At the end of 2019, we published our first blog article, which presented an overview of the Turkish Data Protection Board's ("Board") decisions based on the decisions published on the website of the Turkish Data Protection Authority ("TDPA") as of 09 January 2020. This time, we analyse the Board's decisions published in the first 8 months of 2020. It is worth reminding our readers that the Board has maintained its approach of not publishing all of its decisions. The Turkish Data Protection Law no. 6698 does not require the Board to publish its decisions, nor does it impose any mandatory form or minimum content for the TDPA's decisions which must be or are published. Thus, not all of the Board's decisions are published on the TDPA's website, and not all published decisions include the same level of detail. [1]
Despite the Covid-19 pandemic, the Board has been working as actively as usual in the first 8 months of 2020. From the beginning of 2020 until 1 September 2020, the TDPA published a total of 35 decisions [2] (including decisions taken in 2019 but published in 2020). [3] In only 10 of these decisions was no administrative fine imposed (including those decisions taken in 2019 but published in 2020). 2 of those 10 decisions are opinion decisions adopted upon the request of an applicant. [4]
In 2020, the Board has continued, as a matter of principle, not to disclose the names of the data controllers in its published decisions. This year, the only exception to this rule was the famous Amazon Turkey case. The Board did, however, disclose the sector of the relevant data controllers in most of the decisions in 2020. Although this may seem to be a positive development, we believe that it is not sufficient, as there is still no clarity regarding the publication criteria for decisions or the level of detail (publication of the data controller's name, sector names etc.) that should be expected from the Board's published decisions. Furthermore, there is no doubt that disclosing the data controller's name in the decision is important for the due exercise of compensation rights by data subjects, not to mention legal clarity for other data controllers.
Below, you can find the table which demonstrates the sector breakdown of the published decisions of the Board in 2020 (including decisions taken in 2019 but published in 2020).
Considering the decisions published in the first 8 months of 2020, the finance sector, which includes banks and factoring companies, is at the top of the list: 34% of the decisions published on the TDPA's website relate to the finance sector. The tourism sector, which includes online ticket selling platforms and transportation, and the technology sector, which includes internet service providers, e-commerce and intermediary service providers, share second place.
Based on the published decisions, the total amount of fines imposed by the Board since 2018 has reached TRY14,350,500 [5]. Of this total, TRY6,345,500 was imposed in the first 8 months of 2020. This means that 44.2% of the total fines were imposed in the first 8 months of 2020 alone. [6]
Considering the decisions published in 2020 to date, the top 10 highest fines imposed by the Board have changed. You can find below the new top 10 highest (published) fines as of the publication date of this blog post.
The above table shows that almost half of the top 10 highest fines were imposed in 2020. But number 1 on the list is still the same. The highest administrative fine imposed by the Board so far (TRY3,250,000 in total) was in the Facebook case. This amount equals 22% of the total fines imposed as per the published decisions.
One of the 2020 decisions in the spotlight is the Amazon Turkey decision. This decision addresses international data transfers and electronic commercial communications, and the Board imposed an administrative fine of TRY1,200,000. You can find our blog post regarding the Amazon decision here.
Regarding the initiation of the investigations carried out by the Board, we noted that:
- In 5 cases, the Board started an investigation and took a decision following notification by another institution, for example the Provincial Health Directorate. The Amazon decision mentioned above is one such decision.
- 4 of the published decisions relate to data breaches. In 2 of these cases, the Board also imposed an additional administrative fine because the data controllers did not notify the TDPA of the breach within the shortest time (72 hours, as decided in the Board's decision dated 24.01.2019 and numbered 2019/10).
- More than half of the published decisions were initiated upon a complaint. This shows that citizens are becoming more aware of the Data Protection Law and their rights under this Law, and that they do not refrain from filing a complaint with the TDPA. This also means that, as awareness increases in the upcoming years, the rate of complaints will increase as a consequence.
In terms of the subject matter of the decisions, the Board has handled and decided cases involving, among others, biometric data (entry by palm scan), data transfers to third countries, fulfilment of the disclosure obligation, cookie policies, data collection from publicly available sources, commercial electronic communication approvals, passenger scoring systems, and offering discounted prices only to members.
To sum up, the TDPA and the Board have been active despite the Covid-19 pandemic, and the Board is very actively imposing administrative fines on data controllers. Although the data protection registry (VERBIS) deadlines have been extended again until 30 September 2020 [8], one of the first criteria that the TDPA checks when reviewing a file is whether the controller is registered with the registry in Turkey. This is an important reminder to all data controllers as the deadline is approaching.
[1] The Board has not yet published its 2019 Activity Report. Therefore, we do not know the total number of decisions or the total amount of administrative fines that the Board imposed in 2019. Among the decisions taken by the Board in 2019 and published on the website, the decision number of the latest published decision is 389. Therefore, it is estimated that the Board decided at least around 400 files in 2019. When the decision numbers of the decisions published in the first 8 months of 2020 are analysed, we see that the latest published decision's number is 481. This seems to suggest that the Board reviewed at least two times more cases in the first 8 months of 2020 compared to the same period in 2019.
[2] One announcement includes 4 different decisions on factoring companies, and another announcement includes 2 different decisions related to the same data controller. Therefore, there are 31 announcements but, in effect, 35 published decisions.
[3] In the same period of the year 2019, only a total of 25 decisions were published.
[4] Decisions upon a request for an opinion: (i) Decision dated 26.12.2019 and numbered 2019/389: opinion about sharing candidates' points on the website of a university without consent; (ii) Decision dated 23 June 2020 and numbered 2020/471: opinion about the obligations of a bank with a representative office in Turkey to register with the Data Controllers' Registry.
[5] As of 1 September 2020, the exchange rates (The Central Bank of the Republic of Turkey - Banknote Selling rates) are USD/TRY: 7.3553; GBP/TRY: 9.9024; EUR/TRY: 8.8137.
[6] The administrative fine amount for 2018 is based on the 2018 Activity Report of the TDPA, but the administrative fine amounts for 2019 and for the first 8 months of 2020 are based on the administrative fines imposed in the published decisions that were announced on the website.
[7] Total monetary fine for 4 factoring companies.
* It is not possible to state the publication dates of the Board's latest decisions, as the TDPA has stopped publishing the publication dates of its decisions.
[8] Please find our blog post regarding the extension of the deadlines here.