Sheet Trigger a VERBIS Obligation? Deadline Set for 5 June 2026
The Personal Data Protection Authority ("Authority") has published an important announcement regarding corporate taxpayer legal entity data controllers that have become subject to the obligation to register with the Data Controllers' Registry ("VERBIS") due to the criteria relating to the 2025 financial balance sheet total. Within the scope of the announcement, the period granted for the fulfillment of the VERBIS registration and notification obligation has been extended until Friday, 5 June 2026.
-
22.5.2026
The Competiton Authority Has Updated Its Merger And Acquisition Guidelines: What Has Changed For Trancastion Parties?
There have been significant developments in the field of mergers and acquisitions in recent times. The Competition Authority has implemented a comprehensive update process with the aim of making the regulatory framework in this area clearer and more predictable. This process, which began with the amendments to the Communiqué No. 2026/2 on the Amendment to the Communiqué on Mergers and Acquisitions Requiring the Approval of the Competition Board (Communiqué No. 2010/4) in February 2026, has entered a new phase with the updated guidelines published in May 2026.
-
20.5.2026
A New Approach to the Limits of the Institution of Amendment of Pleadings: Unification of Judgments Decision
1. INTRODUCTION By its decision dated 08.05.2026, the Grand General Assembly for the Unification of Judgments of the Court of Cassation explicitly ruled that a claim not initially included in the statement of claim cannot subsequently be introduced into the action by way of "partial amendment".
-
13.5.2026
Significant Amendments to Temporary Incapacity Periods for Maternity under the Social Security Institution
Extension of Maternity Leave Periods under Circular No. 2026/13: With the Circular dated 08.05.2026 and numbered 2026/13 issued by the Social Security Institution (“SSI”), the implementation of temporary incapacity benefits under maternity insurance within the scope of the Social Insurance and General Health Insurance Law No. 5510 has been updated. The aforementioned amendments have been introduced in line with Law No. 7578, which entered into force on 01.05.2026. These regulations include new provisions that are particularly significant for employers and employees, especially with respect to the extension of postnatal rest periods and the transitional rules applicable to existing medical reports.
-
11.5.2026
The Communique Regarding Proffesions Subject to the Requirement for a Professional Competency Cerificate (2026/1) Has Been Published
With the "Communiqué Regarding Occupations Subject to the Mandatory Professional Competency Certificate by the Professional Competency Authority," dated March 23, 2026, and published in the Official Gazette No. 33202, the requirement to hold a Professional Competency Certificate has been expanded to include certain occupations classified as hazardous or highly hazardous
-
4.5.2026
Significant Changes in the Workplace: Maternity Leave Periods Revised
Law No. 7578, amending the Social Services Act and certain other laws, entered into force following its publication in Official Gazette No. 33240 dated 1 May 2026. This regulation introduces significant changes, particularly regarding maternity leave durations, which have implications for employers in terms of workforce planning and organisational processes. In this bulletin, we examine the key changes introduced by the regulation.
-
30.4.2026
Draft Law On The Protection Of Trade Secrets Has Been Released!
Whilst Turkish law contains various provisions on trade secrets across different laws and subordinate regulations, there has been no standalone legislation to date that directly and comprehensively defines trade secrets or provides for distinct protection and safeguard mechanisms. Prepared to address this gap, the Draft has been drafted in line with the EU's Directive 2016/943/EU on trade secrets and serves as a tool to support Turkey's international trade policies and the development of digital trade.
-
24.4.2026
A New Era For The Meal Allowance Exemption From Insurance Premium
Article 10 of Law No. 7577 on Amendments to Certain Laws, published in the Official Gazette dated 17.04.2026, introduced a significant amendment to paragraph (b) of Article 80, titled "Earnings Subject to Premium," of Law No. 5510 on Social Insurance and General Health Insurance, which regulates exemption amounts, with respect to the meal allowance exemption provided by employers.
-
20.4.2026
"Effective Remorse" as a Personal Ground Mitigating or Eliminating Punishment
1. What is Effective Remorse? Effective remorse is the legal consequence - in the form of a reduction or elimination of punishment - that the law attaches to the compensatory conduct voluntarily undertaken by a perpetrator following the completion of an offence, as a result of the remorse experienced by that perpetrator.
-
9.4.2026
Deadline for Compliance with Minimum Capital Requirement: 31 December 2026
Articles 332 and 580 of the Turkish Commercial Code (the "TCC") regulate the minimum capital requirements for joint stock companies and limited liability companies, respectively, and stipulate that such amounts shall be determined and may be increased by a Presidential Decree. Pursuant to this authority, with Presidential Decree No. 7887 published in the Official Gazette dated 25 November 2023, the minimum capital amounts have been significantly increased. Accordingly, under the said Decree:
-
7.4.2026
The Occupational Health And Safety Training Regulation Has Been Amended! What Innovations Does The 2026 Regulation Introduce?
Occupational Health and Safety (OHS) trainings constitute the cornerstone of a proactive approach to preventing workplace accidents. The new "Regulation on the Procedures and Principles of Occupational Health and Safety Training for Employees", which entered into force on April 2, 2026, repealed the 2013 regulation and introduced fundamental changes centered on digitalization, accessibility, and measurability in training processes.
-
2.4.2026
The Rights of Minority Shareholders: How Powerful Are They in Reality?
The fundamental principle in joint-stock companies and commercial companies in general is the majority rule. Shareholders holding control determine the fate of the company. However, to prevent this from turning into absolute dominance, the Turkish Commercial Code No. 6102 (the "TCC") grants minority shareholders various rights. The purpose of these rights is to establish a balance between the majority and the minority, and to prevent the minority from becoming entirely ineffective against the company's management.
-
31.3.2026
Employment Retention Incentive in the Manufacturing Industury Enters into Face
The Regulation on the Implementation of the Employment Retention Support Program was published in the Official Gazette dated 3 March 2026 and numbered 33185, and has entered into force.The Program aims to preserve and increase employment in enterprises operating in the manufacturing industry. It covers the period between 1 January 2026 and 31 December 2026, with the final deadline for submitting payment claims set as 31 March 2027.
