Personal Data Protection Bulletin - 2024 First Quarter

Current Developments from Türkiye

Administrative Fine Amounts Under the Personal Data Protection Law No. 6698 Was Determined

Under Article 17 of Law No. 5326 on Misdemeanors; administrative fines shall be applied by increasing the revaluation rate determined and announced following the provisions of the repeated Article 298 of the Tax Procedure Law No. 213 for that year, effective from the beginning of each calendar year. For the year 2024, the revaluation rate was determined as 58.46%. In this context, the current amounts of the lower and upper limits of the administrative fines stipulated in the Personal Data Protection Law No. 6698 (KVKK) are as follows:

• In case of failure to fulfill the obligation to inform; 47.303 - 946.308 TRY,
• Failure to fulfill obligations regarding data security; 141.934 - 9.463.213 TRY,
• In case of non-fulfillment of the Board decisions; 236.557 - 9.463.213 TRY and
• In case of violation of the obligation to register and notify the Data Controllers Registry; 189.245 - 9.463.213 TRY.

You may access the announcement published by the Personal Data Protection Authority ("Authority") here.

The Constitutional Court Annulled Certain Provisions of Law No. 5651 on the Regulation of Publications on the Internet and Combating Crimes Committed through These Publications (Law No. 5651)

With its decision dated 11.10.2023 and numbered 2020/76 E., 2023/172 K. (Decision) published in the Official Gazette dated 10 January 2024 and numbered 32425, the Constitutional Court evaluated the requests for the annulment of certain articles of Law No. 7253 on the Amendment of the Law on the Regulation of Publications on the Internet and Combating Crimes Committed through these Publications. In this context, the Constitutional Court annulled part of Art. 8 (Removal of content and fulfillment of access blocking decisions) and all of Art. 9 (Removal of content and access blocking) of Law No. 5651. The grounds for annulment emphasized that the relevant rules gravely violate the presumption of innocence and freedom of expression and press freedom. The decision enters into force on 10.10.2024.

You can access the Constitutional Court's decision here and our Newsletter article on this decision here.

The Personal Data Protection Board's Decision on the Exemption of Village Public Entities from the Obligation to Register with the Data Controllers Registry was Published

Under Article 16 of the KVKK, natural and legal persons who process personal data are obliged to register with the Data Controllers' Registry before commencing data processing. However, with objective criteria to be determined by the Personal Data Protection Board (Board), an exception to the obligation to register with the Data Controllers' Registry (VERBIS) may be made for certain data controllers. With its decision dated 14.12.2023 and numbered 2023/2135, the Board decided to exempt village public legal entities from the obligation to register with VERBIS.

You can access the decision published by the Board here and our announcement on this issue here.

The Authority's Strategic Plan for 2024-2028 was Published

On 12.01.2024, the Authority published the Strategic Plan for the Period 2024-2028 (Plan). The main purpose of the Plan is to increase awareness of the KVKK, to encourage a culture of seeking rights by resolving notifications and complaints within the scope of the KVKK through a fast decision-making process, and thus to ensure that personal data is processed by fundamental rights and freedoms. To achieve these objectives, the Plan envisages a roadmap consisting of 5 sections: preparation process, current situation analysis, future outlook, strategy development, monitoring, and evaluation.

You may access the Plan published by the Authority here (in Turkish).

Guidelines on the Processing of Republic of Türkiye Identity Numbers Published

On 16.01.2024, the Authority published the Guidelines on the Processing of the Republic of Türkiye Identity Numbers (Guidelines). The purpose of the Guidelines is to emphasize the issues to be considered during the processing of the Republic of Türkiye identification numbers, which may lead to victimization since it may provide access to other personal data of the data subjects due to its nature. The Guidelines guides data controllers by setting out the relevant legislation provisions regarding the processing of identification numbers in sectors such as e-commerce, cargo, transportation, electronic communication, and insurance, as well as in services provided by public institutions and organizations.

You can access the Guidelines published by the Authority here and our announcement on this subject here.

Public Announcement on "Requests of Turkish Citizens Living Abroad Regarding the Non-Transfer of Financial Account Data Abroad"

On 17.01.2024, the Authority published a Public Announcement (Announcement) on "Requests of Turkish Citizens Residing Abroad Regarding the Non-Transfer of Financial Account Data Abroad". In the Announcement, it was stated that many citizens of the Republic of Türkiye residing abroad applied to the Turkish Revenue Administration and the relevant banks and requested information on whether their financial data was transferred to the authorities abroad, and that the citizens applied to the Authority on the subject because they did not receive sufficient responses to the relevant applications. Referring to its decision dated December 28, 2023, and numbered 2023/2199, the Board emphasized that the data transfer activities in question comply with legal standards and that no further action is required regarding the relevant applications. Additionally, the Board announced that it will not consider any complaints submitted to the Authority, past or future, about this decision.

You can access the Announcement published by the Authority here.

Deep Fake Information Note was Published

The Authority published a Deep Fake Information Note on 19.01.2024. Deep Fake Information Note aims to provide a better understanding of "deepfake" technology, which is formed from the words deep learning and fake. The Deepfake Information Note includes information on the definition of Deepfake, what it is used for, the threats it poses to personal data, how it can be detected, and what individuals and organizations can do against such technology.

You may access the Deepfake Information Note published by the Authority here and our announcement here.

Information Note on the Personal Data Processing Condition of Explicit Provision in Laws was Published

On 12.02.2024, the Authority released an Information Note regarding the Personal Data Processing Condition of Explicit Provision in Laws. This note aims to elucidate the scope and interpretation of the condition "expressly stipulated by law" as outlined in Article 5/2(a) of the KVKK. The document provides evaluations under both KVKK and European Union (EU) law.

You can access the Information Note published by the Authority here and our related announcement here.

KVKK Bulletin on Online Privacy and Cookies was Published

On 15.02.2024, the Authority published the third issue of the KVKK Bulletin (Bulletin), focusing on online privacy and cookies. This edition includes detailed information on the history and function of cookies, how cookies operate, examples of best and bad practices concerning cookie usage, as well as insights into digital fingerprinting and the privacy implications.

You can access the Bulletin published by the Authority here.

KVKK Amendment was Published in the Official Gazette

Law No. 7499 on Amendments to the Code of Criminal Procedure and Certain Laws (Law), which introduces amendments to the KVKK, was published in the Official Gazette dated 12.03.2024 and numbered 32487. The Law revises the processing conditions for special categories of personal data to align with the European Union General Data Protection Regulation (GDPR). It introduces new conditions for data processing and creates a new system for the international transfer of personal data, mirroring the framework used in the GDPR. Additionally, the Law changes the appellate process for administrative fines issued by the Board, assigning administrative courts as the new authority for objections.

You may access the announcement published by the Authority here and our announcement on here.

Key Actions

• For data controllers and data processors subject to the KVKK, the new systematic on the processing of special categories of personal data and cross-border data transfers will enter into force in June 2024. During this period, those who carry out personal data processing activities should closely follow the developments and start their preparations for compliance with the new system when the implementation regulation and the announcements of the Authority are published. 

Recent Developments from the World

The OECD (Organization for Economic Co-Operation and Development) Started a New Expert Group for Policy Synergies in AI, Data, and Privacy 

The OECD formally announced the establishment of a new expert group, namely, the OECD.AI Expert Group on Artificial Intelligence (AI), Data, and Privacy. The expert group consists of leading experts worldwide from various sectors such as data protection authorities, policymakers, industry, civil society, and academia. The group aims to share insights and perspectives on how different jurisdictions address AI-related privacy challenges and explore ways to ensure AI technology respects and enhances privacy. To promote interoperability and coordination, experts will address differences in terminology usage between the AI and privacy fields. They will explore intersections between concepts like algorithmic fairness and contextual fairness, aiming to develop fair AI systems that process personal data ethically.

You may find the news here.

European Union (EU) Data Act is in Force 

On 11.01.2024, Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13.12.2023 on harmonized rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act), has completed its legislative process and came into force. The Data Act is a robust initiative designed to tackle the challenges and capitalize on the opportunities that data presents within the EU, prioritizing fair access and user rights while safeguarding personal data protection. It will mainly be applicable as of 12.09.2025. However, certain obligations may have different dates of effect. To exemplify, the requirement for connected products and services to be designed to allow user data access will apply to products and services introduced to the market after 12.09.2026.

You may find the full Data Act here.

The European Commission Announced Its Decision to Establish the European AI Office 

On 24.01.2024, the European Commission (EC) announced its decision regarding the establishment of the European Artificial Intelligence Office the Commission as part of the administrative structure of the Directorate-General for Communication Networks, Content and Technology and subject to its annual management plan. The European Artificial Intelligence Office will operate in line with the EC’s internal procedures, without diminishing the authority of national competent bodies and EU agencies overseeing AI systems. The office will issue guides, ensuring no redundancy with existing EU bodies under sector-specific laws.

You may find the decision here.

The European Data Protection Board Launches Website Auditing Tool

On 29.01.2024, the European Data Protection Board (EDPB) announced the launch of a website auditing tool designed to assist in analyzing website compliance with data protection laws. Developed within the EDPB Support Pool of Experts, the tool is suitable for use by both legal and technical auditors at data protection authorities, as well as by controllers and processors seeking to assess their websites. The tool enables easy preparation, execution, and evaluation of audits directly within the tool interface. It also allows for compatibility with other auditing tools and generates comprehensive reports. This initiative aligns with the EDPB’s strategy to enhance data protection authorities’ enforcement capacity through common tools and access to a diverse pool of experts.

You may find the full announcement here.

Information Commissioner’s Office (ICO) Warns Organizations to Proactively Make Advertising Cookies Compliant After Positive Response to November Call to Action  

On 31.01.2024, ICO reported significant progress in ensuring compliance with data protection law regarding the use of advertising cookies on websites after their November Call to Action. After contacting 53 of the country’s top 100 websites in their Call to Action, the ICO stated that 38 have already made their cookie banners compliant, with four more pledging to do so within a month. Furthermore, ICO highlighted that this initiative will expand beyond the top 100 websites, with plans to address the next 100 and the 100 after that, and includes the development of an AI tool to identify non-compliant cookie banners more efficiently.

You may find the news here.

ICO Approved A Certification Scheme Aimed at Legal Service Providers Who Process Personal Data

On 13.02.2024, certification schemes were introduced under the UK GDPR to help legal service providers such as law firms and barristers demonstrate compliance with data protection requirements and in turn, inspire trust and confidence in the people who use their products, processes, and services. 

You may find the news here.

EDPB Clarifies the Notion of “Main Establishment” under the GDPR 

On 13.02.2024, the EDPB issued an opinion in response to a request from the French Supervisory Authority regarding the definition of a controller’s “main establishment” under the GDPR and the criteria for applying the one-stop-shop mechanism. In the opinion, EDPB stated that a controller’s “place of central administration” in the EU can be considered a main establishment only if it makes the decisions on the purposes and means of the processing of personal data and it has the power to have these decisions implemented. Furthermore, EDPB highlighted that the one-stop-shop mechanism applies only if an EU establishment of the controller makes and implements decisions about processing operations. Therefore, if decisions about processing and their implementation occur outside the EU, there is no main establishment under the GDPR, and the one-stop-shop mechanism does not apply.

You may find the full opinion here.

Key Actions

• The concept of "main establishment" under the GDPR has a key role in determining whether companies located outside the EU are subject to the GDPR. Therefore, the EDPB's opinion should be taken into consideration when assessing under which conditions an organization established in the EU will be considered as the "main establishment ".

Digital Services Act Starts Applying to All Online Platforms in the EU 

On 17.02.2024, the Digital Services Act (DSA), the EU’s landmark rulebook that aims to make the online environment safer, fairer and more transparent, started to apply to all online intermediaries in the EU. All online platforms with users in the EU, except for small and micro enterprises employing fewer than 50 persons and with an annual turnover below €10 million, must implement measures to (i) counter illegal content, goods, and services, (ii) empower users with information about advertisements, (iii) ban advertisements that target users based on sensitive data, (iv) provide statements of reasons to users affected by any content moderation decision, (v) provide users with access to a complaint mechanism to challenge content moderation decisions, (vi) publish a report of content moderation procedures at least once per year, provide users with clear terms and conditions, and designate a point of contact for authorities, as well as users.

You may find the EC’s press release here.

European Parliament Approves the AI Act 

On 13.03.2024, the European Parliament adopted the AI Act with 523 votes in favor, 461 votes against, and 49 abstentions. The European Council is anticipated to formally endorse the finalized text of the AI Act in April 2024. The AI Act has a wide-reaching jurisdiction, covering providers, deployers, importers, and distributors, with significant fines for non-compliance. It introduces new regulations for AI, with separate requirements for “foundation models” providers. It applies a risk-based approach, imposing substantial obligations on AI systems considered “high-risk.” Furthermore, certain applications with “unacceptable risk” will be prohibited, with exceptions.

You may find the full AI Act here.

Key Actions

Sector actors that fall within the scope of the AI Act are required to review the law, the rules, and the obligations to which they are subject, and start preparations to comply and create a compliance roadmap.

ICO Released Guidance Regarding Biometric Recognition

On 23.02.2024, ICO released a Biometric Recognition Guidance that explains how data protection law applies when biometric data is used in biometric recognition systems. The guidance defines biometric data under the UK GDPR and focuses on biometric recognition uses and explains how these involve processing special categories of personal data. The guide covers; what biometric data is, when it is considered special category data, its use in biometric recognition systems, and the data protection requirements that must be complied with.

You may find the guidance here.

Key Actions

It would be useful for anyone using biometric recognition systems, particularly UK-based data controllers or data processing organizations, to review the ICO's Guidance.

ICO Launches “Consent or Pay” Call for Views and Updates on Cookie Compliance Work

On 06.03.2024, in their efforts to ensure compliance with data protection laws in online advertising, ICO introduced the “consent or pay” model. This approach offers users a choice between consenting to personalized advertising in exchange for free website access or opting out of tracking by paying a fee. In addition, a “call for views” has been launched to gather opinions on this regulatory strategy from various stakeholders, including publishers, advertisers, and academics.

You may find the news here.

Court of Justice of the European Union Issues a Judgment Regarding Personal Data and Online Advertising 

On 07.03.2024, the Court of Justice of the European Union (CJEU) ruled on 2 key questions related to "Real-Time Bidding" (RTB) in online advertising, referred by the Belgian Court of Appeal. The first question dealt with whether a Transparency and Consent String (TC String), a code representing a user’s consent preferences and potentially linked to identifiable data like an IP address, is considered personal data under GDPR. The CJEU affirmed that a TC String does qualify as personal data.

The second question concerned whether a sectoral organization providing its members with consent handling rules qualifies as a "data controller" and if this implicates joint controllership in data processing by third parties for targeted advertising. The CJEU determined such an organization can be considered a "joint controller" if it significantly influences how personal data is processed, although joint controllership does not extend automatically to third-party data processing like that by websites or app providers for targeted advertising.

You may find the judgment here.

The CJEU Ruled That Providing Information Regarding Criminal Conviction Falls Within the Scope of the GDPR

On 07.03.2024, the CJEU delivered a judgment on a case involving a national court's refusal to share data related to the criminal convictions of a third party. The CJEU concluded that the oral disclosure of information on possible ongoing or completed criminal proceedings constitutes “processing of personal data” under GDPR if it is or is intended to be part of a filing system. The CJEU also determined that the GDPR prohibits the oral disclosure of such data from court files to anyone, without requiring the requester to demonstrate a specific interest, regardless of whether the requester is a commercial entity or an individual. This judgment clarifies GDPR's stance on the oral processing and disclosure of personal data concerning criminal convictions.

You may find the judgment here.

Key Actions

Data controllers or processors should take into account the rules stipulated in the applicable data protection legislation as well as the current decisions during the processing and disclosure of special categories of personal data related to criminal convictions and security measures; along with acting in accordance with the data protection rules even when sharing information verbally.

CJEU Affirms Powers of Data Protection Authority to Erase Unlawfully Processed Data

On 14.03.2024, the CJEU ruled that the supervisory authority of a member state is entitled, in the exercise of its corrective powers foreseen under the GDPR, to order the controller or processor to erase unlawfully processed personal data, even though no request to that effect has been made by the data subject. Furthermore, the CJEU also highlighted that the authority of a member state’s supervisory authority to order the erasure of unlawfully processed personal data extends to both data obtained directly from the data subject and data acquired from alternative sources.Formun Üstü

You may find the full judgment here.

To download the bulletin in pdf format, click here.