("Summary of the Decision of the Personal Data Protection Board dated 02/12/2021 and numbered 2021/1218")

In this case, the data subject (employee), after working under a foreign company incorporated abroad, started working in the Istanbul Liaison Office of the relevant company. The data subject claims that the data controller terminated the employment contract through an act of the employer in April 2021; however, after the termination his/her personal data continues to be retained on the data controller's website.

He/she made an "application to the data controller" under Article 13 of the Law on the Protection of Personal Data ("Law") on 26/05/2021 and, according to his/her claim, received an insufficient response.

Moreover, the data subject claims that during the period of his/her employment in the Istanbul Liaison Office, the company, which is the data controller, did not comply with the obligation to inform stipulated in Article 10 of the Law.

In summary, the data subject lodged an official complaint with the Personal Data Protection Board ("Board") because:

  1. The data controller did not comply with its obligation to inform under Article 10 of the Law during the employment period, as it did not inform the data subject of the purpose, scope and legal basis of the processing of personal data, to whom the data is transferred, how and for what period it is retained, and the rights the data subject may exercise against the data controller under the Law.
  2. The request made under Article 13 of the Law was responded to insufficiently by the data controller.
  3. After the employment contract is terminated through an act of the data controller, the personal data continues to be retained on the data controller's website. However, data retention relies on the explicit consent of the data subject, and it constitutes unlawful processing of personal data.

In the decision, the Board first states that, although the complaint was lodged against the Istanbul Liaison Office, the liaison office does not have legal personality, and under Article 2 of the Law, the provisions of the Law can only be applied to real persons and legal persons.

Based on the data subject's claims, the Board initiates an examination against the data controller incorporated abroad.

According to the decision:

  1. Since the data subject worked in the data controller's office in London, he/she was informed under the European Union's General Data Protection Regulation ("GDPR"), which is the primary personal data protection regulation of the European Union. The data subject then quit his/her job in London and started to work in the liaison office in Istanbul. Therefore, the information given to the data subject within the scope of the GDPR is sufficient for the personal data processing activities carried out by the data controller. Still, for the personal data processed in Turkey, the data controller was reminded to be careful in complying with the obligation to inform under Article 10 of the Law.
  2. The Board officially instructed the data controller to reply to all Data Subject Access Requests in terms of the information requests made by the data subject under Articles 11 and 13 of the Law.
  3. From all the information and documents submitted to the file, the employment contract of the data subject did not expire as of April 2021. The Board has concluded that the processing can be based on the legal basis Article 5/2-f ("Legitimate Interest of Data Controller") regarding the claim that retaining personal data on the website depends on the explicit consent of the data subject. However, the data controller did not obtain the data subject's explicit consent; therefore, there is no action to be taken against the data controller under the Law due to the activity mentioned above.

Finally, the Authority has concluded that a Privacy Notice based on GDPR is sufficient; however, the foreign data controller with a liaison office in Turkey shall fulfil the obligations regarding KVKK in terms of Data Subject Access Requests and notification obligations. In a nutshell, the foreign data controller shall comply with the VERBIS registration, notification and DSR management obligations.
