The Personal Data Protection Board (“Board”) has published 15 new decisions on 23 May 2022. Most of the decisions revolve around the transactions made under conditions where the data controllers are e-commerce platforms.
Most notable decisions are as follows:
- Summary of Decision No. 2021/1218: The Board evaluated a case where a data breach is caused by an employer residing abroad. In the case at hand, the employer failed to notify the employee on the data processing activities, in addition to processing the employer’s data unlawfully. The Board decided, (i) to remind the data controller to pay attention to fulfill the obligation to inform in accordance with article 10 of the Law in terms of personal data processed in Turkey, although the data subject has been informed within the scope of the obligations of the European General Data Protection Regulation (GDPR), (ii) to inform the data subject that it is necessary to take action before the judicial authorities to resolve the disputes arising from the employment relationship with the data controller, (iii) that the data controller to be instructed to conclude applications to be made by the data subjects pursuant to articles 11 and 13 of the Law and article 5 of the Communiqué on the Principles and Procedures for the Request to Data Controller (“Communiqué”) effectively, in accordance with the law and honesty rules within the framework of article 13 of the Law and article 6 of the Communiqué.
- Summary of Decision No. 2021/1217: The Board evaluated a case where a data breach is caused by a media company by broadcasting of an untrue, dishonorable television news about the data subject, by using the photos of her and her child. The Board ruled to impose an administrative fine on the data controller based on the reason that the personal data of the data subjects were processed by the data controller without relying on any processing conditions.
- Summary of Decision No. 2021/1187: The Board evaluated a case where a data breach is caused by a former employer. In the case at, the data controller accessed the corporate e-mail account of the data subject, who is a former employee, without notification. The Board ruled to impose an administrative fine on the data controller in line with article 5 of the Law on the grounds that the data controller failed to notify the data subject in line with the Law and the Communiqué, and that the data controller’s access to the data subject’s e-mails is not based on any data processing condition outlined in article 5 of the Law.
Furthermore, the Board also decided to initiate an ex officio investigation within the scope of paragraph (1) of article 15 of the Law regarding the claim of the data subject that “the personal data processing in question must be carried out in accordance with article 9 of the Law, since the Microsoft servers, the service provider company where the information of its customers and employees are kept, are located abroad.”