This Data Protection Newsletter provides information on the latest developments as regards personal data protection and the implementation of Law No. 6698 on the Protection of Personal Data (the "Law") in light of recent publications and announcements by the Personal Data Protection Authority (the "Authority"), decisions of the Personal Data Protection Board (the "Board"), as well as the main headings from the "Wednesday seminars" organised by the Authority.
Below is the list of all the publications and announcements made by the Authority in the last quarter:
Draft Guidance on Issues to be Considered when Processing Genetic Data has been published
On 24 August 2022, the Board presented to the public the Draft Guidelines ("Draft Guidelines") on Issues to be Considered when Processing Genetic Data.
As there is no specific definition in the legislation of genetic data, which is considered sensitive personal data under Article 6 of the Law, the scope of genetic data has so far been clarified through the decisions of the Board. The Draft Guidelines explicitly define genetic data as any information obtained from DNA, RNA and protein sequences encoded from the genome, cell nucleus or mitochondria of a living person, in line with the definition in the European Union General Data Protection Regulation.
The Draft Guidelines set out explanations regarding the general principles for processing genetic data, the transfer of data abroad and the obligations of data controllers when processing genetic data.
The administrative and technical measures still need to be adopted. These are the measures envisaged in the Information and Communications Security Guidelines, prepared under the coordination of the Presidential Digital Transformation Office within the scope of the Information and Communication Security Measures Circular No. 2019/12, and in the Board's announcement on "Adequate Precautions to be Taken by Data Controllers in the Processing of Sensitive Personal Data" dated 31 July 2018 and numbered 2018/10.
The Board will examine relevant opinions and evaluations that were submitted by 24 September 2022.
Hand Geometry Data is Considered as Sensitive Personal Data
In its decision No. 2022/662 dated 7 June 2022, the Board assessed the case where the data controller processes 'hand geometry' data of a data subject at the entrance to the building.
In the case subject to the decision, palm and fingerprint information are scanned by company officials and the data is processed in the company records to allow service recipients to enter the service area by placing their hand on the entry device and typing a given password. In an investigation initiated following the complaint, the data controller stated that hand geometry data may be the same for two people, and therefore it must qualify as personal data, not sensitive personal data.
In its examination, the Board decided that this is sensitive personal data, because the probability of misidentifying a person based on the results obtained from the device called the "Hand Geometry Terminal" is extremely low.
The Board reiterated that the processing of sensitive personal data in accordance with the Law is only possible under the processing conditions set out in the Law. The Board decided to impose an administrative fine of 100,000 Turkish Liras on the data controller, which had processed the data subject's "hand geometry" information, falling within the biometric data category, without any of the processing conditions being met.
Guidelines on Good Practices on the Protection of Personal Data for the Banking Sector
The Authority published the Good Practices on the Protection of Personal Data for the Banking Sector on 5 August 2022. The guidelines set out examples of good practices that will guide banks to carry out personal data processing activities in compliance with the Law.
The guidelines look in some detail at the following issues: (i) data controller-data processor relations and the obligations of data controller banks concerning banking activities, (ii) conditions for personal data processing and sector-specific examples, (iii) elements of express consent and methods of obtaining express consent, (iv) the relationship between the provisions of the Banking Law, the Regulation on Sharing Confidential Information and the legislation on the protection of personal data, and (v) the obligations of banks within the scope of data processing activities they carry out.
Personal Data Protection Law Small Amendment Package
Leyla Keser, chairperson of the Scientific Commission working to harmonise the Law with the EU General Data Protection Regulation (GDPR) in line with the targets in the Judicial Reform Strategy and Human Rights Action Plan published by the Ministry of Justice, announced that amendments to the Law concerning the processing of special categories of personal data under Article 6 and on data transfer abroad under Article 9 are being prioritised. It was announced that the legislative process, known as the Personal Data Protection Law Small Amendment Package, will start in October.
Highlights from Key Decisions of the Board
- Obligation of explicit consent and disclosure in terms of employment contracts: In its decision No. 2021/1258 dated 16 December 2021, the Board evaluated the inclusion of a mixed text containing statements on disclosure and obtaining explicit consent, which was included as a provision in an employment contract. In the relevant case, the employer was processing sensitive personal data of employees based on an article in the employment contract without separately providing the employees with a clarification text containing the mandatory elements and an explicit consent form.
- In its examination, the Board evaluated that, since the text is a mixed one and the person concerned cannot start working without signing the employment contract, the relevant express consent lacks the element of free will, and so it is not appropriate to process sensitive personal data based on a mixed provision in the employment contract. An administrative fine of 125,000 Turkish Liras was imposed on the data controller for failing to meet its obligations regarding data security.
- A company shared personal data of a former shareholder on its website: In its decision No. 2022/6 dated 6 January 2022, the Board stated that the company published personal data of a former shareholder on the website of the company where the relevant registry information is displayed. Given that this is based on a processing condition "explicitly stipulated in the Law" – in Article 5 of the Law – the Board evaluated that the personal data can be published on a website in accordance with the regulations stipulated in the Turkish Commercial Code and the Trade Registry Regulation. The Board therefore decided that there is no action to be taken under the Law.
- Personal data was processed by a data controller operating in the health sector for the purpose of sending commercial electronic messages without the data subject's explicit consent: In its decision No. 2022/31 dated 18 January 2022, the Board determined that an email address had been recorded while registering a patient of a health institution and was then transferred to another system. The email address of the relevant person was then inadvertently added to the list of people who had consented to receive electronic commercial messages, and an electronic commercial message was sent to him. The Board decided to impose an administrative fine of 100,000 Turkish Liras on the data controller health institution for failing to take the necessary measures to prevent the unlawful processing of personal data and to ensure the appropriate level of security.
- An invoice was inadvertently sent to the wrong person in an online order: In the complaint subject to the Board's decision No. 2022/243 dated 17 March 2022, when making an online order, the purchaser mistakenly used the email address of a different person with the same name. The subsequent invoice was inadvertently sent to the wrong person's email address by the data controller, which did not use any authentication mechanism or other technical measures. Following a complaint by the person who received the mistakenly addressed invoice, the Board decided to impose an administrative fine of 100,000 Turkish Liras on the data controller on the grounds that it had failed to perform its obligations regarding data security, given that there was no control system for sending invoices.
- Determination of the data controller: In the Board's decision No. 2022/172 dated 24 March 2022, the data subject alleged that his personal data, including sensitive data collected during the hiring process, had been transferred by a Turkish liaison office to its parent company located abroad without a legal basis. The data subject applied first to the Turkish liaison office and then to the Authority on account of the non-compliant processing and transfer of sensitive personal data.
In its assessment, the Board determined that the employer of the data subject is not the liaison office but the main company located abroad. Since the party concluding the employment contract is a foreign data controller, the Board considered that the data subject should have assumed that the personal data would be transferred abroad. Therefore, the person concerned had incorrectly identified the legal entity holding the title of data controller. The Board decided that there is no action to be taken within the scope of the Law and reminded data subjects that they should show the utmost care and diligence when making applications to the Authority.
Highlights From Seminars and Events
- The seminar on “The Protection of Personal Data and the Right to Data Portability in the Context of Competition Law”, held on 6 July 2022, looked at the scope, purpose, use and competition law aspects of data portability in the context of personal data.
- The seminar on “The Right to Privacy and the Transformation of the Law”, held on 20 July 2022, explained how the right to privacy was handled within the history of law and its development from past to present.
- The seminar on "Online Behavioural Advertising and Personal Data Protection Law", held on 3 August 2022, looked at the relationship between the General Data Protection Regulation, which is the EU's fundamental data protection regulation, advertising and data protection law within the scope of the Law.
- The seminar on “Evaluation of the Administration's Inspection Duty within the Scope of Personal Data Protection Law”, held on 17 August 2022, pointed out that data processing activities carried out by the administration in the course of investigations, such as disciplinary investigations, should comply with the fundamental principles and be suitable for the purpose of the audit, and that data obtained within the scope of the audit should be used only for that purpose.
- The seminar on "Processing of Personal Data in Machine Learning", held on 7 September 2022, discussed the legal problems regarding the protection of personal data through an evaluation of how personal data is processed in machine learning. Federated learning was presented as a response to the large volumes of data that other learning techniques transfer to cloud computing: the data processing takes place on the end user's device and only the data that is necessary is transferred. This technique can therefore support data minimisation and allow processing to be carried out on the legal ground of legitimate interest.
- The seminar on "Opportunities and Risks in Big Data Applications", held on 21 September 2022, explained the techniques applied to make sense of the data by using the processing phases and algorithms of big data. It was evaluated that the regulations lagged behind the rapidly developing technology.
Developments outside of Turkey concerning Personal Data Protection
Ireland's Data Protection Authority announces a decision in the Instagram Inquiry
Ireland's Data Protection Authority announced the decision of its Data Protection Commission ("DPC") on Instagram’s user registration process. Instagram allowed users between the ages of 13 and 17 to open business accounts, meaning that their contact information became public. The accounts of young users were opened as public accounts by default.
The DPC imposed a fine of 405 million euro, stating that Instagram’s social networking service did not process the personal data of child users in accordance with the GDPR.
The penalty is the second-highest GDPR penalty to date, following the 746 million euro penalty imposed on Amazon in 2021 by the Luxembourg Data Protection Commission (CNPD).
The Information Commissioner's Office Could Impose a Multi-Million Pound Fine on TikTok for Failing to Protect Children’s Privacy
The Information Commissioner's Office ("ICO") has launched an investigation into TikTok Inc and TikTok Information Technologies UK Limited ("TikTok").
The ICO continues to investigate whether the company may have: (i) processed the data of children under the age of 13 without appropriate parental consent, (ii) failed to provide proper information to its users in a concise, transparent and easily understood way, and (iii) processed special category data without legal grounds to do so. TikTok may be fined £27 million if it is found to have violated data protection laws and failed to protect children's privacy when they use the TikTok platform.
EDPS asked the European Court of Justice to annul the newly amended Europol Regulations
On 16 September 2022, the EDPS asked the European Court of Justice to annul two provisions in the newly amended Europol regulations on the grounds that they retroactively legalise Europol's ability to store large volumes of personal data with no established link to criminal activity. The provisions entered into force even though the EDPS had notified Europol of the order to delete these datasets on 3 January 2022. The EDPS, which is the data protection body for all EU institutions, bodies and agencies, argues that the two provisions "seriously undermine legal certainty for personal data and threaten the independence of the EDPS".