In July 2022, the Turkish Personal Data Protection Authority (“Authority”) announced five breach notifications and issued 12 decisions relating to various industries and sectors including insurance, health, and banking.
On 18 July 2022, the Authority published its decision on a data subject’s complaint alleging that a data controller in the health sector sent a commercial electronic message to the data subject without obtaining their explicit consent to send messages. The Authority found that the data controller had obtained the contact data of the data subject for another purpose other than sending commercial electronic messages and therefore decided to impose a monetary fine on the data controller.
In its decision, the Authority stated that:
Based on the above-mentioned evaluation, the Authority decided to impose a monetary fine of TRY 100,000 (approx. EUR 5,470) on the data controller for the unlawful data processing activity of sending a commercial electronic message to the data subject’s e-mail address for advertising and marketing purposes without any legal basis. You can access the decision here (available in Turkish only).
On 18 July 2022, the Authority published its decision on a data subject’s complaint alleging that an insurance company had processed their personal data without legal grounds. As a result of the examination, the Authority concluded that the insurance company had processed the individual’s personal data to carry out the insurance policy executed between the data subject and the insurance company.
The most important aspect of the decision is that the Authority has highlighted that data subjects are able to apply to data controllers via a lawyer without a power of attorney involving a special authority to apply to data controllers.
During the examination, the insurance company stated in its defence that the application was made by the data subject’s lawyer with a general power of attorney, but that, a special power of attorney is required to make such an application. Following its investigation, the Authority concluded that data controllers cannot seek a special power of attorney for applications made by data subjects’ lawyers, as there is no provision stipulating such a requirement in Turkish law. For detailed information, please see our article here.
| Data Controller | Affected Data Subjects | Affected Personal Data | Number of Data Subjects |
| NeoPets Inc. | Users, Members, Children | Identity, Information on Communication and Transaction Security | N/A |
| Surtaş Otomotiv ve Servis Hizmetleri Sanayi Ticaret Limited Şirketi | Employees, Customers, Potential Customers | Identity, Communication Information and Audio and Visual Records | 1200 |
| Türkiye Elektrik Dağıtım A.Ş. | Employees, Citizens | Identity, Communication Information | 208,000 |
| Knauf İnşaat ve Yapı Elemanları San. And Tic. A.Ş ile Knauf Insulation Izolation San. ve Tic. A.Ş |
N/A |
N/A |
N/A |
| Meklas Otomotiv San. ve Tic. A.Ş. | Employees, Users, Customers, Potential Customers | Identity, Information on Communication, Personnel, Transaction Security, Finance, Marketing, Audio and Visual Records, Health, Philosophical Belief, Religion | 142 |
For more information please contact Ceren Ceyhan, Associate, at cceyhan@gentemizerozer.com, and Hatice Nur Arslan, Legal Intern, at narslan@gentemizerozer.com.
For detailed information on how we processes your personal data, please see the Clarification Text here.
© 2022 2minrecap.com | All rights reserved.
developed by mare.design