Two-minute recap of recent developments in Turkish Data Protection Law – March 2021
In March 2021, the Personal Data Protection Board (the “Board”) postponed the registration deadline with the Turkish Data Controllers Registry (“VERBIS”) until 31 December 2021. (Our detailed analysis of the announcement is here.) The Board also approved Amazon’s written undertakings for the transfer of personal data abroad—only the second time that the Board provided its approval for the transfer of personal data abroad. (Our detailed analysis of the decision is here.)
It was also recently announced officially that changes will be made to the Turkish Data Protection Law (“DP Law”) by 31 March 2022, in line with the provisions of GDPR on data transfer abroad.
Decision on employee personal data
In a decision published on 19 March 2021, the Board assessed the obligations of employers as data controllers. In the case in question, the Board imposed an administrative fine of TRL 250,000 (approximately EUR 26,500) against an employer (data controller) following a complaint from an employee (data subject). (Our detailed analysis of the decision is here.)
In a nutshell, the Board specified the obligations of employers as data controllers. The Board underlined that:
- The employer must fulfil the obligation to inform before starting any data processing activity, regardless of whether the data processing activity is based on explicit consent or not.
- Explicit consent must be declared by free will. In the case in question, the employer’s manner was deemed harmful to the principle of free will.
- An employee cannot submit explicit consent on behalf of her/his partner or children.
- The employer must behave in accordance with the proportionality principle. In the case in question, the employer violated this principle by processing fingerprint data for emergency management, physical facility security, and to provide information to public institutions.
- Using cloud systems located outside of Turkey constitutes the transfer of personal data abroad. In this case, the employer must behave accordingly.
Decision on voice recording via security cameras
The Board evaluated the data processing activity via security cameras with a voice-recording feature and concluded that this is too interfering. In general, the Board outlined the balance between data processing activities and the proportionality principle. (Our detailed analysis of the decision is here.)
The Board underlined that the limitation of the right to the protection of personal data should not be interpreted broadly. In the case in question, the Board concluded that recording audio via security cameras restricts the right to the protection of personal data. In this respect, the Board stated that if a data controller wishes to use security cameras with a voice-recording feature, they should assess whether the targeted purpose can be achieved without recording audio. If the data controller concludes that targeted purpose can be achieved without voice recording, any voice data processing will be in contradiction to the proportionality principle.
The Board announced the following data breach notifications in March