Özgün Law Firm

EVALUATION OF THE SUMMARIES OF 2023 DECISIONS PUBLISHED BY THE PERSONAL DATA PROTECTION AUTHORITY

The Personal Data Protection Law (the "Law") entered into force upon its promulgation in the Official Journal dated April 7, 2016 and numbered 29677. The Law imposes certain obligations on data controllers regarding the procedures and principles to be followed in the processing of personal data. The Personal Data Protection Authority (the "Authority") published new decision summaries on its website on 27.12.2023 in order to emphasize the obligations of data controllers and the procedures and principles to be followed. These recent decisions of the Authority are important for institutions revising their PDPL policies; the summaries of the decisions are set out below.

1. Taking the Necessary Administrative and Technical Measures to Provide the Appropriate Level of Security to Ensure Personal Data Security

Pursuant to Article 12 of the Law, data controllers are obliged to take all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of personal data, to prevent unlawful access to personal data, and to ensure the preservation of personal data. In order to ensure the security of personal data, it is first necessary to determine which personal data the data controller processes and how likely the risks that might arise regarding the protection of such data are to materialize.

When identifying these risks, the following should be determined:

whether the personal data are of a sensitive nature;

the level of confidentiality required by their nature;

the nature and quantity of the damage that might arise for the data subject due to a breach of security.

After identifying the risks, control and solution alternatives should be put forward to reduce or eliminate these risks. [1]

Accordingly, organizations/authorities must provide training to their employees on issues such as personal data, data security, and the systems used for data protection.

In cases such as the unlawful disclosure or sharing of personal data, employees are the first to intervene, within the limits of their knowledge. Therefore, the roles and responsibilities of everyone working for the data controller regarding personal data security, regardless of their position, should be set out in their job descriptions, and it should be ensured that employees are aware of their roles and responsibilities in this respect.

The decision dated 18/05/2023 and numbered #2023/845 of the Personal Data Protection Authority:

Briefly, it was stated in the complaint submitted to the Authority that the data subject made a purchase through an online shopping site, that the product was delivered by a courier working within the data controller one day after the order date, and that the courier then sent a harassing message to the data subject's mobile phone number; it was alleged that the data controller failed to ensure personal data security and that its employee disturbed the data subject, and it was requested that the necessary action be taken.

As a result of the examination made on the subject:

According to the relevant provisions of the Turkish Code of Obligations and the Labor Law, the data controller is considered responsible for the unlawful data processing incident in question. Moreover, from the response letter sent by the data controller's representative to the Authority, it is understood that the person who carried out the incident, and who worked on behalf of the data controller at the time, had not been given any training on the protection of personal data and data security and had not been provided with the necessary information. [2]

The decision dated 06/07/2023 and numbered #2023/1130 of the Personal Data Protection Authority:

Briefly, it was understood from the complaint submitted to the Authority that the data subject had divorced their spouse but a custody case with the ex-spouse was still ongoing; that the ex-spouse went to a pharmacy where they had long been a customer and, under various pretexts, obtained the data subject's hospital report and medication records from the system called Medula used by pharmacies; and that the ex-spouse submitted these documents to the case file as evidence. It was requested that the necessary action be taken within the scope of the Personal Data Protection Law No. 6698 (the "Law").

As a result of the examination made on the subject, it was found that the data controller had not fulfilled its obligation under Article 12 of the Law to take all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of personal data, and it was decided to impose an administrative fine of TRY 50,000 on the data controller under subparagraph (b) of paragraph (1) of Article 18 of the Law. [3]

2. Processing/Transferring Personal Data More Than Required by the Purpose of Processing (Violation of the Data Minimization Principle)

The principle of proportionality ensures that a reasonable balance is established between data processing and the purpose to be achieved.

In line with this principle, there must be a connection between the personal data and the purpose foreseen for their processing, and the personal data to be processed must be suitable for fulfilling that specific purpose.

In addition, the amount of personal data collected is an important issue. The amount of personal data obtained and processed must be limited to what is necessary for the purpose determined by the data controller, and the processing of data that is not appropriate for that purpose should be avoided. [4]

The decision dated 17/08/2023 and numbered #2023/1430 of the Personal Data Protection Authority:

The Personal Data Protection Authority (the "Authority") initiated an ex officio examination upon receiving a notification stating that users' Turkish Republic ID numbers were requested when registering to use the mobile application of a data controller providing a meal card service. During the examination of the mobile application, it was determined that name, surname, telephone number, date of birth and e-mail address were requested when registering, and that when a user wanted to add a meal card to their profile, the application stated that the information entered would be compared against the user's Turkish Republic ID number.

Since, when physical meal cards are registered in the mobile application, it is possible to verify the card in ways that better protect the data subjects, such as processing the card and phone number information through the employer, without processing the users' T.R. ID numbers, it was decided to impose an administrative fine of TRY 200,000 on the data controller, which was considered to have failed to fulfil its obligations under the first paragraph of Article 12 of the Law. [5]

3. Evaluation of the Evidence Submitted to the Court within the Scope of PDPL

Subparagraph (d) of paragraph (1) of Article 28 of the Personal Data Protection Law, titled "Exceptions", sets out that the provisions of the Law shall not apply where personal data must be processed by judicial or execution authorities in relation to investigation, prosecution, judgement or execution procedures.

Accordingly, personal data may be submitted to the court as evidence without the explicit consent of the data subject.

Although explicit consent is not required for submitting personal data to judicial and execution authorities, in order for the evidence to be evaluated by the court, the processed data must comply with the principles of lawfulness and good faith, processing for specific and legitimate purposes, and being related to the purpose for which they are processed.

The decision dated 07/09/2023 and numbered #2023/1548 of the Personal Data Protection Authority:

Briefly, it was stated in the complaint petition submitted to the Authority that the data subject, who worked within the data controller, was dismissed under Code 46; that a lawsuit for the collection of labor receivables was filed against the data controller with the labor court; and that the data controller stated, in a petition submitted to the court file, that a telephone conversation with the data subject had been recorded, that the recording was still stored in an encrypted environment within the data controller in accordance with the PDPL, and that the voice recording would be submitted to the file in encrypted form upon the request of the court. Thereupon, the data subject claimed that the data controller had acted contrary to the Personal Data Protection Law No. 6698 (the "Law"), and that the voice recording, which had clearly been taken unfairly and unlawfully, was retained by the data controller although there was no obligation to do so.

In the rebuttal petition submitted by the data controller to the Authority, it was stated that the voice recording was not shared with any employee; that, by taking the necessary administrative and technical measures, it was transferred to an encrypted disk and deleted from the unsafe environment; and that it was kept in encrypted form for no longer than the legal retention period.

Based on these evaluations, it was decided that the data subject's voice recording was transferred to the court in accordance with the condition "data processing is mandatory for the establishment, exercise or protection of a right" in subparagraph (e) of paragraph (2) of Article 5 of the Law, as referred to by paragraph (2) of Article 8, and that there was no action to be taken against the data controller under the Law. [6]

Under the Law, personal data relating to the health of individuals are sensitive personal data. Among sensitive personal data, data relating to health and sexual life are given particular importance and may only be processed without explicit consent, for the purpose of protecting public health, by persons or authorized institutions and organizations that are under an obligation of confidentiality.

Nevertheless, Article 28 of the Law also applies where sensitive personal data must be processed by judicial or execution authorities in relation to investigations, prosecutions, trials or execution proceedings, in which case the provisions of the Personal Data Protection Law do not apply.

The decision dated 14/09/2023 and numbered #2023/1578 of the Personal Data Protection Authority:

Briefly, it was stated in the complaint petition submitted to the Authority that the data subject received treatment at a medical center; that the files containing the records of the personal therapy received within the scope of that treatment, and of the marriage therapy received together with their spouse, were submitted to the court file within the scope of the divorce case between the data subject and their spouse; and that the information requested by the court was only the reason for the treatment and its duration. It was stated that the notes kept during the sessions themselves, which were listed according to the type of treatment (inpatient/outpatient), were read and learned by everyone, including the court staff, the opposing party and its attorney, because the private life of the data subject was recorded in NJNP (National Judicial Network Project), and it was requested that the necessary action be taken against the medical center under the Personal Data Protection Law No. 6698 (the "Law").

Although the data subject also alleged that the document in question was made accessible to third parties by being uploaded to NJNP, it was decided that there was no action to be taken under the Law, since the provision "processing of personal data by judicial authorities or execution authorities in relation to investigation, prosecution, trial or execution procedures" in subparagraph (d) of paragraph (1) of Article 28 of the Law applies to the work and transactions carried out by the court. [7]

4. Processing of Personal Data without Explicit Consent Due to the Explicit Provision of the Law

Based on the idea that the unlawful use of some personal data is more damaging to the fundamental rights and freedoms of the individual than that of other data, such data are considered to be of a sensitive nature. Although the Turkish Republic ID number is not among the sensitive personal data listed in Article 6 of the Law, since it enables citizens to be uniquely identified and its misuse may have negative effects, the Authority subjects its processing to stricter criteria.

The Law No. 5549 on Prevention of Laundering Proceeds of Crime requires the obliged parties to identify those who carry out transactions before them and those on whose behalf or account such transactions are carried out. Likewise, when the transaction amount, or the total amount of multiple interconnected transactions, exceeds a certain threshold, the obliged parties must identify the customers or those acting on their behalf or account by obtaining ID information and confirming its accuracy. Since there is a possibility of money laundering activity, characterized as the laundering of proceeds of crime, in the data controller's field of activity, it should be taken into account that there is a public interest in identifying the users.

The decision dated 11/04/2023 and numbered #2023/570 of the Personal Data Protection Authority:

Briefly, it was stated in the complaint submitted to the Authority that, in connection with the data subject's request to increase their membership level on the platform of the data controller, a crypto asset service provider, photographs of the front and back of the data subject's ID card were requested together with a photograph of the data subject; that the data controller thereby processed personal data beyond what was necessary and disproportionately; and it was requested that the necessary action be taken under the Personal Data Protection Law No. 6698 (the "Law").

Considering that the data controller has an obligation arising from the relevant legislation, in particular the Law No. 5549 on Prevention of Laundering Proceeds of Crime, and that in this respect the processing of personal data by the data controller in order to identify users and to determine and confirm the transactions made by them is based on the processing condition "clearly stipulated by law" under subparagraph (a) of paragraph (2) of Article 5 of the Law, it was decided that there was no action to be taken under the Law regarding the data subject's complaint. [8]

Berfin Dicle Onar, Legal Intern

References:

1. Personal Data Protection Authority, Personal Data Security Guide, https://www.kvkk.gov.tr/yayinlar/veri_guvenligi_rehberi.pdf

2. The decision dated 18/05/2023 and numbered #2023/845 of the Personal Data Protection Authority

3. The decision dated 06/07/2023 and numbered #2023/1130 of the Personal Data Protection Authority

4. Dülger, Murat Volkan, 2019, p. 126

5. The decision dated 17/08/2023 and numbered #2023/1430 of the Personal Data Protection Authority

6. The decision dated 07/09/2023 and numbered #2023/1548 of the Personal Data Protection Authority

7. The decision dated 14/09/2023 and numbered #2023/1578 of the Personal Data Protection Authority

8. The decision dated 11/04/2023 and numbered #2023/570 of the Personal Data Protection Authority