In April 2021, the Turkish Personal Data Protection Board (the “Board”) published significant decisions regarding a lawyer’s position vis-à-vis third parties and data protection, as well as on the obligations relating to the transfer of personal data as part of the transfer of assets.
In April, the Board also organised two webinars: one on data privacy in the digital era, and another on medical ethics and data privacy. During the webinar on data privacy in the digital era, the president of the Board, Faruk Bilir, underlined that the Board is working to align the Turkish Data Protection Law (“DP Law”) with the GDPR.
The Board makes an evaluation regarding a lawyer
The Board assessed a lawyer’s position in a case where a bank (the “Bank”), acting as a data controller, transferred its customer’s data to its contracted lawyer (the “Lawyer”). In the case in question, the customer’s data included a telephone number belonging to the customer’s sister. As a result, the Board imposed an administrative fine of TRL 175,000 (approximately EUR 17,500) against the Bank, as the processing of the customer’s sister’s data and transfer to a third party constituted a violation of DP Law. (See our detailed analysis of the decision here).
Concerning the Lawyer’s position, the Board concluded that:
- The Lawyer is the data processor, as he processes personal data on behalf of the Bank within the framework of the instructions given by the Bank based on an attorney-client relationship.
- The Lawyer processed the personal data to fulfil his liabilities arising under (i) the Law on the Legal Profession and (ii) the Bankruptcy and Enforcement law and secondary laws.
- The Lawyer is not able to know that the telephone number in the system belongs to the customer’s sister, as the system does not state to whom the telephone number belongs.
- Once the Lawyer realised that the number does not belong to the customer, he immediately removed the telephone number from the records and notified the Bank of this matter.
- As a result, no sanction has been imposed against the Lawyer.
The Board evaluates obligations arising from the transfer of assets
In April, the Board also evaluated the enforcement of the DP Law in relation to health data processed by workplace doctors and transferred as part of an asset transfer transaction. In the case in question, the assets of a company were acquired by another company (the “Transferee”). (Our detailed analysis of the decision is here).
In its conclusion, the Board underlined that the Transferee processed the personal data in question in 2014–2015, before the effective date of the DP Law, and therefore failure to fulfil the obligation to inform the data subject was not deemed a violation of the DP Law.
The Board also confirmed that data controllers can process the health data of both current and former employees in a manner that limits the access of workplace doctors, as workplace doctors are under the obligation of confidentiality. In this respect, workplace doctors may process health data without obtaining the explicit consent of employees, provided that the data controllers take adequate measures to protect sensitive data.
The Board announced the following data breach notifications in April
| Data Controller | Affected Data Subjects | Affected Personal Data | Number of Data Subjects |
| --- | --- | --- | --- |
| Air India Limited | Customers | Identity, membership status, username, e-mail address, telephone, flight code, date of birth, gender, credit card information | N/A |
| Pierre Fabre Dermokozmetik Ltd. Şti. | Employees, users, customers, and potential customers | Identity, contact, location, personnel information, transaction, customer transaction, risk management, financial, professional experience and marketing, and association membership information | N/A |
| Pierre Fabre İlaç AŞ | Employees, users, customers, and potential customers | Identity, contact, location, personnel information, transaction, customer transaction, transaction security, risk management, financial, professional experience and marketing, and association membership information | N/A |
| Sine İtriyat Par. Tem. Ür. Gıd. İnş. Mim. Müh. İth. İhr. ve Tic. AŞ | Employees, users and customers | Identity, contact, personnel information, customer transaction, transaction security and financial information | N/A |
| Karacabay Turizm San. ve Dış Tic. Ltd. Şti. | Employees and customers | Identity and personnel information | N/A |
| Yapı ve Kredi Bankası AŞ | N/A | Identity, contact, credit risk and collateral standing, payment performance, and bounced check and protested bill payment information | Appx. 2,484 |
| Akademisyen Yayınevi Kitabevi Dağıtım Bilgisayar Tercümanlık İth. İhr. Tic. AŞ | Users, subscribers, customers and potential customers | Identity, contact, location and customer transaction information | 63,294 |
| DLSY Adi Ortaklığı | Employees, employee relatives and subcontractor employees | Identity, communication, location, personnel information, legal transaction, physical space security, transaction security, financial, professional experience, audio-visual records, association membership, foundation membership, union membership, health information, criminal conviction and security measures | Appx. 20,000 |