PERSONAL DATA PROTECTION LAW
The Law on the Protection of Personal Data (“LPPD”) and its secondary legislation is a living law that is frequently updated since its effective date. Many procedures and principles related to data protection are determined not only by the Law, Regulation and Communiqué, but also by the Board Decisions, Principle Decisions and Board Decision Summaries. Therefore, our monthly bulletins aim to inform those concerned about the practices of the Personal Data Protection Board (“Board”) and to keep them up-to-date.
We believe that the most essential action taken by the Board in May was the Summary of Decisions published as a set on 23 May 2022. This set, which contains 15 decision summaries, introduces quite radical rules for implementation. You can access the details of the Board Decision Summaries, which we have summarised for you and emphasised the important points, below.
DATA BREACH NOTIFICATIONS
Article 12/5 of the LPPD titled “Obligations regarding data security” states that “In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.”
In May 2022, three data breach notifications were published on the website of the Personal Data Protection Authority, www.kvkk.gov.tr.
Yıldız Technology Development Zone Teknopark A.Ş.
The breach occurred on 03.05.2022 with the disabling of the systems as a result of a cyber attack on the systems of the data controller on 03.05.2022, 05.05. 2022, the data breach was detected as a result of the discovery of a ransom demanded note on 05.05.2022, the systems affected by the breach are Argeportal, EBYS, eBA, PDKS, Logo software and in-house common area belonging to the data controller, personal data categories are identity, contact, location, personal, customer transaction, finance, professional experience information, person groups are employees, users and customers, the number of people has not yet been determined.
ZkSoftware The Advanced Biometric Solution Elektronik San. ve Tic. Ltd. Şti
The breach occurred on 22.05.2022 and was detected on 23.05. 2022, the files of the data controller in two data storage areas were locked with crypto encryption, the relevant groups of people affected by the breach are the employees of the data controller and customers, approximately 1000 real persons are affected, and the categories of personal data are; Identity, Contact, Personality, Customer Transaction (invoice and order information of the products purchased by customers in the past), Finance (receivables or debt information of customers), Marketing information (product information purchased by customers).
Baydöner Restoranları A.Ş.
It was stated that the breach occurred as a result of the computer of the IT Manager of the data controller being attacked with malicious software and the web service passwords being captured, that it occurred on 21.05.2022 and was detected on 22.05.2022, that the affected person groups are employees, users and subscribers / members, personal data; customers’ name, e-mail, mobile phone, gender, city of residence information, the number of people is 505,337.
BOARD DECISION SUMMARIES
In order to keep up with the pace of the data world, the most important source has been the Board’s Principle Decisions and Summaries of Decisions for administrative sanctions. The legislation has been shaped in line with these decisions, and many procedures and principles, as well as adjectives and expressions familiar from the GDPR world, are included here. Article 22 of the LPPD lists the duties and powers of the Board, and the binding nature of the Decision Summaries is based on this provision.
Summary of the Decision of the Personal Data Protection Board dated 14/10/2021 and numbered 2021/1051 on “An employment platform that carries out job search and recruitment processes engages in practices contrary to the Law on the Protection of Personal Data”
It has been the subject of the complaint that the data controller has made practices contrary to the LPPD in terms of confidentiality and processing of personal data for employers as a result of job applications made by the data subject through his/her membership account on the employment platform of the data controller, that the information/access request of the data subject to be provided with a digital copy of all information and documents submitted to employers regarding job applications and interviews was not fulfilled by the data controller, and that it was stated that the data would be deleted without the consent of the data subject. In its explanation, the data controller stated that a number of personal data processing activities were carried out based on the service contract between them and in this context, the clarification texts were notified to the data subject.
It was determined that the 30-day period was complied with regarding the complaint of the data subject that his/her request for access to personal data was not met and it was decided that there was no action to be taken within the scope of the Law. In view of the fact that the data subject did not provide any corroborating information or document that goes beyond suspicion regarding the allegation that his personal data regarding job applications and job interviews were transferred to other employers without his knowledge and consent, and that there is no such practice as transferring the notes and impressions taken by employers about employee candidates to other employers; it was decided that there is no action to be taken within the scope of the Law regarding this complaint of the data subject.
Summary of the Decision of the Personal Data Protection Board dated 21/10/2021 and numbered 2021/1069 “Regarding the processing of personal data by sending a foreclosure notice to the relevant person, who is a relative of the debtor, by the bank’s lawyer”
As a relative of the debtor, it was stated that with the foreclosure notice sent to him by a Bank lawyer within the scope of Article 89/1 of the Execution and Bankruptcy Law, he determined that his personal data was shared with third parties in the notice without his explicit consent, and that he applied to both the Bank and the Bank lawyer. In the Bank’s response letter, it is stated that the Bank processes personal data for legal proceedings and other legal proceedings in order to collect its receivables in accordance with the principle of being connected, limited and proportionate to the purpose for which they are processed in Article 4 of the LPPD, and that Article 5/2/a-c and ç of the LPPD are relied upon; however, it is emphasised that the attachment notice was issued and sent personally by the Enforcement Directorate and that the Bank’s contracted lawyer did not have the opportunity to intervene in the notice. In the reply letter of the lawyer, it was stated that the Enforcement Directorate requested the Execution Directorate to send a notice of attachment to third parties, which is among the routine procedures for the attachment of the debtor’s rights and receivables for the collection of his client’s receivables, and that no other action was taken against third parties.
Since the bank is not the data controller in the concrete case, there is no action to be taken against it within the scope of the LPPD, and the processing of the name, surname, identification number and address information of the relevant person in order to send a notice of attachment to third parties within the scope of paragraph 89/1 of Article 89/1 of the Execution Law for the establishment of the transactions that the lawyer is obliged to carry out in order to collect the receivables of the bank that the lawyer is the representative of the bank. 5/2/e of the LPPD, “the provision that data processing is mandatory for the establishment, exercise or protection of a right”, it has been decided that there is no action to be taken against the data controller Lawyer within the scope of the LPPD regarding the complaint.
Summary of the Decision of the Personal Data Protection Board dated 02/11/2021 and numbered 2021/1104 on “Unlawful processing of personal data by the bank by sending SMS to the mobile phone number of the relevant person”
The data subject, who requested the data controller Bank to delete his/her data, states that the Bank continues to send information messages via SMS and e-mail and that he/she has applied to the Bank in this regard. In the reply letter sent by the Bank, it is stated that banks are obliged to keep all kinds of information and documents belonging to their customers for ten years, the ten-year storage period starts from the closing date of the accounts and products, which is the last transaction date, and considering that the 10-year storage period has not yet expired, the request for deletion of the personal data of the data subject cannot be answered positively, but necessary steps have been taken by the Bank in order to prevent the processing of personal data for secondary purposes; In cases where the Bank is legally obliged to provide information, it is stated that there is no obligation to obtain prior consent and the fact that the data subject has exercised his/her right to refuse does not constitute an obstacle to the notifications that must be sent to the recipients in accordance with the provisions of the relevant legislation to which the Bank is subject as a service provider.
It was decided to impose an administrative fine of 50.000 TL due to the processing of the personal data of the data subject by sending SMS, and it was concluded that it was not unlawful for the data controller not to fulfil the deletion request due to the expiration of the 10-year period.
Summary of the Decision of the Personal Data Protection Board dated 02/11/2021 and numbered 2021/1107 on “Failure to correct the credit rating of the data subject by the Bank and sharing his/her personal data with third parties”
Although the payment of the personal credit card was not delayed by the data subject, legal proceedings were initiated by the data controller Bank and unlawful transactions affecting the credit rating of the data subject were repeatedly carried out, the credit rating of the data subject was lowered, this transaction was corrected by the Bank upon the objection made and the credit rating was restored to a high level, but this transaction was repeated several more times by the Bank in the following months and each time it was corrected as a result of the insistent reactions of the data subject, financial information was shared unlawfully in violation of the truth, transactions such as loans, personal cards, etc. could not be made between the data subject and any financial institution, the reputation of the data subject was damaged and the applications made to the Bank were not responded. It has been stated that the reputation of the person concerned has been damaged and the applications made to the Bank have not been responded and it has been requested that the necessary action be taken against the data controller.
It has been stated that the data controller is obliged to be a member of the Risk Centre pursuant to Law No. 5411 and that it is required to notify the Risk Centre of the credit information, credit risk, etc. of its customers, that the notification of the financial data of the data subject to the Risk Centre by the data controller means transfer within the meaning of Article 8 of the LPPD and that the transfer activity in question is one of the processing conditions specified in Article 5 of the LPPD. 5 of the LPPD, it is within the scope of Art. 5/2/a-ç of the LPPD, but the active duty of care to ensure that personal data is accurate and, where necessary, up-to-date pursuant to Art. 4 of the LPPD is valid if the data controller draws a conclusion about the data subject based on this data. It has been observed that the data subject contacted the data controller via e-mail at different times and repeatedly requested the correction of the incorrectly transferred financial data to the Risk Centre. Considering these issues, the Board decided to impose an administrative fine of 150,000 TL as a result of violation of Article 4 of the LPPD.
Summary of the Decision of the Personal Data Protection Board dated 02/11/2021 and numbered 2021/1110 on “The data controller publishes the personal data of the customers for whom enforcement proceedings are initiated on a publicly accessible website”
It has been stated that the data controller company operating within a holding company shares the Turkish ID number, telephone number, vehicle registration plate and address information of its customers for whom enforcement proceedings have been initiated on an internet address, and that the purpose of this process is to ensure that if the persons to whom they give the internet address find the vehicles with the arrest warrant written here, these vehicles are caught and banned from traffic by making a 155 notification. In the response letter of the data controller, it was stated that their company sells second-hand vehicles in instalments and in cash, that if the payments are not made, legal action is taken by the company and enforcement proceedings are initiated and no transfer is made to third parties; when the internet address is examined, it is stated that such an address does not exist on their servers and that the application should be rejected since there is no content on the internet address that proves the claims of the person concerned.
It is stated that the notification petition was submitted to the Board via CİMER, that pursuant to Article 15/1 of the LPPD, the Board may initiate an ex officio examination on matters within its jurisdiction even if there is no complaint or notification, and that as a result of the examination of the internet address subject to the examination before the information and document request was sent to the data controller by the Authority, the names, T.R. ID numbers, addresses, arrest numbers of the persons concerned on the internet address. identification numbers, addresses, licence plates and models of the vehicles for which arrest warrants have been issued and by which law office the execution files are followed up, and when the website was tried to be accessed after the notification of the Authority’s request to the data controller, a warning was received that the website could not be reached. 5 of the LPPD, it was decided to impose an administrative fine of 200,000 TL, taking into account the intensity of the security risk posed by the unlawful data processing activity due to the large number and importance of personal data and the disclosure of these data on the internet.
Summary of the Decision of the Personal Data Protection Board dated 02/11/2021 and numbered 2021/1111 on “Illegally obtaining the criminal conviction information of the data subject by the data controller, who is a lawyer, and submitting it to the court file”
Within the scope of the labour receivables case, it was stated that the data subject’s testimony should not be complied with by presenting criminal conviction information by the data controller lawyer while the data subject’s knowledge and experience was applied as a witness of the defendant. In the reply letter given by the data controller lawyer, it was stated that the testimony of the person concerned is of a nature to affect the course of the case, and that the criminal record data can be learnt by every lawyer through the T.C. identification number of the person concerned. identity number of the person concerned, that the criminal record data was not obtained unlawfully by the parties, on the contrary, it was obtained through a judicial body on the threshold of information that is open to the parties due to the fact that they are attorneys, moreover, the criminal records of the persons are already accessible data by judges and prosecutors through UYAP, therefore, it is stated that the submission of this information to the court by the parties will not constitute a violation of the LPPD and Article 2 of the Attorneyship Law is referred to.
The provision in Article 2 of the Attorneyship Law is in contrast to the “special provision” in Article 7 of the Criminal Registry Law. It is clear that the regulation in Article 2 of the Law on Attorneys has the nature of a “general provision” in the face of the “special provision” in Article 7 of the Judicial Registry Law and does not authorise lawyers to access the criminal record information of the relevant persons ex officio, therefore, it is concluded that the criminal record information of the relevant person has been obtained unlawfully by the data controller, and for this reason, the personal data processing activity carried out by the data controller about the relevant person is unlawful, Based on the assessments that the fact that the judicial registry information, which is in the nature of special categories of personal data, was obtained unlawfully in the first place makes all processing activities of the data controller unlawful from the beginning, since there is no doubt that something legitimate cannot be built on something that is not in accordance with the law, it was decided to impose an administrative fine of 75. 000 TL administrative fine on the data controller, deletion of the personal data of the data subject kept by the data controller and linked to the unlawful processing purpose, and reminding that the data subject may file a criminal complaint under the Turkish Penal Code.
Summary of the Decision of the Personal Data Protection Board dated 04/11/2021 and numbered 2021/1127 on “The data controller university publishing the documents containing the personal data of the data subject on its website”
A 40-page letter containing personal data was sent by the Presidency of TÜBİTAK to the Presidency of the Council of Higher Education for information purposes, then the relevant letter was sent by the Legal Counselling Office of the Presidency of the Council of Higher Education to the universities for information purposes, and the said letter and documents labelled “CONFIDENTIAL” were sent by the data controller University to all University employees via e-mail to all academic or non-academic relevant or irrelevant personnel, It was stated that the documents were published on the website by the data controller, the Rectorate of the University, and in the response given by the data controller in response to the application made by the data subject regarding the subject, it was stated that this was done by mistake, and it was requested that the necessary action be taken against the data controller within the scope of the KVKK due to the sharing of the documents related to the ongoing litigation process with unrelated third parties both via e-mail and website.
Since it is evaluated that sharing the personal data of the person concerned in the document, which will affect academic incentives, appointments and promotions, with the deans of the faculties through the EBYS system of the Institution is legal within the framework of Article 5/2/ç-e subparagraphs of the LPPD, there is no action to be taken within the scope of the LPPD, and the personal data of the person concerned in the document is published on the website of the University used for academic studies in accordance with Article 5/2/e of the LPPD. 5/2/e of the LPPD by publishing the personal data of the person concerned in the document on the website of the University used for academic studies by publishing the personal data of the person concerned in the document on the website of the University used for academic studies in accordance with Article 5/2/e of the LPPD. 4/2/ç, and it was decided to take action against the responsible persons within the framework of Article 18/3. paragraph and to inform the Board about the result of the transaction.
Summary of the Decision of the Personal Data Protection Board dated 11/11/2021 and numbered 2021/1153 on “Processing of personal data by sending SMS with advertisement content to the data subject by the data controller selling medical products”
It was stated that a commercial electronic message with advertisement content was sent to his mobile phone number from a data controller selling medical products, that he applied to the data controller with a petition requesting information about how his personal data was obtained and the deletion of his personal data by declaring that he did not have his explicit consent for the processing of his personal data, that they did not have any data other than the phone number of the person concerned, that the mobile phone number was the number given by another patient registered within the data controller as contact information, that this patient had consent to receive advertising and promotional messages and that it was thought that he may have given the number of the person concerned by mistake; However, it was stated that this answer given by the data controller was insufficient and that the data controller was negligent in the incident in question due to the realisation of the approval mechanism without verification, and it was requested that the necessary action be taken.
Regarding the unlawful processing of personal data by sending commercial electronic messages to the data subject; it has been concluded that the mobile phone number in question is not processed as a data associated with the data subject in the records of the data controller, that the incident subject to the complaint occurred as a result of an inadvertent notification of an incorrect number by a customer, and that these issues can be confirmed by the data controller with documents, and that there is no action to be taken against the data controller within the scope of KVKK, Article 7 of the Law regulating the deletion, destruction or anonymisation of personal data and Article 7 of the Law regulating the deletion, destruction or anonymisation of personal data. Article 7 of the Law regulating the deletion, destruction or anonymisation of personal data and the Regulation on the Deletion, Destruction or Anonymisation of Personal Data, and to instruct the data controller to destroy the personal data of the data subject and to inform the Board in this regard.
As GRC Legal, we believe that the concrete case constitutes a good example for data controllers to query whether the publicised contact addresses regarding the sending of commercial electronic messages belong to the publicised person.
Summary of the Decision of the Personal Data Protection Board dated 25/11/2021 and numbered 2021/1187 on “Access to the corporate e-mail account of the data subject, who is a former employee, by the data controller employer without disclosure”
It is stated that the data controller is a former employee of the company, in the content of the evidence lists submitted to the case files in which the data subject and the data controller are mutual parties, it is seen that the contents of the conversations made by the data subject with his fiancée via e-mail, personal bank account statements and expenditure records, which are personal data of the data subject, are accessed, that no explanation or notification has been made by the data controller stating that the e-mail addresses given to the company employees should be used only for business purposes, that as a result of the platforms used, as per Art. 9 of the LPPD as a result of the platforms used, but it was not carried out in accordance with the procedure and personal data were not deleted despite the request regarding Article 11 of the LPPD.
It is clear that corporate e-mail accounts will only be used for the purpose of performing the work, therefore, a personnel working as an expert in the field of informatics should be aware of this requirement, applying additional audit criteria to the relevant person in this regard would be contrary to the ordinary course of life and there is no need to warn the relevant person not to use the corporate e-mail account, Within the scope of the employer’s management authority, it is stated that as a rule, the employer may monitor the communication tools that the employee uses and may stipulate limitations on their use, that the relevant person completely deleted the e-mail address containing twelve years of commercial information at the time of leaving the job and when the e-mail address was restored in order to access this information, it was clearly and clearly determined that the relevant person obtained unfair gain in complete violation of the obligation of loyalty.
While deciding on the matter, the Board referred to more than one Constitutional Court Decision and Human Rights Court Decision and mentioned the criteria that will guide the employer to monitor the communication. As a result of the decision evaluated within the framework of these criteria, it was decided to impose an administrative fine of 250,000 TL on the data controller who did not inform.
Summary of the Decision of the Personal Data Protection Board dated 02/12/2021 and numbered 2021/1214 “On the arrangement of the attendance list containing the personal data of the people receiving the training in the training given by a university in a way that can be seen by other participants”
Since it is understood that the Ministry responded to the application of the relevant person after the 30-day period, a reminder to observe the 30-day period while responding to the applications, in case it is necessary to include another data identifying the person other than the name and surname of the person in the attendance tracking chart used by the data controller University while fulfilling the legal obligation for attendance tracking; to instruct the data controller University to mask the relevant data, to review the attendance tracking chart again and put it into practice, to inform the Ministry to inform other educational institutions that provide the training, considering the fact that there are other institutions that provide the relevant training and that there may be similar practices, to inform the Ministry to inform other educational institutions that provide the training, to inform the data controller University in the process of processing the personal data of the trainees while providing training, Article 10 of the KVKK titled “Obligation of the data controller to inform” and Article 10 of the Obligation to Inform. Article 10 of the LPPD titled “Obligation of the data controller to inform” and the provisions of the Communiqué on the Procedures and Principles to be followed in the Fulfilment of the Obligation to Inform.
Summary of the Decision of the Personal Data Protection Board dated 02/12/2021 and numbered 2021/1217 on the “allegation that an unrealistic, honour and dignity-damaging television news was made about the relevant person by using the photographs of the mother and her child who has the title of the relevant person”
In the main news programme, photographs of the person concerned and his child were used to broadcast the statements that the person concerned had a son and a daughter from his first marriage, that he had been married to someone else for six years, that his son from his first marriage stabbed the person concerned, that one of the stab wounds hit the person concerned in the heart, that the person concerned was fighting for his life and that the murderous son was arrested, It was stated that the use and dissemination of the photograph taken from the Facebook page of the person concerned, which was not related to the incident subject to the news, was clearly against the law, that despite the application made to the media company, the violation of the law was not eliminated within the thirty-day legal period, and that the applicants were not informed.
Due to the fact that the name and surname information of the relevant person is mentioned in the news content and it is possible to confirm the photographs from open sources by using this name and surname information, it should be accepted that there is no reasonable balance between the form and substance of the news, in other words, the news is disproportionate, in addition, it can be argued that it is not necessary to reflect the photographs on the screen, even in a blurred / frosted form, in terms of the form of the news, and that the news made by the data controller by using the information and photographs of the relevant person and her child is in violation of Art. 28/1/c of the LPPD, it was decided to impose an administrative fine of 300,000 TL since it was concluded that the personal data was processed by the data controller without any processing conditions.
Summary of the Decision of the Personal Data Protection Board dated 25/11/2021 and numbered 2021/1187 on “Access to the corporate e-mail account of the data subject, who is a former employee, by the data controller employer without disclosure”
The complaint made by the data subject has focused on three allegations that “the data controller failed to fulfil its obligation to inform the data subject arising from Article 10 of the LPPD during the continuation of the employment contract between them”, “after the termination of the employment contract with the data controller through termination by action, the photographs and other personal data of the data subject continued to be kept on the website of the data controller, the keeping of such data on this website depends on the explicit consent of the data subject, but the explicit consent of the data subject was not obtained on the subject and this situation constitutes unlawful personal data processing activity” and “the application made by the data subject in accordance with Article 13 of the LPPD was not responded adequately by the data controller”. The complaint subject to review has been evaluated under three headings under which the allegations of the data subject are concentrated. Although the data subject has been informed within the scope of GDPR obligations, the data controller is reminded to take care to fulfil the obligation to inform in accordance with Article 10 of the LPPD in terms of personal data processed in Turkey, the data subject is informed that he/she should take action before the judicial authorities for the resolution of disputes arising from the business relationship between the data controller and the data subject, the data subject is informed that he/she should take action before the judicial authorities for the resolution of disputes arising from the business relationship between the data controller and the data subject, and the data controller is informed by the data subject that he/she should take action before the judicial authorities for the resolution of disputes arising from the business relationship between the data subject and the data controller in accordance with Art. 11 and 13 of the LPPD and Article 5 of the Communiqué on the Procedures and Principles of Application to the Data Controller, and to instruct the data controller to finalise the applications to be made by the data subject in accordance with the effective, lawful and honesty rule.
Summary of the Decision of the Personal Data Protection Board dated 09/12/2021 and numbered 2021/1239 on “Sharing of personal data by the data controller Bank by making calls over the phones of the family of the data subject”
Considering that the debtor follow-up made by the data controller due to the risk incurred was made for the phone number registered in the Risk Centre system, no determination could be made that personal data was shared by the data controller from the available information and documents, and the necessary action was taken in a short time regarding the calls upon the request of the data subject, it was decided to remind the data controller that there is no action to be taken against the data controller within the scope of KVKK, to be more careful in terms of the protection of personal data in telephone calls and to inform the personnel on this issue.
Summary of the Decision of the Personal Data Protection Board dated 09/12/2021 and numbered 2021/1243 “Regarding the processing of the e-mail address, which is the personal data of the data subject, by a human resources company for the purpose of sending e-mails for advertising and marketing purposes”
It is stated by the data controller that the e-mail address information of the data subject is obtained within the scope of survey and promotion works within the framework of economic activities and processed within the framework of Art. 5/2/d of the LPPD, however, the data controller did not include any explanation by the data subject regarding the method and on which platform or medium the data subject has the will to make his/her e-mail address information public, nor did it include any document proving how it was obtained within the framework of survey and promotional activities in the annex of the letter, the data controller’s explanations regarding how the personal data of the data subject was obtained and under which processing condition it was processed lacked legal basis, it carried out data processing activities without any legal processing conditions within the framework of Article 5 of the LPPD. article 5 of the LPPD, it is understood that the data controller has carried out data processing activities without any legal processing conditions within the framework of Article 5 of the LPPD, and that the data subject has also requested the deletion of his personal data; since it is understood that the data controller has acted contrary to the obligation to “prevent unlawful processing of personal data”, it has been decided to impose an administrative fine of 50,000 TL on the data controller, and to instruct the data controller to inform the Board by destroying the personal data of the data subject and transmitting the log records regarding the destruction process to the Authority.
Summary of the Decision of the Personal Data Protection Board dated 10/03/2022 and numbered 2022/229 on “Unlawful processing of personal data through cookies used in the website/mobile applications by the data controller company operating in the e-commerce sector”
That information is provided with a pop-up in the lower left corner of the page and a box containing explanations as soon as the data controller’s website is entered, that there is no indication that the explicit consent of the persons concerned is applied in terms of cookies that are not strictly necessary, and that the visiting users consent to the operation of the cookies in question with the voluntary active movement of the relevant persons at the time of entry to the website / mobile application, Therefore, it is necessary to obtain explicit consent according to the “opt-in” mechanism, which stipulates that cookies do not work as the default setting, adding a link that can direct to the Cookie Policy is important in order to make the clarification on cookies more easily accessible, therefore, it is necessary to update the text in question to add a direct link to cookies, based on the evaluations; KVKK 5 and 6. The Board imposed an administrative fine of TL 800,000 on the data controller since the processing activity was carried out without relying on any of the conditions set out in Articles 5 and 6 of the LPPD, personal data was transferred without relying on any of the transfer procedures set out in Article 9, and these issues constituted a violation of the provision of Article 12/1.
If there is no data processing condition other than explicit consent in the operation of non-mandatory cookies, it was decided to instruct the users to obtain explicit consent according to the “opt-in” mechanism, which ensures that the users give consent to the operation of the cookies in question with the voluntary active action of the relevant persons at the time of entry to the website / mobile application, and therefore, cookies should not work as the default setting, and to be finalised within 30 days.