The Personal Data Protection Board (“Board”) published a decision in the Official Gazette on May 31, 2018 concerning employees of data controllers who have access to personal data and process it outside the scope of their authority and the purpose of processing.
What Does the Decision Say?
Article 12(1) of Law No. 6698 on the Protection of Personal Data (“Data Protection Law”) requires data controllers to take all necessary technical and administrative measures to ensure the appropriate level of security of the personal data processed. In this context, the Board underlines the obligation of data controllers to prevent those who have the authority to access personal data based on their position or duty from processing or sharing personal data with third parties, except for authorized processing. The Board notes that data controllers are obliged to ensure the appropriate level of security to prevent potential violations caused by their employees who unlawfully process data, either deliberately or negligently.
The Board continues to provide guidance on data controllers’ obligations under the Data Protection Law. Considering that failure to comply with the data security obligations may be subject to administrative fines ranging from TRY 15,000 to TRY 1,000,000, data controllers must carefully follow the Board’s guidance and decisions on data controllers’ obligations and take the necessary steps to ensure compliance.