Three Years Of Data Protection In Turkey
Three years have passed since the enaction of Turkey's long-awaited data protection legislation, the Law on Protection of Personal Data numbered 6698 ("DP Law"), on 7 April 2016. Since then the, DP Law and in particular the risk of being imposed with the monetary sanctions included therein are a hanging sword over the head of data controllers in Turkey. And yet the sword has gone even sharper, since the beginning of 2017, as of which, the Turkish Personal Data Protection Authority ("Authority"), established by the DP Law, became active with the inauguration of the members of its Personal Data Protection Board ("Board").
The responsibility of the Board, without a doubt is a heavy one. They have no established local data protection practice to rely on and they are expected to lay the foundations of a data protection culture in a country which met with the concept just recently. Be that as it may, the previous three years have verified that the Board is up for that challenge. The works of the Authority in the past years include publishing 8 pieces of secondary regulations to the DP Law, more than 20 guidelines and educational videos; establishing the national registry for data controllers, signing co-operation agreements with the foreign data protection authorities and universities, arranging awareness projects and educational seminars.
The things haven't been quiet on the 'enforcement' front either. The Authority is given the power to issue administrative fines reaching up to 1.000.000 Turkish Liras (approx. USD 200.000 - the amount of fines are increased each year on the basis of legal yearly reevaluation ratio) to the data controllers violating the DP Law. Unfortunate for the data protection practitioners in Turkey, the enforcement decisions of the Board are not open to public. Nevertheless, the Authority occasionally publishes decision summaries on their website.
To this date, 13 Board decision summaries are published with 10 of them being resulted in imposing of administrative fines. Although the exact amounts of fines are not disclosed, all administrative fines included in the summaries are issued for failing to comply with 'the obligation to take necessary administrative and technical measures for ensuring data security'; which is sanctioned with an administrative fine from 15.000 to 1.000.000 Turkish Liras. Based on the summaries, it can be deduced that the Board have been interpreting the 'data security' obligation rather broadly. In instances where the data controller has made the 'explicit consent as a precondition of offering a service' or violated the 'data minimization principle'; the Board have issued the administrative fine on the grounds of failing to comply with the 'data security' obligation.
Even though the summaries provide a brief glance to the Board's line of reasoning when applying the DP Law, they are not detailed or do not include the amounts or the identity of the data controllers. However, it is known that the Board is getting more active every day and the penalties are getting higher. To acquire more information on the enforcement decisions given last year, we are waiting for the Board to publish its yearly activity report for 2018, which is expected to include consolidated data on the data subject complaints made to the Authority and more information on the monetary fines issued thus far.
Another issue the Board has been rather active on is the 'data breach notifications'. The DP Law obliges data controllers to make notification to the Authority upon becoming aware of the personal data breaches concerning the data that they process (on a side note, according to a recent decision of the Board such notifications must be done within 72 hours of becoming aware of the breach. You may read our article on the decision here). Upon receiving such notifications, the Board may decide to publish the breaches on the Authority's website, if and when it deems necessary. Such public announcements of data breaches are, without a doubt, a serious blow to the public image of companies.
The Board published its first data breach notification in May 2018 and since then, 22 other notifications have been published. The initial 4 notifications were concerning globally known companies and brands. Based on the notifications published to date, the publicly shared information regarding the notifications generally includes the following:
Two of the outstanding obligations that the data controllers are subjected under DP Law are registering with the data controller registry prior to processing personal data and following certain procedures when transferring personal data from Turkey to abroad.
The data controller registry (also known as VERBIS) have been active and accepting registrations since September 2018. The Board has yet set-out the exceptions for registration. Accordingly, data controllers whose (i) annual headcount is less than 50, and (ii) its annual sum of financial turnover is less than 25,000,000 TL, are exempt from the obligation to register with VERBIS. However, this exception does not apply to foreign data controllers; the Board expects all data controllers located abroad and processes data of Turkish citizens to register with VERBIS. For foreign data controllers, the deadline to register is 30 September 2019.
Another critical development - or more correctly, the lack of it – concerns the personal data transfers abroad. To legally transfer personal data abroad from Turkey, DP Law provides three options: (i) "explicit consent of the data subject", (ii) "safe country exception" and (iii) "signing a written undertaking between the sender and the receiver; and then getting Board's approval". The least burdensome option to transfer personal data in the list is the "safe country exception". The Board was expected to publish the list of safe countries – the list of foreign countries offering the adequate level of personal data protection – by the end of 2018. However, the list is not published as of April 2019. Moreover, based on a recent guide published by the Board, all third countries that are not explicitly declared as providing an adequate level of protection for the personal data will be deemed as "unsecure" countries. Therefore, currently any data controller wishes to transfer personal data from Turkey to 3rd countries should either obtain explicit consent from the data subjects or conclude an undertaking with the foreign party it transfers the data to, regarding provision of an adequate protection and then get the approval of the Board.
It was an interesting journey in the last 3 years for us the data protection practitioners to witness the emergence whole new branch of law in Turkey. Personal data protection in Turkey is becoming more and more topical. It is not uncommon these days for statesman and CEOs of large local corporations to refer personal data of the citizens and customers as a valuable asset - something to be kept safe; which was not the case three years ago. Therefore, it can be said that the DP Law is surely fulfilling its purpose to create an awareness on the subject.