Monthly Newsletter – TURKEY – Legal & Regulatory Updates Regarding April 2019



  • New decision summaries are published by the Personal Data Protection Authority

New decision summaries have been published by the Personal Data Protection Authority (“Authority”) on April 3rd, 2019 and April 16th, 2019. The published summaries are detailed as below:

– Decision dated 25.03.2019 and numbered 2019/78 (“Decision”): A company operating under a distributor license in the oil market has set up an automation system within the “Vehicle Recognition Project” (“Project”), which was developed to prevent faulty fuel filling, under the requirements of the Energy Market Regulation Authority. The company applied to the Authority to determine whether the personal data processing activities within this automation system can be evaluated under the lawful processing grounds defined in the Protection of Personal Data Law No. 6698 (the “PDP Law”). The Personal Data Protection Board (the “Board”), in its decision, pointed out that data controllers should evaluate the criteria set forth by the Board and carry out a balancing test in order to process personal data on the lawful processing ground of “legitimate interest”. The Board also stated that if the purpose of the initial personal data processing is changed in subsequent processing activities, the new data processing activity should be based on at least one of the data processing conditions and all data processing principles should be complied with.
Therefore, considering that the aim pursued by the Project is to protect the interests of both the distributor company and its customers, the Board decided that the use of customers’ personal data can be evaluated under the lawful processing ground of “legitimate interest”, and found no legal obstacle to the company pursuing processing activities without explicit consent, provided that the company fulfils the obligation to inform.

– Decision dated 24/12/2018 and numbered 2018/156 (“Decision”): The complaint, which is also currently pending litigation, concerned the use of the individual’s personal data to publish comments and posts on various websites. Article 15 of the PDP Law states that any notification or complaint filed for matters falling under the explicit authority of the courts shall not be investigated by the Authority. Since the allegations forming the complaint contain elements of a crime and are currently pending litigation, it has been decided that further proceedings to review the application are not necessary.

– Decision dated 05/12/2018 and numbered 2018/142 (“Decision”): Following an application by the data subject to the Authority requesting that personal data held within the data storage systems of a Bank, acting in the capacity of data controller, be erased, it has been ruled that there is no action that can be undertaken by the Authority since the mandatory legal retention period of 10 years has not yet elapsed.

– Decision dated 19/11/2018 and numbered 2018/131 (“Decision”): A legal entity applied to the Authority requesting that data belonging to it, held by the data controller, be electronically transferred to another data controller. It has been ruled that data belonging to legal entities does not fall within the scope of the PDP Law and, since the requesting party is a legal entity, its request for a review has been denied.

– Decision dated 16/10/2018 and numbered 2018/118 (“Decision”): The data subject applied to the Authority after the data controller denied the data subject’s request to erase personal data held within the data controller’s data storage system, a denial the data subject considered unsatisfactory. The Authority has found that the data controller had not complied with the Authority’s decision within the legal time limits. The Authority has ordered the data controller, which it regards as a public entity, to delete the personal data of the complainant that has surpassed the legal retention period, to inform the complainant of the erasure proceedings, and to refrain from processing this data. The Authority has allotted the data controller a period of 30 days to comply with this order. In cases where the data controller does not comply with the order within the allotted time, the Authority reserves the right to enforce administrative fiduciary fines and engage in disciplinary proceedings against the data controller who must, insofar as permitted by the previous consent provided by the relevant party, inform the relevant party in a due manner.

– Decision dated 13/09/2018 and numbered 2018/106 (“Decision”): Following a complaint filed by the data subject, stating that a document the data subject had executed in the performance of his duties was shared online by persons unknown, it is decided that there are no proceedings that can be undertaken by the Authority regarding posts made via online applications, since the complaint falls under the scope of the Turkish Criminal Code and is part of pending litigation initiated by the Complainant.

– Decision dated 26/07/2019 and numbered 2018/90 (“Decision”): A group of companies receives online job applications as the operator of an online job seeking platform, and the personal data processing procedure that this group employs was reviewed by the Authority of its own motion. It has come to light that explicit consent has been acquired through the use of a single check box where the reader is asked simultaneously to confirm having read the text and to agree to the processing of the reader’s personal data. This practice has been ruled unlawful since the purpose of the PDP Law is clear in its intention to protect personal data and since this method of obtaining explicit consent violates Article 5/1(f) of the Communiqué on Procedure and Principles Detailing the Duty to Inform. It is therefore ruled that, in a mechanism that uses elective choice boxes such as the one detailed above, there must be a clear separation between the confirmation requested from the data subject for having read the text and the consent requested for the processing of personal data.

  • Amendments to the Legislation on Personal Data Protection come into Effect.

Pursuant to the amendments published in the Official Gazette dated 28 April 2019, numbered 30758, “The Regulation Amending the Regulation on Data Controllers Registry”, “The Regulation Amending the Regulation on the Erasure, Destruction, or De-identification of Personal Data”, and the “Communiqué on Procedure and Principles Detailing the Duty to Inform” have all been duly amended. A brief overview of the amendments is as follows:

– Pursuant to the amendments to the Regulation on Data Controllers Registry, the definitions of “person of contact”, “personal data inventory”, and “data controller representative” have all been amended. Prior to the amendments, Contact Person was defined as the real person that legal entities established in Turkey appointed to the Data Controllers Registry (the “Registry”); which was amended to also include real persons that are appointed by other real persons to the Registry. The definition for Personal Data Processing Inventory (the “Inventory”) now reads to include the legal grounds and retention periods. By way of this amendment, the legal grounds and the retention periods are now included within the scope of the Inventory, however, with this comes the legal contention about whether the legislation detailing the Data Controllers Registry Information System (“VERBIS”), administered by the Directorate on Personal Data Protection (the “Directorate”), and the relevant notification duty has been amended via the Regulation.

– Information disclosed to the Registry must be in conformity with the data processing inventory; following the amendment, it is now highlighted that the data controllers obliged to comply with the registration requirement shall prepare a personal data processing inventory. The term “a period of time suitable for the purpose”, which applies where data controllers must adhere to the specific destruction periods related to personal data held in the Registry, is now clarified to mean “retention” period.

– The requirement to make the person of contact information found in the Registry publicly accessible is removed. In addition to this, the seven (7) day period within which the Registry must be notified of changes now commences from the date that the change was made.

– Data controllers established in Turkey together with data controllers that are not established in Turkey must both register their person of contact information to the Registry.

– The contact person is not authorized to represent the data controller as per the provisions of the Law and Regulation.

– Having established the exemptions to the registry requirement, the Board, in conjunction with its previous rulings, has added ‘the data controller’s total annual employee count together with its annual fiscal balance sheet’ to the list of information that must be taken into account when exemptions are being made.

– The Regulation Amending the Regulation on the Erasure, Destruction, or De-identification of Personal Data amends and redefines the term “personal data processing inventory”. With this amendment comes the addition of legal reasoning and retention periods, which must now be included in the personal data processing inventory.

– The Communiqué Amending the Communiqué on The Procedure and Principles Detailing the Duty to Inform amends and redefines the terms “data registry system” and “data controller representative”. Data registry system is now defined as “a registry system in which personal data is configured according to specific criteria”. The requirement in Article 5(1)(ç), which mandated that the duty to inform be separately applicable to cases where separate departments of the data controller process separate personal data, is now nullified.

  • Guide to Preparing a Personal Data Processing Inventory is now published.

The Personal Data Processing Inventory Guide has been published on the website of the Authority. With this guide, the Authority has highlighted the context of the inventory, the preparation methods, and the differences with the VERBIS system. Because both are areas in which data controllers detail their personal data processes, the VERBIS system and the personal data inventory (“Inventory”) had caused confusion in practice; the published guide addresses and clarifies this issue. When the Inventory is being prepared, its form and structure must take shape in accordance with the type and amount of data, the data subject groups, the number and group of people that are acting as transferees, the difficulty of the technical and administrative measures that must be implemented, and other similar criteria. To comply with the legislation when personal data is being processed, a team that possesses awareness and knowledge of the legislation must be formed; a careful analysis of the process in which personal data is processed must be conducted; and training must be implemented on an institutional level so that awareness levels are raised.

  • Competition Authority Publishes its 2018 Annual Report

The Annual Report covering the year 2018 has been presented to the attention of stakeholders on 26 April 2019. A variety of topics ranging from international meetings attended by the Authority to the rulings on mergers and acquisitions is featured in the 2018 report. Out of 223 transactions that the Authority was notified of, 201 have been approved, and the Authority has initiated 24 separate investigations within the 2018 calendar year. It is ascertained that the rulings of the Authority have had a positive impact upwards of 3.28 billion Turkish Lira to the benefit of the consumer. This amount is 51 times greater than the budget of the Authority.

  • A landmark decision is published by the Information Technologies and Communication Authority regarding remotely programmable SIM technologies.

eSIM technologies, also referred to as remotely programmable SIM technologies, are increasing in importance. Due to the embedded SIM (eSIM) technology pioneered by GSMA, now the mobile manager profile can be remotely directed, which allows users to purchase service packets without having to travel to the mobile operator’s retail stores, and eliminates international roaming charges. The Information Technologies and Communication Authority (“BTK”) within its latest ruling dated 12.02.2019 and numbered 2019/DK-TED/053 states that eSIM technologies that are manufactured or imported with the purpose of domestic use in Turkey should be programmable by national operators and only permit the profiles of managers in Turkey to be installed. In a similar fashion, it has been ruled that the structure, system, and storage units envisioned in the GSMA standards should be facilitated to the use of managers authorized in Turkey and the data kept within the boundaries of Turkey. The infrastructure compliant with the technical measures detailed in the ruling must be installed in areas specified by BTK until 29 February 2020 and a domestic good certificate be procured for the components of the system. BTK has also ruled that devices manufactured for domestic use in Turkey or brought by a passenger or imported to create supply for the domestic market are now limited to 120 days of data service via the utilization of international roaming capabilities. This period of 120 days also corresponds with the IMEI registration period.
