The Turkish Personal Data Protection Authority publishes new decisions and hands down administrative fines

On 3 August 2018, the Turkish Personal Data Protection Authority (the "Authority") published on its website the summaries of two newly rendered decisions, focusing on:

• unlawful sharing of sensitive personal data on the Internet and social media; and
• unlawful sharing of personal data processed as part of a job application procedure.

Unlawful sharing of sensitive personal data on the Internet and social media

In one of these decisions rendered following an ex officio investigation conducted by the Authority, the fact that doctors made publicly available medical reports of their patients on the Internet and social media through screenshots of the mobile application of the data controller (hospital) was considered an unlawful disclosure of sensitive personal data.

Consequently, an administrative fine was imposed by the Authority on the data controller for breach of Article 12/1-c of the Law, which requires the safekeeping of personal data within the scope of the data controller’s responsibility to ensure data safety.

Unlawful sharing of personal data as part of a job application procedure

In two other decisions, the Authority focused on the protection of personal data in the scope of job applications:

• in the first decision, it was shown that the data controller (operating an online human resources services platform) had shared the personal data of a data subject, including application information, name/surname and e-mail address, with other job applicants without any legal ground.
   
• in the second decision, the Authority ruled that intragroup transfers of data regarding a job applicant through a database jointly used by group companies (qualifying as data controllers) must be considered as a transfer of data to third parties, and must therefore require the explicit consent of the data subject.

In both cases, the Authority imposed an administrative fine on the data sharing company for breach by the data controller of its responsibility to ensure data safety (Article 12/1 of the Law).

All three decisions show that the Authority keeps a consistent approach in the sanctions imposed for failure to comply with data security obligations of data controllers, thus confirming its willingness to carefully monitor the implementation of the data protection legislation in Turkey.

The decision relating to intragroup sharing of data also emphasises the importance given by the Authority to the segregation of data processed among group companies. Future decisions in this particular respect will therefore be most useful to better understand the level of scrutiny that the Authority is willing to put on group companies and their sharing of personal data.

In compliance with Turkish bar regulations, opinions relating to Turkish law matters included in this client alert have been issued by Özdirekcan Dündar Şenocak Avukatlık Ortaklığı, a Turkish law firm acting as correspondent firm of Gide in Turkey.

This Client Alert is not intended to constitute legal advice and should not be taken as a recommendation to take action or withhold from taking action.