On June 26, 2020, the Turkish Data Protection Authority (“the Authority”) made a public announcement on privacy notices.
The announcement relates to violations of the legislation and to the issues that data controllers should pay particular attention to while fulfilling their obligation to inform via privacy notices.
Data controllers’ obligation to inform means informing the data subject regarding processed personal data. This obligation, specified in Article 10 of the Law on the Protection of Personal Data (“the Law”), is one of the most significant obligations for the data controller. The obligation to inform is a right of the data subject and an obligation of the data controller; however, it is not an obligation subject to the request of the data subject. The data controller must fulfill its obligation to inform where the data subject’s explicit consent or any other personal data processing conditions regulated in Article 5 of the Law exist when processing personal data.
Based on the privacy notices submitted to the Authority by the data controllers and other privacy notices that the Authority has reviewed and examined, the Authority identified the following deficiencies and violations:
The data controller does not fulfill the obligation to inform at the time of obtaining personal data from the data subject (they do it later or not at all),
The privacy notice content does not cover the points in Article 10 of the Law,
The privacy notices contain expressions that mean that the controller can further process personal data for other purposes in the future, and therefore the processing is not specific, transparent, legitimate, or limited to its purpose,
“Legal justifications” and “the purpose of processing,” which are minimum elements of the privacy notices, are used with the same meaning, or “legal justification” is entirely omitted from the privacy notice,
Understandable, clear, and plain language is not used in the privacy notices and the language used is very general, open to misinterpretation, lacking in transparency, and fallacious,
The privacy notices do not sufficiently explain the purpose of transfer and the group or groups of recipients of personal data,
The privacy notices that are in use are texts such as “privacy policies” or “data processing policies,” which cover the general data processing practices of the controller and are not specific and limited to particular processing activities,
The privacy notices are not easily accessible by data subjects,
When a layered approach is in use, the data controllers do not provide sufficient information in the first stage before directing data subjects to other channels. Further, data controllers do not follow the appropriate mechanisms for data subjects’ access to privacy notices and refer data subjects to “privacy policies” or “data processing policies,”
Data controllers present the privacy notice and explicit consent in the same text or platform under the same title,
Data controllers request data subjects’ approval confirming that they have been presented with the privacy notice, and if data subjects do not provide the approval, data controllers refuse to provide the service.
Data controllers must act in accordance with the Law, the Communiqué on Principles and Procedures to be Followed in Fulfillment of the Obligation to Inform, the decisions of the Authority, and the Guide on Fulfillment of Obligation to Inform while fulfilling the obligation to inform.
Under Article 18 of the Law, “those who fail to comply with the obligation to inform provided for in Article 10 herein shall be required to pay an administrative fine of TRY 9.013 to TRY 180.264” (approx. 1,158 EUR to 23,1675 EUR on July 14, 2020). Therefore, the Authority announced the following evaluations:
The burden of proof that the obligation to inform is fulfilled is on the data controller,
The data controller or the persons authorized by the data controller should fulfill the obligation to inform while collecting personal data from the data subject,
The privacy notice shall cover the issues listed in Article 10 of the Law at a minimum,
Under the Communiqué on Principles and Procedures to be Followed in Fulfillment of the Obligation to Inform published in the Official Gazette dated 10.03.2018, where personal data is not obtained from the data subject because of actual impossibility or the inaccessibility of the data subject, data controllers shall fulfill the obligation to inform: (a) within a reasonable time following the collection of the personal data, (b) at the first contact in case personal data is used to communicate with the data subject, (c) at the time of the first transfer of personal data to a third party,
The language of the privacy notices shall be clear and plain,
“Legal justification” and “the purpose of processing” are separate points that should be placed separately in privacy notices. Further, under “Legal justifications,” data controllers must identify which legal justification(s) under Articles 5 and 6 of the Law are relied on for processing personal data,
Privacy policies or data processing policies are not limited to a specific processing activity and are general data processing documents of the data controller; therefore, these documents should not be used as privacy notices,
Privacy notices shall be easily accessible by the data subjects,
The data controller shall specify the purpose of transfer and the group or groups of recipients in privacy notices,
When a layered approach is preferred, the data controllers shall provide sufficient basic information (i.e. identity of the controller and the purpose of processing) in the first stage before directing data subjects to other channels. Further, data controllers shall make sure that the referred texts are specific to the current data processing activity.