The Constitutional Court (“Court”), in its decision dated 27 January 2026, bearing application number 2020/32193 (“Decision”), examined an administrative fine imposed under the Personal Data Protection Law No. 6698 (“DP Law”) in the context of the principle of legality in offences and penalties as guaranteed under Article 38 of the Constitution, and ruled that the said principle had been violated. The Decision was published in the Official Gazette dated 16 June 2026.
Decision is significant not only with respect to the specific dispute at hand, but also in terms of the legal basis of administrative sanctions imposed under the DP Law, the limits of the interpretive methods adopted in the decisions of the Personal Data Protection Board (“Board”), and the role of the guidance documents published by the Personal Data Protection Authority (“Authority”) in enforcement proceedings. Court emphasized that the imposition of an administrative sanction based on a concept not expressly regulated by law, or whose scope has not been defined by law, must be assessed within the framework of the principle of legality in offences and penalties.
1. Background
The developments in the dispute subject to the Decision are summarized chronologically below:
- The complainant lodged a complaint with the Authority, alleging that their personal data had been obtained and processed without a valid legal basis after they were contacted by telephone in connection with the promotion and marketing of insurance services and the scheduling of a commercial meeting.
- During the investigation, the applicant company argued that the complainant’s contact details had been obtained from an online platform on which the data subject had made such information publicly available. On that basis, the applicant maintained that the processing fell within the scope of Article 5/2(d) of the DP Law concerning personal data made public by the data subject and could therefore be carried out without the complainant’s explicit consent.
- In its decision dated 7 November 2019, the Board concluded that, even if the complainant’s data had been made publicly available on the relevant platform, the applicant had used the data for a purpose incompatible with the purpose of its disclosure, namely to arrange a commercial appointment rather than to engage with the complainant in relation to their professional activities.
- In reaching that conclusion, the Board relied on the explanations set out in the “Guidance on Implementation of the Personal Data Protection Law” (“Guidance”) published by the Authority, and found that the applicant had breached its data security obligations under Article 12/1(a) of the DP Law, accordingly imposing an administrative fine pursuant to Article 18/1(b) of the DP Law.
- The Istanbul Anatolian 5th Criminal Court of Peace, while upholding the lawfulness of the sanction, reduced the amount of the fine on the grounds that the reasons for departing from the statutory minimum had not been sufficiently set out. Objections filed by the parties were dismissed and the decision became final.
- The applicant subsequently lodged an individual application before the Constitutional Court, arguing that the imposition of an administrative sanction on the basis of the concept of the “purpose of publication”, a concept not expressly set out in the DP Law, was contrary to the principles of legal certainty and foreseeability.
2. Court’s Assessment
Court first emphasized that the principle of legality in offences and penalties applies not only to criminal offences in the strict sense but also to administrative offences subject to administrative sanctions, and recalled that the ability of individuals to foresee in advance which of their conduct may give rise to a sanction, and the requirement that the rules on which a sanction is based be regulated with sufficient clarity, are among the fundamental elements of the principle of legality.
- Court acknowledged that the sanction imposed on the applicant was formally grounded in Articles 12 and 18 of the DP Law but separately examined whether the interpretation underlying the sanction satisfied the requirements of the principle of legality in terms of its substance.
- It was found that Article 5/2(d) of the DP Law merely provides that personal data made publicly available by the data subject may be processed; however, the law contains no provision concerning the concept of the “purpose of publication”, its scope, or the attachment of a sanction to use that is inconsistent with that purpose.
- Court noted that the explanations concerning the purpose of publication relied upon in the Board’s decision appeared only in the Guidance, and that guidance documents cannot be interpreted in a manner that creates new obligations or grounds for sanctions not provided for in the law.
- As a requirement of the principle of legality in offences and penalties, the conduct subject to a sanction and its consequences must be ascertainable directly from the statutory provision by the persons concerned.
- Court further noted that the scope of the applicant’s status as a data controller and the potential liability of the platform on which the personal data was originally published had not been assessed with sufficient clarity in the sanctioning decision.
- It has been concluded that the sanction imposed on the applicant relied on a concept not contained in the text of the law and stemmed from an interpretation extending beyond the reasonably foreseeable scope of the relevant statutory provision.
Court unanimously ruled that the principle of legality in offences and penalties, as guaranteed under Article 38 of the Constitution, had been violated for the reasons set out above. It further ordered that the case file be remitted to the Istanbul Anatolian 5th Criminal Court of Peace for a retrial to remedy the consequences of the violation.
You may access the full text of the Constitutional Court’s decision here. (only available in Turkish)
