Turkey’s Personal Data Protection Board (“Board”) clarified certain matters regulated under the Law on Personal Data Protection (“DP Law”) with the decision summaries published on 3 April 2019.

The Board’s decisions and events subject to them are as follows:

The applications regarding unauthorized online disclosure of personal data and document including personal data on the internet by unknown person/persons:The Board decided that:

  • Notices and complaints related to the subjects within the judicial authorities’ remit will not be inspected as per Article 15 of the DP Law.
  • There is no need to conduct any proceedings since the subject matter incidents involve crime elements and both were submitted to judicial authorities.

Application regarding the failure to fulfill data subject’s request related to the erasure of personal data stored by the data controller bank: By considering banks’ legal retention obligations, the Board found no need to conduct any proceedings based on the fact that ten years retention period has not expired.

Application regarding the transfer of legal entity’s data: The Board decided that:

  • The request on the legal person’s data should not be evaluated under the DP Law
  • The rights regulated under Article 11 of the DP Law may only be used by the data subject himself/herself or his/her legal representative.

Application upon the non-provision of a sufficient answer following the application to the data controller regarding personal data’s erasure: The Board instructed a public establishment as a data controller:

  • To erase the personal data of which the retention period is expired,
  • To inform the complainant regarding deletion transactions,
  • Not to process the subject matter personal data except for the purpose of retention,

and gave 30 days to the data controller to comply with the decision. However, the data controller did not fulfill the necessary steps in due time and did not comply with all the instructions of the Board while informing the data subject. Therefore, the Board decided

  • To impose an administrative fine and to initiate disciplinary proceedings.
  • To instruct the data controller to inform the data subject in a sufficient manner already instructed.

Application for the examination of the personal data processing of group companies receiving job application via the online platform: The Board detected that the confirmation of the read of the privacy notice and obtaining of the explicit consent is carried out through clicking the same checkbox. Hereupon, the Board decided to instruct the data controller for separation of mechanisms to receive confirmation that privacy notice has been read and obtain explicit consent, in accordance with Article 5 of the Communiqué on Procedures and Principles to be Followed for the Data Controller’s Obligation to Inform.

You may reach the full texts of the summaries of decisions through below links (only available in Turkish):

Summary of Personal Data Protection Board’s Decision Numbered 2018/156

Summary of Personal Data Protection Board’s Decision Numbered 2018/142

Summary of Personal Data Protection Board’s Decision Numbered 2018/131

Summary of Personal Data Protection Board’s Decision Numbered 2018/118

Summary of Personal Data Protection Board’s Decision Numbered 2018/10

Summary of Personal Data Protection Board’s Decision Numbered 2018/90