Transferring the Health Data of a Data Subject to the Public Institution
The Personal Data Protection Board (“Board”) evaluated a complaint application regarding the transfer of a data subject's health data to a public institution for an administrative lawsuit in its decision dated 04.08.2023 and numbered 2022/790.
The complaint raised concerns about the request made by a public institution to a university hospital for information regarding the data subject, related to a lawsuit between the data subject and the public institution before an administrative court. The complaint argued that the transfer of the data subject's health data from the university hospital to the public institution constituted an unlawful processing of personal data.
The Board made the following explanations regarding the complaint;
- Pursuant to Article 6/1 of the Law on the Protection of Personal Data No. 6698 (“DPL”), the health data of the data subject transferred to the public institution by the data controller falls into the scope of the special categories of personal data.
- The public institution stated in its letter that the reason for requesting the data was "to serve as a basis for an ongoing administrative lawsuit." However, the data subject, in their complaint petition, stated that they were the plaintiff working in the public institution in question, while the defendant was the public institution involved in the administrative court lawsuit. Considering the data controller's defense regarding Article 8 of the DPL, it was evaluated that the conditions set forth in Article 6 of the DPL were not met in the processing activity related to the transfer of the special categories of personal data requested due to the ongoing administrative lawsuit between the data subject and the public institution.
- In violation of the data minimization principle, more special categories of personal data were transferred than requested. The transfer included the medical report, anamnesis forms, epicrisis reports, consultation forms, patient medical clinical course information, pathology report, and radiology reports contained on a CD. The personal data was processed without considering the principle of "being processed for specified, explicit, and legitimate purposes" stipulated in Article 4/2-c of the Law.
- The data subject claimed that the doctor misunderstood the data subject’s statements in the patient examination information section of the patient history form, where it was written that the data subject sporadically used marijuana. This information was obtained as a result of diagnostic questions asked by the doctor and contained information about the patient's current or past diseases. When the form with the statement was delivered to the public institution, a criminal complaint was filed against the data subject, but it was later determined that the data subject would not be prosecuted. The data controller did not respond to the data subject's request to delete the data and information regarding cannabis use. According to Article 13 of the Regulation on Personal Health Data, the data subject should first apply to the provincial health directorate regarding any health data claimed to be created by mistake. The data subject may request correction by applying to the provincial health directorate affiliated with the data controller, as there are regulations on the necessity of such applications and the actions to be taken to correct inadvertently created health data.
- Although the data controller stated that the application of the data subject was not answered and was implicitly rejected in accordance with Article 10 titled "The Silence of the Administrative Authorities" of the Administrative Procedure Law No. 2577, Article 13/2 of the DPL states that the requests in the application to the data controller must be concluded free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request.
In this regard, the Board adopted the following decisions;
- Regarding the transfer of special categories of personal data, it was concluded that the conditions specified in the DPL were not met. Although explicit consent from the data subject was not applicable, it was determined that the health data was transferred to the public institution in violation of the DPL. Additionally, since the shared information was broader in scope than requested, it was considered that the data controller university hospital did not fulfill its obligation to take all kinds of technical and administrative measures regarding the security of personal data under Article 12/1 of the DPL. Therefore, the data controller was instructed to take action against those responsible through disciplinary provisions and to inform the Board accordingly.
- The data controller was instructed to take the necessary actions, both within its own body and, if necessary, by directing the relevant person, in accordance with Article 11 of the DPL, to address the data subject's right to request correction of their personal data. The actions should be taken before the provincial health directorate, and the Board should be informed of the result.
- The data controller was instructed to take necessary actions to ensure the destruction of the transferred data at the public institution to which the data subject filed the complaint. The Board should be informed of the result of this transaction.
- The data controller was reminded of the obligation to finalize data subject requests as soon as possible and within thirty days, based on the nature of the request, in accordance with the Law and the Communique on the Principles and Procedures for the Request to Data Controller.
Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş
Processing of Personal Data of the Child without the Explicit Consent of the Parent
The Personal Data Protection Board (“Board”) evaluated the complaint application regarding the processing of the child's personal data by a data controller marketing company by sending promotional brochures without the explicit consent of the child's parents in its decision dated 03.08.2022 and numbered 2022/776.
The complaint focused on the actions of a self-employed entrepreneur, who sent a promotional brochure to an 8-year-old child as part of their marketing efforts for a product belonging to the marketing company. It was claimed that the personal data of the child had been processed unlawfully due to the lack of explicit consent from the child's parent.
The Board provided the following explanations regarding the complaint;
- It was necessary to determine the data controller in this case. Pursuant to the contract between the company and the self-employed natural person entrepreneur, it is stated that the self-employed entrepreneur is responsible for determining the purpose and means of processing personal data regarding customers, as well as complying with applicable data protection laws. The relationship between the company and the self-employed entrepreneur was determined to be an independent contract rather than a dependent relationship like an agency or employer-employee relationship. When these provisions are considered, it was concluded that the self-employed natural person entrepreneur acts independently from the company in processing personal data for marketing purposes. The self-employed entrepreneur determined the purposes and means of data processing and had the role of data controller in their relationship with the data subject. The company did not have a role in the data processing activities.
- The data controller claimed that the personal data was provided by the data subject, and argued that the processing activity, carried out by sending the brochure, fell within the exception provision “Personal data are processed by natural persons within the scope of purely personal activities of the data subject or of family members living together with him/her in the same dwelling provided that it is not to be disclosed to third parties and the obligations about data security is to be complied with” in Article 28 of the Law on the Protection of Personal Data No. 6698 (“DPL”). However, this exception provision is applicable to the processing of personal data by family members living in the same residence, which is not the case here. Therefore, this exception provision does not apply to the self-employed entrepreneur who acted as the data controller.
- It was evaluated that the processing of the name and address, which are personal data, by sending a promotional brochure for marketing purposes was not based on any of the processing conditions in Article 5 of the DPL, considering the time gap of four and a half months between the order placed on the e-commerce site and the brochure, the fact that the brochure was not sent with the order, and the absence of any document showing explicit consent for the processing of personal data for promotional and marketing purposes.
In this regard, the Board adopted the following decisions;
- There is no action to be taken against the company within the scope of the DPL, since the self-employed entrepreneur who sent the brochure was acting independently from the company based on the terms of the contract, maintained a service relationship with customers in selling company products, and therefore acts as a data controller independent of the company when processing the personal data of their customers.
- It was determined that the processing of the child's name and contact information, as personal data, by sending the promotional brochure had no connection to the order shown in the invoice submitted by the data controller. The brochure was not sent together with the order shown in the invoice. Therefore, the sending of the brochure was carried out without relying on any of the processing conditions set out in the DPL. Consequently, the obligations stipulated in Article 12/1 of the DPL were not fulfilled, and an administrative fine of TRY 30,000 (approximately 1,400 EUR) was imposed. This decision took into account the unfair content of the misdemeanor committed under the scope of Article 17 of the Misdemeanor Law, as well as the fault and economic situation of the data controller.
- It was decided to notify the marketing company that the self-employed entrepreneurs should be informed that the explicit consent of the data subjects should be obtained and that the provisions of the DPL should be complied with in the processing of personal data for promotional and marketing purposes.
Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş
Transferring Personal Data Abroad Without Obtaining Explicit Consent
The Personal Data Protection Board (“the Board”) evaluated the complaint application regarding the transferring of personal data without explicit consent by a bank to an insurance company in its decision dated 03.08.2022 and numbered 2022/768.
The complaint subject to the decision is that the data subject received multiple calls from an insurance company, indicating that the bank, as the data controller, had shared the data subject's phone number with the insurance company. Consequently, it was claimed that the personal data of the data subject was processed unlawfully.
The Board provided the following explanations regarding the complaint;
- Pursuant to Article 8 of the Law on the Protection of Personal Data, Law No. 6698 ("DPL"), the transfer of personal data must be justified by obtaining explicit consent from the data subject or by relying on provisions in other laws concerning data transfer. If the data controller cannot justify the transfer based on one of the data processing conditions listed in Article 5/2 of the DPL, explicit consent or legal justifications are necessary for the data controller's data processing activity.
- The document indicating the data subject's consent to receive commercial electronic messages is the "Campaign Communication Preferences Instruction." However, no document demonstrating that the data subject was informed about the personal data transfer was submitted. This violates the principle of "based on information" for obtaining explicit consent. Therefore, the mentioned document does not qualify as explicit consent for the transfer of personal data.
- The expression below the relevant instruction screen, stating that “the channels and products allowed by selecting the "all channels and products" option in this form will also include channels and products that can be used and/or defined by the Bank at a date after the form is signed.” is an ambiguous statement concerning the future. It does not comply with the "based on free will" element of the explicit consent conditions. In addition, there is suspicion that the data subject's own will was not involved in completing the boxes on the relevant document.
- Therefore, the information and documents presented in the concrete case do not prove that the data subject has provided explicit consent for the transfer of personal data.
- When examining the data controller bank's obligations regarding the security of personal data, it is evident that sharing a bank customer's information with third parties in the country or abroad is prohibited without the customer's instruction, even if explicit consent is obtained pursuant to Article 73 of the Banking Law. Therefore, it is unlawful to share personal data with the insurance company without any instruction from the customer.
- In the concrete case, it was observed that explicit consent was not obtained for sharing the phone number with the insurance company. There was no evidence or document proving the existence of an instruction or request for the data processing activity mentioned in the complaint, and it did not fall within any exceptions. Furthermore, it has been evaluated that the conditions for transferring personal data listed in Article 8 of the DPL were not met.
In this regard, the Board adopted the following decisions;
- An administrative fine of TRY 250.000 (approx. EUR 701) has been imposed on the data controller bank due to the failure to fulfill the obligation to take the necessary administrative and technical measures to ensure the appropriate level of security specified in Article 12 of the DPL, and because Article 8 of the DPL was breached by transferring the data subject’s contact information to the insurance company without relying on any of the processing conditions outlined in Article 5 of the DPL.
Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş
Continuing to Process Personal Data of the Employee by the Employer After the Termination of the Employment Contract
The Personal Data Protection Board (“the Board”) evaluated the complaint application about continuing to process the personal data of the data subject by the employer after the termination of the employment contract in its decision dated 20.10.2022 and numbered 2022/1147.
The complaint subject to the decision is that the data subject's personal data was processed unlawfully, since the data controller company continues to use the photos of the data subject taken from a live broadcast, for promotional purposes, on the social media accounts of the company and in the press after the termination of the employment contract, and, in addition, continues to use the phone number of the data subject in its relations with the courier companies after the termination of the employment contract.
The Board made the following explanations regarding the complaint;
- Although the photos of the data subject are included in the job description of the data subject, and it is appropriate to keep them in the archive of the data controller for legal periods, displaying the photos of the data subject to carry out advertising and marketing activities is against the ordinary course of life, since the employment contract of the data subject has been terminated and the data subject has started to work somewhere else.
- Although it is stated by the data controller that the data subject had given his/her mobile phone number to the courier companies willingly and it is seen that the relevant courier companies were not informed of the termination of the employment contract, the processed personal data must be in accordance with the principle of "accuracy and up-to-date when necessary" stipulated in Article 4 of the Law on the Protection of Personal Data No. 6698 (“DPL”). Therefore, the data controller does not pay the necessary attention to the protection of personal data.
- In addition, in the expert report given during the case pending in general courts, it is stated that the data subject is shown as the responsible personnel who carried out the transaction in many sales made after the termination of the employment contract. For this reason, personal data has been processed in violation of the principle of "being accurate and up to date when necessary" in Article 4 of the DPL.
- Since it is seen that personal data is processed in violation of general principles and data processing conditions, necessary technical and administrative measures have not been taken by the data controller to protect personal data.
In this regard, the Board adopted the following decision;
- Processing personal data without a valid reason within the scope of the DPL by continuing to share personal data after the termination of the data subject's employment contract, and showing the data subject as the responsible personnel in the records of the data controller company even after the termination of the employment contract, violates the principle of “being accurate and up-to-date when necessary” in Article 4 of the DPL. Regarding the data controller, who is understood to have failed to fulfill its obligations outlined in Article 12 of the DPL, since it was seen that no other legal reason could be shown by the data controller in the processing of this data, it has been decided to impose an administrative fine of TRY 250,000 (approx. EUR 11.671) on the data controller, taking into account the high risk of negative consequences for the data subject, such as sales and cargo sending, using the identity and contact information of the data subject.
- The data controller has been instructed to destroy the phone number information, which is understood to have been processed unlawfully, from their records and to destroy name and surname information from the digital payment systems of the store, and to send the report that will be duly issued to the data subject’s representative.
Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş
Transferring Personal Data Abroad Without Obtaining Explicit Consent
The Personal Data Protection Board (“the Board”) evaluated the complaint application regarding transferring personal data of the data subject abroad without explicit consent by a technology company in its decision dated 17.03.2022 and numbered 2022/249.
The complaint subject to the decision is that the cookie policy is not included, and the privacy policy contains statements regarding transferring personal data abroad on the website on which the data subject is signed up. However, the personal data is transferred abroad without obtaining explicit consent from the data subject, and the data controller did not duly respond to the request of the data subject within the legally specified period.
The Board made the following explanations regarding the complaint;
- There is no obligation to prepare a privacy policy pursuant to the Law on the Protection of Personal Data No. 6698 (“DPL”) and other legislation, but the primary responsibility of data controllers is to fulfill the obligation to inform before the personal data processing activity, as a rule, in cases where personal data is obtained from the data subject.
- The defense that the request made by the data subject was not responded to by mistake indicates that all necessary administrative and technical measures were not taken by the data controller in order to conclude the requests to be made by the data subjects effectively and in accordance with the law and good faith.
- Despite the argument that such implementation is being made because data is stored on servers abroad due to the use of hosting services and that a mechanism offering similar security measures does not exist in Turkey, the activity of storing data in the country or abroad is a processing activity.
- Personal data has been transferred abroad without meeting the conditions stipulated in DPL’s Article 9 titled "Transferring Personal Data Abroad".
In addition, the Board stated that the reason why the transfer of personal data abroad is regulated in a separate provision and some other conditions are required is to ensure that the personal data can be effectively protected in the country to which it is transferred. The aim is to enable data subjects to use their rights effectively and as close as possible to the implementation of the DPL.
It is reiterated that storing personal data in data centers located in various parts of the world is in the nature of transfer abroad, and personal data processing activities within the scope of storage services provided by data controllers/data processors whose servers are abroad are also carried out in accordance with Article 9 of the DPL under the practices of the Board.
In this regard, the Board adopted the following decisions;
- The conclusion is that the necessary technical and administrative measures have not been taken to ensure the appropriate level of security within the scope of the DPL since the transfer of personal data abroad is carried out through the use of a system whose servers are located abroad. In this regard, a commitment to provide adequate protection in the country to which the transfer will be made before the said activity is carried out has not been submitted to the Board, and also the data controller did not obtain explicit consent from the data subjects since there is no legal reason other than explicit consent in the concrete case.
- The data controller company operates in many countries and, given its economic situation, collects a large amount of personal data, and the personal data collected through the application used to process personal data and the website has been transferred abroad unlawfully. The data subjects affected by the mentioned action are many, and it should be accepted that the act of transferring personal data abroad is not due to an individual event, but is carried out systematically and deliberately by the data controller, with an executive action. For all these reasons, considering that the violation constituting a misdemeanor was committed within the scope of commercial purposes and that the transfer activity abroad was not brought into compliance with the DPL, although 6 years have passed since the effective date of the DPL, an administrative fine of TRY 950.000 (approx. EUR 44.246) was imposed on the data controller.
- The Board decided to instruct the data controller to make the necessary arrangements to ensure that the transactions regarding the transfer of personal data abroad are in compliance with Article 9 of the DPL and to inform the Board.
- The Board decided to warn the data controller to take all necessary administrative and technical measures in order to conclude the applications to be made by the data subjects effectively, in accordance with the law and the rule of good faith.
Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş
Sharing the Photos Taken During Surgery
The Personal Data Protection Board (“the Board”) evaluated the complaint application about the sharing of photos taken during the surgery of the data subject, which were published on a social media account by a doctor who works in the data controller hospital, in its decision dated 29.06.2022 and numbered 2022/630.
The complaint subject to the decision is that the data subject's personal data was processed unlawfully because photos taken during surgery were, without explicit consent, shared on social media accounts and kept for 2 years by a doctor who works in the data controller hospital.
The Board made the following explanations regarding the complaint;
- The photos that are the subject of the complaint are evaluated as personal data since the data subject’s facial parts such as eyebrows, mustaches, etc. that make the person identifiable are clearly included and not anonymized.
- In terms of the data controller's claims that explicit consent was obtained from the data subject, it has been observed that the data subject has given explicit consent for the data controller hospital, but the said photos were processed by a doctor who works in the hospital. The explicit consent given to the hospital does not provide a legal basis for the use of photos by the doctor, therefore the personal data of the data subject has been processed unlawfully.
- Sharing the photos of the data subject by a doctor who works in the hospital on social media indicates that the necessary technical and administrative measures were not taken by the data controller hospital taking into account that the data controller hospital has the knowledge of this situation.
- Article 17 of the Law on the Protection of Personal Data No. 6698 (“DPL”) regulates that the provisions of Articles 135 to 140 of the Turkish Penal Code shall be applied for crimes related to personal data. In the presence of such a situation, the data subject can apply to the relevant judicial remedy.
In this regard, the Board adopted the following decision;
- It is understood that the data subject has given explicit consent to the data controller hospital, that there is no explicit consent regarding sharing the images taken by the doctor, and that the data controller hospital has information that the photos were shared on a social media account by the doctor. Since the data controller does not take adequate technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of personal data, prevent unlawful access to personal data, and ensure the protection of personal data in terms of sharing photos of the data subject on social media accounts, an administrative fine of TRY 100.000 (approx. EUR 4.657) was imposed on the data controller.
- The data controller has been informed that it is possible to apply to the judiciary regarding the data subject’s proposal not to file a complaint with the Board if financial compensation is paid to them.
- The data subject has been informed regarding applying for financial compensation by applying to the judiciary, and applying to the judiciary within the scope of the Turkish Penal Code.
Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş
Sending Order Information to Erroneous Email Address
The Personal Data Protection Board (“the Board”) evaluated the complaint application regarding sending the order information of a third party from the e-commerce website which is the data controller to the data subject in its decision dated 03.08.2022 and numbered 2022/774.
The complaint that is the subject of the decision is that the order information, including the identity, address, and contact information of a third party, is sent to the e-mail address of the data subject from an e-commerce website and that order details are accessible via a link accessed in the e-mail. In addition, the data subject stated in the complaint application that he/she received promotional e-mails and SMS from the data controller even though the data controller stated that his/her e-mail address was deleted from the order in question and that he/she would no longer be notified; accordingly, the data subject requested that the necessary action be taken within the scope of the Law on the Protection of Personal Data No. 6698 (“DPL”).
On the e-commerce website that is the subject of the complaint, there is an option to create a membership, and individuals can also place an order by only giving their e-mail address and other information about the order without creating a membership.
In the explanations made by the data controller, it was stated that there is no membership account for the e-mail address used in the order subject to the complaint. The mentioned order was placed through a guest customer login, without creating a membership account, by another user who inadvertently provided the e-mail address of the data subject due to name similarity, and this third party gave explicit consent for receiving SMS and e-mail.
The Board made the following explanations regarding the complaint;
- Regarding the claim that the e-mail address, which is the personal data of the data subject, has been processed in a manner contrary to the DPL;
Although it is stated by the data controller that the e-mail address of the data subject was entered by the third party inadvertently while placing an order, it is possible that erroneous statements may be made in the information entries made manually by the individuals. Within the scope of the obligation to take administrative and technical measures to prevent the unlawful processing of personal data defined in Article 12 of the DPL, the data controller is obliged to take necessary administrative and technical measures in order to prevent the unlawful processing of personal data belonging to third parties due to these incorrect information entries since it is necessary to ensure that the contact information received from individuals is correct.
Although the order was not placed by the data subject, the data controller processed personal data by sending an informative e-mail to the data subject's e-mail address without relying on any of the processing conditions. In this context, since there is no confirmation mechanism in the transaction in question, all shopping transactions made with the guests' login to the e-commerce site carry the risk of a data breach.
- Regarding the statements of the data controller that it provides an opportunity to reject receiving commercial electronic messages at any time, and that the addressee of such complaints is the provincial and district directorates of the Ministry of Commerce:
It is necessary to evaluate within the scope of the DPL whether the processing activity is based on legal compliance, since phone and e-mail information is also contact information in the nature of personal data, and any transaction on personal data through the means specified in the DPL is a processing activity.
In this regard, the Board adopted the following decisions;
- The data controller has processed the personal data without relying on any of the processing conditions in Article 5 of the DPL by sending an e-mail regarding the order to the data subject, who is an unrelated third party to the sales contract, without any confirmation mechanism. In this respect, it has been decided that the data controller has not taken the necessary technical and administrative measures regulated in Article 12 of the DPL in order to prevent the unlawful processing of personal data, and so an administrative fine of TRY 120.000 (approx. EUR 5.587) was imposed on the data controller.
Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş
Failure to Provide the Privacy Policy and Explicit Consent Wording for Cookies
The Personal Data Protection Board (“the Board”) evaluated the complaint application regarding the failure of the data controller to provide the privacy policy and explicit consent wording for cookies on the website of a gaming platform in its decision dated 23.12.2022 and numbered 2022/1358.
The complaint subject to the decision is that, when accessing the website of a gaming platform, users are not informed about the data processing carried out through cookies, explicit consent is not obtained for non-essential cookies, and identity and contact information is requested from users who are members of the website, but privacy policy and explicit consent texts are not provided.
The Board made the following explanations regarding the complaint:
- Cookies that are necessary for the proper functioning of a website are defined as essential cookies and can be used as an exception to the explicit consent requirement in Article 5 of the Law on the Protection of Personal Data No. 6698 (“DPL”). However, the cookies used for advertising, marketing, and performance purposes are subject to the explicit consent of the data subject. If there is no processing condition other than explicit consent for cookies other than essential cookies, such as functional cookies, performance-analytical cookies, and advertising/marketing cookies, the data controller must obtain explicit consent from data subjects through an “opt-in” mechanism that envisages their voluntary active action at the time of log-in and prevents the cookies from being active by default.
- In this context, it is seen that there are many cookies on the website, and there is no privacy policy. In addition, it has been determined that the data controller does not obtain explicit consent for cookies that are non-essential and track user movements for purposes such as advertising or statistics.
- The data controller must fulfill the obligation to inform data subjects during the first visit of the users to the website regarding the personal data collected via cookies in accordance with Article 10 of the DPL. On the other hand, it has been observed that the privacy policy on the website does not contain the mandatory elements, and the processed personal data is transferred abroad.
In this regard, the Board adopted the following decisions:
- The data controller processes personal data through non-essential cookies for the purpose of advertising and marketing without relying on any legal basis on the relevant website. Since this situation constitutes a violation of the obligations in Article 12 of the DPL, an administrative fine of TRY 300.000 (approx. EUR 14.036) was imposed on the data controller.
- In terms of personal data processed with cookies on the website, it has been decided to instruct the data controller to fulfill the obligation to inform in accordance with the relevant provisions of Article 10 of the DPL and the Communique on Principles and Procedures to be Followed in Fulfillment of the Obligation to Inform.
- It is seen that the privacy policy on the website is presented to the users during sign-up; it has been decided to instruct the data controller to complete the deficiencies in the privacy policy.
Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş
Procedures and Principles About Social Network Provider
The new decision of the Information Technologies and Communication Authority (“BTK”) on the “Procedures and Principles About Social Network Provider” (“Procedures and Principles”) was published in the Official Gazette and entered into force on April 1, 2023.
The procedures and principles, which were first regulated by BTK in 2020 and included the responsibilities and obligations of social network providers, were updated in line with additional article 4 of Law No. 5651 on the Regulation of Broadcasts via Internet and Prevention of Crimes Committed through Such Broadcasts (“Law”).
The stated purpose of the Procedures and Principles is to determine the obligations of the social network provider, which is defined under the Law as “natural persons or legal entities that provide opportunity for users to create, view or share content such as text, images, sounds, location on the internet for the purpose of social interaction”, and the procedures and principles regarding the implementation of these obligations. In addition, it is clearly stated that broadcasts on the internet in which content for social interaction purposes appears only in a certain part, and platforms such as e-commerce sites where content for social interaction is offered as a secondary and ancillary service, are out of scope.
Along with the Procedures and Principles, detailed regulations have been made regarding the following obligations of social network providers regulated in the Law:
Social network providers with more than one million daily accesses from Turkey:
- Obligation to appoint a representative in Turkey
- Responding to applications regarding content
- Reporting to BTK statistical and categorical information on implementation of decisions to remove content and/or block access, and applications made by individuals
- Creating an advertisement library
- Keeping the data of users in Turkey in the country
Regardless of the number of daily accesses, all social network providers:
- Informing the judicial authorities about the content subject to certain crimes
- Providing segregated services for children
- Protecting user rights
- Establishing an effective application mechanism in order to remove title tags and featured content with warning method
- Sharing information with law enforcement about contents that endanger people's life and property safety
- Submitting any type of requested information and document to BTK
- Creating a crisis plan for emergency situations affecting public safety and public health
The sanctions that will be applied to a social network provider in the event of failure to fulfill the above-mentioned obligations are also regulated in detail by the Procedures and Principles. While these sanctions vary according to the breached obligation and the repetition of the breach, the amounts of administrative fines to be applied vary between TRY 10.000.000 and TRY 30.000.000 (approx. EUR 478.000 and 1.435.000). In addition, for some violations, a ban on taxpayers in Turkey advertising with the social network provider and a reduction of the social network's bandwidth may be imposed.
Finally, it should be noted that if certain obligations set out in the Procedures and Principles are not fulfilled, including obligations related to the storage of data in the country, protection of user rights and the provision of segregated services specific to children; an administrative fine up to 3% of the social network provider's global turnover for the previous calendar year may be applied by BTK.
As a result, the Procedures and Principles contain details regarding the implementation of the regulations on social network providers that were stipulated under the Law. Within this scope, it is important for social network providers to comply with the obligations regulated under the Procedures and Principles, in order not to face administrative sanctions.
Authors: Hatice Ekici Tağa, Sümeyye Uçar, Ebru Gümüş
Procedures and Principles About Social Network Provider
The new decision of the Information Technologies and Communication Authority (“BTK”) on the “Procedures and Principles About Social Network Provider” (“Procedures and Principles”) was published in the Official Gazette and entered into force on April 1, 2023.
The procedures and principles, which were first regulated by BTK in 2020 and contain the responsibilities and obligations relating to social network providers, have been updated in line with additional article 4 of Law No. 5651 on the Regulation of Broadcasts via Internet and Prevention of Crimes Committed through Such Broadcasts (“Law”).
The purpose of the Procedures and Principles is stated as determining the obligations of the social network provider, defined in the Law as “natural persons or legal entities that provide opportunity for users to create, view or share content such as text, images, sounds, location on the internet for the purpose of social interaction”, and the procedures and principles regarding the implementation of these obligations. In addition, it is clearly stated that broadcasts on the internet in which content for social interaction purposes appears only in a certain part, and platforms such as e-commerce sites where content for social interaction is offered as a secondary and ancillary service, are out of scope.
Along with the Procedures and Principles, detailed regulations have been made regarding the following obligations of social network providers regulated in the Law:
For social network providers with more than one million daily accesses from Turkey:
- Obligation to appoint a representative in Turkey
- Responding to applications made regarding content
- Reporting to BTK, statistically and categorically, information on the implementation of decisions to remove content and/or block access and on applications made by individuals
- Creating an advertisement library
- Keeping the data of users in Turkey within the country
For all social network providers, regardless of the number of daily accesses:
- Informing the judicial authorities about content subject to certain crimes
- Providing segregated services specific to children
- Protecting user rights
- Establishing an effective application mechanism for the removal of title tags and featured content through the warning method
- Sharing information with the competent law enforcement units about content that endangers people's life and property safety
- Submitting any type of requested information and document to BTK
- Creating a crisis plan for extraordinary situations affecting public safety and public health
The sanctions to be applied to the social network provider in the event of failure to fulfill the above-mentioned obligations are also regulated in detail by the Procedures and Principles. While these sanctions vary according to the breached obligation and the repetition of breaches, the amounts of administrative fines to be applied vary between TRY 10.000.000 and TRY 30.000.000. In addition, for some violations, a ban on taxpayers in Turkey advertising with the social network provider and a reduction of the social network's bandwidth may also be imposed.
Finally, it should be emphasized that if certain obligations set out in the Procedures and Principles are not fulfilled, including the obligations relating to the storage of data within the country, the protection of user rights and the provision of segregated services specific to children, BTK may decide to impose an administrative fine of up to 3% of the social network provider's global turnover for the previous calendar year.
As a result, the Procedures and Principles contain details on the implementation of the regulations on social network providers already set out in the Law. Within this scope, it is important for social network providers to comply with the obligations regulated under the Procedures and Principles in order not to face administrative sanctions.
Authors: Hatice Ekici Tağa, Sümeyye Uçar, Ebru Gümüş