To print this article, all you need to do is be registered or log in to Mondaq.com.
May 2022 – In April 2022, the Turkish Personal Data Protection Board (“Plank“) issued a landmark decision, issued a public announcement and announced five data breach notifications. In addition, the Constitutional Court of Turkey (“constitutional Court“) issued two judgments on the protection of personal data.
The Council reminds data controllers of the obligation to register with VERBIS
On April 21, the Council made an announcement and reminded data controllers of the obligation to register in the register of data controllers (“VERBIS“). In its announcement, the Council emphasized that the deadline for fulfilling the obligation to register with VERBIS was 31 December 2021, and that the Council has the power to impose administrative sanctions against controllers who have not fulfilled this obligation.As a result, the Council announced that it may impose pecuniary administrative fines ranging from TRY 53,576 to TRY 2,678,866 (approximately EUR 3,404 to EUR 170,161) to controllers who do not comply with the registration obligation.
More steps for authentication and more secure data protection!
Based on several complaints against municipal authorities, the Council issued a key decision assessing systems used by authorities that only require one-step authentication for property tax payment and/or utility services. debt survey provided online.
The Council underlined the importance of organizational and technical measures when processing personal data and assessed the practices of municipal authorities for login processes on their websites. During the login process, the system only requires one-step authentication to access real estate information.
In its decision, the Commission stated that:
- In the event of remote access to personal data, data controllers must implement a two-step authentication control to ensure data security in accordance with personal data security guidelines.
- Data controllers can implement identity validation through two-step authentication methods (i.e. after the first step, verification is completed by a system such as an SMS personalized, code or password sent to the user’s e-mail or telephone).
Accordingly, this landmark decision demonstrates the two-step authentication method necessary to ensure data security not only for municipal authorities but for all data controllers who provide online services that include personal data.
Warning: Employee fingerprints capture employers
On April 19, the Constitutional Court concluded a case involving a municipality that wanted to process employees’ biometric data to track employees’ shifts. Accordingly, the Constitutional Court ruled that the processing of fingerprint data to track employees’ shifts without explicit consent or authorization by law violates the right to seek protection of personal data.
Background to the case:
- The applicant lodged a complaint with the municipality on the grounds that fingerprints are considered personal data allowing the physical identification of an individual and that they must therefore remain within the framework of the intimacy of his private life.
- The municipality dismissed this objection on the grounds that it had put in place the relevant system of monitoring the working hours of employees to contribute to the public interest.
In conclusion, the Constitutional Court stated that, since fingerprint data is considered sensitive personal data, the municipality can only process such sensitive data if (i) the data subject gives his explicit consent or (ii) such activity of treatment is stipulated by law. However, in this concrete case, it was determined that the applicant had not given his explicit consent to the processing of his fingerprints and that no law stipulates such data processing activity. As a result, the municipality’s data processing activity was deemed illegal.
From the Constitutional Court: “Personal letters from detainees must remain personal.”
On April 7, the Constitutional Court concluded a case on the registration of personal letters of detainees through the official national judicial computer system, which is an online justice system that covers all judicial institutions and other government departments. . In its decision, the Constitutional Court unanimously found that the applicant’s right to privacy and freedom of communication had been violated. For detailed information, please see our article here.
The Council announced the following data breach notifications in April
|Data controller||Persons concerned||Personal data concerned||Number of people concerned|
|Keyubu Internet and Bilisim Hizmetleri||Customers||Identity, communication, customer transaction, transaction security information||N / A|
|Paketman E-Ticaret Sanayi Ticaret Anonim Sirketi||Users||Identity, communication, location information||1,362|
|Magna Ventures Yazilim ve Teknoloji Girisimleri Ticaret Anonim Sirketi||Member users||Identity, communication information||7,823|
|Villacim Emlak Turizm Insaat Sanayi ve Ticaret Limited Sirketi||Customers||Identity, communication information||35,956|
|Yildizlar Yatirim Holding AS, Yildiz Demir Çelik Sanayi AS, Yildiz Entegre Agaç Sanayi AS v Istanbul Gübre Sanayi AS (IGSAS)||N / A||N / A||N / A|
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.
POPULAR ARTICLES ON: Privacy from Turkey