Personal Data Protection Bulletin - 2022 Second Quarter

Recent Updates from Turkey

• On 21.04.2022, Personal Data Protection Authority (“Authority”) announced that it has started to impose administrative sanctions on data controllers, who have not fulfilled the obligation to register to the Data Controllers’ Registry and obligation to notify. You may find the announcement here (Turkish).
• As announced with the Client Alert dated 17.06.2022, the Regulation on Processing of Land Registry and Cadastre Data and Transactions Held in Electronic Environment entered into force through publication in the Official Gazette dated 08.06.2022 and numbered 31860. The said regulation establishes the procedure and principles regarding data processing in the Central Database of the General Directorate of Land Registry and electronic transactions. You can find the regulation here (Turkish) and the client alert here.
• The Guideline on the Use of Cookies has been published on the Authority’s website. The guideline includes recommendations for the protection of personal data within the scope of the Law No. 6698 on the Protection of Personal Data (“LPPD”) for website operators processing personal data through cookies. You may find the Guideline here (Turkish). 
• On 16.06.2022, the Authority published the Draft Guideline on Assessment of Loyalty Programs Within the Scope of Personal Data Legislation (“Draft”) for public consultation. The Draft includes detailed information along with various examples of processing activities for loyalty programs. You may find the Draft Guideline here (Turkish). 

Important Decisions of the Board and Constitutional Court

Constitutional Court’s Decision dated 19.04.2022 and numbered 2018/11999

• In the relevant decision, the Constitutional Court evaluates whether recording fingerprints for shift tracking violates the right to request protection of personal data within the scope of the right to private life. The Constitutional Court emphasizes the fact that the applicant does not give consent to the processing of fingerprint data. Moreover, the Constitutional Court states that there is no legal regulation that enables the processing of special categories of personal data for shift tracking and that establishes the principles for processing of those data, and the processing subject to the application was found to be in violation of legality principle. You may find the relevant decision here (Turkish).

Decision of Personal Data Protection Board (“Board”) dated 02.12.2021 and numbered 2021/1214

• In the complaint submitted before the Authority, it was stated that the attendance list containing personal data of certain students in a university was circulated and signed by the class attendees. The Board established that; (i) the ministry and the university are both data controllers; (ii) the ministry responded to the application after the expiry of the 30-day legal period; (iii) the attendance list that was circulated included names, surnames and identity numbers of data subjects, and therefore, third parties unlawfully accessed those data; and (iv) the university did not fulfill its obligation to inform. In this respect, the Board decided to remind the ministry to fulfill its obligation to respond within 30 days and instructed the university to mask personal data other than names and surnames and fulfill its obligation to inform. You can find the summary of the relevant Decision here (Turkish). 

Decision of The Board dated 21.11.2021 and numbered 2021/1187

• In the complaint submitted before the Authority, the data subject claimed that his/her former employer accessed his/her corporate e-mail account without fulfilling the obligation to inform. The Board stated that information such as name-surname, e-mail address, private correspondence and bank account statements in the corporate e-mail account are personal data and making such personal data public is only possible with the presence of will in this regard. Therefore, the employer shall not make the email correspondence public. Moreover, the Board decided to (i) initiate an investigation ex officio regarding the storage of data in a cloud system located abroad; (ii) impose an administrative fine of TRY 250,000 on the data controller for failing to fulfill the obligation to inform; and (iii) not to impose any action regarding the data subject’s request for deletion of personal data on the grounds that they are submitted as evidence before the court. You may find the summary of the relevant Decision here (Turkish).

Decision of the Board dated 10.03.2022 and numbered 2022/229

• The complaint submitted before the Authority is related to the violation of fundamental rights and freedoms by way of a cookie policy implemented by a company operating in e-commerce and failure to provide information as required. With the decision, the Board handles cookies in two separate groups: “strictly mandatory cookies” and “others”. In this respect, the Board establishes that it is mandatory to obtain explicit consent from data subjects by using the opt-in mechanism, especially for cookies that are in the status of “other”, and that the data controller is obliged to provide clarification regarding the data processing activities and if applicable, reasons for data transfer, and states that cookies used are also within this scope. In this regard, the Board decided to impose an administrative fine and to give instruction to adapt the activities of the data controller to the legislation. You may find the summary of the relevant Decision here (Turkish). 

Decision of the Board dated 21.04.2022 and numbered 2022/388 

• The principle decision discusses whether rendering real estate information of citizens accessible by only providing their ID numbers for online payment and debt inquiries by municipalities poses a problem in terms of protection of personal data. The Board decides that municipalities should take necessary technical and administrative measures by using membership and password or two-factor authentication methods for real estate tax payment/quick payment and debt inquiry services. You may find the relevant Decision here (Turkish).

Recent Developments from the World 

• On 03.06.2022, the Data Governance Act (“DGA”) was published in the Official Journal of the European Union, and entered into force on 23.06.2022. The DGA will be legally binding for companies 15 months after its effective date. The DGA seeks to promote and increase data sharing across the European Union, facilitate the re-use of public sector data and assist businesses with the development of new products rich with date and services, including those based on artificial intelligence. You may find the adopted law here. 
• Starting from 30.06.2022, all applications that are available on Apple App Store and that offer account creation must also allow users to initiate account deletion process within the applications. You may find the relevant announcement here.
• On 03.05.2022, the European Commission published a proposed regulation for the establishment of a European health data space. The aim of the data space is establishing efficient use of heath data. Additionally, the data space is envisaged to be an ecosystem with standards, practices, infrastructure and governance rules. By doing so, individuals will have access to their health data digitally on national level and as well as across Europe, and health data will be stored in one system. You may find the regulation proposal here.
• On 16.05.2022, the European Data Protection Board (EDPB) announced that the Guideline 04/2022 on the calculation of administrative fines under the General Data Protection Regulation is open for public consultation until 27.06.2022. You may find the relevant guideline here.
• The UK government announced public consultation for proposals to reform the UK’s data protection laws on 10.09.2021. Moreover, the government’s response to public consultation was announced on 23.06.2022. The response established important principles that will be regarded for the reforms; providing flexibility to organizations to find effective and proportionate protection for personal data, keeping pace with changes; keeping new requirements limited for organizations that comply with the UK’s current regime; creating benefit for businesses and society together, enhancing governance, accountability and transparency of the Information Commissioner's Office (“ICO”). You may find the relevant press release here.
• ICO published an announcement including recommendations about employers’ liabilities for data protection as Covid-19 measures are gradually relaxing. One of the recommendations is to assess whether data collected within the scope of Covid-19 measures is still necessary, reconsider their approach and establish whether their data processing activities are reasonable, fair and proportionate. Moreover, being clear about the purpose for collection of vaccine information and how asking vaccination status serves the established purposes is another recommendation. You may find the relevant announcement here. 
• The Office of the Privacy Commissioner for Personal Data, Hong Kong published a guidance on recommended model contractual clauses for cross-border transfers of personal data. The model contract clauses are categorized in two groups as transfers from a data controller to data controller, and transfers from a data controller to a data processor. Additionally, model contract clauses apply to transfers from a Hong Kong entity to another entity outside Hong Kong; or between two entities which are outside Hong Kong. Model contractual clauses are considered to be best practice and they are not mandatory. You may find the relevant Guideline here.
• On 25.05.2022, the European Commission published a set of 44 questions and answers regarding the EU Standard Contractual Clause. The standard contractual clauses (SCC) were categorized into two groups namely as SCCs between data controllers and data processors, and SCCs regarding data transfers to third countries. The set also includes a brief introduction to SCCs that include clarification regarding signature, modifications, their relationship to other contractual provisions and changes in parties. You may find the relevant document here.
• On 21.04.2022, Google announced that the update for cookie consents and infrastructure handling cookies has been finalized. Accordingly, update will be rolled out to Google search and YouTube, and will apply to the users in Europe. With this update, the users will be offered equal “Reject all” and “Accept all” buttons on their first cookie consent screens. You may find the announcement here.
• Following the Austrian and French Authorities for Data Protection, the Italian Authority for Data Protection decided that the use of Google Analytics constituted violation of EU data protection regulations with its decision dated 09.06.2022. With the relevant decision, the Italian Authority for Data Protection established that the use of the said services offered by Google by the company Caffeina Media S.r.l. resulted with data transfer to the USA and the company did not adopt adequate protection level and ruled that the use of Google Analytics constituted violation of EU General Data Protection Regulation. You may find the decision here.
• With its decision dated 15.04.2022, The French Authority for Data Protection fined Dedalus Biologie 1.5 million euros mainly for failing to comply with data security obligation; following a health data leak disclosed in the press concerning approximately 500,000 persons. You may find the press release relevant Decision here.
• On 23 May 2022, the ICO fined US-based world’s leading facial network Clearview AI Inc., £ 7,552,800 for violating the UK General Data Protection Regulation and ordered the company to stop obtaining and using personal data of UK residents that is publicly available online and to delete data from its systems. You may find the relevant decision here.
• With its decision published on 19.05.2022, Italian Data Protection Authority fines Uber 4.2 million euros for data processing infringements including data processing without consent, as well as failure to notify the Italian Data Protection Authority. You may find the relevant decision here.
• On 14.07.2022, European Parliament Research Service published a briefing for the impact assessment of the regulation of the European Parliament and the European Council on harmonized rules on fair access to and use of data (“Data Act”), submitted on 23.02.2022 as a proposal. You may find our relevant Newsletter here and the Briefing here.
• European Parliament Research Service published the study referred as “the governing data and artificial intelligence for all.” With a particular focus on artificial intelligence, this study identifies and examines policy options for the EU's data governance framework that align with a data justice perspective. You may find the study here.
• The Italian Authority for Data Protection has formally warned Chinese video-sharing app TikTok about an alleged breach of existing European Union rules to safeguard user privacy. You may find the decision here and the summary of the decision here.