Legal AlertUp-dates Regarding December 2018

18 January 2019


  • Public Announcement from Personal Data Protection Board

The Personal Data Protection Board, with the public announcement on 5 December 2018, shared information of data breach notification from a USA-based hotel chain Marriot Inc. In the public announcement published on the website of the Personal Data Protection Board, the relevant company has received a warning regarding the attempt to access the Starwood guest reservation database from the in house security system. Following the investigation of the breach, it is revealed that the unauthorized access to the Starwood network begun in 2014, and the person who carried out the unauthorized access had copied and encrypted the information. Additionally, it has been stated that the personal data of approximately 500 million guests who have made a reservation at the Starwood facility on 20 September 2018 or earlier date are included in the infringement database. In addition to the personal data of the guests, credit card information is also available in the database and no information has been given by the company to determine if the passwords for the cards that have been decrypted or not. Detailed information about the violation is available at

  • Decision of the Personal Data Protection Board for unauthorized electronic commercial messages  

The Personal Data Protection Board, with its principle resolution numbered 2018/119 and dated 16/10/2018, determined that transmissions of advertisement messages to e-mail addresses and mobile phones of the data subjects via e-mail messages, SMS or phone calls by data controllers and such activities of the data processors who use these data on behalf of the data controller without the explicit consent of the data subjects or without complying with the legal processing grounds specified in the Data Protection Law shall be ceased with immediate effect. 

Data officers who continue to carry out the activities stated in the resolution may face with sanctions up to 1 million Turkish Liras. In addition to administrative fines, it is stated in the resolution that if the data belonging to data subjects to which advertisement messages and calls were directed, were collected unlawfully, criminal complaint will be filled to Public Prosecution Office about the data collectors for the violation of Article 136 of Turkish Penal Code titled “Unlawful  Giving or Obtaining Data”.

  • The Council of State once again suspended the implementation of the Regulation on Processing and Protecting the Privacy of Personal Data Concerning Health 

The execution of the Regulation on Processing and Protecting the Privacy of Personal Data Concerning Health, (“Data Concerning Health Regulation/Regulation“) which had been  promulgated in the Official Gazette of 22 October 2016 by the Ministry of Health, had been suspended by the decision of the  15th Chamber of Council of State, numbered 2016/10488, on the grounds that the Regulation had been unlawful since it had contained general provisions on protecting personal data and had been prepared without obtaining any opinion of the Personal Data Protection Board. 

Upon the decision for stay of execution; in the Official Journal dated 24/11/2017 and numbered 30250 “The Regulation for Amending the Regulation on Processing and Protecting the Privacy of Personal Data Concerning Health” (“Amending Regulation”) had been published and Data Concerning Health Regulation had been entered in force yet again by being amended. Concerning the Amending Regulation, Turkish Medical Association and Turkish Dental Association had commenced a lawsuit and the Amending Regulation was suspended. In the preamble of the mentioned decision numbered 2018/1490, the 15th Chamber of the Council of State stated that reviving the Regulation which had been suspended before, by amending partially and avoiding from abiding the decision which was totally enforceable in terms of material and legal conditions, was unlawful while the Regulation had been supposed to be amended in compliance with the decision of the 15th Chamber of Council of State, numbered 2016/10488. For both preambles of mentioned decisions, Council of State highlighted audit and control power of the Authority of Protection of Personal Data, by emphasizing the regulations which must be taken into consideration within the scope of protection of personal data.