The Principle Decision of the Turkish Personal Data Protection Authority
The principle decision of the Personal Data Protection Authority (“the Authority”) dated 18.09.2019 and numbered 2019/308 has been published on the website of the Authority, and the Official Gazette dated 21.11.2019 and numbered 30955.
The decision regarding the unlawful processing of personal data using the software, programs, and applications by certain institutes and organizations.
In the case, it is stated that the Authority has received various complaints that certain profession groups, law firms and some individuals and organizations operating in finance, real estate consultancy, insurance, and similar sectors have processed personal data unlawfully. Further, it has been determined that certain software, programs, and applications were being used that allow for those parties to search and process personal data, which is not obtained legally, of individuals such as the identity and contact information. This situation was found to be contrary to the data security obligations of the data controller regulated in Article 12 of the Law on Protection of Personal Data w.no. 6698. (“the Law”)
In this context, the Authority has decided that;
The Authority will submit official complaints, against those who use the software, programs, and applications, to the relevant Chief Public Prosecutor's Office pursuant to Article 158 of the Code of Criminal Procedure w.no. 5271, and
Administrative action shall taken (administrative fines) against those parties in accordance with Article 18 of the Law by the Authority.
We evaluate that the Authority's decision on this issue, which has been continuing for years and causing grievances for the data subjects, is very appropriate and timely.
In this context, we believe it is worth mentioning that as a result of the complaints made to the Chief Public Prosecutor's Office against the parties who process the personal data unlawfully by using the said software and programs; such parties may be sentenced to 2 to 4 years imprisonment for unlawful collection of personal data and 1 to 3 years imprisonment for illegal processing of personal data.