Advancements in technology have increased concerns about privacy for both individuals and businesses. There have always been concerns around privacy and data protection, but people have started to use smartphones, fitness trackers, and other devices connected to cars which did not exist before, both in business and in personal life. Amid this social and technological development, there was no special legislation which protected personal data and privacy matters in Turkey. We believe that the Turkish Personal Data Protection Law no. 6698 is a significant step in Turkey towards preventing unlawful activities in the field of data protection and privacy. Apart from that, as the decision shows, the commission is also taking significant steps to protect privacy.
The Commission of Data Protection published a milestone decision on 01.11.2018. The commission stated in its decision that it has been receiving a number of complaints from personal data subjects regarding advertisement through email, text messages or calls. In response to these complaints, the commission made a decision. In this article we provide a summary of the commission's decision.
The decision states that if data processors, or whoever is acting on behalf of them, are sending text messages or emails or making phone calls to personal data subjects without their consent for the purpose of advertisement, these actions have to be stopped immediately. Accordingly, Article 5 of the Turkish Personal Data Protection Law no. 6698 highlights the importance of consent:
“Personal data shall not be processed without obtaining the explicit consent of the data subject.”
According to the Turkish Personal Data Protection Law, the personal data subject must be informed. This means that the processing must be explained to the personal data subject in an understandable and easily accessible form, using clear and basic language which does not contain unfair terms; and the data subject should be aware at least of the identity of the controller and the aim for which the personal data will be processed.
Moreover, another significant outcome of this decision relates to taking measures in order to prevent unlawful actions. According to Article 12 of the Turkish Personal Data Protection Law no. 6698, the data controller has to take all necessary technical and administrative measures to ensure that personal data is protected against unlawful processing. The data controller is also jointly liable with whoever is acting on its behalf.
In summary, the decision highlighted the two main grounds on which data processors incur liability. The first is that the data processor is liable if it uses personal data without the consent of the personal data subject. The second is that data processors are liable if they do not take the necessary steps to prevent these unlawful actions. The decision defines these liabilities from two perspectives. The first is legal liability.
Article 18 of the Turkish Personal Data Protection Law no. 6698 states that:
ARTICLE 18 – (1) To the ones who do not fulfil
a) Obligation to inform stipulated in article 10 of this Law, an administrative fine of 5.000 Turkish liras to 100.000 Turkish liras;
b) Obligations regarding data security stipulated in article 12 of this Law, an administrative fine of 15.000 Turkish liras to 1.000.000 Turkish liras;
c) Decisions of the Board as per article 15 of this Law, an administrative fine of 25.000 Turkish liras to 1.000.000 Turkish liras;
ç) Obligation to register with the Data Controllers Registry and notification stipulated by article 16 of this Law, an administrative fine of 20.000 Turkish liras to 1.000.000 Turkish liras
shall be imposed.
(2) Administrative fines envisaged by this article shall apply to natural persons and private law legal persons who are data controllers.
(3) In case the acts listed in the first paragraph are conducted within public institutions and organizations or professional organizations with public institution status, upon notification of the Board, disciplinary action shall be taken with regard to the officers and other public officials who serve under the relevant public institution or organization and the ones who serve under the professional organizations with public institution status, and the result shall be reported to the Board.
The second is criminal liability. If the personal data was obtained unlawfully, then criminal procedure will be applied.