Recent Development
The Constitutional Court’s decision dated 27 January 2026 and No. 2020/32193 (the “Application”), in which the Court assessed the administrative fine imposed by the Personal Data Protection Authority (the “Authority”) regarding a data controller’s processing activities, particularly in terms of the concept of “intention to make data public” within the legislation, and the application of the principle of legality in crimes and penalties, was published in the Official Gazette dated 16 June 2026 and No. 33282.
The Application is available here (in Turkish).
Background
The Application concerns the allegation that the principle of legality in crimes and penalties was violated due to an administrative fine imposed on a data controller, an insurance company. The data controller company operating in the insurance sector (the “Applicant”) obtained the data subject’s name, surname, and phone number from a publicly available website and contacted the individual by phone to offer its services. The data subject subsequently applied to the Personal Data Protection Authority (the “Authority”), claiming that their personal data had been obtained and used without their explicit consent by the Applicant. The Personal Data Protection Board (the “Board”) assessed that, although the relevant personal data had been made publicly available by the data subject on the relevant website, the Applicant had used such data for commercial purposes without the data subject’s explicit consent and beyond the purpose for which the data had been made public. In other words, the Board concluded that the Applicant processed the personal data outside the data subject’s “intention to make the data public”. Based on this assessment, the Board decided to impose an administrative fine on the Applicant on the grounds that the necessary technical and administrative measures to prevent unlawful processing of personal data had not been implemented (the “Decision”).
The Applicant filed an objection to the Decision before the Criminal Judgeship of Peace, arguing that the personal data had been made publicly available by the data subject itself and that its processing activities were therefore lawful. However, the Criminal Judgeship of Peace rejected the request, finding the administrative sanction justified, and the Applicant’s subsequent objection was also dismissed. In this regard, the Applicant filed an individual application with the Constitutional Court, claiming that concepts such as the “intention to make data public” referred to in the Board’s Decision are not explicitly defined in Turkish Data Protection Law No. 6698 (the “Law”), and that imposing an administrative fine based on concepts which are not defined in the Law violates the principles of foreseeability and legal certainty, as well as the principle of legality in crimes and penalties.
Evaluation of the Constitutional Court
In its evaluation, the Constitutional Court first emphasized that, pursuant to the principle of legality in crimes and penalties protected in Article 38 of the Constitution, individuals must be able to determine, in a clear and foreseeable manner, whether an act constitutes an offence or a crime and the sanctions attached thereto, based on the statutory provisions in force at the time the act was committed. Within this framework, the Constitutional Court examined the legal basis set out under Article 5 of the Law, namely that “the personal data has been made public by the data subject”. However, the Constitutional Court found that the Law does not provide clear rules regarding the scope and limits of making data public, how the data subject’s intention to make data public should be interpreted, or, in particular, whether and to what extent data processing activities that are contrary to such intention are subject to sanctions. In this respect, the Court noted that the criterion of “compliance with the data subject’s intent to make data public” as developed by the Board, does not have an explicit basis in statutory law and rather relies on guidelines published by the Authority.
Against this background, the Constitutional Court concluded that the administrative fine imposed by the Board, on the grounds that the data controller had processed the data beyond the data subject’s purpose of making it public, was based on an interpretation that expanded the foreseeable limits of the statutory framework. Accordingly, the Constitutional Court held that the requirements of clarity and foreseeability inherent in the principle of legality in crimes and penalties were not met, and that the sanction was imposed without a sufficient legal basis. On this basis, the Constitutional Court ruled that the administrative fine imposed on the Applicant constituted a violation of the principle of legality in crimes and penalties.
Conclusion
The Application is of particular significance for data controllers, as it clarifies the limits of the principle of legality in relation to administrative sanctions concerning the processing of personal data. Indeed, through this decision, the Constitutional Court emphasized that, in order for the activities of data controllers to be subject to administrative sanctions, the relevant obligations and the scope of the violation must be regulated at the statutory level in a clear, precise, and foreseeable manner.
In particular, in data processing activities based on the legal ground of “making data public”, although this ground has already been explicitly regulated under Article 6 for processing sensitive personal data, the fact that Article 5, which sets out the legal grounds for processing personal data, does not expressly regulate (i) the criterion that processing must be in line with the data subject’s intent to make the data public, or (ii) the consequences of exceeding such purpose, has been considered as a factor that undermines the compliance of the administrative sanctions imposed by the Authority with the principle of legality. This, in turn, has narrowed the Authority’s margin of discretion, particularly in terms of relying on rules introduced through its guidelines in the future.
