Turkey's Personal Data Protection Board Released Three New Decisions
| Data Protection
Turkey's Personal Data Protection Board Released Three New Decisions
Article by Ertuğrul Can Canbolat, Baran Can Yıldırım, and S.İrem Akın
The Turkish data protection legislation has become one of the hot topics since its announcement in the Official Gazette in 2016. This has not only raised the question for the companies how to minimize the risks of non-compliance thus to reduce the possibility to be fined, but also lead to some controversies with regard to its both substantive and procedural parts. On the other hand, the Turkish Data Protection Authority ("DPA") continues its activities in an efficient manner given its guidelines and decisions published on its website.
In this regard, the DPA recently announced three decisions that may provide guidance for freedom of press, social media platforms, and job application process. Within this article, we are highlighting the main aspects of these decisions.
One of the decisions relates to the application of an individual requesting for a column in a newspaper, which gives a reference to her/his name, to be deleted. In this regard, the DPA concluded that considering the concerned individual is a "public figure", the relevant column is protected under the freedom of press (i.e. freedom of speech), according to the Turkish data protection legislation. There, the concerned individual's request has been rejected.
Another recent decision concerns the share of applicant's medical report which is deemed as one of the "special categories of personal data" under the Turkish data protection legislation. In its short decision, the DPA states that the doctors involved in the treatment took photos of the screenshot (concerning the data subject's health report) obtained from the data controller's mobile application and shared them through their social media platforms.
Accordingly, the DPA imposed a fine on the data controller due to the fact that it failed to take all the necessary technical and organizational measures for providing an appropriate level of security in order to safeguard personal data.
Lastly, the DPA imposed fines on an online human resources services company and to a company group, based upon unlawful sharing of personal data of the job applicants. In this regard, the DPA has found that:
- after the online job application made by a data subject via a platform, the sharing of the information about the application, name/surname, and e-mail address of the applicant with other job applicants without a legal basis constitutes a violation of the obligations of a data controller under the Turkish data protection legislation.
- transfer of personal data between the data controller companies within the same group is considered as a transfer of data to third parties and any transfer of a job applicant without his/her consent between those companies is against the Turkish data protection legislation.
Finally, it should be noted that none of the decisions refers to the amount or calculation method of fine imposed to the concerned data controllers.
In the light of the above, it appears that the Turkish companies are facing problems in ensuring that all necessary technical and organizational measures for providing an appropriate level of security in compliance with the Turkish data protection legislation. Furthermore, those decisions also highlight that (i) any analysis under the Turkish data protection law is in connection with other fundamental legal principles such as freedom of speech and (ii) special attention should be paid by the online service providers and company groups. Consequently, it appears that as anticipated, the DPA has become more and more effective in each year.
It will be interesting to observe whether authorities in other jurisdictions will monitor the DPA's decisions and take actions to find out whether the concerned companies are violating the data protection rules in their jurisdiction.