In May 2022, the Personal Data Protection Authority ("Authority") published several decisions. Our newsletter summarizes these decisions and highlights other developments from around the world.

Decision: Decision regarding the circulation of an attendance list in a university

In the complaint submitted to the Authority, it was claimed that the attendance list containing the personal data of certain students in a university was circulated among and signed by the class attendees.

According to its decision no. 2021/1214 dated 2 December 2021, the Personal Data Protection Board ("Board") concluded that: (i) the ministry and the university are both data controllers; (ii) the ministry responded to the application of the data subject after the expiry of the 30-day legal period; (iii) the names-surnames and identity numbers of the data subjects were on the attendance list circulated among the attendees, and therefore, third parties unlawfully accessed these personal data; and (iv) the university did not fulfill its obligation to inform the data subjects. The Board emphasized that although the collection of the identity number of the data subjects can be necessary given the possibility of more than one student using the same name, the data must be collected by masking.

In this regard, the Board decided to remind the ministry that it must respond to data subjects' applications within 30 days and instructed the university to mask the personal data other than names and surnames while collecting them and to fulfill its obligation to inform.

The decision is available online here (in Turkish).

Decision: Decision on an employer's access to a former employee's corporate e-mail account

In the complaint submitted to the Authority, the data subject claimed that their former employer accessed their corporate e-mail account without fulfilling the obligation to inform.

According to the Board's decision no. 2021/1187 dated 25 November 2021:

  • Information such as name-surname, e-mail address, private correspondence and bank account statements in the corporate e-mail account are personal data.
  • In accordance with the Constitutional Court's decisions (i) no. 2016/13010 dated 7 September 2020 and (ii) no. 2018/31036 dated 12 January 2021, employers must ensure the following for inspection of communication means: (i) informing the employees beforehand; (ii) the proportionality of the intervention and its legitimate purpose; (iii) balance between the employer's legitimate interests and the employee's fundamental rights and freedoms; and (iv) distinguishing between the inspection on content and the flow of communication wherein further justifications are sought for content inspection.
  • Pursuant to the Bărbulescu/Romania Decision of the European Court of Human Rights (ECHR), the right to respect of privacy and the employer's right to take the necessary measures must be balanced and the intervention must be proportionate and based on clear information with justification.
  • The presence of the will to publicize is the prerequisite for making personal data public; therefore, the employee cannot be deemed to have made their email correspondence public in light of the possibility of the employer's inspection.

In light of the above, the Board decided to (i) initiate an ex officio investigation regarding the storage of the data in a cloud system located abroad; (ii) impose an administrative fine of TRY 250,000 on the data controller for failing to fulfill the obligation to inform; and (iii) not impose any sanctions regarding the data subject's request for deletion of the personal data on the grounds that they are submitted as evidence to the court.

The decision is available online here (in Turkish).

Decision: Decision on the commercial SMS messages sent by a company

In the complaint submitted to the Authority, the data subject claimed that a data controller which sells medical products recorded the data subject's phone number into its systems mistakenly and sent electronic commercial messages without their consent.

In its decision no. 2021/1153 dated 11 November 2021, the Board determined that the phone number of the data subject was provided to the data controller by another customer who consented to electronic commercial messages; however, the data controller continued data processing activities by blacklisting the relevant phone number upon request of the data subject who is the owner of the phone number.

Accordingly, the Board did not impose any sanctions on the data controller who did not process the inadvertently recorded phone number with the data subject and decided to instruct the data controller to destroy the personal data in question and inform the Board.

The decision is available online here (in Turkish).

Decision: Decision on the data processing activity of a job search platform

In the complaint submitted to the Authority, a data subject claimed that a data controller job search platform unlawfully processes personal data regarding job applications and interviews and fails to fulfill the data subject's requests.

In its decision no. 2021/1051 dated 14 October 2021, the Board determined that (i) the data controller fulfilled the request of the data subject within the 30-day legal period; (ii) the data controller immediately ceased the deletion and destruction process upon the data subject's reply; and (iii) no information or document has been submitted regarding the allegation that personal data on the job applications are transferred to other employers without informing and obtaining the consent of the data subject.

Accordingly, the Board decided not to impose any sanctions on the data controller.

The decision is available online here (in Turkish).

Decision: Decision on an employer's processing of personal data of a former employee

In the complaint submitted to the Authority, the data subject claimed that their former employer, who resides abroad, processed their personal data without informing the data subject and that the data processing activities upon termination of the employment relationship are unlawful.

The Authority initiated an investigation against the data controller employer since the liaison office of the employer's company is not a legal entity. In its decision no. 2021/1218 dated 2 December 2021, the Board determined that (i) the employee's name and surname, phone number, e-mail address, address, photograph and the information in the personnel file are processed by the data controller; (ii) fulfilling the obligation to inform pursuant to the General Data Protection Regulation (GDPR) is insufficient for the personal data processed in Turkey; and (iii) placing the information of the employee on the employer's website during the employment relationship is lawful.

Accordingly, the Board decided to instruct the employer to respond to the data subjects' applications in compliance with the relevant laws.

The decision is available online here (in Turkish).

Other decisions published by the Board in May:

  • In the decision regarding the emails sent by a human resources company for advertising and commercial purposes, the Board determined that there are no documents evidencing that a data subject's email information was made public as part of a survey and that the data controller failed to fulfill the data subject's request on the deletion of the personal data. Therefore, the Board decided to impose an administrative fine of TRY 50,000 on the data controller, instruct the data controller to destroy the relevant data and submit log records to the Authority. This decision no. 2021/1243 dated 9 December 2021 is available online here (in Turkish).
