To print this text, all you want is to be registered or login on Mondaq.com.
In April, essentially the most important developments within the discipline of
private data safety was the Personal Data Protection
Authority’s (“Authority”) (i) public announcement on
the duty to register with the Data Controllers Registry
(“VERBIS”), (ii) the precept choice on on-line
funds and debt inquiry providers offered by municipalities and
(iii) the Constitutional Court’s choice on the suitable to
request safety of non-public data.
We set out the summaries of the developments in April in Turkey
and all over the world under.
Announcement – Announcement on the data controllers who’ve
failed to meet the VERBIS registration and notification
In the choice dated 11 March 2021 numbered 2021/238, the
Personal Data Protection Board (“Board“)
had granted the next data controllers a interval till 31
December 2021 to meet the duty to register with the
- Real or authorized individual data controllers that make use of greater than 50
workers per yr or have an annual steadiness sheet above TRY 25
million (approx. USD 2.6 million),
- Real or authorized individual data controllers that make use of lower than 50
workers per yr and have an annual steadiness sheet under TRY 25
million (approx. USD 2.6 million) and a precept enterprise exercise
of which is processing particular classes of non-public data
- Data controllers residing outdoors of Turkey
In the general public announcement dated 21 April 2022, the Authority
introduced that it has began to impose administrative sanctions on
data controllers who haven’t fulfilled the above obligation.
The Authority might impose administrative fines from TRY 53,572 to
2,678,863 (approx. USD 3,600 to USD 180,000) on data controllers
who’ve failed to meet the registration obligation.
Disciplinary provisions may also be utilized on the personnel if the
violation happens inside public establishments, organizations and
public skilled organizations.
The announcement is on the market right here (in Turkish).
Decision – Constitutional Court’s choice on proper to
request safety of non-public data
In the choice No. 2018/11988 revealed within the Official Gazette
dated 19 April 2022, the Constitutional Court evaluated an
applicant’s (“Applicant“) proper to
request safety of their private data with respect to non-public
The choice is relating to the Applicant’s declare that the
recording of fingerprints for shift monitoring violates their proper
to non-public life. The Applicant filed a lawsuit earlier than the
administrative courtroom for the annulment of such a monitoring system
and the executive courtroom determined that the system is illegal
since there aren’t any authorized grounds for shift monitoring. On the opposite
hand, the Court of Appeal determined that such a fingerprint monitoring
system doesn’t violate the regulation since public personnel are obliged
to work in the course of the shift and related administrative our bodies are
obliged to oversee.
The Constitutional Court evaluated the applying throughout the
scope of the suitable to request safety of non-public data as per
Article 20 of the Constitution of the Republic of Turkey
(“Constitution“). The Constitutional
Court identified that the restrictions on rights and freedoms
should: (i) have a lawful foundation; (ii) depend on reputable causes underneath
the Constitution; and (iii) adjust to the wants of a democratic
society and the precept of proportionality, based on Article
13 of the Constitution. The Constitutional Court analyzed the case
primarily based on the situation of the restrictions requiring lawful
The Constitutional Court referred to Law No. 6698 on the
Protection of Personal Data (“LPPD“) and
said that within the case at hand, the fingerprint data (i.e.
delicate private data) of the data topic will be processed primarily based
on the specific consent of the data topic, or in circumstances expressly
stipulated within the legal guidelines, with out in search of specific consent. The
Constitutional Court emphasised that even in circumstances the place the
specific consent of the data topics is current, the processing
exercise continues to be required to have a authorized foundation as per the Article
13 of the Constitution.
In the case at hand, it’s evident that the Applicant didn’t
give their specific consent. The Constitutional Court decided
that there’s additionally no regulation that permits for the processing of
biometric data for the needs of shift monitoring. Accordingly, the
Constitutional Court decided that the interference with private
rights doesn’t have a authorized foundation.
The choice is on the market right here (in Turkish).
Decision – Principle choice on the net funds and debt
inquiry providers offered by municipalities
In the choice numbered 2022/388 dated 21 April 2022, the board
evaluated municipalities’ on-line tax fee/ quick fee and
debt inquiry providers on which actual property info of data
topics will be accessed upon submitting the Turkish ID variety of
the related data topic.
The Board said that the two-factor authentication measure is
required the place private data will be accessed remotely in accordance
with the Personal Data Security Guide (Technical and Administrative
Measures). As per the choice, programs that request simply
accessible info of the data topics are thought-about
single-factor verification. Accordingly, programs which can be accessed
by way of (i) a password created particularly by the data topic or (ii)
an SMS code despatched to the data topic’s telephone quantity are
thought-about two-factor verification. The Board said that slightly
than requesting info that may be accessed by third events
comparable to a telephone quantity, date of delivery, mom/father’s title or
a registration quantity, programs ought to request info that solely
the data topic can entry or function primarily based on membership. The
Board additionally said that the municipalities that don’t take the
above measures can be topic to the sanctions set forth underneath
Article 18 of LPPD.
The choice is on the market right here (in Turkish).
Significant developments from all over the world
- USA (New Jersey): Law on the employers’ use of
monitoring system in autos operated by workers enters into
The regulation on the employers’ use of monitoring system in autos
operated by workers entered into impact on 18 April 2022 in New
Jersey. As per the regulation, employers who use monitoring units within the
autos operated by the worker are required to supply written
discover to the workers. Accordingly, civil penalties as much as USD
1,000 for the primary and USD 2,500 for subsequent violations will be
utilized to employers.
The regulation is on the market right here.
- EU: European Data Protection Board (EDPB) adopted a
assertion on the brand new Trans-Atlantic Data Privacy
On 6 April 2022, the EDPB adopted a press release on the settlement in
precept relating to the brand new Trans- Atlantic Data Privacy Framework
introduced on 25 March 2022. The EDPB evaluated the US’ efforts
to undertake strict measures to make sure the safety of non-public data
of the people from the European Economic Area (EEC) as a
optimistic growth. On the opposite hand, the EDPB reiterated that
the adoption of an adequacy choice for the extent of data
safety offered by the US is topic to the EDPB’s opinion
to be submitted to the European Commission. To this finish, EDPB will
look at: (i) the reforms to make sure that private data for nationwide
safety functions will be collected proportionately and solely when
strictly needed; (ii) the redress mechanism and data
topics’ proper to free trial and efficient treatment and (iii)
the supporting paperwork of the European Commission.
The assertion is on the market right here.
The content material of this text is meant to supply a normal
information to the subject material. Specialist recommendation ought to be sought
about your particular circumstances.
POPULAR ARTICLES ON: Privacy from Turkey
New EU-US Data Privacy Framework Agreed
The EU and the United States authorities have introduced they’ve agreed a framework to guard the privacy of non-public data transferred from the EEA to the US.
Data Privacy In A Quantum World
PA Consulting Group
A quantum pc can discover one merchandise in an inventory of 1 trillion in about one second. A classical pc takes a few week to do the identical.