Selin OZBEK CITTONE
Attorney at Law / Managing Partner
09 January 2020
This document sets out an overview on the implementation of the Turkish Data Protection Law no. 6698 (‘TDPL’) in light of the decisions and orders of the Data Protection Authority (“DPA”) in Turkey. We aimed to analyze the decisions and orders published on the DPA’s website since 2018 and provide you with an overall understanding on how the TDPL has been interpreted up until now.
The Legislative Framework in Turkey and the Turkish Supervisory Authority
In Turkey, protection of personal data is a constitutional right since 2010. Data protection was mainly regulated in the Turkish Constitution and Turkish Criminal Code until the enactment of the TDPL on 7 April 2016. The TDPL introduced a new legislative framework in Turkey. The secondary legislation promulgated under the TDPL as well as supervisory authority’s decisions about implementation of the TDPL have been the key factors for the development of this new regime.
The Turkish DPA, namely Kişisel Verileri Koruma Kurumu, has been established as an independent data protection supervisory authority, with key responsibilities under the TDPL,. The data protection board, namely Kişisel Verileri Koruma Kurulu, composed of a total of 9 members appointed as per the election procedures set forth in the TDPL, is the decision-making body of the Turkish DPA and has been actively working since January 2017 (“Board”). The President of the DPA is responsible for the administration and representation of Turkey’s supervisory authority.
Under the TDPL, the Board must carry out necessary investigations on the matters falling within its scope of work upon a complaint or ex officio (Article 15 of the TDPL) and may publish its decisions as it deems necessary (Article 23/5 of the TDPL). The TDPL does not impose any mandatory form or minimum content for the Turkish DPA’s decisions which must be or are published. Thus, not all Board decisions are published on the Turkish DPA’s website and not all published decisions include same level of detail.
A Brief Analysis of the Board Decisions published by the Turkish DPA
Until to date, two different types of decisions are published on the DPA’s website: (i) Board decisions (consisting of opinion decisions and regulatory decisions) and (ii) orders and enforcement decisions. Here, we will try to analyze the latter (including monetary fines imposed by the DPA).
The Turkish DPA published Board decisions for the first time on 2 August 2018 and since then a total of 49 decisions are published by the DPA. After the first publication, which contained 11 decisions, it is observed that there was a significant time gap (almost 6 months) until the second round of publication of decisions. However, this time gap has reduced over time. In 2019, the Turkish DPA published a round of decisions every month or 2 months, signaling a regular publication trend for the future. Also it is worthy to note that the Turkish DPA’s recent decisions are more detailed than the previous ones. The first decisions did not include the name of the data controller or the amounts of monetary fines or even the sector names. In its more recent decisions, however, the Turkish DPA started to mention some or all of those details or specifics of the data breach.
Breakdown by Type of Breaches and Applicable Provisions
Article 18 of the TDPL lists administrative fines applicable for 4 types of infringements:
Breach of obligation to inform (lack of due privacy processing notice)
Art.18/1 (a) Any person who does not fulfil obligation to inform stipulated in Article 10 of the TDPL, may be imposed an administrative fine of TRY 5,000 to TRY 100,000;
Breach of obligations regarding data security
Art. 18/1 (b) Any person who does not fulfil obligations regarding data security stipulated in Article 12 of the TDPL, may be imposed an administrative fine of TRY 15,000 to TRY 1,000,000;
Non-performance of Board’s decisions/orders
Art. 18/1 (c) Any person who does not fulfil decisions of the Board as per Article 15 of the TDPL, an administrative fine of TRY 25,000 to TRY 1,000,000;
Breach of obligation to register with the Data Controllers’ Registry and notification
Art. 18/1 (ç) Any person who does not fulfil obligation to register with the Data Controllers’ Registry and notification stipulated by Article 16 of the TDPL, an administrative fine of TRY 20,000 to TRY 1,000,000
Below table demonstrates breakdown of the Board’s published decisions based on type of infringement or action taken:
Board decisions based on data security breach
Art. 18/1 (b)
Orders to controllers (no fines imposed)
No actions needed
Answers to opinion requests/ legislative interpretations or clarifications
Infringement of Board’s decisions /Board’s orders
Art. 18/1 (c)
Application of disciplinary provisions to public institutions / public authorities
(*) Out of 25 cases where the Board applied an administrative fine based on Article 18/1 (b), 14 cases were related to actual data security breaches and/or failure to take necessary technical and administrative measures, 11 cases were related to breach of data processing principles and lawful grounds for processing. It is worthy to note that the TDPL does not have an explicit provision imposing an administrative fine for breach of principles relating to processing of personal data (Article 4 of the TDPL) and/or infringement of article concerning lawfulness of processing (Article 5 of the TDPL). Some serious infringements of the principles or lawful grounds may arguably be scrutinized under the criminal liability provisions of the TDPL. Turkish DPA, therefore, broadly interprets first paragraph Article 12 of the TDPL regarding data security and applies administrative fines based on infringement of principles or lawful grounds for processing based on Article 18/1 (b).
(*) In 6 cases the DPA initiated an investigation on data security upon the data breach notification made by the controller.
It is no surprise that the data security provisions of the TDPL have been the major reason for the Turkish DPA imposing fines to the data controllers.
Breakdown by Sectors
Below table demonstrates sector breakdown of the Board’s published decisions:
Number of Decision
Technology Media Telecom
(Telecom, Media, Social Media, Internet, App. etc.)
Finance (Bank, Asset Management Company, etc.)
Tourism (Travel agency, Airlines, Hotel, etc.)
Health (Hospital, Pharmacy, Doctors, etc.)
Enegy (Oil and Gas)
In 2018 and 2019, the TMT sector, which includes social media and internet companies, was at the top of the list. Tourism sector (which includes travel agencies, airlines, bus companies, hotels) and finance sector (which includes banks, asset management companies) was in second place. But, as almost 30% of the decisions published on the Turkish DPA’s website do not include information on the concerned sector, it is hard to deduce an exact conclusion in terms of sector rankings by simply reviewing the published decisions. This being the case, 2018 Activity Report of the Turkish DPA confirms that services (general), telecommunication, technology (informatics), and finance sectors were the top sectors in terms of complaints and applications.
When the sector breakdown is analyzed, it is observed that public legal bodies were also subject to scrutiny by the Turkish DPA. In one case, the claimant (public servant) requested deletion of his/her disciplinary file by the public authority (details unknown) and in another case the state-owned controller (details unknown) did not comply with the order of the DPA regarding a data subject request. Apart from the foregoing, in one of the finance sector decisions mentioned in the above list, the controller was a state bank, namely T.C. Ziraat Bankası A.Ş. According to 2018 Activity Report of the Turkish DPA, there were 73 out of 310 applications concerning public legal bodies in the year 2018.
In only 11 cases reviewed by the Board (i.e. approximately 1/4th of the published decisions of the Board), the data controllers’ names were published on the Turkish DPA’s website. Especially in the early days of the TDPL, the Turkish DPA was reluctant to disclose the name of the data controller, fearing that such would negatively impact the reputation and the credibility of concerned data controllers. 6 out of 11 decisions mentioned below were published in the second half of the year 2019. Hopefully, this means that the Board may continue to disclose more data controllers’ names in its future decisions.
Obviously, disclosure of the controllers’ names is important for due exercise of compensation rights by the data subjects. Article 11 of the TDPL provides each data subject the right to apply to the controller to request compensation for his/her damages, if any, arising from the unlawful processing of personal data or data breach. There is no doubt that the announcement of the names of the data controllers by the Turkish DPA could make it convenient for the data subjects to exercise their rights.
The below table lists the names of the data controllers which were subject to the decisions of the Board in the said famous cases:
Complaint/Application/ Ex Officio
·Data breach (re photo API bug) shows that the controllers did not take necessary technical and administrative measures to provide a sufficient level of data security.
·Turkish DPA was not notified within the shortest time regarding the data breach.
T.C. Ziraat Bankası A.Ş. (Public Bank)
Disciplinary procedure & order
·Privacy notice not compliant with the Communique On Principles And Procedures To Be Followed In Fulfillment Of The Obligation To Inform
Failure to answer to the formal request of information by the data subject
Clickbus Seyahat Hizmetleri A.Ş.
·Data breach shows that controller did not take necessary technical and administrative measures to provide a sufficient level of security.
·Turkish DPA was not notified within the shortest time about the breach.
Marriott International Inc.
·Turkish DPA was not notified within the shortest time about the breach.
Cathay Pasific Airway Limited
No Applicant name
In case of using Gmail, e-mails will be stored in the servers of Google around the world; so this means that data is transferred abroad. Therefore, data should be restored in accordance with the rules regulating data transfers to outside of Turkey (Article 9 of the TDPL).
Request of opinion
Mimar Sinan University (Public University)
Disciplinary procedure & order
·Failure to respond to data subject’s information request.
·Announcement of all exam results explicitly though internet without encrypting.
·Data breach shows that the controller did not take necessary technical and administrative measures to provide a sufficient level of security.
·Turkish DPA was not notified within the shortest time about the data breach.
·Data breach (re View As, Birthday Celebrator and Video Uploader) shows that controller did not take necessary technical and administrative measures to provide a sufficient level of security. ·
Turkish DPA was not notified within the shortest time about the data breach. (Sending an informative e-mail to Turkish DPA does not qualify as a breach notification as no formal notification was made thereafter)
S Şans Oyunları A.Ş.
(Online Betting Co)
·The data subjects were not notified about the data breach.
Sevinç Eğitim Kurumları
·Sending text messages for advertising without legal grounds for processing of personal data means unlawful processing of personal data
The above table also shows that the two known highest administrative fines were imposed by the Board to Facebook. Both decisions are based on the following two infringements: (i) data breach, which shows that the controller failed to take implement technical and administrative measures to provide a sufficient level of security (infringement of Article 12(1)) and (ii) the controller did not notify the data subjects and/or the DPA about the data breach within the legal time frame (infringement of the Article 12(5)).
Based on 19 published decisions, the Board has imposed a total amount of TRY 8,005,000 as administrative fines to controllers as of 6 November 2019.   As the DPA did not publish its 2019 Activity Report yet we do not know the total amount of fines imposed in 2019. But as per 2018 Activity Report of the Turkish DPA a total amount of TRY 870,000 was imposed to controllers as administrative fines in a total of 8 cases.
On a separate note, the Board may also decide to send an order (talimatlandırma) to data controllers for compliance with the TDPL. However, it is seen that only in 6 published decisions the Turkish DPA solely sent an order. In other 9 cases, the Turkish DPA sent an order to the controller in addition to imposition of administrative fine.
Although the Turkish DPA is relatively young compared to its European peers, it has been working hard for due implementation of the TDPL. We are aware of few cases initiated against the Board’s decisions before Turkish courts, but there are very limited court precedents on the subject matter.
There is no doubt that Board’s decisions and administrative fines are two powerful tools to make certain that rules are followed and awareness is raised on data protection rights in Turkey.