Turkey’s Data Protection Board (“Board”) imposed an administrative fine in the amount of TRY 900,000 on a data controller for transferring personal data abroad without having a valid legal basis. The data controller’s claim that Convention 108 is sufficient per se for data transfer abroad among the parties has been declined by the Turkish Data Protection Board.

Upon a data subject’s complaint on sending an unsolicited marketing message by the data controller operating in the automotive sector; the Board carried out an investigation. As the bulk messaging system that the data controller used is a web-based software, personal data were transferred to a cloud database located in an EU country for marketing text messages to be sent to data subjects. Therefore, the main dispute was concentrated on whether data were processed and transferred abroad in compliance with Turkey’s Personal Data Protection Law number 6698 (“DP Law”) or not.

As a result of the investigation, the Board has determined that:

  • Article 12 of Convention 108 states that a party to the treaty may not prohibit data transfer abroad by asserting only the protection of private life claims. Such provision; however, does not in any way restrict contracting parties’ right to regulate data processing activities with their local law or right to bring any rules and restrictions governing data transferring abroad. Being a party to Convention 108 is not sufficient to accept such a party as a safe country, yet can be considered by the Board when determining safe countries. Although the data controller relies on Convention 108 for abroad data transfer, the requirements under the DP Law are not met.
  • In order to rely on a legitimate interest legal ground, balancing exercise is required. The data controller did not present any arguments on the matter.
  • The legal ground of transferring abroad is not clearly stated in the privacy notice by the data controller. Such notice contains inconsistencies.
  • The data controller did not duly obtain explicit consent from the data subject since the privacy notice and the explicit consent was not aligned and did not explicitly state abroad data transfer in the context of such notice.
  • Since (i) the data controller’s legitime interest could not be clearly expressed, (ii) the explicit consent is not duly obtained, and, (iii) the Convention 108 is not sufficient to justify abroad data transfer and the requirements stipulated under the DP Law for transferring personal data is not followed, the abroad transfer constitutes unlawful processing.

In this regard, the Board decided to impose the following sanctions pursuant to article 18/1/b of the Law:

  • Administrative fine in the amount of TRY 900,000 for failing to take the necessary technical and administrative measures as stipulated under article 12/1 of the Law,
  • Deletion and/or destruction of the abroad transferred personal data and then to inform the Board accordingly

Please see this link for the summarized decision numbered 2020/559 published on the Board’s official website on 4 September 2020 (only available in Turkish).