Turkish Personal Data Protection Board’s Principle Decision

Turkish Personal Data Protection Board’s (“Board”) principle decision Decree No: 2019/308 dated 18.10.2019 published in the Official Gazette on November 21, 2019 and at Board’s official website.

As a result of the notifications made to the board, the Board detected that some data controllers operating in the service sector such as Lawyers/Law Firms and finance, real estate consultancy, insurance etc. use software/programs/applications which enable to questioning personal data of citizens through using data gained by various ways. The Board designated that using this kind of software/programs/applications is illegal according to article 12 which regulates the data controllers’ obligation to secure data of the Turkish Law on Protection of Personal Data (“KVKK”) numbered 6698.

The Board enlightened public by its stated principle decision to prevent data security breaches on that;

  • The criminal process will start for determined data controllers who use this kind of software/programs/applications by reporting them as a notice to the Chief Public Prosecutor’s Offices according to article 158 of Turkish Criminal Law (“TCK”) numbered 5271,
  • Administrative transactions will also be installed for determined data controllers who use this kind of software/program/applications according to article 18 of KVKK in grounds of the Board’s jurisdiction.

As a result of the Board’s principle decision using software/programs/applications which enable to questioning personal data of citizens through using data gained by various ways is illegal according to article 12 of KVKK. Also, both administrative and criminal transactions will be installed for determined data controllers who use this kind of software/program/applications based on KVKK and TCK.