Sometimes 2min is plenty, even for law

January ’22

Reading time: 100 seconds

In January 2022, the Turkish Personal Data Protection Board (the “Board”) published two decisions—one of which is a principle decision—and announced four data breach notifications. In addition, in January the Board released its draft guidelines on the use of cookies and announced that the draft guidelines will be available for public opinion until 10 February 2022. The Board also approved the application of the Turkish Football Federation regarding cross-border data transfer.

On 28 January, the Board organised a conference in honour of Data Protection Day. During the conference, the participants underlined the importance of personal data protection and highlighted that the importance of privacy will increase in the age of digital technologies. You can find detailed information about the conference here (in Turkish only).

New Concept Alert: Joint Data Controller

On 20 January 2022, the Board issued a principle decision in the Official Gazette on the practice of blacklisting customers in the car-leasing sector. Privacy violations arising from the use of software that provides blacklisting functions were evaluated, and a new concept—the term “joint controller”—was introduced within Turkish Personal Data Protection Law (“DP Law”). For detailed information, please see our article here.

As background to its decision, the Board received several complaints that car-leasing companies are using software that provides a blacklisting tool. Allegedly, this tool allows the recording of customer information, including their personal data, and the ability to share this data with other car-leasing companies.

The Board underlined that car rental transactions are concluded within the scope of an agreement and stated that data controllers (i.e., car-leasing companies) may process the personal data of the data subject through a blacklist within the scope of the legitimate interest of the data controller. However, the Board pointed out the importance of applying a balance test between the legitimate interest of data controllers and real persons’ fundamental rights and freedoms.

As a result, the Board concluded that:

  • if the personal data of customers on the “blacklist” is disclosed to other car-leasing companies by using the same software/application, this constitutes a violation of the fundamental rights and freedoms of customers;
  • if the blacklist is disclosed to other car-leasing companies, all car-leasing companies and the software company providing the blacklist application will be considered joint controllers. Thereby, the concept of joint controller has been defined in Turkish data protection law for the first time; and
  • data processing procedures shall be scrutinised in each concrete case in order to determine the liabilities and negligence of the joint controllers.

The Board is “cooking” draft guidelines on cookies

On 11 January 2022, the Board published draft guidelines (“Guidelines”) to provide an advisory and guiding document for data controllers who process personal data through cookies. The Guidelines have been made available to those wishing to give their opinion and will remain open for public opinion until 10 February 2022. You can find the Turkish version of the Guidelines here.

In the Guidelines, the Board mainly elaborates the following matters:

  • the definition of and types of cookies;
  • the relationship between the DP Law and Turkey’s Electronic Communications Law (numbered 5809);
  • guidance on when explicit consent is necessary regarding the use of cookies;
  • several cookie implementation examples (both correct and incorrect ways of usage).

The purpose of the Guidelines is to help data controllers act in compliance with the law when using cookies and processing personal data during the operation of their websites. In addition, the Board states that data controllers do not need to obtain explicit consent in circumstances where:

  • the use of cookies relates to the provision of communication on electronic communication networks; or
  • the use of cookies is strictly necessary for the information society services that are explicitly requested by the subscriber or user.

The Board announced the following data breach notifications in January

| Data Controller | Affected Data Subjects | Affected Personal Data | Number of Data Subjects |
|---|---|---|---|
| Logo Yazılım Sanayi ve Ticaret A.Ş. | Users, Customers, Potential Customers | Name and surname, title, identity, tax ID No., contact, finance, customer transaction data | N/A |
| Industries S.p.A. | Customers | Identity, contact, shopping history | 31,748 |
| Moncler İstanbul Giyim ve Tekstil Ticaret Ltd. Şti. | Employers, Customers, Business Partners, Suppliers | Identity, contact, shopping history, payroll, health and commercial data | 20,005 |
| Pizza Restaurantları A.Ş. (Domino’s Pizza) | Customers | Year of birth, name and surname, mobile phone number, e-mail address, customer ID | 180,000 |

For more information please contact Ceren Ceyhan, Associate, at cceyhan@gentemizerozer.com, and Legal Trainees Osman Tuğberk Çakırca, at ocakirca@gentemizerozer.com, and Hatice Nur Arslan, at narslan@gentemizerozer.com.
