The Turkish Data Protection Board (“DPB”), the decision making body of the Turkish Data Protection Authority (“DPA”), has recently published on its website a number of enforcement actions it has taken against the data controllers for the breach of the Turkish Personal Data Protection Law (“Data Protection Law”).
The DPB has already been publishing summaries of its enforcement actions, although the most recent ones signal a relatively more aggressive stance. One such action regards a case in which the personal data of a job applicant was shared with the other applicants in the recruitment process, resulting in a series of fines amounting to TRY 200,000 (c. EUR 30,000) in total. In this article, we provide a summary of this decision first and then compile all the other public enforcement actions taken by the DPB thus far, all of which have important implications for the data controllers. [1]
Unlawful Processing of Personal Data during Recruitment
Disclosure of Applicant’s Personal Data to Other Applicants
During the recruitment process of a company providing online human resources services, the information that the applicant has applied for a position, accompanied by his email address composed of his name and surname, was shared with the other applicants. Finding no legal processing ground, the DPB decided that this was in contravention of the data controller’s obligation to prevent unlawful processing and access to personal data and issued an administrative fine in the amount of TRY 100,000 (c. EUR 15,000).
Transfer of Applicant’s Personal Data within a Group of Companies
The DPB also decided that data transfers between companies within a group should be deemed as transfer to a third party and therefore such processing is subject to relying on explicit consent or another processing ground. The DPB went on to explain that uploading the job application information to a single database shared among the group companies constitutes a data transfer. Finding neither explicit consent nor any other processing ground that applies to the transfer, the DPB issued an administrative fine in the amount of TRY 25,000 (c. EUR 3,750).
Ambiguous Wording in the Consent Form
The DPB further stated that the explicit consent form collected from the data subjects before profiling operations performed by the company included general, ambiguous, and open-ended wording. Finding that such wording is in violation of the general principle that requires the processing to be performed lawfully and in good faith, the DPB issued an administrative fine in the amount of TRY 50.000 (c. EUR 7,500) [2].
General Information Notice and Transparency Requirements
Finally, the DPB found that data subjects were not duly provided with an information notice before their personal data was processed for profiling purposes. Although a general information notice did exist at the time on the controller’s website, the DPB stated that the data subject was not directed to such notice before the processing. The DPB further stipulated that the information notice included general and ambiguous wording and the processing purposes were not clearly stated. The DPB, therefore, decided that the obligation to inform data subjects was not duly fulfilled and issued an administrative fine in the amount of TRY 25,000 (c. EUR 3,750) [2].
Other Enforcement Actions
Deletion of a Person’s Name from a Newspaper Column
Upon a removal request from a data subject in relation to her/his name being used in a newspaper column, the DPB decided not to take any action since the data subject was still in a position of public interest and processing of personal data within the column could be considered within the scope of the exemption provided for freedom of expression under the Data Protection Law.
Sharing Special Categories of Personal Data Illegally on Internet and Social Media
The DPB fined a hospital for failure to maintain an adequate level of security for personal data because a doctor was able to take a screenshot of the health certificate of a public figure from the mobile application of the hospital and share it on the internet and social media. Unlike other administrative fines which were issued upon a compliant from the data subjects, the DPB has taken action on its own accord (i.e. ex officio) in this case.
Late Notification of Data Breach
A data controller notified the DPB 10 months and the data subjects 17 months after the occurrence of a data breach, and the DPB decided that the breach was not notified “as soon as possible” as stipulated under the Data Protection Law and issued an administrative fine.
Explicit Consent as a Condition for Service
A data controller required data subjects to give consent before it provided the service, although other processing grounds were available. The DPB fined the controller by stipulating this practice as misleading to the data subject, which has long been the position of the DPB that explicit consent should only be obtained if other processing grounds are not applicable.
Excessive Transfer of Personal Data
A controller received a writ from a court requesting “payment information” in relation to a lawsuit between the bank’s customer and a fitness centre for the refund of the payment made by the customer. The controller has sent to the court the full credit card statements of the past six months belonging to the customer. The DPB decided that the transfer of personal data was disproportionate to the purpose of the court’s request and thus contrary to the principle of data minimisation, leading to an administrative fine in the amount of TRY 30,000 (c. EUR 4,500).
Failure to Respond to Data Subject’s Request
A controller failed to duly respond to a data subject’s application within the scope of Data Protection Law, and the DPB instructed the controller to provide its answer to the data subject’s application, warning that it will issue administrative fines if its instruction is not complied with by the controller.
Declining to Delete Customer’s Personal Data
A controller declined its customer’s request for deletion of her/his personal data arguing that it is obliged to keep the personal data for 10 years according to the regulations it is subject to. The DPB did not issue an administrative fine but instructed the data controller not to process the personal data of its inactive customers for reasons other than storage.
Failure to Implement Adequate Measures for Data Security
A controller erroneously sent a document containing personal data of a customer to another customer who had the same name and surname, and the DPB decided to impose administrative fines arguing that the practice reveals a systemic problem within the data controller’s data processing systems, meaning the controller had failed to implement necessary technical and organisational measures to ensure the security of personal data.
A similar fine was issued to a controller because one of its employees was able to process personal data of the company’s customers for personal reasons using her/his authorization in the controller’s system.
Failure to Comply with General Principles
A controller requested an additional document from its customer, which was not necessary for the performance of the transaction in question. The DPB decided that since the data controller’s request does not derive from the legislation and it does not conform with the processing purpose, such request of additional personal data is contrary to the data minimisation principle. As such, the data controller was fined for failure to comply with the general principles under the Data Protection Law.
Unlawful Disclosure of Personal Data
A controller has included the personal home address of an employee within the company address field in a sample contract and sent it to other employees via email. Finding no legal processing ground, the DPB decided that the data controller failed to maintain an appropriate level of security for personal data and imposed an administrative fine.
Conclusion
The recent developments in the data protection legislation and the above enforcement actions clearly illustrate the DPB’s desire to enforce the Data Protection Law to the fullest extent, demonstrating the increasing importance of regulatory compliance. We recommend our clients to engage in compliance projects as soon as possible, and build a compliance program under which they can respond effectively to data protection-related matters.
[1] The administrative fine amounts mentioned in this article were not published by the DPB itself but were found via other sources on the internet.
[2] These enforcement actions were not published by the DPB itself but were found via other sources on the internet.
