EVALUATION OF THE CONSTITUTIONAL COURT DECISION DATED 12.10.2023, APPLICATION NUMBER 2020/7518

With its decision dated 12.10.2023 in application number 2020/7518, the Constitutional Court (“Constitutional Court”) held that the applicant’s right to property had been violated by the administrative fine imposed by the Personal Data Protection Board (“Board”) on the grounds that the necessary technical and administrative measures to ensure data security had not been taken.

1. Subject and Grounds of Application

In the case subject to the decision, the applicant is a holding company headquartered abroad which operates hotels in different countries, provides franchise services to hotels and licenses timeshare properties through its subsidiaries.

On 08.09.2018, the Applicant Company received an alert from its in-house security tool regarding suspicious activity in the guest reservation database of the accommodation company it had taken over in 2016. As a result of the investigation conducted following this alert, it was determined on 19.11.2018 that the guest reservation database of the accommodation company had been accessed by an unauthorised third party.

Following confirmation of the breach, the Applicant Company published a press release on 30.11.2018, opened a website providing information about the breach, informed the persons concerned on how to protect themselves and sent an e-mail to the affected guests for whom it held a valid e-mail address.

On 03.12.2018, the Applicant Company submitted a data breach notification to the Personal Data Protection Authority (“Authority”) regarding the security incident insofar as it concerned Turkish citizens. In this notification, it was stated that:

the data of approximately 500 million customers had been copied as a result of the breach;
there had been unauthorised access to the company network on which the database was kept since July 2014, and the unauthorised access to the guest database was detected on 08.09.2018;
of the 500 million customers, approximately 327 million had their personal data stolen;
the data affected by the breach included name, surname, postal address, telephone number, date of birth, gender, passport number, accommodation company account information, hotel information, check-in and check-out information, payment card numbers and payment card expiry dates, reservation date and contact preferences.

Upon evaluating the breach notification, the Board, in its decision dated 05.12.2018, decided that the applicant should provide information about the breach, which had occurred as a result of the failure to take adequate measures for the security of the data network of the taken-over accommodation company; about whether citizens residing in Turkey were affected by it; and, if so, about the details of the work carried out and planned in relation to the breach. The Board also decided to announce the breach on the Authority’s website.

In its petition dated 28.03.2019, the applicant stated that:

there were approximately 383 million customer records, and the fact that the region/country address of approximately 1.24 million of these was specified as Turkey did not mean that 383 million separate customers or 1.24 million Turkish customers were involved in the incident, since there were multiple records for the same customer;
given the nature and size of the stolen data, deduplication of the data could not easily be performed, and the information that could be recovered was limited, given the attacker’s competence in this area and the time that had elapsed;
the taken-over accommodation company should be regarded as the data controller.

On 16.05.2019, the Board imposed an administrative fine of TRY 1,100,000 for the applicant’s failure to take the necessary technical and administrative measures to ensure data security under Article 12 paragraph (1) of the Law No. 6698 on the Protection of Personal Data (“Law”), and a further TRY 350,000 for failure to fulfil the obligation under paragraph (5) of the same article to notify the breach as soon as possible, amounting to TRY 1,450,000 in total. This decision was notified on 12.07.2019 to the applicant’s indirect subsidiary operating the applicant’s hotels in Turkey.

The applicant filed an objection requesting that the administrative fine be lifted, on the grounds that the administrative sanction decision had not been duly notified; that the Law had been applied to matters predating its entry into force; that the applicant could not be regarded as a data controller; that the Board’s decision was not reasoned; that the Law requires breach notification “as soon as possible” without stipulating any fixed period; and that imposing the administrative fine at the maximum limit was disproportionate.

The Istanbul Anatolian 1st Criminal Judgeship of Peace rejected the objection against the administrative sanction decision on the grounds that “it is understood that the act is established by the report issued by the administration, and that the administrative sanction issued for the misdemeanour arising from the established act is in accordance with the law and procedure”.

The applicant appealed against this decision of the Istanbul Anatolian 1st Criminal Judgeship of Peace. The appeal was rejected by the Istanbul Anatolian 2nd Criminal Judgeship of Peace on the grounds that “there is no procedural or legal violation in the decision of the Istanbul Anatolian 1st Criminal Judgeship of Peace and there is nothing in the decision to be changed”.

Following this decision, the applicant lodged an individual application with the Constitutional Court, which examined the application within the scope of the right to property.

2. Constitutional Court’s Review and Conclusion

In its assessment of the applicant’s claim that its right to property had been violated, the Constitutional Court found that:

in the concrete case, the imposition of an administrative fine on the applicant for failing to take the necessary technical and administrative measures to ensure data security under the Law, and for failing to report the data security breach as soon as possible, constitutes an interference with the right to property; that this interference aims to prevent violations of the rules on the protection of personal data; and that, given its purpose, the interference should be examined under the rule on controlling the use of property in the public interest;
Article 35 of the Constitution does not frame the right to property as an unlimited right; this right may be restricted by law for the purpose of the public interest, and Article 13 of the Constitution, which sets out the general principles on the limitation of fundamental rights and freedoms, must also be taken into account when interfering with the right to property;
although the applicant argued that, because the Law stipulates no fixed period for notifying a data breach, the interference had no legal basis, the Court considered it appropriate to assess this point under the heading of proportionality.

In addition, the Court noted that in its objection before the Criminal Judgeship of Peace the applicant had claimed that:

it should not be recognised as the data controller under the Law; rather, the taken-over accommodation company in which the data breach occurred should be;
the administrative fine imposed by the Board was not applicable in terms of time and was contrary to the individuality of the penalty;
although it had fulfilled the notification obligation within a short period, the ambiguity in the legislation regarding the time period was interpreted against it;
fault liability is essential in the protection of personal data, and it is unlawful to impose a penalty on a party that has taken all measures and bears no fault.

Assessing that these were significant claims affecting the whole judicial process and requiring a response, the Constitutional Court held that the failure to evaluate these objections meant that the guarantees for the protection of the right to property had not been satisfied in the concrete case, and concluded that the applicant’s right to property had been violated.

What Happened?

The breach referred to in the decision occurred within Marriott International Inc. (“Company”), and it was announced to the public that the Personal Data Protection Board had decided, in its Decision dated 16.05.2019 and numbered 2019/143, to impose an administrative fine on the Company as a result of the breach. In the decision, it was stated that “Although there are web event logs (log records) showing the unauthorised access and installation of the command prompt, which have been available since 2014, the fact that the incident could not be detected and lasted for about 4 years is a very serious security vulnerability, and is a concrete indicator that the necessary audits and controls were not carried out by the Company and that the technical and administrative measures to be taken by the Company were not taken”.

GRC LEGAL Comment

The Constitutional Court’s characterisation of the administrative fine imposed by the Board as an interference with the right to property underlines both the importance of compliance with data protection regulations and the need for the legal process to function fairly.

The uncertainties created by the relevant legislation and practice regarding the legal remedies available against administrative fines imposed by the Board lead to unpredictable judicial processes and to superficial, unreasoned decisions. The fact that objections against administrative sanction decisions are examined by the Criminal Judgeships of Peace rather than by the administrative judiciary raises the question of whether judicial review of the Board’s decisions by the Criminal Judgeships of Peace is appropriate. In particular, it will be extremely important, in order to reach equitable decisions that do not violate fundamental rights and freedoms and to establish jurisprudence in this direction, that the criterion of notification within a short period, which had not been framed by the Board’s decisions at the time of the incident, be accompanied by criteria such as the measures taken, the positions of the data controllers before and after the transfer and the division of responsibilities between them, and that ambiguities regarding duty and authority be specifically eliminated.