In October 2021, the Turkish Personal Data Protection Board (the “Board”) published its evaluation regarding the right to be forgotten in the context of search engines and announced two data breach notifications.
Can a search engine forget?
The Board evaluated the right to be forgotten in the context of search engines. In its evaluation, the Board states that search engines should also be considered as data controllers. The Board expressly states that data subjects are entitled to apply to the Board if a data controller does not respond to the requests of the data subjects concerned to remove the results displayed as a result of searches with their own names and surnames on search engines.
The Board underlines the right to be forgotten is not an absolute right but a right that can be asserted exceptionally in a specific case. The Board also states that the application can only be made by the data subject himself/herself.
The Board provides a list of criteria that it will consider while evaluating such requests. Accordingly, the Board evaluates whether:
- the data subject plays an important role in public life;
- the data subject is a child;
- the information is accurate and actual;
- the information is related to the working life of the data subject;
- the information has the nature of insulting, humiliating or slandering the data subject;
- the information contains sensitive data;
- the information causes prejudice against the data subject;
- the information creates a risk against the data subject;
- the information was made public by the data subject himself/herself;
- the information covers the data processed within the scope of journalistic activity;
- there is a legal obligation to publish the information; and
- the information is related to a criminal offense.
If a data subject would like to exercise this right, he/she must follow the general procedures to make a complaint to the Board. Accordingly, the data subject must first apply to the data controller, i.e., the search engine.
It should be noted that data subjects can only prevent the display of results from searches with their names and surnames on search engines. If different words regarding the data subject are used in the search engines, the information may continue to appear.
Cooperation Between the Board and the RTÜK
The Board and the Turkish state agency for monitoring, regulating and sanctioning radio and television broadcasts, the Radio and Television Supreme Council (the “RTÜK”), have signed a cooperation protocol aimed at preventing situations where personal data can be easily disclosed knowingly or unknowingly, especially on morning news broadcasts, which disregards the right to privacy and constitutes a crime.
RTÜK President Ebubekir Şahin stated that they have received many complaints about this issue, while saying that as an institution they attach great importance to the protection of personal data. According to the protocol, experts to be appointed from both institutions will organise joint trainings, seminars and workshops about personal data protection in media broadcasts.
The Board announced the following data breach notifications in October
| Data Controller | Affected Data Subjects | Affected Personal Data | Number of Data Subjects |
| Panasonic Business Support Europe GmbH | Customers, Service Centre Employees | Identity (name-surname), business contact (address, e-mail and telephone), contact (address, e-mail and telephone), photograph (for a few people) and video (for a few people) | N/A |
| İzmir Bakırçay University | Students, Academic and Administrative Staff | Identity (name-surname, ID No.), contact (institutional e-mail and telephone) and student ID numbers and enrolled programs for students | Total: 5,814 people (5,389 students and 425 staff) |
For more information please contact Ceren Ceyhan, Associate, at cceyhan@gentemizerozer.com, and Osman Tuğberk Çakırca, Legal Trainee, at ocakirca@gentemizerozer.com.