Nowadays, technology is progressing rapidly, and with this progress, data sharing and storage in the digital world are constantly increasing. With the widespread use of the internet and mobile devices, the need to protect individuals’ personal data has become a higher priority than ever. Protection of individuals’ personal data is possible through legal regulations on the subject.
For this reason, both national laws and regulations as well as international conventions have placed the protection of personal data under legal protection. In recent years, many countries, including Turkey, have legislated on the protection of personal data and regulated issues related to the protection of personal data, such as the collection, retention, destruction and notification of data subjects. The most comprehensive work in this area is the European General Data Protection Regulation (“GDPR”), which entered into force in 2018. In Turkey, primarily the right to request the protection of personal data was constitutionally protected in 2010, and the next step following this development was the enactment of the Personal Data Protection Law No. 6698 on March 24, 2016.
In the framework of Turkish law, sanctions for crimes and misdemeanors related to personal data violations are regulated in the Turkish Penal Code and the Personal Data Protection Law. Within the scope of the Turkish Penal Code, “Recording Personal Data (Art.135), Unlawfully Giving or Obtaining Data (Art.136), Failure to Destroy Data (Art.138)” constitute crimes related to personal data. Article 18 of the Law on the Protection of Personal Data regulates misdemeanors regarding personal data. “Failure to fulfill the obligation to clarify, failure to fulfill the obligations regarding data security, failure to fulfill the decisions made by the Personal Data Protection Board, violation of the obligation to register and notify the Data Controllers Registry” constitute misdemeanors under the Personal Data Protection Law.
Although a personal data breach is not explicitly defined in the Protection of Personal Data Law (“Law”), the GDPR defines “personal data breach” as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. In recent years, many countries have imposed striking penalties in cases of data breach. These penalties are intended to prevent personal data breaches.
What Sort of High Penalties Have Personal Data Breaches Resulted in Under Turkish Law?
Penalties that may be imposed in the event of a personal data breach can include fines, often in the millions or even billions of euros. These fines are determined depending on the level of the data breach, the nature and the impact of the breach. In particular, even large companies known worldwide can be subject to these fines, and for companies or organizations involved in data breaches, such fines may seriously damage their reputation. In Turkey, high fines imposed by the Personal Data Protection Board in recent years within the scope of the protection of personal data and the acts that caused these fines are as follows:
The Personal Data Protection Board fined WhatsApp and Meta 2 million 665 thousand Liras each.
Article 16/2 of the Law stipulates that natural and legal persons who process personal data must register with the Data Controllers’ Registry before starting data processing. The Personal Data Protection Board determined, as part of its investigation, that WhatsApp and Meta had failed to fulfill their obligation to register with the Data Controllers’ Registry. As a result, they were fined 2,665,000 Turkish Liras each.
The Personal Data Protection Board fined TikTok 1 million 750 thousand Liras.
Various news reports and complaints on the internet and social media platforms regarding the TikTok application claimed that the app was not duly obtaining the explicit consent of its users within the scope of the Personal Data Protection Law No. 6698 (“Law”), that there were illegalities in obtaining and storing personal data, and that the software had many security vulnerabilities. Based on these claims, the Personal Data Protection Board decided to initiate an ex officio investigation. As a result of the investigation, it was determined that children’s personal data was being unlawfully accessed, the Confidentiality Agreement on the website did not specify the purposes for processing personal data, the Terms of Service section was not submitted for the data subject’s consent and was not translated into Turkish, no explicit consent was obtained during the account creation process, and no explicit consent was obtained for the processing of cookies. Therefore, TikTok was fined 1,750,000 Turkish Liras.
The Personal Data Protection Board imposed a fine of 950 thousand Turkish Liras after a technology company, whose name was not disclosed by the Personal Data Protection Board, transferred the personal data of the data subject abroad without explicit consent.
According to the Personal Data Protection Board’s own data, the Board imposed a fine of 300 thousand Liras on an unnamed shopping center, acting as data controller, for unlawfully processing personal data by obtaining e-Government passwords from the relevant persons for bonded purchases and T.R. identity numbers to create memberships on the website.
A notification petition was filed with the Personal Data Protection Board because data subjects’ e-Government passwords were requested when they purchased a phone with a promissory note via the website of a shopping center, and the order confirmation did not take place unless the e-Government passwords were entered. As a result of the investigation, it was also determined that, in order for the e-Government password in question to make sense, customers must first provide their Turkish ID number to the data controller, and that the Turkish ID number was provided to create a membership. Data subjects were thus required to provide e-Government passwords and Turkish ID numbers in order to create a membership on the website. It was determined that the personal data processing activities carried out in this manner were conducted without relying on any of the data processing conditions specified in the Law, and a fine of 300,000 TL was imposed.
In addition to the examples mentioned above, acts that can be frequently encountered in daily life, such as “sending e-invoices belonging to other subscribers to the e-mail address of the data subject; a doctor who has resigned from a hospital processing the data subject’s phone number by sending SMS messages; an employer continuing to process the data subject’s personal data after the termination of the employment contract; a data controller selling household items processing the data subject’s phone number by contacting them about a third party’s debt”, may constitute a violation of personal data and may be subject to large fines by the Board.
You may access the summaries of the violation decisions made by the Personal Data Protection Board for various reasons from the link below: