On November 8, 2019, the Turkish Data Protection Authority (“DPA“) published a public announcement on its website providing further guidance on data controllers’ obligation to inform data subjects about data collection provided under Article 10 of Law No. 6698 on the Protection of Personal Data (“Data Protection Law“).
What Does the Decision Say?
As per Article 10 of the Data Protection Law, data controllers must inform data subjects on several points prior to the collection of personal data. Many companies choose to fulfill their information obligations by placing a privacy notice on their websites.
The DPA observed during its recent investigations that the website privacy notices provided by many data controllers, in particular media organizations, directly refer to the European General Data Protection Regulation (“GDPR“) when explaining the applicable policies and rules regarding the processing of personal data and their compliance with the applicable data privacy laws.
The DPA has underlined that a data controller’s compliance with the GDPR does not guarantee its compliance with the Data Protection Law, and that the data controllers must primarily ensure that their operations are in line with the provisions of the Data Protection Law. In this respect, the DPA stated that a sole reference to the GDPR in privacy notices is insufficient in fulfilling the information obligation under Article 11 of the Data Protection Law. Accordingly, data controllers must explicitly refer to the provisions of the Data Protection Law in their privacy notices, refrain from providing ambiguous and general explanations, and provide clear and detailed information on each of the following points:
- identity of the data controller and its representative (if any);
- the purposes of the data processing;
- the third parties to whom data may be transferred (in Turkey or abroad) and the purposes of such transfer;
- the methods and legal grounds for the data collection (by explicitly mentioning which legal grounds are invoked from those listed under Articles 5 and 6 of the Data Protection Law); and
- the data subjects’ rights listed under Article 11 of the Data Protection Law.
The DPA has been tentatively focusing more on the data processing activities of foreign companies processing data relating to individuals located in Turkey and the Turkish affiliates of multinational companies. Considering that failure to comply with the information obligation may be subject to administrative fines, data controllers must not rely solely on their compliance with the GDPR and must evaluate their data processing activities specifically in light of the requirements of the Data Protection Law.