Two-Minute Recap of Recent Developments in Turkish Personal Data Protection Law – July 2023

Two-Minute Recap of Recent Developments in Turkish Personal Data Protection Law – July 2023

Turkiye
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

In July 2023, the Turkish Personal Data Protection Authority (the “DPA”) issued a decision, a bulletin and published nine data breach notifications.

The DPA also announced the dates for the forthcoming II International Personal Data Protection Congress, set for 16-17 November 2023. Jointly organised by the DPA and Bilkent University Faculty of Law, the main theme of this year’s event is “Privacy: A Priority in the Digital Age”. The congress will offer various types of sessions, including international, plenary, and simultaneous hybrid sessions conducted in Turkish and English as the official languages.

Attention for Data Controllers: Threshold Value for VERBIS Obligation Raised to TRY 100 Million.

On 25 July, with the decision of the DPA published in the Official Gazette, the financial balance threshold considered for the obligation to register in the Data Controllers Registry (“VERBIS”) has been raised from TRY 25 million (approx. EUR 855,000) to TRY 100 million (approx. EUR 3,420,000). 

The DPA’s decision numbered 2018/87, which governs the VERBIS registration obligation, has been revised to update the threshold related to the annual total of the financial balance sheet. Previously, local data controllers with (i) fewer than 50 employees annually and (ii) an annual total on their financial balance sheet of less than TRY 25 million were exempted from the VERBIS registration obligation, unless they primarily process sensitive personal data. With this recent decision, the threshold for the exemption related to the balance sheet has been increased from TRY 25 million to TRY 100 million.

In order to calculate the annual financial balance sheet:

  • There must be a completed year;
  • The financial balance included in the financial statements attached to the income or corporate tax declaration given annually submitted to the competent public authority for this completed year should be evaluated, and;
  • The total amount that is equal in the “assets” or “liabilities” section of this financial balance information should be considered.

Regulation on Advertising and Promotion related to Health Services is in Effect!

On 29 July, the Ministry of Health introduced the “Regulation on Promotional and Informative Activities in Health Services” (the “Regulation”), with its primary purpose being the regulation of advertising, promotional, and information activities related to health services. The Regulation outlines the scope of these activities, sets forth the principles that must be complied with, and determines the sanctions to be imposed in cases of non-compliance. 

Key points addressed within the Regulation include:

  • A prohibition on both implicit and explicit advertising in the delivery of health services;
  • A set of rules and principles governing promotional and informative activities for health services and sanctions for non-compliance;
  • A provision stipulating that the activities should be carried out in accordance with the Law on the Protection of Personal Data numbered 6698.

First Issue of DPA Bulletin Published!

The first issue of the DPA Bulletin, prepared to increase awareness and share information about the protection of personal data, has been published. This initial edition covers the subject of generative artificial intelligence, including global developments, and highlights current developments made during the period from January to June 2023. It has been announced that the bulletin is planned to be published quarterly. Below you can find one of the interesting topics from this new Bulletin:

The DPA asked the ChatGPT:

In this Bulletin, the DPA raised a question to ChatGPT concerning the importance of privacy in generative AI implementations. In response, ChatGPT emphasised that this technology poses a significant risk to privacy, highlighting the necessity for enhanced transparency.

ChatGPT’s response highlights the crucial importance of privacy in the age of Generative AI. By using vast databases containing millions of data points from both public and private sources, generative artificial intelligence poses a significant risk to individual privacy. As per the generated response of ChatGPT, to effectively addresses these challenges (i) enhanced transparency regarding the training and usage of AI models, and (ii) implementing policies to ensure responsible data usage and developing ethical guidelines for AI practices are necessary.

The DPA announced the following data breach notification in July:

  • Data controller: Oden İnşaat Turizm ve Ticaret
    • Affected Data Subjects: Customers
    • Affected Personal Data: Identity, Communication, Finance and Customer Transaction Data
    • Number of Data Subjects: 155
  • Data controller: Anadolu Isuzu Otomotiv Sanayi Ticaret
    • Affected Data Subjects: Employees
    • Affected Personal Data: Identity and Communication Data
    • Number of Data Subjects: 1,113
  • Data controller: Çelik Motor Ticaret
    • Affected Data Subjects: Employees
    • Affected Personal Data: Identity and Communication Data
    • Number of Data Subjects: 2,242
  • Data controller: Geberit Tesisat Sistemleri Ticaret
    • Affected Data Subjects: Employees
    • Affected Personal Data: Identity and Communication Data
    • Number of Data Subjects: 743
  • Data controller: Mais Motorlu Araçlar İmal ve Satış
    • Affected Data Subjects: Employees
    • Affected Personal Data: Identity and Communication Data
    • Number of Data Subjects: 4,776
  • Data controller: Schneider Elektrik Sanayi ve Ticaret
    • Affected Data Subjects: Employees
    • Affected Personal Data: Identity and Communication Data
    • Number of Data Subjects: 12,249
  • Data controller: Toyota Türkiye Pazarlama ve Satış
    • Affected Data Subjects: Employees
    • Affected Personal Data: Identity and Communication Data
    • Number of Data Subjects: 286
  • Data controller: Vodafone Dağıtım Servis ve İçerik Hizmetleri
    • Affected Data Subjects: Employees
    • Affected Personal Data: Identity, Communication and Personal Information Data
    • Number of Data Subjects: 26,698
  • Data controller: Vestel Ticaret
    • Affected Data Subjects: Employees
    • Affected Personal Data: Identity and Communication Data
    • Number of Data Subjects: 7,560

By Ceren Ceyhan, Associate, Hatice Nur Arslan, Junior Associate and Bahar Bozdemi, Legal Trainee, Kinstellar