In May 2022, the Turkish Personal Data Protection Board (the “Board”) announced three data breach notifications and issued 15 decisions on various practice areas including banking, e-commerce, recruitment, and pharmaceuticals.
On 23 May, the Board issued a decision based on the complaint of an employee against their former employer residing outside of Turkey. The employee alleged that the employer continued to process their personal data after the termination of the employment agreement without any legal ground.
The Board determined that the employer had fulfilled its obligation arising from the GDPR. However, the employer did not fulfil its obligations under Turkish DP Law and continued to share the employee’s photograph on its website without any legal grounds. Accordingly, the Board concluded that compliance with the GDPR alone is not sufficient and that the data controller must comply with Turkish DP Law as well.
The employee worked in a liaison office of a foreign employer. The employee alleged that the employer continued to store their personal data and share it on the employer's website after the termination of the employment relationship. In addition, the employee alleged that the employer failed to fulfil its obligation to inform either during the employment relationship or after its termination.
As the liaison office is not a legal entity, the Board initiated an investigation against the foreign employer.
In its decision, the Board concluded as follows:
1. Failing to fulfil the obligation to inform arising from the DP Law: The Board determined that the employer fulfilled its obligation to inform under the GDPR when the data subject worked in the London office of the employer. However, the employer failed to perform its obligation to inform arising from the DP Law once the employee started to work in Turkey.
2. Continuing to share the employee’s personal data on the website: The Board concluded that if the data controller (employer) shares personal data on a website based on the explicit consent given by the data subject (employee), it should be deemed that the employee has withdrawn their consent after the termination of employment.
As a result, this decision of the Board is a reminder that compliance with the GDPR alone is not sufficient for data processing activities carried out in Turkey, and that data controllers must also comply with the obligations arising from DP Law for those activities.
On 23 May 2022, the Board issued a decision on “cookies” used on websites and/or mobile apps by an e-commerce company. In its decision, the Board decided to impose a monetary fine of TRY 800,000 (approx. EUR 45,000) due to unlawful data processing activity through cookies and made a distinction between strictly necessary cookies and not strictly necessary cookies. For detailed information, please see our article here.
In short, the Board has clarified that cookies that are essential for directly operating a website and/or mobile app are classified as strictly necessary, whereas cookies that are not necessary for operating a website/mobile app, such as ‘performance-analytical cookies’ and ‘advertising/marketing cookies’, are classified as not strictly necessary. Furthermore, the Board touched on the processing principles for cookie practices and stated that:
On 23 May 2022, the Board issued a decision on the power of employers to access employee corporate e-mail accounts. The Board examined the complaint of an employee who claimed that their employer monitors their corporate e-mail address and imposed a monetary fine of TRY 250,000 (approx. EUR 14,215) on the employer. In addition, the Board decided to initiate an ex officio investigation into the transfer of personal data outside of Turkey, as the employer uses the Microsoft cloud system OneDrive. For detailed information, please see our article here.
In its decision, the Board stated as follows:
| Data Controller | Affected Data Subjects | Affected Personal Data | Number of Data Subjects |
| --- | --- | --- | --- |
| Yıldız Teknoloji Geliştirme Bölgesi Teknopark AŞ | Employees, Users, Customers | Identity, Communication Information, Location, Information on Consumer Transaction, Personnel Information, Finance, Information on Professional Experience | N/A |
| ZkSoftware The Advanced Biometric Solution Elektronik San. ve Tic. Ltd. Şti. | Employees, Customers | Identity, Communication Information, Personnel Information, Consumer Transaction, Finance, Marketing Information | Approx. 1,000 |
| Baydöner Restoranları A.Ş. | Employees, Users, Members/Subscribers | Identity, Communication Information | 505,337 |
For more information please contact Ceren Ceyhan, Associate, at cceyhan@gentemizerozer.com, and Hatice Nur Arslan, Legal Intern, at narslan@gentemizerozer.com.
© 2022 2minrecap.com | All rights reserved.