Turkey’s Data Protection Authority has published a number of recent decisions by the Data Protection Board (“Board”). The summarized and anonymized decisions help to clarify legislation and practices in this developing area, giving some insight on how the Board will treat certain aspects of data processing, transfers, and security breaches.

Notable points from the decisions include:

  • The Board ruled that notifying data subjects about a breach of personal data security 17 months after the breach exceeds the reasonable period, constituting a breach of data security.
  • Obtaining explicit consent from data subjects in circumstances where explicit consent is not required (circumstances outlined under Article 5(2) of the Law) constitutes an abuse of rights by the data controller.
  • The Board ruled that transferring personal data to courts which exceeds the requested amount violates the principle of data minimisation.
  • The Board warned data controllers which do not respond to data subjects who wish to exercise their rights within 30 days about the administrative fines which apply under Article 18 of the Law.
  • The Board warned a company for processing personal data for purposes other than its legal obligations where the company kept personal data for ten years on the basis of its legal obligations.
  • The Board sanctioned a data controller which sent a customer’s personal data to another customer with the same name on the basis that the error indicates a lack of technical and administrative measures.
  • The Board noted that requesting an unnecessary document which contains personal data violates the principles of compliance with the law and good faith.
  • The Board ruled that adding an employee’s residential address to sample contracts which were sent to third parties without any legal basis is a violation.

Please see this link for the full text of the Board’s decisions (only available in Turkish).