PERSONAL DATA PROTECTION LAW
The Law on the Protection of Personal Data and its secondary legislation have been updated frequently since the Law entered into force. Many procedures and principles of data protection are determined not only by the Law, the Regulations and the Communiqués, but also by Board Decisions, Principle Decisions and Board Decision Summaries. Our monthly bulletins therefore aim to inform interested parties about the practice of the Personal Data Protection Board and to keep them up to date.
In April 2023 the Personal Data Protection Board (“Board”) broke a long silence by publishing 40 decision summaries; it also published its Annual Report for 2022 and marked Personal Data Protection Day on 7 April. Our review of that report is available on the GRC-Legal LinkedIn account. This month’s bulletin covers the 12 Board Decision Summaries we consider most significant.
BOARD DECISION SUMMARIES
The most important sources for keeping pace with the data world have been the Board’s Principle Decisions and its summaries of decisions imposing administrative sanctions. Legislation and practice have been shaped in line with these decisions, and many of the procedures, principles, terms and expressions familiar from the European General Data Protection Regulation (“GDPR”) appear in them. The duties and powers of the Board are listed in Article 22 of the Law (“KVKK”), and the binding nature of the decision summaries rests on that provision.
BEWARE OF SOCIAL MEDIA POSTS UNDER ALL CIRCUMSTANCES!
In summary, the data subject complained that his employment contract had been terminated unfairly while he was working as a company manager for the data controller; that a post reading “… We apologise for the inconvenience caused to you by ….., who was dismissed due to irregularities …” had been published on the data controller’s social media account; and that the data controller had not responded to his request, made under other legislation, to remove the post and publish a correction.
In its defence submitted to the Authority, the data controller stated that it was party to various disputes with its former employee, that the employee had acted in bad faith, and that the post was intended to prevent the customers in his portfolio from being harmed by his conduct.
Although the data controller argued that it had acted in accordance with the processing conditions in the Law, the Board held that publishing an announcement containing the data subject’s full name and accusations against him on a social media account accessible not only to the company’s customers but to everyone violated the principle of proportionality, since there was no reasonable balance between the processing and the purpose pursued. It imposed an administrative fine of 30,000 TL, taking the data controller’s economic situation into account when setting the amount, and instructed the data controller to remove the post.
THE DATA SUBJECT’S PERSONAL DATA VERSUS THE DATA CONTROLLER’S CONTRACTUAL RIGHT
In summary, the data subject complained that promotional material and images of products offered for sale by a clothing store were published on the data controller’s website; that although his business relationship with the data controller, for which he had worked as a catalogue model, had ended, the photographs remained online on the data controller’s internet addresses without his explicit consent; that they remained published even after he applied to the data controller requesting their removal; and he asked that the necessary action be taken.
In its defence submitted to the Authority, the data controller stated that there was an unwritten work contract between the parties based on the data subject’s photo-modelling service, and that the photographs made available to the public under this contract are published in the data …
The data controller further stated that the data subject had received payment and waived any additional financial rights for the data controller’s use of the photographs, and that even without written consent the data subject should be taken to have consented by posing for the photographs of his own free will.
In its final decision, the Board found no action to be taken against the data controller company under the Law, on the grounds that the photographs are published only until the stock of the clothing is exhausted and that the processing rests on the legal ground of performance of the contract between the data subject and the data controller.
THE ONLY REFERENCE FOR SHARING HEALTH INFORMATION: CONFIDENTIALITY OBLIGATION
In summary, the data subjects complained that all employees of the employer were pressured into taking a drug test without any reason or explanation; that they were called in from their homes and tested at the data controller, a private health institution; that no consent was obtained and no information was provided during this process; and that the test results were sent to the e-mail address of another employee (“third party”) at their workplace, so that their personal health data had been processed unlawfully.
In its detailed investigation of the data controller health institution and of the complainants’ employer, the Board examined why the health institution sent all the test results to the third party, rather than whether the employer had reasonable grounds for the drug test. The investigation found that the data subjects were said to have consented verbally to the results being sent to the third party’s e-mail address, and that the third party had given his e-mail address to the clinic staff for that reason.
The Board imposed an administrative fine of 75,000 TL, taking into account that the data controller shared the data without relying on any processing condition in Article 6 of the Law (which governs special categories of personal data, including health data), that the data controller provides health services in many provinces with approximately 600 employees, and that the third party who received the data was not a person bound by an obligation of confidentiality.
BEWARE OF REFERENCE CALLS, REQUESTS AND WORKPLACE FEEDBACK!
In summary, the data subject complained that, while employed by one company, he was invited to a job interview at another company and attended it; that the data controller company which conducted the interview told his current employer that he had made many statements damaging the employer’s reputation; and that the current employer confirmed this sharing during subsequent disputes with him.
In its defence submitted to the Board, the data controller argued that the disclosure did not contain personal data, and noted that the Chief Public Prosecutor’s Office had decided not to prosecute the criminal complaint the data subject had filed against it for the offences of “unlawfully recording personal data, violating the privacy of private life, and unlawfully obtaining or disseminating data”, so that the act did not constitute a violation of the privacy of private life.
In its final examination, the Board found that the criminal decision was taken within the scope of criminal law and did not bind the Board in private-law terms; that the case primarily concerned a violation of personality rights; that the data controller had unlawfully transferred to the data subject’s employer both the fact that he attended a job interview and the claim that he had made many statements about his workplace; that the transfer relied on none of the conditions in Article 8 of the Law; and that the data controller had not responded to the data subject’s application within the statutory period of 30 days. It imposed an administrative fine of …000 TL on the data controller.
PAY ATTENTION TO EXACTLY TO WHOM THE EXPLICIT CONSENT IS GIVEN!
In summary, the data subject complained that photographs taken during a nose operation performed at a private hospital were shared for advertising purposes on the social media account of the doctor who worked at the hospital and performed the operation, and that the photographs remained on that account for approximately two years.
Although the data controller argued that the image did not identify the data subject, since it showed only the nose before and after the operation and identifying features had been removed through the shooting angle and anonymisation, it was determined that other identifying elements in the photograph made it personal data. The data controller also argued that the data subject had consented to the sharing.
The Board’s investigation found that the party to which the data subject had given explicit consent for the use of his personal data was the health institution that performed the treatment, whereas the images taken during surgery were shared on the personal social media account of a doctor working at the hospital. An administrative fine of 100,000 TL was imposed on the grounds that the transfer of personal data by the data controller health institution to a doctor within its own organisation was unlawful and that the necessary technical and administrative measures to prevent this sharing had not been taken.
THE BALANCE BETWEEN DATA PROCESSING AS A LEGAL OBLIGATION AND CONFLICT OF RIGHTS
In summary, the data subject complained that his images were shared with news agencies and websites without his explicit consent; that offensive comments were made about him as a result of the images appearing on those news sites, causing him moral harm; that the data controller displayed no sign warning that video recording took place at the workplace, so the obligation to inform was not fulfilled; and that his personal data was shared unlawfully.
In summary, the data controller, a foreign exchange office, stated in its defence that the data subject had been overpaid because of a teller’s error during a transaction; that after every attempt to reach him failed, camera footage containing only partial and sometimes ambiguous images was shared through an agency following a standard procedure; that the data subject learned of this through his daughter; that the sharing was neither intended nor of a nature to violate any constitutional right; and that, weighing the competing rights, the data controller’s legitimate interest prevailed because there was no other way to identify the data subject. The full text of the Board’s decision summary contains a detailed analysis of the competing rights.
In its final review, the Board held that foreign exchange offices are legally obliged to operate cameras, that recording the data subject’s images on video was therefore lawful, and that camera warning signs were displayed in the office.
It further held that transferring the camera footage, which showed only the data subject’s eye area and silhouette, to a local news channel for the purpose of a public announcement, in order to recover the unjustified overpayment made to him and prevent economic loss, was consistent with equity and the data processing conditions, and decided that no action was to be taken under the Law.
THE DATA CONTROLLER SHOULD CHECK THE ACCURACY AND TIMELINESS OF THE DATA IT PROCESSES!
In summary, the data subject complained that after the termination of the employment contract the data subject’s image was still used for advertising and marketing; that the data subject still appeared as the person who carried out sales and collection transactions within the data controller; that the data subject’s telephone number was still given as the recipient contact on parcels of products sent to the store; and that this processing became unlawful with the termination of the contract.
The data controller stated that the sixth paragraph of the section titled “Domestic transfer of your processed personal data” in the clarification text signed by the data subject provides that “data can be shared with suppliers and solution partners in order to fulfil functions such as software, enterprise resource planning, reporting, marketing, etc.”; that the data subject should therefore be deemed to have consented to the processing of personal data for marketing purposes by appearing in the company’s advertisements; and that the claim that the data subject’s “mobile phone information continues to be processed by the company, as it is seen on the cargo package” was not supported by any evidence.
The Board assessed that continuing to use the data subject’s image for advertising and marketing after the termination of the employment contract was contrary to the ordinary course of life, and that the data controller had failed to ensure the accuracy and timeliness of the personal data processed under its responsibility.
On that basis, and noting that the data controller acted contrary to the principle that personal data be “accurate and, where necessary, up to date”, the Board imposed an administrative fine of 250,000 TL and instructed the data controller to remove the data subject’s personal telephone number from the cargo company’s records and the data subject’s name and surname from the various documents and forms concerned.
THE EMPLOYEE’S CORPORATE E-MAIL ADDRESS CAN BE INSPECTED, PROVIDED THAT IT DOES NOT EXCEED THE LIMIT!
In summary, the complaint submitted to the Authority concerns the processing of personal data by monitoring, accessing and storing the contents of the corporate e-mail account the data controller allocated to its employee. The data subject claimed that this monitoring was excessive.
During an audit, the data controller found that the data subject had forwarded company information containing commercial data to a personal e-mail address in breach of confidentiality measures, and had secretly recorded a telephone conversation with a colleague without that colleague’s knowledge or consent.
The data controller stated that, through various policies and clarification texts, it had informed employees that it is both authorised and responsible for monitoring and supervising their compliance with legislation, company policies, confidentiality obligations, information security procedures and disciplinary provisions, and that those texts set out the rules for use of the computers and corporate e-mail accounts entrusted to employees. It stated that the processing served a specific, explicit and legitimate purpose, namely protecting its legitimate interests, and relied on the processing condition that “processing is necessary for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject”.
Following its investigation, the Board concluded that the data controller had a legitimate interest in carrying out the audit, noting that the criteria considered in the Constitutional Court decision of 17/09/2020 (application no. 2016/13010) and the European Court of Human Rights (ECtHR) judgment of 12/01/2016 in Bărbulescu v. Romania should also be taken into account in the case.
Considering that the data controller could establish whether the data subject had committed a violation only through such an audit, and that the processing was limited to the relevant employee, to the personal data required for the purpose and to the intended scope, the Board ruled that no action was to be taken against the data controller employer under the Law.
EXPLICIT CONSENT IS REQUIRED FOR DATA TRANSFERS ABROAD!
In summary, the complaint submitted to the Authority stated that the data subject subscribed to the data controller’s system via its website; that the clarification text stated that data is transferred abroad, although the data subject had given no explicit consent to this; and that an application for information sent to the e-mail address given in the clarification text on the website received no response from the data controller within the statutory period of 30 days.
The data controller stated that it had created an e-mail address specifically for data subject applications but that the data subject’s application to that address went unanswered through inadvertent oversight; that it is based in Turkey, provides services in many countries and delivers them using cloud services located abroad; that the notice of transfer abroad in the clarification text on the website was given because data is kept on those servers; that it had been working for some time on a letter of undertaking with the company providing its hosting services; and that it would submit that letter of undertaking to the Board for approval as soon as possible.
In its final decision, the Board found that the data controller had not taken all necessary administrative and technical measures to handle data subject applications effectively and in accordance with the law and good faith. It further noted that under Article 9 of the Law the transfer of personal data abroad is subject to specific conditions, and that where those conditions are not met there is no legal ground for the transfer other than explicit consent. Since the data controller’s transfer abroad did not comply with the Law, the Board imposed an administrative fine of 950,000 TL and warned the data controller to take the necessary measures.
E-MAIL CONFIRMATION MECHANISM AS A TECHNICAL MEASURE
In summary, the data subject complained that an e-mail was sent to the data subject’s e-mail address setting out all the details of a third party’s order on an e-commerce site, including the sender and recipient data and the contents of the order, with an active order cancellation button.
In summary, the data controller stated in its defence that the order in question was created by a logged-in customer who, because of a similarity of names, entered as the second e-mail address that of another person who was not a member; that explicit consent had been given for e-mail and SMS sending; that the data controller had no intent; and that technical development work had been initiated so that the e-commerce site would confirm erroneous entries.
Following its examination, the Board imposed an administrative fine of 120,000 TL on the grounds that, by failing to establish a confirmation mechanism that verifies the contact details entered for the recipient groups to which e-mails are sent, the data controller had not fulfilled its obligation to take the administrative and technical measures needed to prevent the unlawful processing of personal data and to ensure compliance with the principle of keeping personal data accurate and, where necessary, up to date.
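The decision names the missing control but not its shape. As an added illustration, not the e-commerce site’s own code, the following Python sketch shows one way such a confirmation mechanism works: the recipient address typed at checkout first receives only a neutral confirmation request carrying a signed, time-limited token, and the order details with the cancellation link are released only after someone with access to that mailbox confirms. The server key, the 24-hour token lifetime, the in-memory outbox standing in for the mail transport, and the sample order are all constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: a per-deployment secret kept server-side; generated here for the example.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 24 * 3600


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, key: bytes) -> str:
    return _b64(hmac.new(key, payload, hashlib.sha256).digest())


def issue_confirmation_token(email: str, key: bytes, now: Optional[float] = None,
                             ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Bind the normalised address to an expiry time under an HMAC, so the token
    proves control of that mailbox only, and only for a limited period."""
    ts = time.time() if now is None else now
    payload = f"{email.strip().lower()}|{int(ts) + ttl}".encode()
    return f"{_b64(payload)}.{_sign(payload, key)}"


def verify_confirmation_token(token: str, key: bytes,
                              now: Optional[float] = None) -> Optional[str]:
    """Return the confirmed address, or None if the token is malformed, tampered
    with or expired. The MAC is compared in constant time before anything is parsed."""
    try:
        body, sig = token.split(".", 1)
        payload = _unb64(body)
    except ValueError:  # covers binascii.Error from bad base64 as well
        return None
    if not hmac.compare_digest(sig, _sign(payload, key)):
        return None
    email, _, expiry = payload.decode(errors="replace").rpartition("|")
    ts = time.time() if now is None else now
    if not email or not expiry.isdigit() or int(expiry) < ts:
        return None
    return email


class RecipientNotifier:
    """Gates order e-mails on confirmed ownership of the recipient address.
    `outbox` stands in for the mail transport so the flow can be inspected."""

    def __init__(self, key: bytes = SERVER_KEY):
        self.key = key
        self.verified = set()
        self.outbox = []

    def request_confirmation(self, email: str, now: Optional[float] = None) -> str:
        # The only message an unverified address ever receives: no order data,
        # no names, no cancellation link, just the confirmation token.
        token = issue_confirmation_token(email, self.key, now)
        self.outbox.append({"to": email.strip().lower(), "kind": "confirm_request",
                            "token": token})
        return token

    def confirm(self, token: str, now: Optional[float] = None) -> bool:
        email = verify_confirmation_token(token, self.key, now)
        if email is None:
            return False
        self.verified.add(email)
        return True

    def send_order_details(self, email: str, order: dict) -> str:
        """Returns "sent" or "withheld". Order data never leaves the system for an
        address whose owner has not confirmed it."""
        addr = email.strip().lower()
        if addr not in self.verified:
            return "withheld"
        self.outbox.append({"to": addr, "kind": "order_details", "order": order,
                            "cancel_link": f"https://shop.example/cancel/{order['id']}"})
        return "sent"


if __name__ == "__main__":
    n = RecipientNotifier()
    order = {"id": "A-1001", "items": ["coat"], "sender": "Alice"}  # constructed sample
    mistyped = "Other.Person@example.com"  # a non-member's address entered by mistake
    token = n.request_confirmation(mistyped)
    print(n.send_order_details(mistyped, order))  # withheld: nobody has confirmed yet
    n.confirm(token)                              # the mailbox owner clicked the link
    print(n.send_order_details(mistyped, order))  # sent
```

The point of binding the address into the HMAC rather than storing a random nonce is that confirming one address can never unlock another, and the expiry means a stale link forwarded later cannot be used to pull order data for a different transaction.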
THE PUBLICISATION EXCEPTION, WHICH DOES NOT REQUIRE EXPLICIT CONSENT, MUST NOT GO BEYOND ITS PURPOSE!
In summary, the data subject complained that a marketing company obtained the data subject’s work e-mail address from internet search engine results and processed it by sending commercial electronic messages without obtaining explicit consent.
In summary, the data controller stated in its defence that the marketing e-mail was sent on the basis of Article 6 of the Law No. 6563 on the Regulation of Electronic Commerce, which provides that “commercial electronic messages may be sent to tradesmen and merchants without prior approval”, and that the e-mail promoted a software product related to the data subject’s profession.
Following its examination, the Board determined that the data subject’s business e-mail address had been made public for communications relating to the practice of law, not for marketing or advertising purposes, and that although the data is accessible on the internet, the processing was not limited to and connected with the purpose for which it was made public.
In addition, under Article 11 of the Attorneyship Law No. 1136, lawyers may act neither as tradesmen nor as merchants, so commercial messages cannot be sent to them without their consent. The Board imposed an administrative fine of 150,000 TL on the data controller for processing personal data unlawfully, without any processing condition being met.
SANCTIONS AGAINST EMPLOYERS WITH LOW AWARENESS!
In summary, the data subject complained that the data controller employer, with whom the data subject had been in an employment relationship until it was terminated for just cause, forwarded judicial correspondence from a criminal investigation file in which the data subject’s name appeared to the e-mail address of the data subject’s brother, who had no connection with the file.
The e-mails said to have been sent by the data controller to the data subject’s brother stated that the document in question had been served at the family’s address, and attached a complaint petition submitted to the Chief Public Prosecutor’s Office alleging that the data subject had stolen the company’s software and trade secrets; in the suspects section of that petition, not only the data subject … In addition, since the data controller did not respond to the allegation that the complaint petition concerning the data subject was shared with the data subject’s brother, nor explain on what legal basis, an administrative fine of 150,000 TL was imposed.
DATA BREACH NOTIFICATION
Article 12/5 of the LPPD titled “Obligations regarding data security” states that “In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.”
In April 2023, one data breach notification was published on the website of the Personal Data Protection Authority, www.kvkk.gov.tr.
Beytıp Sağlık Hizmetleri Ltd. Şti.
In summary, the data breach notification submitted to the Board by Beytıp Sağlık Hizmetleri Ltd. Şti., in its capacity as data controller, stated that on 18.02.2023 the program holding the records of all medical transactions concerning patients treated at the medical centre and their relatives, together with some of the computers used to access it, could not be opened; that unidentified persons had gained unauthorised access to the data controller’s computers and to the network and information system to which they are connected, and had encrypted access to the program; and that the categories of personal data affected are identity, contact, personal details, legal transaction, customer transaction, transaction security, risk management, finance, marketing, audio and visual records, race and ethnicity, and health information.
The exact number of people affected is not known but is estimated at 5,000; the records of the last year are affected, and the affected groups are employees, users and patients.