Two-minute recap of recent developments in Turkish Data Protection Law

August ’23

Turkish Data Protection Law

Reading time: 163 seconds

In August 2023, the Turkish Personal Data Protection Authority (the “DPA”) issued two decisions and published 12 data breach notifications.

Newly announced: Google now has permission for cross-border data transfers

In August, the DPA granted approval for Google Reklamcılık ve Pazarlama Limited Şirketi (“Google”) to transfer personal data abroad. The decision, dated 17 August 2023, came after a thorough evaluation of Google’s application with written undertaking for cross-border personal data transfers.

Healthcare institutions’ activities based on explicit consent under scrutiny

On 14 August, the DPA published two violation decisions concerning the processing of personal data by healthcare institutions based on the explicit consent of data subjects.

Key points addressed within the decisions include:

In the first decision, the DPA found that a private healthcare institution’s activity was unlawful, ruling that they had engaged in promotional activities by sharing patients’ data on social media, despite having the explicit consent of the patients.

In its assessment, the DPA emphasised that data processing activities must align with legal regulations in the broadest sense to be considered legitimate under the principle of processing data for specific, clear, and lawful purposes. Although the healthcare institution claimed that they can carry out informational and promotional activity and that it is legitimate, the DPA stated that to consider an activity as legitimate, it should be in line with the applicable legislation. In this regard, the DPA stated that, despite the fact that the healthcare institution had acquired patients’ explicit consent, the activity in the concrete case exceeded informational and promotional activities permitted by Turkish law. Therefore, this processing of personal data was found unlawful, and as a result, the data controller faced an administrative fine of TRY 250,000 (approx. EUR 8,450).

In the second decision, the DPA reiterated that explicit consent should not be conditional. In this case, a private healthcare institution required patients seeking an appointment to explicitly consent to marketing activities. The DPA ruled that this condition violated the element of “free will”. As a result, an administrative fine of TRY 300,000 (approx. EUR 10,140) was imposed on the healthcare institution.

For more details on these decisions, you can access our article summarising them here.

The DPA announced the following data breach notifications in August:

Data Controller	Affected Data Subjects	Affected Personal Data	Number of Data Subjects
Vodatech Bilişim Proje Danışmanlık Sanayi ve Dış Ticaret	Employees, Family Relatives of Employees, Suppliers, Business Partners, Customer Employees and Employee Candidates	Identity, Communication, Personnel Information, Finance, Professional Experience Data	9,746
Diler Holding and Below Group Companies Atlas Enerji Üretim Bodova Turizm Yatçılık San. ve Tic. Diler Demir Çelik Endüstri ve Ticaret Diler Denizcilik ve Tic. Diler Elektrik Üretim Diler Dış Ticaret Esm Denizcilik ve Ticaret Eti Toprak Endüstrisi ve Ticaret Renar Bitkisel Üretim Sanayi ve Ticaret Resa Demir Sanayi ve Ticaret Yazıcı Demir Çelik San. ve Turizm Ticaret	Employees and Users	Identity, Communication, Personnel Information, Legal Transaction, Customer Transaction, Physical Place Security, Transaction Security, Risk Management, Finance, Professional Experience, Marketing Data and Audio and Visual Recordings	1,200
UPS Hızlı Kargo Taşımacılığı	Customers	Identity, Communication, Customer Transaction Data, Audio and Visual Recordings	N/A
AgeSA Hayat ve Emeklilik	Customers	Identity, Communication, Customer Transaction Data, Audio and Visual Recordings	N/A
Derimod Deri Konfeksiyon Pazarlama Sanayi ve Ticaret	Customers	Identity, Communication, Customer Transaction Data, Audio and Visual Recordings	N/A
Oto Plan Operasyonel Taşıt Kiralama Ticaret	Customers	Identity, Communication, Customer Transaction Data, Audio and Visual Recordings	1,236
YOYO Bilgi Teknolojileri ve Turizm Ticaret	Customers	Identity, Communication, Customer Transaction Data, Audio and Visual Recordings	5,464
Gulf Sigorta	Employees and Customers	Identity, Communication, Customer Transaction Data, Audio and Visual Recordings	295,288
Atatürk Üniversitesi	Employees and Students	Identity, Communication, Data, Information on the Department of Education	Approx. 12,000
Puma Spor Giyim Sanayi ve Ticaret	N/A	N/A	N/A
Dagi Giyim Sanayi ve Ticaret	Customers	Identity, Communication, Customer Transaction Data, Audio and Visual Recordings	6,936
Beşiktaş Sportif Ürünleri Sanayi ve Ticaret	Customers and Potential Customers	Identity, Communication, Customer Transaction Data, Audio and Visual Recordings	Approx. 27,920

For further information please contact Ceren Ceyhan, Associate at cceyhan@gentemizerozer.com, Hatice Nur Arslan, Junior Associate, narslan@gentemizerozer.com, or Bahar Bozdemir, Legal Trainee, at bbozdemi@gentemizerozer.com.

All Turkish Data Protection Law

Found this interesting? Subscribe to our monthly Turkish Data Protection Law newsletter to get the latest news delivered to your inbox.

For detailed information on how we processes your personal data, please see the Clarification Text here.

JOIN NOW

JOIN NOW

August ’23

August ’23

July ’23

June ’23

May ’23

April ’23

March ’23

January & February ’23

December ’22

November ’22

October ’22

September ’22

August ’22

July ’22

June ’22

May ’22

April ’22

March ’22

February ’22

January ’22

December ’21

November ’21

October ’21

September ’21

August ’21

July 21′

June ’21

May ’21

April ’21

March ’21

February ’21

January ’21

Found this interesting? Subscribe to our monthly Turkish Data Protection Law newsletter to get the latest news delivered to your inbox.