Two-minute Recap of Recent Developments in Turkish Personal Data Protection Law – May 2023

June 2023 – In May 2023, the Turkish Personal Data Protection Authority (the “DPA”) published two data breach notifications but did not publish any decisions.

On 3 May 2023, the DPA hosted the "e-safe Personal Data Protection Summit" covering various aspects of personal data protection, including legal, sector-specific, and technological developments. The discussions also emphasised the benefits of artificial intelligence and highlighted data subjects’ rights, specifically the right to object, as outlined in the Personal Data Protection Law (the "DP Law").

In this month's two-minute recap, we have also compiled the highlights from the 40 decisions issued by the DPA in April.

Ensuring Compliance: Establishing a Valid Legal Basis for Personal Data Transfers!

In its decision published on 24 April 2023, the DPA emphasised the importance of the fundamental principles of explicit consent, particularly that it be based on information and free will. In addition, the DPA issued its findings on the sharing of customer data with relevant institutions in the banking sector. With this decision, the data controller bank, which failed to (i) transfer customer data based on a valid legal basis and (ii) obtain explicit consent based on information and free will, has been subject to an administrative fine of TRY 250,000 (approx. EUR 11,200).

The data subject, who was repeatedly contacted by an insurance company on their personal phone, discovered that the data controller bank had shared their phone number with the insurance company. Consequently, the data subject lodged a complaint with the DPA.

Considerations by the DPA:

The DPA evaluated a document entitled “Campaign Communication Preferences Instruction” through which the data subject granted authorisation for receiving messages. Upon examining the instruction, several issues were identified:

i. ambiguous expressions were used concerning future actions,
ii. consent boxes were pre-selected by default, and
iii. the data subject was not adequately informed about the transfer of their personal data.

As a result, the DPA has determined that these practices contradict the fundamental principles of explicit consent, specifically the principles of being "based on information" and "based on free will".

Despite the data controller bank asserting that (i) under Turkish banking law, it had the authority to share specific limited data with the institutions it collaborates with for services and support, and (ii) the data subject had given consent to receive commercial messages, these claims were rejected. The DPA concluded that the data controller had no valid legal basis to transfer the data subject’s contact data to the insurance company, since there was no exemption from the confidentiality obligation under Turkish banking legislation, and explicit consent for such transfer was not obtained in line with the DP Law.

What is the Decision?

As a result, the DPA imposed an administrative fine of TRY 250,000 (approx. EUR 11,200) on the data controller due to (i) lack of a valid legal basis for the data transfer and (ii) failure to implement adequate technical and organisational measures when transferring the data subject’s contact data to a third party.

Enhancing Data Security: Embrace the Power of Identity Verification!

The unauthorised sharing of processed personal data with third parties through unlawful means is a matter of significant concern for both the DPA and the companies involved. The DPA has received numerous complaints on this issue and made decisions accordingly. You can find our article on these decisions here.

Based on the DPA's assessments, which apply across sectors without distinction, data controllers should follow the principles below when processing personal data:

• Accuracy and timeliness: ensuring that personal data is accurate and kept up to date when necessary;
• Periodic verification: regularly verifying the communication information of the data subjects and establishing the necessary mechanisms to keep data up to date; and
• Robust identity verification: implementing robust identity verification mechanisms, as suggested in relevant decisions of the DPA, in order to prevent unauthorised access by third parties.

The Board announced the following data breach notifications in May:

• Data controller: Boyner Büyük Mağazacılık

o Affected Data Subjects: Customers (Users)
o Affected Personal Data: Identity, Communication Information, Finance
o Number of Data Subjects: Approx. 3,055,907

• Data controller: Trabzonspor Sportif Yatırım ve Futbol İşletmeciliği Ticaret

o Affected Data Subjects: Employees, Users, Students, Customers and Potential Customers
o Affected Personal Data: Identity, Communication Information, Personnel Information, Customer Transaction, Finance, Professional Experience, Marketing, Visual and Audio Records and Other
o Number of Data Subjects: N/A

By Ceren Ceyhan, Associate, Hatice Nur Arslan, Junior Associate and Bahar Bozdemi, Legal Trainee, Kinstellar
