Data Protection Board (“DPB”) with its resolution 2018/119 dated 16/10/2018 published in the Official Gazette on 1/11/2018 , resolved that transmissions of advertisement messages to e-mail addresses and mobile phones of the data subjects via e-mail messages, SMS or calls by data controllers and such activities of the data processors who use these data on behalf of the data controller without the explicit consent of the data subjects or without complying with the legal processing grounds specified in the Data Protection Law (“DPL”) shall be ceased with immediate effect.
DPB emphasized in its resolution that data controllers are obliged to take all necessary technical and organizational measures for providing an appropriate level of security and in case personal data are processed on behalf of the data controller by another natural or legal person, the data controller shall be jointly liable with such persons with regard to taking the necessary measures. DPB further stipulated that administrative enforcement shall be taken against those who do not cease unlawful transmissions of advertisement messages as per the DPL and if the existence of the breach is ascertained, the data controllers and data processors in question shall be fined for an amount ranging from 15.000 TRY to 1 million TRY.
Furthermore, in case the phone numbers and e-mail addresses belonging to data subjects to which advertisement messages and calls were directed, were collected unlawfully, DPL shall also report this conduct to the Office of the Chief Public Prosecutor, as this is a crime under the Turkish Penal Code.
 Data Protection Board Decision 2018/119 dated 16/10/2018 published in the Official Gazette on 1/11/2018 numbered 30582.