PDPL 2023 ACTIVITY REPORT

The Personal Data Protection Authority (“Authority”) published its Annual Report for 2023 (“Report”) in recent weeks.

When the Information and Evaluations on Activities are examined:

Although it is stated that the Personal Data Protection Board (“Board”) has accepted and announced the “Letter of Undertaking”, which the data controller in Turkey and the data controller and/or data processor in the relevant foreign country can use to undertake in writing to provide adequate protection for the transfer of data abroad, it is observed that only 7 of the 48 letters of undertaking out of 81 letters of undertaking submitted were accepted.

Within the scope of Article 9 of the Law, which entered into force on June 1, 2024 and will be applied until September 1, 2024, including the current first paragraph, new methods for the transfer of personal data abroad have been offered to data controllers. In this framework, although it would not be wrong to say that a new era will begin for transfers abroad, the Board is expected to publish guidance such as Guidelines and Public Announcements so that data controllers entering the adaptation process can carry out their processes completely and smoothly.

As is known, the deadline for data controllers to fulfill the obligation to register with and notify the Data Controllers Registry (“VERBIS”) was set as December 31, 2021 by the Board’s Decision dated March 11, 2021 and numbered 2021/238, and it was announced on April 21, 2022 that administrative sanctions would be imposed ex officio in accordance with Article 18 of the Law on data controllers found to have failed to fulfill this obligation.

A comparison in this context shows that the Board imposed an administrative fine of TRY 150,710,000 for failure to fulfill the VERBIS obligation, 5 times more than the previous year.

When the administrative fines imposed by the Board on data controllers regarding VERBIS registration processes are evaluated, it is seen that an administrative fine of TRY 1 million was imposed on average per data controller, and in this sense, VERBIS-related processes were strictly audited even though no notification or announcement was made on the website.

In 2023, administrative fines amounting to TRY 241,082,000 were imposed on a total of 531 data controllers: 279 through notifications and complaints, 128 through VERBIS and 124 through data breach notifications.

When the distribution of notifications and complaints is analyzed, it is seen that the service sector is the sector subject to the most notifications and complaints with a rate of 25%, as in 2022, but the rate has almost halved compared to 2022. In addition, after the service sector, telecommunications was the sector with the highest number of notifications and complaints, while the number of notifications and complaints filed against the public sector decreased by more than half compared to 2022.

In the subject-based distribution of notifications and complaints, it was observed that the highest application rate in 2023, as in 2022, belonged to the unlawful processing of personal data, and the ranking of application subjects remained constant. A decrease by half compared to 2022 is observed regarding the non-fulfillment of the requests of data subjects by the data controller within the scope of the Law. In this context, it can be interpreted that the awareness of data controllers regarding the obligations arising from the Law has increased and that the requests of data subjects are taken into consideration.

Applications concerning unauthorized SMS and calls, which are increasing day by day, increased by approximately 4% compared to 2022, reaching 23%, and in 2023 this was included in the Report as the heading subject to the second highest number of notifications and complaints.

In light of the evaluation of these headings, it is seen that the number of applications has increased along with the personal data awareness and consciousness of data subjects. However, given that 58% of the applications were rejected because they did not meet the procedural requirements and 31% were rejected because they were outside the scope of the Law, the importance of making applications correctly should be remembered once again.