Quick Read: Data Protection Law Updates in Turkey – August 2024

August 2024 – In August, the Turkish Data Protection Authority (“DPA”) focused on several key issues including updates on personal data processing, the release of translated by-laws and standard contract clauses, the announcement of an intergovernmental partnership, and details of two data breach notifications.

Quick reminder: Cross-border data transfer rules effective from 1 September!

As of 1 September 2024, data controllers must comply with the new rules on cross-border data transfers introduced by the amendments to the Turkish Data Protection Law (“DP Law”) on 12 March 2024. Importantly, data controllers will no longer be allowed to rely on explicit consent for ongoing cross-border data transfers.

You can read our article on these new rules here.

Dive into August updates

1. Official English translation of the “By-Law on Cross-Border Transfers of Personal Data and Standard Contractual Clauses” is published

On 10 July 2024, the DPA issued the "By-Law on the Procedures and Principles for the Transfer of Personal Data Abroad" (“By-Law”) together with essential documents for cross-border data transfers.

On 29 August 2024, the DPA published English translations of the By-Law and templates for standard contractual clauses. However, under Article 14 of the By-Law, it is mandatory to use the standard contract text without modifications, and if executed in a foreign language, the Turkish text prevails. Therefore, the English versions are provided for informational purposes only.

You can access the English versions of these documents here.

2. Close examination of VERBIS registration: DPA fines data controllers for non-compliance

On 1 August 2024, the DPA reminded data controllers of their obligation to register with the data controllers’ registry, VERBIS, and announced fines for non-compliance.

As part of this announcement, it was revealed that out of approximately 130,600 data controllers required to register, 16,350 failed to meet this obligation. As of 1 August 2024, the DPA imposed administrative fines totaling TRY 503,935,000 (approx. EUR 14 million) on non-compliant data controllers, including domestic and foreign data controllers. The fines were determined based on an algorithm prepared according to the total assets of the annual financial balance sheet.

3. The DPA and Ministry of Trade sign cooperation protocol

On 28 August 2024, the DPA and Ministry of Trade announced that they have signed a cooperation protocol to enhance consumer awareness about digital advertisements and applications and to strengthen control over consumers' personal data.

The protocol addresses issues such as targeted advertising based on personal data and deceptive commercial designs (“dark patterns”) that are aimed at consumers in digital environments. It was noted that a large amount and variety of personal data are used in these processes, posing certain risks to personal data that enable decision-making specific to individuals and make them identifiable.

The announcement also explained that the Ministry of Trade's Directorate General for Consumer Protection and Market Surveillance and the DPA signed the cooperation protocol to raise awareness across all segments of society about targeted advertising and deceptive commercial design practices, to monitor international regulations and practices related to the use of personal data in digital advertising and applications, and to develop joint policies against existing or potential violations.

4. Informative note on personal data processing based on law

On 5 August 2024, the DPA published an informative note clarifying the personal data processing activities conducted based on the legal ground of "explicitly provided by law" under Article 5 of the DP Law.

The note discusses this condition within the framework of the GDPR and provides examples of the relevant legal regulations. It also clarifies that personal data processing based on secondary regulations established under a specific law provision falls under the "explicitly provided by law" condition.

5. Public announcement regarding telephone surveys conducted through random number dialing

On 26 August 2024, the DPA addressed complaints about surveys conducted by research companies using random number dialing. The DPA concluded that this activity does not fall under the statistical purposes provision of the DP Law. However, recording such calls may be justified under legitimate interest, provided explicit consent is obtained from those willing to participate in the relevant survey.

The DPA determined that the following factors could justify the legality of processing personal data under the necessity of processing for the legitimate interests of the data controller:

  • The phone numbers are generated through the "random number dialing" method used in public opinion research and are not obtained from any source.
  • The generated number is not visible to the interviewer.
  • The processing of personal data, including the call date and duration, the calling and called numbers in the traffic log, and the inclusion of numbers in a do-not-call list for those who request not to be called again, as well as recording the call, is done to monitor the quality control of the research, ensure that the researcher fulfills their obligations, and provide evidence in case of legal disputes.

Additionally, the DPA emphasised that individuals must be informed at the outset about who is making the call, which personal data is being processed, that their phone number was generated through a random number dialing method, and the purpose of the processing. The DPA emphasised that the phone conversation and data processing may only continue if the individual provides explicit consent after being informed.

 
Data breach notifications

  • A cyber-attack on Maltepe Üniversitesi's user account resulted in a data breach with ransomware. Details of the affected data subjects have not yet been disclosed.
  • A data breach at Gündoğdu Mobilya Sanayi affected the personal data of users, employees and customers. Accordingly, the identity, contact, location, personnel information, legal transaction and customer transaction-related data of specified data subjects have been affected.