Republic of Türkiye

[TR] Summary of Recent Decisions and Current Developments regarding the Turkish Data Protection Authority

IRIS 2018-9:1/33

Gizem Gültekin Várkonyi

University of Szeged, Faculty of Law and Political Science

The Turkish Data Protection Authority (DPA) was established in 2016 as a result of a referendum held in 2010, known as the “2010 Constitutional Amendments Package.”

Since 2016, the Turkish DPA has been developing both organisational and legal frameworks to ensure the effective safeguarding of data protection rights in the country. In the course of this, the DPA has ruled on several cases, and those rulings have been now published in a summary on the official DPA website, as follows:

- A data subject applied to the DPA requesting that his/her name be removed from an online newspaper’s opinion column section where his/her name was mentioned. The DPA rejected the request in the light of the public role of the data subject, newspapers’ right to freedom of expression, and freedom of the media.

- An ex officio procedure was launched by the DPA concerning a case regarding a picture - shared on the Internet and on social media platforms - that depicted the health report of a data subject. The data controller was fined because of its failure to ensure the data protection rights of the data subject in question.

- A data controller was fined by the DPA for obliging data subjects to give their consent to receiving certain services, even though such consent was not necessary for the performance of the relationship between data subjects and the controller.

The Turkish DPA furthermore announced the establishment of a system called the “Data Controllers’ Registry Information System”, for which data controllers will have to register. The process will start in October 2018 and will last until 30 June 2020. In respect of this procedure, four types of data controllers were specified: The first category of data controllers are companies whose number of employees amounts to more than 50 annually or whose financial balance is more than 25 million Turkish Liras (TRL - approximately EUR 3 million). The second category is composed of data controllers located outside the country. The third category covers data controllers with less than 50 employees and whose annual turnover is less than TRL 25 million, but whose main field of operation consists of processing special categories of personal data. The final category of data controllers comprises public institutions. Of these categories, the first two should complete their registration process within 12 months, and the last two categories should complete their registration within 15 months of the establishment of the Data Controllers’ Registry.