Monthly Newsletter – TURKEY – Legal & Regulatory Updates Regarding July 2019

Client Alert: Turkish Personal Data Protection Board Decision Regarding Corporate E-mail Hosting.
July 31, 2019
Client Alert Turkey
September 5, 2019

Monthly Newsletter – TURKEY – Legal & Regulatory Updates Regarding July 2019

  • New decision summaries have been published by the Personal Data Protection Authority

New decision summaries have been published by the Personal Data Protection Authority (the “Authority”) through the month of July 2019.The details of the published summaries are detailed below:

  • Decision dated 31.05.2019 and numbered 2019/159 (“Decision”):

The data subject has lodged a complaint before the Personal Data Protection Board (the “Board”) asserting that an asset management company (the “Company”) as the data controller has on multiple occasions sent text messages on the same subject matter, lacking explicit consent of the data subject, and that the data subject has not received any response from the data controller in relation to its inquiry application on this matter.

The Board decided to impose an administrative fine in the amount of TL 20,000 on the data controller by taking into consideration that: (i) there is no need to take action against the data controller as the data controller proved through post records that the response letter including the response of the data controller regarding the data subject’s inquiries has been sent and received by the data subjects within the legal period and also that the response covered all of the inquiries addressed by the data subject, (ii) the data processing activity may be carried out without obtaining the explicit consent of the data subject due to data controller, asset management company, processing personal data being within the scope of the reasons for lawfulness regulated under article 5 of the Law on the Protection of Personal Data numbered 6698 (“the Law”), (iii) the data controller misused its priviledge to send messages by sending messages with the same contents on different dates and as a consequence of that has failed to process personal data lawfully and in good faith.

  • Decision dated 31.05.2019 and numbered 2019/162 (“Decision”):

A data controller, duly incorporated as a joint stock company, has sent commercial electronic communications to the data subject without receiving the prior explicit consent of the said data subject, to which the data subject has responded by requesting further information from the data controller about how he came to acquire the data subject’s data since the data subject did not know how and where his data was procured from. The data controller never responded to the request and this was duly followed by a complaint being lodged at the Board against the data controller. Pursuant to the phone number of the data subject, which itself is classified as personal data, being used to send marketing texts, an investigation by the Board has found that the complainant’s personal data has been processed without any legal basis stemming from the Law. As a result, the Board imposed an administrative fine equaling TL 50,000 to the data controller for failing to take technical and administrative measures in order to ensure an adequate level of security to safeguard and prevent unlawful processing of and access to personal data.

  • Decision dated 25.03.2019 and numbered 2019/81 and Decision dated 31.05.2019 and numbered 2019/165 (“Decisions”):

The Board has evaluated two different data controllers, both operating fitness centers which use a palm print system, due to several appeals to the Board regarding the processing of biometric and genetic data through such system, and whether such data is being stored in a safe and lawful manner. The Board indicated that the data controllers in question are processing special categories of personal data by using biometric information for member identifications by referring General Data Protection Regulation’s (“GDPR”) Recital and decision numbered 2014/4562 and rendered by the 15th Department of Turkish Council of State.

In light of the foregoing, the Board decided to impose an administrative fine on the data controllers for;

  • (i) processing special categories of personal data with hand and finger print scanning for member identification and entrance controls,
  • (ii) non-compliance with the principle that personal data must be relevant, limited and not excessive in relation to the purposes for which they are processed and data controllers’ practice of requiring their members to use hand and finger print scanning method as the obligatory and only way of obtaining the services provided in the relevant fitness centers,
  • (iii) failing to receive explicit consent based on free will when considering members would not be able to receive the services provided by the data controllers unless they give their explicit consent and use hand and finger print scanning method as the obligatory and only way of obtaining the services.

The Board’s decision is as follows:

(i) within the framework of Board’s decision no. 2017/62 on the date of 21/12/2017 ‘‘Protection of Personal Data in Service Areas such as Banks, Desks and Counters’’ it is stated that the necessary technical and administrative precautions have not been taken in order to prevent third parties from reaching sensitive personal data of data subjects;

(ii) the Board instructed that the data controllers adopt alternative methods for the maintenance of entrance and exits and security within the relevant locations other than the processing of biometric data of customers who benefit from the services, and that the data controllers immediately cease the use and processing of biometric data, and;

(iii) the Board instructed that the data controllers immediately destruct the handprint data, finger print data and palm data that have been processed and stored until now; in accordance with the provisions of Article 7 of the Law and the Regulation on Deletion, Destruction or Anonymization of Personal Data and inform the third parties to whom personal data has been transferred during this time period in case of transfer of special categories of personal data.

  • Decision dated 31.05.2019 and numbered 2019/166 (“Decision”):

A text message with irrelevant content has been sent to the receiver’s cell phone and the data subject lodged an inquiry to the data controller, as a response the data controller stated that the respective transmission occurred in result of its employee’s fault, who miswrote the relevant phone number by one digit and that the mistake has been corrected immediately. The data subject in his/her statement points out that the respective text message sent to him/her included personal data of his/her nephew and that there is more than one digit difference between his/her phone number and his/her nephew’s phone number, and requests that the necessary actions be taken by the Board.

Since the data controller;

(i) sent the personal data of the data subject understood to be the nephew of the complainant to the cell phone of the complainant;

(ii) processed the phone number of the complainant without relying on any of personal data processing terms;

it was determined by the Board that two different data processing activities have been carried out in connection with one activity by the data controller, and that the data controller thus the Board decided to impose an administrative fine of TL 50,000 on the data controller in accordance with the article 18 paragraph (1) sub-article (b) of respective Law, due to the data controller’s failure to fulfill its “obligation to prevent unlawful processing of personal data” regulated under article 12 (a) of the Law.

Decision dated 01.07.2019 and numbered 2019/188 (“Decision”):

Various applications have been submitted to the Board in relation to the practice of Mimar Sinan Fine Arts University (“University”) which publishes exam results of the students that constitute personal data, on the webpage of the University. As a result of the evaluation of the Board which has been made by taking into consideration that the information request made towards the University was not responded within the legal time period in violation of paragraph 3 article 15. It was ruled that;

(i) Within the written response rendered by the Board of Higher Education, it was ruled that the universities through the rights granted to them pursuant to the legislation permitting their incorporation, hold the discretion on deciding what methods and procedures can be utilized regarding the announcement of exam results and the relevant access periods permitting availability to the respective exam results,

(ii) The University stated that pursuant to Article 8 of the Regulation on Master Education of the University; “The list of students admitted to masters programs is finalized rendered by a decision by the institutions directors and announced by the directorate of the institute” and in this present case, the exam announcement system is carried out in such a way that it is accessible by third parties,

(iii) However it was determined that the University’s announcement system is not privacy oriented and the personal data of the data subjects who take the exam are being published in such a way that is easily accessible by third parties, without having to meet any processing conditions and thus;

(iv) instructed that the exam announcement system should be revised by the University and implement a privacy oriented system for sharing personal data.

The Board following its research, decided to start proceedings in accordance with the disciplinary provisions within the framework of the paragraph (3) of article 18 of the Law regarding the authorized persons working in the University and instructed that the University should redesign the University exam result announcement system.

  • The Board has decided that the use of e-mail services with servers abroad for corporate e-mail hosting constitutes data transfer abroad.

The Board rendered an important decision on whether personal e-mail services provided by a company whose servers are located abroad can be used for corporate e-mail hosting through the open source e-mail service upon request by a data controller.

The Board, in the decision dated 31.05.2019 and numbered 2019/157, since G-mail’s data centers are located in various countries, the e-mails being sent and received by individuals using the G-mail mail services infrastructure constitute personal data transfer abroad. Therefore, it is stated that the data controllers who use G-mail services for corporate e-mail hosting shall be obliged to comply with Article 9 of the Law numbered 6698 and such data controllers shall be obliged to take the necessary precautions. The Board also decided that storage services provided by data controllers whose servers are located abroad, such as G-mail, should also be carried out and the relevant data should be processed in accordance with the regulations regarding the personal data transfer abroad.

  • 11th Development Plan has been published in the Official Gazette.

11th Development Plan (“Plan”) of Turkey has been approved on the date of 18.07.2019 and published on the date of 24.07.2019 in the Official Gazette by the Grand National Assembly of Turkey in accordance with the Enactment and Protection of Unity of Development Plans Law No. 3067.  Plan, reveals Republic of Turkey’s roadmap related to its long term vision and goals between the years 2019 – 2023 (“Plan Term”). During the Plan Term, the goals are, changing the economic structure to ensure its stability and sustainability, increasing human capital through education and increasing technological and innovational ability through national technology. In the Plan where Global developments and tendencies are dealt with, the strengthening of digitalization in industry; proliferation of sharing economy business models and information platforms such as social media, e-commerce are underlined. Some remarkable goals within the Plan under the title of ‘‘Sustainable and Strong Economy’’ and ‘‘Competitive Production and Productivity’’ are herein below:

  • For the financing of innovative projects, modern and new generation financing models such as crowdfunding will be brought in to the national capital markets.
  • With the purpose of developing alternative money and payment systems, which will be eligible for the international trade system, cross-country cooperation will be established and sustained.
  • Central bank’s blockchain based cryptocurrency will be put into practice.
  • A secure fintech ecosystem development ensuring equality in opportunity benefiting from good international applications will be supported.
  • Payment Services and Electronic Money Institutions Association will be established.
  • With the purpose of strengthening the legal infrastructure of open banking, legislative alignment well be made with the EU Payment Services Directive 2.
  • Regulations on the protection of personal data will be updated in accordance with the technological innovations and newly adopted approaches in the international platform and technological development in this area will be encouraged.
  • The Law on Protection of the Personal Data No. 6698 will be updated in accordance with EU GDPR.
  • TUSIAD published its third e-commerce report.

Turkish Industry and Business Association (“TUSIAD”), has been publishing reports about the importance and potential of e-commerce since 2014 and has been sharing these reports with public opinion. TUSIAD, that has published its first two e-commerce reports in 2014 and 2017 respectively, published its 3rd E-commerce report titled ‘‘Development of E-Commerce, Crossing the Limits and New Norms’’ (“Report”) in the past few days.  In this report, which is prepared with the partnership of TUSIAD and Deloitte Digital; B2B, e-commerce, developments in digital born services are put under the microscope alongside B2C oriented look at the e-commerce. Global and local e-commerce market developments in the period of 2017-2018, are evaluated in this Report, within the frame of factors such as logistics, payment services and regulations. Primarily, Report systematically handled the state of e-commerce in the world and after that it’s state in Turkey. Under the title of regulation, Trust Stamp system, Electronic Commerce Information Platform (ETBIS) and ‘‘Turkey’s Communication Platform (TRIP)” are emphasized as Regulation developments affecting e-commerce in Turkey. The Personal Data Protection Law no. 6698 (“Law”) is handled as another title in the Report and evaluations related to stakeholder’s subject to Law are made. In the Report under the tilt of Law:

  • Public enterprises and businesses in Turkey are yet to fulfill their adaptation to Law and in the event of those businesses being subject to GDPR, it will be hard for those businesses to adapt to GDPR for the time being,
  • There are different implementations of receiving direct consent as required by Law and approval of commercial electronic messages in the market,
  • Necessity for informative and awareness raising actions related to Law for SMEs with purpose of raising mindfulness,
  • Necessity for a detailed guide or a rule to be published by the Board evaluated within the B2B companies according to Turkish Commercial Code,
  • The list of countries that are trusted at transfer of personal data abroad by the Bard is awaited and;
  • Uncertainties in the area of cloud computing should be cleared for investments to be able to continue

these issues and recommendations are underlined.

Powered by themekiller.com