The Personal Data Protection Board (“Board”) published on its website summaries of its recent decisions in relation to (i) the request for deletion of a column in a newspaper consisting of personal data; (ii) the unlawful disclosure of sensitive personal data; and (iii) the unlawful transfer of personal data disclosed during the recruitment process. The decision summaries are available here (in Turkish).
What Do the Decisions Say?
The first decision published on the Board’s website relates to a deletion request for a column in a newspaper consisting of an individual’s name. The Board evaluated the request based on Article 28(1) of Law No. 6698 on the Protection of Personal Data (“Data Protection Law“) stating that the provisions of the Data Protection Law do not apply in the event of “processing personal data for the purposes of art, history, literature or science or within the framework of freedom of expression, on the condition that it does not violate national defense, national security, public safety, financial safety, right of privacy or it does not constitute a crime.” The Board ultimately decided that considering the position of the data subject within the public, the processing is within the scope of the freedom of the press.
The second decision concerns the unlawful disclosure of sensitive personal data on the internet and social media platforms. Doctors took a screenshot of a patient’s medical report a mobile application belonging to the data controller shared the screenshot on the internet and social media platforms. The Board decided this screenshot violated Article 12(1) of the Data Protection Law, and thus imposed an administrative fine on the relevant company under Article 18 of the Data Protection Law.
The last decision concerns the unlawful transfer of personal data containing the application details, name, surname and e- mail address disclosed by a data subject during the recruitment process through the online platform operated by the data controller with other applicants without any legal basis. The Board also evaluated the transfer of this data between the group
companies under the main organization and stated that such transfers also qualify as data transfer to third parties. Accordingly, the Board fined the relevant data controller in line with Article 18 of the Data Protection Law.