The following are summaries of four recent decisions of the Personal Data Protection Board (“Board”).

  • Decision No. 2021/140: Complainant alleged that third party’s accessing certain real property tax and valuation information, using complainant’s ID number alone as a search query, from online data bases of certain municipalities violated Personal Data Protection Law numbered 6698 (“DP Law”). The Board agreed, and reaffirmed that municipalities, in order to combat fraud, must implement two factor authentication for online searches.
  • Decision No. 2021/359: Complainant alleged that data controllers sharing, with mobile application company, certain personal data without complainant’s consent violated the DP Law. The Board agreed, and found that under the particular circumstances presented – which must be evaluated anew in every case – the data was of a kind processable only with consent of the data subject. The Board levied on the offending data controller a fine of TRY 100,000.
  • Decision No. 2021/389: Complaint alleged that an insurance company’s individual pension contract procedure violated the DP Law by including in its general consent a specific consent to processing of personal data. The Board agreed, and found the procedure to be violative not only of the DP Law , but the principle of good faith, and reaffirmed that consent to personal data processing must be physically separate from all other contractual consents and written in plain and unambiguous language. The Board levied upon the offending insurance company/data controller an administrative fine of TRY 250,000, and ordered it to comply with applicable law.
  • Decision No. 2021/407: Complaint alleged that data breach at hospital violated the DP Law. The Board agreed, finding that the hospital/data controller failed to implement measures required by law to protect personal data, levied an administrative fine of TRY 150,000, and ordered notice to be served on all persons affected or potentially affected by the data breach.