Personal Data Protection Bulletin - 2022 First Quarter

Recent Updates from Turkey

• Public Announcement on Registration in the Data Controllers Registry was published on 4 January 2022 on the Personal Data Protection Authority’s (“Authority”) website. The announcement emphasized that the notifications made to the registry by the data controllers should be prepared based on the personal data processing inventory and that only completion of registration would not eliminate other obligations under the law. The announcement aims to remove the misperception that the only obligation for data controller companies is to complete their registration and notifications. You may find the said announcement here (Turkish).
• Public Announcement regarding the Technical and Administrative Measures Recommended to be Taken by Data Controllers regarding User Security was published on 15 February 2022 on the Authority’s website. By covering the measures that the data controllers should adopt, the announcement also recommends applying the measures that they find suitable after having a risk assessment. You may find the announcement here (Turkish).
• The Booklet for the Principle Decisions of Personal Data Protection Board (“Board”), which is a compilation of all principle decisions published in the Official Gazette, was published on 16 February 2022, on the Authority’s website. You may find the said booklet in the announcement section under the official website of the Board (Turkish).
• The Administrative Fines within the scope of the Personal Data Protection Law numbered 6698 (“PDPL”) was published on 17 February 2022 on the Authority’s official website as a table showing the amounts increased by the revaluation rate determined and announced for the years 2017-2022. You may find the announcement here (Turkish).
• The Regulation on Process and Protection of Personal Data by the Social Security Institution entered into force through its publication in the Official Gazette dated 19 February 2022. The purpose of the said regulation is to determine the procedures and principles regarding the processing of personal data obtained within the scope of Social Security Institution’s duties and authority. You may find the full text of the regulation here (Turkish), and our client alert here.

Important Decisions of the Board

• Board Decision on Data Breach Notification regarding Yemek Sepeti Elektronik İletişim Perakende Gıda Lojistik A.Ş.: Upon the notification regarding the data breach of personal data such as user name, address, phone number, e-mail address, user password, and IP information of many Yemek Sepeti customers, the Board concluded that data controller Yemek Sepeti was in fault for the data breach which occurred due to the server’s vulnerability. Yemek Sepeti did not detect the breach for 8 days although there were traces on the firewall and therefore, the Board imposed administrative monetary sanctions accordingly. You may find the said decision here (Turkish).
• Board’s Principle Decision concerning car rental and software companies was published in the Official Gazette dated 20 January 2022: Following the notices to the Authority, it has been detected that car rental companies use a software with “black list” features, which allow access to personal data of customers by other car rental companies using the same software either. It was determined that the service offered by software companies is in the form of SaaS (Software as a Service) and users with admin authority are assigned to provide technical support when necessary. The Board deemed all car rental companies using this software along with the software companies as joint data controllers since they have control over the data. It has been also decided that measures will be taken against those companies. The Decision is important since it includes the notion of “joint data controller” which has not been defined in the Law yet. You may find the said decision here (Turkish).
• Board’s Decision dated 06 January 2022 regarding publication of exam results of Higher Education Institutions on website: The Board concluded that publication of the document for Higher Education Institution Exam (YKS) result, which includes personal data of the data subject, on a local news website without explicit consent cannot considered within the scope of freedom of expression established under Article 28 (1) of PDPL. Although the Board considered the removal of the relevant personal data from the website as of the date of the decision as a mitigating circumstance, it has decided to impose an administrative fine on the data controller. You may find the said decision here (Turkish).

Recent Developments from the World

• On March 25, 2022, the United States and the European Commission announced that they agreed in principle on a new Trans-Atlantic Data Privacy Framework, which will foster Trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in the Schrems II decision of July 2020. The framework will provide a lasting basis for data flows between the United States and Europe to protect individuals’ rights and reinforce commerce in all sectors. You may find the said announcement here.
• On 23 February 2022, the European Commission announced a proposal for new rules on who can use and access data generated in the EU across all economic sectors. The Data Act aims to ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all. Please find the said announcement here.
• Oman became one of the latest countries in the Middle East to issue national privacy legislation with the publication of a new Personal Data Protection Law. The Royal Decree numbered 6/2022 regarding the Personal Data Protection Law was published in Official Gazette on 09 February 2022. The said law will come into effect 1 year as of the date of its publication.
• On 22 December 2021, the Austrian Data Protection Authority found that medical news company, NetDoktor, violated Europe Union General Data Protection Regulation (“GDPR”) by using Google LLC’s data analytics platform, Google Analytics on its website, which resulted in the transfer of personal data from Europe to the United States where Google’s servers are located in. Please find the said decision here.
• On 16 February 2022, the French Data Protection Authority also ruled that an unnamed local website’s usage of Google Analytics was in violation with the GDPR. The Authority decided that personal data transfers to the United States through Google Analytics were non-compliant with Article 44 of the GDPR. Please find the said decision here (French).
• The German Conference of Data Protection Authority has released new detailed guideline dated 18 February 2022 regarding direct marketing in Germany. The guideline encapsulates the main principles of the GDPR for direct marketing and also foresees some regulations that are not binding. The guideline also tackles on the German Unfair Competition Act that contains specific rules to be applied when existing customers are contacted for marketing purposes. You may find the said guideline here.
• The European Data Protection Board started a public consultation on the draft Guidelines 01/2022 on data subject rights – Right of access on 28 January2022. The guideline addresses the overall structure of the right of access, data subject’s request and provides guidance on how to handle such requests; and discusses the limitations on the right of access. After the end of the public consultation period, the guideline will be definitively adopted. You may find the guideline here.
• International Data Transfer Agreement, UK Addendum and transitional provisions entered into force on 21 March 2022. The said agreement, the UK Addendum and transitional provisions will replace the EU Standard Contractual Clauses under the UK General Data Protection Regulation regarding the transfer of personal data. You may find the announcement here.