The Personal Data Protection Authority (“Authority”) recently published its Annual Report for 2022 (“Report”). When the Report's “Information and Assessments Regarding the Activities” are analysed, the following points stand out:
Although the Report states that the Personal Data Protection Board (“Board”) has accepted and announced the “Commitment Statements” by which the data controller in Turkey and the data controller and/or data processor in the relevant foreign country can undertake in writing to provide adequate protection for data transferred abroad, it is observed that only five of the 45 commitments out of 75 submitted commitments were accepted.
Considering that the Law, which sets very strict limits on the transfer of data abroad, also interprets such transfers very broadly, this Report once again brings up the view that data controllers often have no way to transfer data abroad other than explicit consent, and that the other methods included in the Law are not reflected in practice.
The lack of disclosure of any matter that may constitute a basis for the acceptance or rejection of the undertakings submitted to the Board regarding transfers abroad is far from providing guidance, and must inevitably be regarded as a situation that puts data controllers' processes in a deadlock.
The fact that applications for a Letter of Undertaking, which the Law defines as a route for data controllers, so rarely receive a favourable response from the Board may also lead data controllers not to use this method at all, since it appears to have a very low probability of producing results.
As it is known, the deadline for data controllers to fulfil the obligation to register and notify to the Data Controllers Registry (“VERBIS”) was set as 37 December 2027 with the Board’s Decision dated 11/03/2021 and numbered 2021/238, and it was announced on 21 April 2022 that administrative sanctions will be imposed ex officio in accordance with Article 18 of the Law on data controllers who are found not to fulfil this obligation.
In this context, unlike previous years, it is observed that the Board imposed an administrative fine of 29,790,000 TL only due to the failure to fulfil the VERBIS obligation.
It is noteworthy that the Board, which publishes the amounts of administrative fines imposed on data controllers, the reasons for the fine, and even the names of the relevant data controllers from time to time on its website, has not published any decision regarding this administrative fine during 2022.
| | 2017 | 2018 | 2019 | 2020 | 2021 | 2022 |
|---|---|---|---|---|---|---|
| Administrative Fines for Complaints and Notices | 30,000 TL | 670,000 TL | 1,905,000 TL | 11,497,000 TL | 16,351,000 TL | 20,738,000 TL |
| Administrative Fines Imposed on Data Breach Notifications | 95,000 TL | 200,000 TL | 11,200,828 TL | 9,893,000 TL | 15,395,000 TL | 34,955,000 TL |
| Violation of VERBIS Registration and Notification Obligation | – | – | – | – | – | 29,790,000 TL |
| TOTAL | 125,000 TL | 870,000 TL | 13,105,828 TL | 21,390,000 TL | 31,746,000 TL | 85,483,000 TL |
In 2022, the amount of administrative fines imposed on a total of 268 data controllers, including 134 notifications and complaints, 98 data breach notifications and 36 within the scope of the obligation to register and notify the Data Controllers Registry, amounted to TL 85,483,000.
It is a fact that publicly announcing the institutions and organisations on which the Board imposed administrative fines encourages data controllers, in order to prevent loss of reputation, to act more actively in taking measures. In addition, explicitly announcing the names will help inform data subjects who already deal with those institutions and organisations, and will support more informed choices by people who are likely to become data subjects even if they do not yet have any relationship with them.
While even data breaches that have not yet been finalised and have only been notified to the Board for investigation are announced with the name of the institution, there is no information about the institutions on which the administrative fines were imposed, even though these fines reached 85 million as of 2022 and, with the VERBIS fines, almost tripled compared with 2021. This is considered worth mentioning in this context.
When the distribution of notices and complaints is analysed, it is observed that while the public sector received the highest number of notices and complaints in 2021 with a clear difference, in 2022, the service sector was the sector subject to the highest number of notices and complaints with a rate of 48% and there was a significant decrease in the number of notices and complaints made to the public sector from 56% to 14%.
| Subject of Application | Number of Applications | Application Rate (%) |
|---|---|---|
| Unlawful processing of personal data by the data controller | 4,139 | 45.68 |
| Unauthorised SMS/Calls | 1,750 | 19.31 |
| Unlawful disclosure/transfer of personal data by the data controller to third parties | 1,545 | 17.05 |
| Failure by the data controller to fulfil the requests of the data subjects within the scope of the Law | 957 | 10.56 |
| Failure by the data controller to delete, destroy or anonymise the data | 447 | 4.93 |
| Claims under the right to be forgotten | 100 | 1.10 |
| Requests not to transfer personal data abroad | 84 | 0.92 |
| Failure to fulfil the disclosure obligation | 37 | 0.45 |
| TOTAL | 9,059 | 100 |


In the subject-based distribution of notices and complaints, it is observed that requests not to transfer data abroad, which ranked at the top in 2021 with a rate of 41%, fell considerably to 0.92% in 2022; meanwhile, there was a serious increase in the unlawful processing of personal data, from 18% to 45%.

It is also an important point that the Unauthorised SMS/Calls heading entered the list as a new heading in the 2022 Report and, at 19.31%, was the heading subject to the most notices and complaints after the unlawful processing of personal data.

In light of a general evaluation of these headings, it can easily be said that the number of applications has increased in direct proportion to the growth in data subjects' awareness and consciousness of personal data, and that there has also been a visible increase in awareness within data controllers, especially in the public sector.