The decision of the Constitutional Court with application number 2020/7518 and decision date 12 October 2023, was published in Official Gazette number 32400 on 15 December 2023. In the decision, the Constitutional Court determined that the rejection of objections to the administrative fine imposed on the data controller by the Personal Data Protection Board without evaluation by the Criminal Court of Peace constitutes a violation of property rights.
The data controller (“Applicant“), who made an individual application to the Constitutional Court, is a data controller operating hotels in different countries with its headquarters located abroad. In 2016, the Applicant acquired another accommodation company and found out on 19 November 2018, that an unauthorized third party had accessed the database of the acquired accommodation company. The Applicant reported the data breach to the Personal Data Protection Authority on 3 December 2018.
The Personal Data Protection Board (“Board“) decided to impose an administrative fine on the Applicant on 15 May 2019 pursuant to Article 12 of Law on the Protection of Personal Data (“DP Law“) numbered 6698. The fine was imposed for the Applicant’s failure to take necessary technical and administrative measures to ensure data security, amounting to TRY 1,100,000, and for non-compliance with the obligation to report the breach promptly, resulting in an additional TRY 350,000. The total administrative fine amounted to TRY 1,450,000.
The Applicant applied to the Istanbul Anatolian 1st Criminal Peace Judgeship to have the imposed administrative fine lifted, but the application was rejected. Despite the Applicant’s objection, the request was definitively denied by the decision of the Istanbul Anatolian 2nd Criminal Court of Peace. Subsequently, within the statutory period, the Applicant filed an individual application to the Constitutional Court (“CC“) claiming that the administrative fine imposed by the Board, alleging the violation of property rights due to the failure to take necessary technical and administrative measures to ensure data security, had been violated.
In the individual application made to the CC, the Applicant argued the following:
- That the accommodation company where the data breach occurred is to be considered as the data controller, asserting that the administrative fines were not applicable to the Applicant, and contending that the personal nature of the administrative penalty was violated,
- That the implementation of the DP Law, which came into effect after the alleged offense, violated the principle of non-retroactivity of laws,
- That the decision of the Board regarding the administrative fine was not properly notified, lacked sufficient justification, and the objection was rejected without adequate and necessary examination by the appellate court,
- That all technical and administrative measures were taken, the breach was promptly detected and reported, and there is no restrictive time frame in the DP Law for such reporting. The Applicant argued that the failure of the appellate courts to consider this matter was contrary to the principles of legality in both the offense and the penalty. Additionally, the Applicant asserted that the imposition of the maximum administrative fine was disproportionate and infringed upon property rights.
The noteworthy points in the decision of the CC with Application Number 2020/7518 and Decision Date 12 October 2023 (“Decision“) can be outlined as follows:
- The imposition of administrative fines has led to a depletion of the Applicant’s assets, and it is acknowledged that this money constitutes property for the Applicant. Accordingly, it has been stated that the imposition of administrative fines on the Applicant for not taking necessary technical and administrative measures to ensure data security and for not promptly reporting data security breaches constitutes an interference with the right to property.
- The CC deemed it necessary to assess the situation in light of the principle of “proportionality”, even though it was argued that there is no specific timeframe in the DP Law for the detection and reporting of data breaches.
- It is noted that property rights can be limited for the purpose of public interest. In order to be constitutionally permissible, interference with property rights must be suitable and necessary to achieve its purpose. While public authorities have some discretion in choosing the means of interference, it is emphasized that there must be very strong reasons when the selected means do not meet the necessity criteria due to the absence of alternative means or the ineffectiveness of existing alternatives in achieving the intended legitimate purpose. In this regard, it is stated that decisions of appellate courts must contain relevant and sufficient justification.
- The distinction between the protection of personal data and the protection of data security is emphasized. The protection of personal data primarily corresponds to safeguarding fundamental rights and freedoms during the processing of personal data, while the protection of data security involves taking technical and administrative measures to protect the data itself.
- It is emphasized that all necessary technical and administrative measures must be taken to ensure an appropriate level of security for the protection of personal data. When assessing the appropriateness of the security level, the risks posed by the processing activities, including accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data, should be taken into account. Moreover, it is highlighted that the determination of the appropriate security level depends not only on the size or financial status of the company but also on the nature of the data being protected. Accordingly, the data controller is obliged to conduct or ensure necessary audits within its organization to ensure compliance with the provisions of the DP Law.
- While authorities have some discretion in determining the measures to be implemented for ensuring data security, it is emphasized that this discretion is not unlimited. Especially, if the preferred means significantly exacerbate the interference concerning the intended purpose, it is concluded that the interference is not necessary.
- The CC concluded that the entity where the data breach occurred, acquired as the data controller, is the accommodation company.
- The CC acknowledged that the arguments presented by the Applicant regarding the decision given by the Board, which were submitted during the objection to the Criminal Peace Judgeship, were important and must have been addressed throughout the entire legal process. The CC determined that the Criminal Peace Judgeship’s failure to examine these arguments in any way did not fulfill the procedural safeguards for the protection of property rights and constituted a violation of property rights.
You can access the Decision through this link.