The Board of Protection of Personal Data Has Published New Decisions 10 April 2020
The Board of Protection of Personal Data Has Published New Decisions
Pursuant to Articles 15 and 22 of the Law on Protection of Personal Data No. 6698 (the “Law”), the Board of Protection of Personal Data (the “Board”) is entitled to conduct necessary inspections within the scope of its remit, either ex officio in case it learns independently of possible violations or upon complaint, and to impose administrative fines in cases of breach. The Board publishes, on its website, summaries of its post-investigation decisions, which are considered to be important and to establish precedents.
We hereby present summaries of several of these Board decisions.
Board Decision No. 2019/138, about unlawful access of an employee’s WhatsApp correspondence by a company owner, published on 16.05.2019 by the Board
Pursuant to a complaint made to the Board related to the claims about the unlawful obtaining of employee WhatsApp correspondence, which was subsequently shared with third parties, the Board initiated an investigation.
After the investigation, the Board concluded when an employer reads the correspondence of an employee made through the employee’s computer at the workplace, taking photos and/or screenshots, the employer has committed a crime under Turkish
Criminal Law No. 5237; when so deciding, the Board observed the complaint cannot be evaluated pursuant to Articles 15/1 and 15/2 of the Law, which provides the Board
is to make the necessary examination of alleged violations of the Law are it learned of them upon receiving a complaint, when complaint does not meet the requirements set forth in Article 6 of the Law on the Use of Right to Petition. In its decision, the Board found that the employer’s WhatsApp user is not a data controller, and reading the correspondence, taking photos and saving screenshots cannot be considered data processing.
Board Decision No. 2019/106, about claims that an intermediary service provider’s website requires visitors to log in and does not allow them to
proceed to homepage without filling in -mail section asking for their email addresses, published on 08.07.2019 by the Board
In a complaint made to the Board, the complainant alleged that an intermediary service provider’s website requires its visitors to log in and does not allow them to proceed to homepage without first providing their e-mail addresses, which means the provision of personal data is a condition for the use of service, with legal bases for processing the personal data not clearly stated in the data processing notice.
As a result of its examination, the Board found that offering or making utilization of a product or service conditioned on the provision of personal data violated the explicit consent requirement, i.e., the rule requiring that explicit consent be an exercise of free will. Although the website subject to the review does not appear to be a direct supplier/provider of goods and services, the Board observed the site acts as an intermediary service provider, allowing the purchase of various services offered by a variety of service providers in other locations, and in different sectors. In this regard, however, based on the Board’s assessment that the discounted prices and advantages offered within the website are only offered to its members, rather than being the provision or utilization of a product or service provided pursuant to explicit consent, the Board decided there is no action to be taken under the Law regarding the subject matter.
In addition, when text on the website, titled “Our Privacy and KVK Policy”, , was examined by the Board within the framework of the “relevant legislation” , the Board observed it had not been specified whether the personal information processed by the website was processed within the framework of the obligations arising under that legislation or was based on the explicit consent of the relevant persons, or what part of the personal data in question was processed in accordance with any such explicit consent . In this context, the Board concluded if the personal data processing activity was based on anything other than the explicit consent provided for in the Law, there would be no need to obtain explicit consent from the person concerned, as that would be deceptive and a misuse of the explicit consent requirement. As a matter of fact, it must be emphasised that, if the explicit consent of the relevant person is withdrawn, it would mean the data controller who continues the data processing activity of the personal information in question based on one of the other personal data processing conditions, would be violating the Law.
The Board decided to instruct the website to update the text of its “Privacy and KVK Policy” by taking into account the provisions found in the “Communique on Principles and Procedures to be Followed in Fullfillment of the Obligation to Inform” and the website’s obligation to properly inform and obtain explicit consent. As the Board has stated in many resolutions, the provisions on websites related to privacy must be written clearly and understandable, as well as being as short and concise as possible, and most importantly be in accordance with the Law, including the obligation to use titles such as “KVKK Information Text”, “Our KVKK Policy”, and “Privacy and Information about KVKK”.. IN other words, the Board has made it clear that privacy relate notices should be presented to the relevant persons in a clear, simple and understandable manner, and in accordance with the provisions of the Law and related secondary legislation.
Board Decision No. 2019/273, on the requests of relatives to access their deceased ones’ personal data, published on 18.09.2019 by the Board
In an appeal made to the Board by the spouse of the deceased, the living spouse requested medical records and other information of the deceased spouse from a medical clinic by registered letter with return receipt. However, the clinic did not answer. Thereupon, the spouce forwarded an e-mail containing the aforementioned requests to the clinic's electronic address, after which the request was rejected by the clinic, which stated it could not share such information in absence of an official request. The living spouse then /she appealed to the Board for access to the personal data of the deceased spouse.
The Board considered Article 3 of the Law , and determed the relevant person is defined as “real person whose personal data is processed” and decided the living spouse’s request would not qualify be considered as a request under Article 11 of the Law, since the requested personal data was not related to the living spouse and, instead, belongs to the deceased spouse. The Board took into consideration the provision in the definition of personal data regarding being related to the “real person”, and then considered the definition of personality set forth in the Civil Code, which provides personality begins with birth and ends at death, it conluded the personal data of deceased persons cannot be considered as personal data within the scope of the Law, and the rights specified in Article 11 of the Law cannot be utilized.
Other News
-
4.6.2026
A Noteworthy Principle Decision of the Personal Data Protection Board on the Use of Biometric Data
The Principle Decision of the Personal Data Protection Board (the "Board") dated 29 April 2026 and numbered 2026/921 was published in the Official Gazette dated 2 June 2026. The Decision contains important assessments regarding the use of fingerprint, facial recognition and similar biometric systems for employee attendance and working hours tracking.
-
2.6.2026
Designation of Critical Infrastructure Sectors Under Cybersecurity Law No. 7545 and Key Compliance Obligations
Cybersecurity Law No. 7545, which introduces comprehensive and far-reaching rules governing cybersecurity in Türkiye, was enacted on 12 March 2025. The Law regulates the powers of the Cybersecurity Authority, the rules to be observed by public institutions and private companies, supervisory mechanisms, and applicable sanctions.
-
25.5.2026
Does Your 2025 Balance Sheet Trigger a VERBIS Obligation? Deadline Set for 5 June 2026
The Personal Data Protection Authority ("Authority") has published an important announcement regarding corporate taxpayer legal entity data controllers that have become subject to the obligation to register with the Data Controllers' Registry ("VERBIS") due to the criteria relating to the 2025 financial balance sheet total. Within the scope of the announcement, the period granted for the fulfillment of the VERBIS registration and notification obligation has been extended until Friday, 5 June 2026.
-
22.5.2026
The Competiton Authority Has Updated Its Merger And Acquisition Guidelines: What Has Changed For Trancastion Parties?
There have been significant developments in the field of mergers and acquisitions in recent times. The Competition Authority has implemented a comprehensive update process with the aim of making the regulatory framework in this area clearer and more predictable. This process, which began with the amendments to the Communiqué No. 2026/2 on the Amendment to the Communiqué on Mergers and Acquisitions Requiring the Approval of the Competition Board (Communiqué No. 2010/4) in February 2026, has entered a new phase with the updated guidelines published in May 2026.
-
20.5.2026
A New Approach to the Limits of the Institution of Amendment of Pleadings: Unification of Judgments Decision
1. INTRODUCTION By its decision dated 08.05.2026, the Grand General Assembly for the Unification of Judgments of the Court of Cassation explicitly ruled that a claim not initially included in the statement of claim cannot subsequently be introduced into the action by way of "partial amendment".
-
13.5.2026
Significant Amendments to Temporary Incapacity Periods for Maternity under the Social Security Institution
Extension of Maternity Leave Periods under Circular No. 2026/13: With the Circular dated 08.05.2026 and numbered 2026/13 issued by the Social Security Institution (“SSI”), the implementation of temporary incapacity benefits under maternity insurance within the scope of the Social Insurance and General Health Insurance Law No. 5510 has been updated. The aforementioned amendments have been introduced in line with Law No. 7578, which entered into force on 01.05.2026. These regulations include new provisions that are particularly significant for employers and employees, especially with respect to the extension of postnatal rest periods and the transitional rules applicable to existing medical reports.
-
11.5.2026
The Communique Regarding Proffesions Subject to the Requirement for a Professional Competency Cerificate (2026/1) Has Been Published
With the "Communiqué Regarding Occupations Subject to the Mandatory Professional Competency Certificate by the Professional Competency Authority," dated March 23, 2026, and published in the Official Gazette No. 33202, the requirement to hold a Professional Competency Certificate has been expanded to include certain occupations classified as hazardous or highly hazardous
-
4.5.2026
Significant Changes in the Workplace: Maternity Leave Periods Revised
Law No. 7578, amending the Social Services Act and certain other laws, entered into force following its publication in Official Gazette No. 33240 dated 1 May 2026. This regulation introduces significant changes, particularly regarding maternity leave durations, which have implications for employers in terms of workforce planning and organisational processes. In this bulletin, we examine the key changes introduced by the regulation.
-
30.4.2026
Draft Law On The Protection Of Trade Secrets Has Been Released!
Whilst Turkish law contains various provisions on trade secrets across different laws and subordinate regulations, there has been no standalone legislation to date that directly and comprehensively defines trade secrets or provides for distinct protection and safeguard mechanisms. Prepared to address this gap, the Draft has been drafted in line with the EU's Directive 2016/943/EU on trade secrets and serves as a tool to support Turkey's international trade policies and the development of digital trade.
-
24.4.2026
A New Era For The Meal Allowance Exemption From Insurance Premium
Article 10 of Law No. 7577 on Amendments to Certain Laws, published in the Official Gazette dated 17.04.2026, introduced a significant amendment to paragraph (b) of Article 80, titled "Earnings Subject to Premium," of Law No. 5510 on Social Insurance and General Health Insurance, which regulates exemption amounts, with respect to the meal allowance exemption provided by employers.
-
20.4.2026
"Effective Remorse" as a Personal Ground Mitigating or Eliminating Punishment
1. What is Effective Remorse? Effective remorse is the legal consequence - in the form of a reduction or elimination of punishment - that the law attaches to the compensatory conduct voluntarily undertaken by a perpetrator following the completion of an offence, as a result of the remorse experienced by that perpetrator.
-
9.4.2026
Deadline for Compliance with Minimum Capital Requirement: 31 December 2026
Articles 332 and 580 of the Turkish Commercial Code (the "TCC") regulate the minimum capital requirements for joint stock companies and limited liability companies, respectively, and stipulate that such amounts shall be determined and may be increased by a Presidential Decree. Pursuant to this authority, with Presidential Decree No. 7887 published in the Official Gazette dated 25 November 2023, the minimum capital amounts have been significantly increased. Accordingly, under the said Decree:
-
7.4.2026
The Occupational Health And Safety Training Regulation Has Been Amended! What Innovations Does The 2026 Regulation Introduce?
Occupational Health and Safety (OHS) trainings constitute the cornerstone of a proactive approach to preventing workplace accidents. The new "Regulation on the Procedures and Principles of Occupational Health and Safety Training for Employees", which entered into force on April 2, 2026, repealed the 2013 regulation and introduced fundamental changes centered on digitalization, accessibility, and measurability in training processes.
-
2.4.2026
The Rights of Minority Shareholders: How Powerful Are They in Reality?
The fundamental principle in joint-stock companies and commercial companies in general is the majority rule. Shareholders holding control determine the fate of the company. However, to prevent this from turning into absolute dominance, the Turkish Commercial Code No. 6102 (the "TCC") grants minority shareholders various rights. The purpose of these rights is to establish a balance between the majority and the minority, and to prevent the minority from becoming entirely ineffective against the company's management.
-
31.3.2026
Employment Retention Incentive in the Manufacturing Industury Enters into Face
The Regulation on the Implementation of the Employment Retention Support Program was published in the Official Gazette dated 3 March 2026 and numbered 33185, and has entered into force.The Program aims to preserve and increase employment in enterprises operating in the manufacturing industry. It covers the period between 1 January 2026 and 31 December 2026, with the final deadline for submitting payment claims set as 31 March 2027.
