The Board of Protection of Personal Data Has Published New Decisions 10 October 2019
Pursuant to the articles 15 and 22 of the Law on Protection of Personal Data no. 6698 (“the Law”), the Board of Protection of Personal Data (“the Board”) is entitled to conduct necessary inspection within the scope of its remit either ex officio in case that it learns the allegation of a violation or upon complaint, and to impose administrative fines in case of breach. The Board publishes decision summaries of its investigations which are considered to be important and to establish precedent on its website.
We hereby present the summary of these decisions by the Board.
The decision No. 2019/269 on Facebook published on 18.09.2019 by the Board
Although it is stated that the notice will be submitted to the Board in writing within the week following the e-mail giving information about data breach related to ‘’View as Someone Else’’ sent by the Facebook representative, dated 14.10.2018, Facebook has not made any notice to the Board. As a result of this failure of notice, the Board has decided to examine ex officio.
As a result of the review of the Board, it is determined that the data breach is a result of an error caused by the 3 different interaction of Facebook system which are ‘’View as Someone Else’’, ‘’Birthday Celebration’’ and ‘’Video Uploader’’. The Board, ascertained that the personal data such as name, gender, birthday, relationship status, educational background, religious information, country, location, recent searches on Facebook, up to 500 major accounts followed by the user were affected by the breach. The Board also stated that 280,959 users using Facebook in Turkey were affected by the data breach.
For this reason, the Board, pursuant to Article 12 of the Law, decided to impose 1.150.000 TL due to lack of administrative and technical measures to ensure the protection of personal data within the scope of Article 18 of the Law No. 6698 and also decided to impose 450.000 TL due to application which violates the obligation to notify as soon as possible. Thus, the Board of Protection of Personal Data decided to impose an administrative fine of 1 million 600 thousand TL in total, on Facebook. The Board had previously given an administrative fine of 1 million 650 thousand TL to Facebook due to data breach.
The decision No. 2019/254 on S Şans Oyunları A.Ş published on 27.08.2019 by the Board
The Board has been informed of the data breach in line with the S Şans Oyunları A.Ş.’s notification that they were operating as a virtual bookmaker on the website www.tuttur.com and that they were informed of the data breach by one of the members of the Company sharing the data leakage information and as a result, the Board has initiated an investigation to examine the claims.
As a result of the review of the Board of Protection of Personal Data, it is stated that the failure to determine the date of occurrence of the breach is an indication of failure of the data supervisor to carry out the necessary supervision, the failure to determine when the data in the Excel list was withdrawn from the system and when it was transferred to the data processor is an technical and administrative defect. And also, the fact that the number of person affected by data breach cannot be determined although 90% of the members in the list have been declared by the Company that they have never entered the system is an indication that the technical and administrative measures have not been fully implemented or applied, that the Company has not been able to take action to notify the people concerned in connection with the data breach.
For this reason, the Board, pursuant to Article 12 of the Law, decided to impose 150.000 TL due to lack of administrative and technical measures to ensure the protection of personal data within the scope of Article 18 of the Law No. 6698 and also decided to impose 30.000 TL due to application which violates the obligation to notify as soon as possible.
The decision No. 2019/255 on a Tourism Company published on 27.08.2019 by the Board
As a result of the notification by Company to the Board that the cyber-attack is realized because of the entrance of the unauthorized passwords through the Local Area Network (LAN) and that this situation was occurred through a leakage from the computer of an employee located in the general areas of Company, the Board has decided to examine ex officio.
As a result of this review, the Board determined that there is not any special personal data among the affected personal data, that the access by unauthorized third parties who are not employees of the Company is an administrative imprudence, that the fact that the employees have not received pre-infringement security training is an administrative deficiency in terms of providing personal data security and awareness, that the failure of taking notice whether the leakage in computer network existed is an technical deficiency and the notification of the incident from employees in the other departments to the IT Department is an indication that the Company’s IT Department and Information Systems are not functioning properly.
For this reason, the Board, pursuant to Article 12 of the Law, decided to impose 400.000 TL due to lack of administrative and technical measures to ensure the protection of personal data within the scope of Article 18 of the Law No. 6698 and also decided to impose 100.000 TL due to application which violates the obligation to notify as soon as possible.
The decision No. 2019/225 about Obligations of the branches in Turkey of legal entities resident abroad and the Liaison Office published on 23.07.2019 by the Board
The Board, after the assessment, decided that;
- Data supervisor resident abroad which process personal data activities directly or through branches in Turkey must be registered.
- In the case of the branches, of legal entities resident abroad, located in Turkey, by definition, are responsible for determining the personal data aims and the means and for managing of the establishment of the data recording system, they will be considered as a data supervisor in Turkey as distinct from legal entity resident abroad, also, in this case, as a result of the evaluation to be made in terms of ‘’annual number of employees’’ and ‘’ annual financial statement’’, it will be decided for the branches, of the legal entity resident abroad, located in Turkey, whether there is an obligation to register to the Registry or not. The branches in this case does not have any obligation to register.
In order to open a Liaison Office in Turkey, incorporation of a company must be executed according to the foreign law and the established Liaison Office is not be able to do commercial activities. And also, considering the fact that the Liaison Offices are not like branches and that are established for communication, feasibility research, conducting some projects in social and cultural areas, making preparations for the mergers and acquisitions between companies, promotions and advertising, closely monitoring the job opportunities in the country and informing the central company about these issues, these liaison offices are not obliged to register to Registry.
Other News
-
4.6.2026
A Noteworthy Principle Decision of the Personal Data Protection Board on the Use of Biometric Data
The Principle Decision of the Personal Data Protection Board (the "Board") dated 29 April 2026 and numbered 2026/921 was published in the Official Gazette dated 2 June 2026. The Decision contains important assessments regarding the use of fingerprint, facial recognition and similar biometric systems for employee attendance and working hours tracking.
-
2.6.2026
Designation of Critical Infrastructure Sectors Under Cybersecurity Law No. 7545 and Key Compliance Obligations
Cybersecurity Law No. 7545, which introduces comprehensive and far-reaching rules governing cybersecurity in Türkiye, was enacted on 12 March 2025. The Law regulates the powers of the Cybersecurity Authority, the rules to be observed by public institutions and private companies, supervisory mechanisms, and applicable sanctions.
-
25.5.2026
Does Your 2025 Balance Sheet Trigger a VERBIS Obligation? Deadline Set for 5 June 2026
The Personal Data Protection Authority ("Authority") has published an important announcement regarding corporate taxpayer legal entity data controllers that have become subject to the obligation to register with the Data Controllers' Registry ("VERBIS") due to the criteria relating to the 2025 financial balance sheet total. Within the scope of the announcement, the period granted for the fulfillment of the VERBIS registration and notification obligation has been extended until Friday, 5 June 2026.
-
22.5.2026
The Competiton Authority Has Updated Its Merger And Acquisition Guidelines: What Has Changed For Trancastion Parties?
There have been significant developments in the field of mergers and acquisitions in recent times. The Competition Authority has implemented a comprehensive update process with the aim of making the regulatory framework in this area clearer and more predictable. This process, which began with the amendments to the Communiqué No. 2026/2 on the Amendment to the Communiqué on Mergers and Acquisitions Requiring the Approval of the Competition Board (Communiqué No. 2010/4) in February 2026, has entered a new phase with the updated guidelines published in May 2026.
-
20.5.2026
A New Approach to the Limits of the Institution of Amendment of Pleadings: Unification of Judgments Decision
1. INTRODUCTION By its decision dated 08.05.2026, the Grand General Assembly for the Unification of Judgments of the Court of Cassation explicitly ruled that a claim not initially included in the statement of claim cannot subsequently be introduced into the action by way of "partial amendment".
-
13.5.2026
Significant Amendments to Temporary Incapacity Periods for Maternity under the Social Security Institution
Extension of Maternity Leave Periods under Circular No. 2026/13: With the Circular dated 08.05.2026 and numbered 2026/13 issued by the Social Security Institution (“SSI”), the implementation of temporary incapacity benefits under maternity insurance within the scope of the Social Insurance and General Health Insurance Law No. 5510 has been updated. The aforementioned amendments have been introduced in line with Law No. 7578, which entered into force on 01.05.2026. These regulations include new provisions that are particularly significant for employers and employees, especially with respect to the extension of postnatal rest periods and the transitional rules applicable to existing medical reports.
-
11.5.2026
The Communique Regarding Proffesions Subject to the Requirement for a Professional Competency Cerificate (2026/1) Has Been Published
With the "Communiqué Regarding Occupations Subject to the Mandatory Professional Competency Certificate by the Professional Competency Authority," dated March 23, 2026, and published in the Official Gazette No. 33202, the requirement to hold a Professional Competency Certificate has been expanded to include certain occupations classified as hazardous or highly hazardous
-
4.5.2026
Significant Changes in the Workplace: Maternity Leave Periods Revised
Law No. 7578, amending the Social Services Act and certain other laws, entered into force following its publication in Official Gazette No. 33240 dated 1 May 2026. This regulation introduces significant changes, particularly regarding maternity leave durations, which have implications for employers in terms of workforce planning and organisational processes. In this bulletin, we examine the key changes introduced by the regulation.
-
30.4.2026
Draft Law On The Protection Of Trade Secrets Has Been Released!
Whilst Turkish law contains various provisions on trade secrets across different laws and subordinate regulations, there has been no standalone legislation to date that directly and comprehensively defines trade secrets or provides for distinct protection and safeguard mechanisms. Prepared to address this gap, the Draft has been drafted in line with the EU's Directive 2016/943/EU on trade secrets and serves as a tool to support Turkey's international trade policies and the development of digital trade.
-
24.4.2026
A New Era For The Meal Allowance Exemption From Insurance Premium
Article 10 of Law No. 7577 on Amendments to Certain Laws, published in the Official Gazette dated 17.04.2026, introduced a significant amendment to paragraph (b) of Article 80, titled "Earnings Subject to Premium," of Law No. 5510 on Social Insurance and General Health Insurance, which regulates exemption amounts, with respect to the meal allowance exemption provided by employers.
-
20.4.2026
"Effective Remorse" as a Personal Ground Mitigating or Eliminating Punishment
1. What is Effective Remorse? Effective remorse is the legal consequence - in the form of a reduction or elimination of punishment - that the law attaches to the compensatory conduct voluntarily undertaken by a perpetrator following the completion of an offence, as a result of the remorse experienced by that perpetrator.
-
9.4.2026
Deadline for Compliance with Minimum Capital Requirement: 31 December 2026
Articles 332 and 580 of the Turkish Commercial Code (the "TCC") regulate the minimum capital requirements for joint stock companies and limited liability companies, respectively, and stipulate that such amounts shall be determined and may be increased by a Presidential Decree. Pursuant to this authority, with Presidential Decree No. 7887 published in the Official Gazette dated 25 November 2023, the minimum capital amounts have been significantly increased. Accordingly, under the said Decree:
-
7.4.2026
The Occupational Health And Safety Training Regulation Has Been Amended! What Innovations Does The 2026 Regulation Introduce?
Occupational Health and Safety (OHS) trainings constitute the cornerstone of a proactive approach to preventing workplace accidents. The new "Regulation on the Procedures and Principles of Occupational Health and Safety Training for Employees", which entered into force on April 2, 2026, repealed the 2013 regulation and introduced fundamental changes centered on digitalization, accessibility, and measurability in training processes.
-
2.4.2026
The Rights of Minority Shareholders: How Powerful Are They in Reality?
The fundamental principle in joint-stock companies and commercial companies in general is the majority rule. Shareholders holding control determine the fate of the company. However, to prevent this from turning into absolute dominance, the Turkish Commercial Code No. 6102 (the "TCC") grants minority shareholders various rights. The purpose of these rights is to establish a balance between the majority and the minority, and to prevent the minority from becoming entirely ineffective against the company's management.
-
31.3.2026
Employment Retention Incentive in the Manufacturing Industury Enters into Face
The Regulation on the Implementation of the Employment Retention Support Program was published in the Official Gazette dated 3 March 2026 and numbered 33185, and has entered into force.The Program aims to preserve and increase employment in enterprises operating in the manufacturing industry. It covers the period between 1 January 2026 and 31 December 2026, with the final deadline for submitting payment claims set as 31 March 2027.
