Practical guide on opposition against the decisions of The Personal Data Protection Board ("Board")

The Turkish Personal Data Protection Board ("Board") had applied for accreditation on January 4th, 2018  in accordance with the vision it announced as "being an effective and internationally competent authority in the protection of personal data and the public awareness on the issue" . This application was accepted as a result of the voting at the 29th European Conference of Data Protection Authorities (Spring Conference) which was held between 8-10 May 2019. Since Turkey is now entitled as "accredited country" internationally, It has led the Board to accelerate its activities. Recently, based on the Turkish Law on the Protection of Personal Data ("Law")  Article 18 titled Misdemeanors, the Board may impose administrative fines up to 1,000,000 Turkish Liras for each violation, and it appears that these fines will apply without slowing down if companies fail to comply with the regulations of the Board and the Law. This guide contains information about precautions to avoid confronting administrative fines imposed by the Board and remedies to oppose against the Board's decisions.

What are the violations that the Board mostly takes into consideration in its decisions so far while evalating on violations to apply administrative fines?

When we examine the decisions made until today, as a striking example decision of Facebook, we see that the Board mostly takes violation decision against the companies that do not take the necessary technical and administrative measures to ensure the data security in accordance with article 12 (1) of the Law. The Data Security Guide ("Guide"), which the Board has established and referred to in its decisions in order to determine the "necessary technical and administrative measures", has been published publicly and is accessible on the Board's website. In accordance with the Law and the Guide, the data controller shall take all necessary technical and administrative measures to ensure the proper level of security in order to prevent unlawful access to personal data. If the period between the date of the violation and the detection of the violation is long enough, the Board accepts that the necessary audits and controls are not performed by the company, although it varies according to circumstances. Also, once the violation has occurred and the company's data has been accessed, if the attackers are able to move through the system, that is, access to other information from the database first accessed, Board decides that the company's hardware and software are not properly configured and the security measures taken are insufficient.

Another type of violation, which often causes the fines imposed by the Board, is violation of the obligation to notify the Board and data subjects as soon as possible under paragraph (5) of Article 12 of the Law. If the processed personal data is obtained by third parties illegally , the data controller shall inform the data subjects and the Board as soon as possible. With the decision dated 24.01.2019 and numbered 2019/10, and taking into account the European General Data Protection Regulation, which abolished the Directive 95/46 / EC of the European Union which is the source of the Law, the Board decides the relative term of "as soon as possible" should be interpreted as 72 hours. In practice, those who are responsible for the protection of the personel data generally fulfill the obligation of notification to the Board, but if they do not notify the data subject concerned, they will still confront with fines.

How to prevent data protection and what shall be done in case of violation?

Firstly, the obligation to take measures; which is taking all necessary technical and administrative measures to ensure the proper level of security to prevent unlawful access to personal data, and the technical infrastructure needs to be well established. Technical inspections and audits should be increased.

In case of violation, it will be useful to have the necessary technical infrastructures to be able to communicate directly and immediately with the concerned data subjects in order to fulfill the notification obligation.

Our legal advice is that each company should have "due diligence" applied by the professional lawyers who are familiar with legislation and practice regarding the protection of personal data. Thus, possible implementation of large amounts of fines and the remedy procedure can be prohibited.

Where and how to oppose against Board decisions?

Article 18 of the Data Protection Law regulates misdemeanors and administrative fines. The Law itself does not regulate the opposition process against the decisions of the Board. However, law's preamble states that when there is no provision related to misdemeanors, the related provisions of Misdemeanor Law no. 5326 will apply.

Article 27 of the Misdemeanor Law stipulates that administrative fine decisions should be opposed before the competent Magistrates' Court within 15 days following the notification of the decision and if the decision is not opposed within the time limit, the decision becomes final and binding. The competent Magistrate Criminal Court is determined in Art. 12 of Misdemeanor Law as the court where the crime was committed or the court where the victim resident at. Court's ruling wouldn't result in secure an injunction against execution of the decision, but the Board who issued the decision or the Court may review the decision and may suspend the execution. Therefore, the opposition alone does not prevent the Board from requesting execution.

As a result of the examination of the Court according to Misdemeanor Law Article 28, the application may be rejected, the application may be accepted and administrative fines may be removed, or the amount of fines can be amended by Court. However, in order to get results, it is very important that the petition of objection is prepared well and that it is based on solid legal arguments in accordance with legislation and decisions of the Board itself.

What are the points to be considered when objecting to the decisions of the Board?

First of all, in order to benefit from the regulation in the Misdemeanors Law that three-quarters of the fines will be collected from the person who pays the administrative fine before applying to remedy procedure, thus the objection should be applied after the fine penalty is paid. This payment does not affect the right of the person to take legal action against the decision. Appeal without paying the fine penalty will result in the loss of early payment advantage.

Furthermore, as a result of the cancellation of Articles 12 and 13 of the Law Amending Certain Laws for the Acceleration of Judicial Services No. 6217 on the grounds that it violates the constitutional right of audience by the Constitutional Court Decision no. 2011/54. In this case, even if the opposition is rejected, there will be no fee, only the costs of the file will be paid.

Data controllers who are resident outside of Turkey but process the personal data of Turkish residents must be aware that the obligations of the Data Protection Law may also apply to them as well as to the data controllers within Turkey.