State-Owned Turkish Bank was under the Scrutiny of the Turkish Data Protection Authority
Article by Ertuğrul Can Canbolat, Baran Can Yıldırım, and S. İrem Akın
The Turkish Data Protection Authority ("DPA") on 27.05.2019 published through its website a summary of its decision concerning a Turkish state-owned bank, T.C. Ziraat Bankası A.Ş. ("Bank"). This is the third time the DPA has published a decision in which a public institution is investigated, and the first time the DPA has revealed the name of the concerned public institution.
The decision is of importance as it draws the framework of the "obligation to inform" under the Turkish Personal Data Protection Law No. 6698 ("Data Protection Law"). In addition, the DPA rarely publishes the name of the data controller, and this decision is an example where the DPA has chosen to do so, probably to raise awareness given that the data controller subject to the investigation is an institution well known to the public.
One of the core obligations of a data controller under the Data Protection Law is the "obligation to inform" as stated in Article 10. According to this provision, data controllers have to inform the data subjects of certain elements of the data processing activities. The obligation to inform is fulfilled if the Information Note contains the following aspects: (i) the identity of the data controller, (ii) the purposes of the processing, (iii) the persons to whom processed personal data might be transferred and the purposes of this transfer, (iv) the method and legal ground of collection of personal data and (v) the rights of the data subject set forth under Article 11.
The data controllers are free to choose the way of fulfilling this obligation as long as they ensure that the data subjects are informed on these specific components of the processing. Most commonly, the data controllers publish an Information Note through their website which includes the aforementioned elements for the purpose of fulfilling their obligation to inform.
According to the DPA's decision, the data subject applied to the Bank via his/her registered e-mail about the Bank's Information Note. Although the details of the application are not clear in the summary of the decision, the application may be related to the deficiencies of the said Information Note and may include a request that the Bank revise the Information Note to include all mandatory aspects stated above.
Pursuant to Article 11 of the Data Protection Law, the data subjects should first apply to the relevant data controller (and not to the DPA) if they have a query about their personal data. However, in cases where these applications are (i) rejected, (ii) answered insufficiently, or (iii) not answered in due time (as soon as possible and within 30 days at the latest) by the concerned data controller, the data subject holds the right to file a complaint to the DPA.
A similar process took place in the Bank's case. The data subject applied to the Bank, but the Bank failed to reply to the data subject's application within the 30-day period. As a result, the data subject submitted a complaint to the DPA. The complaint includes the data subject's original concern regarding the Bank's Information Note, namely its non-compliance with the data protection legislation's requirements, and additionally the Bank's failure to reply to his/her application in an appropriate and timely manner as stated in Article 14.
Assessments by the DPA on the Information Note
Upon the complaint, the DPA requested the Bank's explanations regarding the case with an official letter. However, the Bank did not reply to the DPA either. Therefore, it is understood that the DPA proceeded without obtaining the Bank's defence.
The DPA concluded that the Bank's Information Note, which was published on the Bank's website, included ambiguous terms in setting out the conditions and purposes for processing personal data, and that this creates uncertainty for the Bank's further data processing activities. Due to this, the DPA decided that the Bank shall revise its Information Note and make necessary adjustments in accordance with Article 5(g) and (h) of the Communiqué on Principles and Procedures for Fulfilment of Obligation to Inform.
The first condition given under Article 5(g) is that the purposes of the data processing activity must be specific, clear and legitimate and any general and vague statements shall be avoided and not used while informing the data subjects about their data and its processing. Also, the same provision obliges the data controller to refrain from using statements which may enable the data controller to process the personal data for other purposes than the ones clearly specified in the Information Note. Similarly, Article 5(h) holds that the "legal grounds" for processing the data, such as "legitimate interest" or "explicit consent", shall be provided explicitly by the data controllers.
As a result of the examination, the DPA concluded that disciplinary action shall be taken against the responsible employees of the Bank and instructed the Bank (i) to respond to the application of the data subject and (ii) to take necessary measures for the Information Note's compliance with the data protection legislation. As is known, the Data Protection Law does not allow the DPA to fine public institutions. Instead, it foresees that the employees of the public institutions involved in a data protection violation may be subject to disciplinary investigations.
Although the "obligation to inform" is one of the mandatory obligations introduced by the Data Protection Law, the practice as to fulfilling this obligation is yet to be established among the companies operating in Turkey. Indeed, considering the publicly available privacy policies and Information Notes of the Turkish companies, the practice has a long way to go to comply with the data protection law.
With its decision, the DPA at least showed that it keeps an eye on these not yet developed practices and aims to guide the companies on their way to compliance. It is expected that the DPA will soon shift its position from publishing decisions to raise awareness to a stricter approach, where we will be likely to see significant fines.
 The DPA's decision dated 02.05.2019 and numbered 2019/122.
 The other two decisions: https://www.kvkk.gov.tr/Icerik/5422/-Kurul-Kararinin-gereginin-suresi-icinde-yerine-getirilmemesi-hakkinda-Kisisel-Verileri-Koruma-Kurulunun-16-10-2018-tarihli-ve-2018-118-sayili-Karari; https://www.kvkk.gov.tr/Icerik/5366/2018-69.