“.tr” Uzantılı Alan Adlarında Uyuşmazlık Çözüm Mekanizması

Türkiye’de ".tr" uzantılı alan adlarının tahsis işlemleri, uzun yıllar boyunca Orta Doğu Teknik Üniversitesi yetkisindekiNic.TR sistemi üzerinden yürütülmekteydi. ODTÜ ile Bilgi Teknolojileri ve İletişim Kurumu (“BTK”) arasında yapılan protokol ve IANA/ICANN onayları sonucunda, bu yetki BTK’ya devredildi ve 14 Eylül 2022 tarihinden itibaren .tr Ağ Bilgi Sistemi’ne (“TRABİS”) geçiş yapıldı.

TRABİS’in faaliyete geçmesi ile, öncesinde sadece belgeli olarak tahsis edilen “.tr” uzantılı alan adları için “önce gelen alır” prensibi uygulanmaya başlandı. Bu prensip, “com.tr”, “org.tr” ve “net.tr” gibi alan adlarını tahsis etmek isteyen kişilerin, o alan adı için başvuruda bulunan ilk kişi olmalarının yeterli olacağı anlamına gelmektedir. Hak sahipliğine ilişkin herhangi bir marka başvurusu/tescili veya ticari evrak gibi kanıtlayıcı nitelikte belge sunulmasına gerek yoktur.

Önce gelen alır prensibi ile alan adı almanın kolaylaştığı ve sürecin hızlandığı açıktır. Ancak bu durum, hak sahibi olmayan kişiler tarafından kötü niyetli bir şekilde alan adlarının temin edilmesi ve hak sahibi tarafından kullanılmasının engellenmesi sonucunu da doğurabilmektedir.

Bu kapsamda, Ulaştırma ve Altyapı Bakanlığı tarafından yürürlüğe konan İnternet Alan Adları Yönetmeliği’nin ilgili maddeleri ve İnternet Alan Adları Uyuşmazlık Çözüm Mekanizması Tebliği (“Tebliğ”) ile alan adları ile ilgili uyuşmazlık çözüm mekanizmasının işletilmesine, uyuşmazlık çözüm hizmet sağlayıcıların belirlenmesine ve yükümlülüklerine ilişkin usul ve esaslar düzenlenmiştir.

Böylece, Dünya Fikri Mülkiyet Örgütü’nün (“WIPO”) Alan Adı Uyuşmazlıklarının Yeknesak Çözüm Politikası (“UDRP”) sistemine benzer bir sistem ülkemizde de uygulanmaya başlamıştır. Uyuşmazlık Çözüm Hizmet Sağlayıcılar (“UÇHS”) tarafından internet alan adı uyuşmazlıkları yaklaşık 1 ay içerisinde çözüme kavuşturulmaktadır ve bu sayede alan adı ile ilgili hak kayıplarının önüne hızlıca geçilebilmektedir.

I. UYUŞMAZLIK ÇÖZÜM MEKANİZMASINA BAŞVURU

Öncelikle belirtilmelidir ki, TRABİS’in faaliyete geçmesinden önce tahsis edilmiş olan alan adları için, bu alternatif uyuşmazlık çözüm mekanizmasına başvurulamaz. Bu alan adlarından, TRABİS faaliyete geçtikten sonra yenileme işlemi yapılanlar için ise başvuru yapılabilmesi mümkündür.

Uyuşmazlıklar, alternatif olarak UÇHS tarafından çözülmektedir. Mevcut durumda, BTK tarafından UÇHS olarak faaliyet göstermesine izin verilen 2 adet kuruluş (Bilgi Teknolojileri ve İnternet Güvenliği Derneği (BTİDER) ve TOBB UYUM Arabuluculuk ve Uyuşmazlık Çözüm Merkezi) bulunmaktadır.

Şikâyet sahibi, UÇHS’lerden istediğini tercih ederek başvurusunu çevrimiçi olarak yapabilir. Başvuru yaparken, hak sahipliğini kanıtlayıcı ilgili bilgi ve belgeler ile birlikte alan adına yönelik talebini ve hakem/heyet tercihini belirtmelidir. Başvurunun ardından, uyuşmazlığa konu alan adı uyuşmazlık süresi boyunca dondurulur.

Başvuruda herhangi bir eksiklik tespit edilmesi halinde UÇHS’ler bu durumu şikâyet sahibine bildirir ve eksikliğin giderilmesi için 5 gün süre verir. Bu süre içinde eksikliklerin giderilmemesi halinde ise başvuru geçersiz sayılır. Ancak bu durum, şikâyet sahibinin yeniden başvuru yapmasına engel teşkil etmemektedir.

Başvurunun kabul edilmesini takip eden 1 iş günü içerisinde, şikâyet ile ilgili bilgiler ve cevap için gereken bilgi ve belgelere ilişkin açıklamalar, UÇHS tarafından şikâyet edilene gönderilir. Şikâyet edilen, 10 gün içerisinde varsa ek süre talebini, gerekli ve destekleyici bilgi ve belgeleri, hakem/heyet tercihini ve iletişim bilgilerini UÇHS’ye iletmelidir.

Tarafların hakem/heyet tercihine göre UÇHS tarafından 1 veya 3 adet hakem belirlenir. Taraflardan birinin heyet tercih etmesi durumunda UÇHS’nin internet sitesinde yer alan hakem listesinden, biri yedek olmak üzere 2 adet hakem tercihi UÇHS’ye bildirilir; aksi halde hakem seçimi UÇHS tarafından yapılır. Hakemlerin tarafsızlığını etkileyebilecek bir durumun ortaya çıkması halinde ret isteminde bulunulması mümkündür.

Taraflarca aksi kararlaştırılmadıkça, uyuşmazlık çözüm sürecinde kullanılacak dil Türkçedir.

II. BAŞVURU ŞARTLARI

Bir alan adı ile ilgili olarak aşağıda sayılan şartların oluşması halinde, uyuşmazlık çözüm mekanizmasına başvurulabilmektedir. UÇHS’lerin internet sitelerinde yayımlanan kararlar incelendiğinde, bazı hakemler/heyetlerin, bu şartları değerlendirirken, UDRP içtihatlarına ve Seçilmiş UDRP Soruları ile ilgili WIPO İdari Hakem Görüşlerinin WIPO Değerlendirmesi Üçüncü Baskısı’na (WIPO Overview 3.0) atıfta bulunduğu görülmektedir.

a. İhtilaf konusu alan adının, sahip olunan ya da ticarette kullanılan marka, ticaret unvanı, işletme adı ya da diğer tanıtıcı işaretlerle benzer ya da aynı olması

Şikâyet eden, öncelikle hak sahibi olduğu marka, ticaret unvanı, işletme adı veya diğer tanıtıcı unsurları ispatlayabilmeli ve şikâyet konusu alan adının bu unsurlarla aynı veya benzer olduğunu ortaya koyabilmelidir.

Konu ile ilgili UDRP davası olan Magnum Piering, Inc. v. The Mudjackers and Garwood S. Wilson, Sr., WIPO Dava No. D2000-1525 kararında, “bir alan adı şikâyet edenin tescilli markasını tamamen içeriyorsa, bu politika çerçevesinde ayniyet ve iltibas oluşturacak düzeyde benzerliği ortaya koymaya yeterlidir,” denilmektedir. Bu kapsamda, bir alan adının bir markanın tamamını içerdiği ya da ilgili markanın en az bir hakim özelliğinin alan adı içerisinde tanınabilir olduğu davalarda, alan adının normal şartlar altında marka ile iltibas oluşturacak kadar benzer olduğu kabul edilmektedir. Ancak, her somut olaya özgü benzerlik değerlendirmesi yapılmaktadır.

b. Alan adını tahsis ettiren tarafın bu alan adı ile ilgili yasal bir hakkı ya da bağlantısının olmaması

Her ne kadar uyuşmazlık çözüm mekanizmasına başvuru için gerekli olan şartları ispatlamak zorunda olan taraf şikâyet edense de menfi bir durumu kanıtlamanın şikâyet eden için güç olduğu sıklıkla değerlendirilmektedir. Bu nedenle, şikâyet edenin şikâyet edilenin alan adı üzerinde hak veya meşru menfaatlerden yoksun olduğunu ilk bakışta (prima facie) açıkça göstermesi halinde, ispat yükünün şikâyet edilene geçtiği kabul edilmektedir. Bu durumda, şikâyet edilen alan adı ile ilgili bir hak veya meşru menfaati olduğunu ispat etmelidir.

UHÇS hakemleri/heyetleri tarafından da kabul edilen UDRP kurallarına göre ise aşağıdaki durumların kanıtlanması halinde şikâyet edilenin hak veya meşru menfaatinin var olduğu kabul edilmektedir:

  • Şikâyet edilenin herhangi bir uyuşmazlık bildiriminden önce, alan adını veya alan adına karşılık gelen bir adı mal veya hizmetlerin iyi niyetli (bona fide) sunumuyla bağlantılı olarak kullanımı veya kanıtlanabilir kullanım hazırlığı,

  • Şikâyet edilenin, herhangi bir marka veya hizmet markası hakkı elde edinmemiş olsa bile, söz konusu alan adı ile yaygın şekilde tanınıyor olması,

  • Şikâyet edilenin, tüketicileri yanıltıcı bir şekilde yönlendirmek veya söz konusu markayı veya hizmet markasını lekelemek amacıyla ticari kazanç elde etmek niyetinde olmadan, alan adını meşru bir şekilde ticari amaç gütmeyen veya adil kullanımı.

Şikâyet edilenin alan adı ile ilgili yasal bir hakkı veya bağlantısını kanıtlayamadığı ve şikâyet edenin şikâyet edilene alan adının kullanımı için herhangi bir lisans, izin veya yetki vermediği durumlarda ise, alan adının şikâyet eden ile zımni bağı olduğunu gösterme riski taşıdığı değerlendirilmektedir.

c. Alan adının alan adı sahibi tarafından kötü niyetle tahsis ettirilmesi veya kullanılması

Şikâyet edenin haklı bulunması için ayrıca kötü niyet şartı da bulunmaktadır. Tebliğ’de, alan adının şikâyet edilen tarafından kötü niyetle tahsis ettirilmesi veya kullandırılması olarak değerlendirilecek durumlara yer verilmektedir:

i. Alan adının, ticaret veya hizmet markası, ticaret unvanı, işletme adı veya kişi adı ya da diğer tanıtıcı işaretin sahibi olan şikâyetçiye veya şikâyetçinin ticari olarak rekabette bulunduğu tarafa, bu alan adının belgelenmiş tahsis masraflarını ve yatırım maliyetini aşan miktardaki bir meblağ karşılığında satma veya devretme amacıyla tahsis ettirilmiş olması,

ii. Alan adının, ticarette kullanılan marka, ticaret unvanı, işletme adı ya da diğer tanıtıcı işaretin sahibinin, bu marka, unvan, ad ya da işareti alan adında kullanmasını engellemek amacıyla tahsis ettirilmiş olması,

iii. Alan adının, esasen ticari rakiplerin işlerine ya da faaliyetlerine zarar vermek amacıyla tahsis ettirilmiş olması,

iv. Alan adının, ticari kazanç elde etmek amacıyla, şikâyetçinin sahibi olduğu ticarette kullanılan marka, ticaret unvanı, işletme adı ya da diğer tanıtıcı işareti ile benzerlik sağlayarak karışıklık meydana getirmek suretiyle internet kullanıcılarının alan adı sahibinin internet sitesine veya herhangi bir internet sitesine yönlendirilmesi amacıyla bu alan adının kullanılması.

Ancak, kötü niyetle tahsis/kullanma durumları yukarıda sayılanlarla sınırlı olmayıp somut olaya göre hakem/heyetin takdirindedir. Bu kapsamda, aşağıdaki haller de alan adının kötü niyetle tahsisi veya kullanılması olarak değerlendirilebilmektedir:

  • Yaygın olarak bilinen markalarla ilişkili alan adlarının tescil edilmesi ve kullanılması

  • Uyuşmazlık konusu alan adının tescil ettirildiği tarihin, aralarında benzerlik bulunan markanın tescil tarihinden sonra olması

  • Şikâyet edilenin bir alan adına ilişkin kendi haklarının veya meşru çıkarlarının olmaması ve makul herhangi bir iyi niyetli kullanımın olmaması

  • Şikâyet edilenin başvuruya cevap vermemesi veya uyuşmazlık konusu alan adını mevcut iyi niyetli kullanımına ya da bu şekildeki kullanım planlamasına ilişkin delil gösterememesi

  • Belirli durumlarda şikâyet edilenin hareketsiz kalması/alan adının aktif olarak kullanılmaması (pasif sahiplik doktrini)

  • Şikâyet edilenin kimliğini gizlemesi ya da doğru olmayan iletişim bilgilerine yer vermesi

  • Şikâyet edilenin ihtilaf konusu alan adını tahsis ettirmeye karar verdiği sırada yapacağı basit bir marka araştırması ve/veya bir internet arama motoru aramasının, şikâyet edenin önceki marka hakkını ve com alan adını kolaylıkla ortaya çıkarabilecek olması.

C. KARAR AŞAMASI

Hakem/heyet, şikâyet edilenin cevabını UÇHS’ye iletmesinden sonra 15 gün içerisinde:

  • alan adının iptaline,

  • şikâyetçi tarafa devrine, veya

  • talebin reddine karar verir.

Bu süreçte, hakem/heyet ek bilgi ve belge talep edebilir ve yine bu süre içerisinde karar verilemezse, 5 güne kadar ek süre kullanabilir. Karar alınmadan önce şikâyetçi ve şikâyet edilenin aralarında anlaşarak uyuşmazlık çözüm sürecinin sona erdirilmesini talep etmeleri halinde ise hakem/heyet çalışmasını sonlandırır. Yalnızca şikâyetçinin süreci sona erdirme talebi olması halinde ise çalışmanın devam edip etmeyeceği hakeme/heyete bağlıdır.

UÇHS, hakem/heyet kararını ve gerekçesini, 1 gün içerisinde taraflara iletir ve kendi internet sitesinde yayımlar.

Kararın taraflara gönderilmesinden sonra 10 iş günü içinde veya uyuşmazlık çözüm mekanizması sürecinin daha önceki bir aşamasında, konu hakkında ihtiyati tedbir kararının alındığının UÇHS’ye bildirilmesi halinde uyuşmazlık çözüm mekanizması süreci devam eder ancak hakem ya da hakem heyeti kararı uygulanmaz. Bu durumda dava sürecinin tamamlanması beklenir.

Alan adının şikâyetçi tarafa devri kararı verilmesi halinde, karardan sonra 10 iş günü içerisinde ihtiyati tedbir kararı alınmazsa, UÇHS tarafından şikâyetçi tarafa alan adının transferi için bir kod gönderilir. Şikâyetçi taraf, bu kodu kullanarak alan adını kendisine transfer edebilir.

D. SONUÇ

TRABİS’in faaliyete geçmesi ile birlikte, “.tr” uzantılı alan adlarının hak ihlaline sebep olacak şekilde tahsis edilmesi halinde, uyuşmazlık çözüm mekanizması aracılığıyla uyuşmazlıklar hızlıca sonuçlandırılabilmektedir. Bunun için, başvuru usulüne ve sürelerine dikkat etmek ve şikâyetin taraflarınca iddiaların ve savunmaların düzgün bir şekilde ortaya konması oldukça önem arz etmektedir.

Yazarlar: Hatice Ekici Tağa, Sümeyye Uçar, Öykü Su Sabancı, Ebru Gümüş

by Ebru Gümüş

Sharing Statements Received from a Data Subject During a Job Interview

The Personal Data Protection Board (“Board”) evaluated a complaint regarding a company sharing the information about a data subject's current employer received in a job interview with the data subject's current employer in its decision dated 04.08.2022 and numbered 2022/798.

In the complaint subject to the decision, it was claimed that the personal data of the data subject is processed and transferred unlawfully since the statements made by the data subject during the job interview with the data controller company are shared with the data subject’s current company.

The Board provided the following explanations regarding the complaint;

  • The data subject both filed a complaint with the Board and filed a criminal complaint against the data controller company. The data controller has stated in its defense that the application of the data subject was not answered since the result of the investigation initiated against the data controller's manager was awaited. However, the investigation in question is related to the employee of the company, and the data controller’s obligation to respond within the scope of the Personal Data Protection Law No. 6698 (“DPL”) and the Communiqué on Application Procedures and Principles to the Data Controller (“Communiqué”) is not affected by this investigation. Therefore, the data controller violated Article 6 of the Communiqué.
  • It is clear that the party which the data subject lodged a complaint against processes the personal data in the capacity of the data controller, and this should be evaluated within the framework of the DPL. In this context, the decision of the Office of the Chief Public Prosecutor not to prosecute was given as a result of the evaluation made within the framework of the Turkish Penal Code and has no effect within the scope of the examination carried out by the Board.

In this regard, the Board adopted the following decisions;

  • Since the applications of the data subject made in accordance with the Communiqué are not answered within the legal period, it has been decided to warn the data controller about paying maximum attention and care to comply with the provisions of the Communiqué.
  • The transfer of the information by the data controller that the data subject had a job interview with their company and that the data subject made many statements about his/her current company was not carried out in accordance with Article 8 of the DPL. Therefore, an administrative fine of TRY 100.000 (approx. 4.420 EUR) has been imposed on the data controller considering that this situation is in violation of the obligation of the data controller to take the necessary technical and administrative measures in order to prevent the unlawful processing of personal data in Article 12 of the DPL.

Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş

by Ebru Gümüş

The Regulation Amending the Regulation on Medical Device Sales, Advertisement and Promotion

The scope of medical devices, their sale to third parties, the scope and limitations of advertising and promotion activities are regulated by the Regulation on Medical Device Sales, Advertisement and Promotion (“Regulation”) issued by the Turkish Medicines and Medical Devices Authority (“Authority”).

The Regulation Amending the Regulation on Medical Device Sales, Advertisement and Promotion (“Amendment Regulation”) was published on the Official Gazette dated 26.05.2023 and numbered 32202.

Devices within the scope of Regulation on In Vitro Diagnostic Medical Devices have been added to the scope of the Regulation and the definition of medical device with the aforementioned Amendment Regulation.

In addition, the Amendment Regulation regulates new provisions regarding the production and maintenance of medical devices, new definitions such as "use life, usage error, technical service, spare parts" and the obligations of the seller and importer and/or manufacturer after the sale of medical devices. Accordingly, some of the obligations imposed on the seller and importer and/or manufacturers are as follows:

  • Manufacturers producing medical devices in Turkey are obliged to submit a document showing that they have established and implemented the quality management system within the scope of the "EN ISO 13485 Quality Management System in Medical Devices" standard. (enters into force on 01.01.2027.)
  • Except for the devices that do not require technical service activities, sales centers are obliged to issue a guaranteed certificate in an understandable language, in a clear, plain, and readable manner, in accordance with the provisions of the Regulation, for the devices to be used within the scope of the health service provision of which they are manufacturers or importers.
  • Sales centers provide or ensure that the basic technical training of the devices which they are the manufacturer or importer of has been provided free of charge and for once before the first use, upon the written request of the relevant health service provider. (enters into force on 01.2025.)
  • Sales centers may provide technical service training for the devices they are manufacturers or importers of throughout their lifetime at a price. (enters into force on 01.2025.)
  • The healthcare provider has the right to request free repair for the device during the currency of the warranty certificate. The sales centers in the supply chain of the device are responsible for the fulfillment of this request and cannot charge any fee under any name such as labor cost, part replacement or carriage. In case the health service provider uses the right to free repair, the health service provider may request a refund or replacement of the device with an unused product from the sales center, which is the manufacturer or importer of the device on condition where the manufacturer or importer of the device, the sales center, or the authorized technical service of the device, determines that the repair is not suitable, or the total time spent in the repair exceeds the annual maximum total repair period.
  • All sales centers that supply and keep the sanctioned product on the market are jointly responsible for the implementation of the administrative sanction decisions taken by the Authority within the scope of the Regulation or Law w. No. 7223.

However, it is regulated that exceptions can be made by the Authority regarding obligation and restrictions in the Regulation concerning the sale, advertisement, and promotion of medical devices as for device requests by public institutions and organizations and in cases that will occur against public health hazard recognized by the World Health Organization or the European Union or accepted by the Ministry of Health.

In summary, the scope of the regulations regarding the sale, advertisement and promotion of medical devices has been expanded and some additional obligations regarding sales and after-sales support have been introduced for sellers, importers and/or manufacturers selling medical devices with the Amendment Regulation.

The amendments brought by the Amendment Regulation entered into force on 26.05.2023 (except those stated otherwise).

You can access the Amendment Regulation through the link below:

https://www.resmigazete.gov.tr/eskiler/2023/05/20230526-9.htm

Authors: Hatice Ekici Tağa, Ebru Gümüş

by Ebru Gümüş

Tıbbi Cihaz Satış, Reklam ve Tanıtım Yönetmeliğinde Değişiklik Yapılmasına Dair Yönetmelik

Tıbbi cihazların kapsamı, üçüncü kişilere satışının yapılması, reklam ve tanıtım faaliyetlerinin kapsamı ve sınırlamaları Türkiye İlaç ve Tıbbi Cihaz Kurumu (“Kurum”) tarafından çıkartılan Tıbbi Cihaz Satış, Reklam ve Tanıtım Yönetmeliği (“Yönetmelik”) ile düzenlenmektedir.

26.05.2023 tarihli 32202 tarihli Resmi Gazete’de Tıbbi Cihaz Satış, Reklam ve Tanıtım Yönetmeliğinde Değişiklik Yapılmasına Dair Yönetmelik (“Değişiklik Yönetmeliği”) yayınlanmıştır.

Söz konusu Değişiklik Yönetmeliği ile öncelikle Yönetmelik’in kapsamı ve tıbbi cihaz tanımı içerisine İn Vitro Tanı Amaçlı Tıbbi Cihaz Yönetmeliği kapsamına giren cihazlar eklenmiştir.

Buna ek olarak, Değişiklik Yönetmeliği ile tıbbi cihazların üretim ve bakımına ilişkin hükümler de eklenerek “kullanım ömrü, kullanım hatası, teknik servis, yedek parça” gibi tanımlar eklenerek tıbbi cihazların satışı sonrasında satıcı ve ithalatçı ve/veya imalatçının yükümlülükleri düzenlenmiştir. Buna göre satıcı ve ithalatçı ve/veya imalatçılar bakımından getirilen yükümlülüklerden bazıları aşağıdaki gibidir:

  • Yurtiçinde tıbbi cihaz imalatı yapan imalatçılar, başvurularında “EN ISO 13485 Tıbbi Cihazlarda Kalite Yönetim Sistemi” standardı kapsamında kalite yönetim sistemini kurduğunu ve uyguladığını gösterir belge sunmakla yükümlüdür. (01.2027 tarihinde yürürlüğe girer.)
  • Teknik servis faaliyeti gerektirmeyen cihazlar hariç olmak üzere satış merkezleri, imalatçısı veya ithalatçısı oldukları sağlık hizmet sunumu kapsamında kullanılacak olan cihazlar için Yönetmelik hükümlerine uygun olarak anlaşılabilir bir dilde, açık, sade ve okunabilir bir şekilde garanti belgesi düzenlemek zorundadır.
  • Satış merkezleri, imalatçısı veya ithalatçısı oldukları cihazların ilk kullanım öncesinde temel teknik eğitimini, ilgili sağlık hizmet sunucusunun yazılı talebi olması halinde, sağlık hizmet sunucusuna bedelsiz olarak ve bir defaya mahsus olmak üzere verir veya verilmesini sağlar. (01.2025 tarihinde yürürlüğe girer.)
  • Satış merkezleri, imalatçısı veya ithalatçısı oldukları cihazlara ilişkin olarak kullanım ömrü boyunca bedeli karşılığı bu cihazın teknik servis eğitimini verebilir. (01.2025 tarihinde yürürlüğe girer.)
  • Sağlık hizmet sunucusu, garanti belgesinin geçerli olduğu süre boyunca cihaza ücretsiz onarım isteme hakkına sahiptir. Bu talebin yerine getirilmesinden cihazın tedarik zincirinde yer alan satış merkezleri sorumlu olup işçilik masrafı, değiştirilen parça veya kargo bedeli gibi herhangi bir ad altında hiçbir ücret talep edemez. Sağlık hizmet sunucusunun ücretsiz onarım hakkını kullanması halinde; tamirinin uygun olmadığının, cihazın imalatçısı veya ithalatçısı olan satış merkezi veya cihazın yetkili teknik servisi tarafından bir raporla belirlenmesi veya tamirde geçen süre toplamının yıllık azami toplam tamir süresini aşması, durumlarında; sağlık hizmet sunucusu cihazın bedel iadesini veya cihazın kullanılmamış misli ile değiştirilmesini cihazın imalatçısı veya ithalatçısı olan satış merkezinden talep edebilir.
  • Kurum tarafından Yönetmelik veya 7223 sayılı Kanun kapsamında alınan idari yaptırım kararlarının uygulanmasında, yaptırıma konu ürünü piyasaya arz eden ve piyasada bulunduran tüm satış merkezleri müteselsilen sorumludur.

Bununla birlikte kamu kurum ve kuruluşlarının yapacakları cihaz taleplerine ilişkin olarak; sermayesinin tamamı devlete ait, iktisadi alanda ticari esaslara göre faaliyet göstermek üzere kurulan yerlere ve Dünya Sağlık Örgütü veya Avrupa Birliği tarafından tanınan veya Sağlık Bakanlığı tarafından kabul edilen halk sağlığı tehditlerine karşı oluşacak durumlarda tıbbi cihazların satışı, tanıtımı ve reklamı yapılmasına ilişkin Yönetmelik’teki yükümlülüklere ve yasaklamalara Kurum tarafından istisnalar getirilebileceği düzenlenmiştir.

Özetle, Değişiklik Yönetmeliği ile halihazırda tıbbi cihaz satışı, reklamı ve tanıtımına ilişkin düzenlemelerin kapsamı genişletilmiş ve tıbbi cihaz satışı yapan satıcı, ithalatçı ve/veya imalatçılar bakımından satış ve satış sonrası desteğe ilişkin birtakım ek yükümlülükler getirilmiştir.

Değişiklik Yönetmeliği ile getirilen yenilikler (aksi belirtilenler hariç), 26.05.2023 tarihinde yürürlüğe girmiştir.

İlgili Değişiklik Yönetmeliği’ne aşağıdaki linkten ulaşabilirsiniz.

https://www.resmigazete.gov.tr/eskiler/2023/05/20230526-9.htm

Yazarlar: Hatice Ekici Tağa, Ebru Gümüş

by Ebru Gümüş

Turkey Cracks Down on Rise of Greenwashing in Ads

Introduction

Consumers are increasingly seeking out products and services that align with their desire to make eco-friendly choices. As some companies take steps to capitalise on environmental awareness, a practice known as "greenwashing" has emerged.

Environmentalist Jay Westerveld coined the term "greenwashing" in a 1986 critical essay inspired by the irony of the "save the towel" movement in hotels that had little impact beyond saving hotels money in laundry costs. "Greenwashing" refers to the practice of:

  • presenting a product, brand or institution as if it is environmentally friendly;

  • making misleading ads with unfounded environmental claims; and

  • including these claims in marketing material or on product packaging.

The rise of greenwashing poses a significant challenge to a transparent and accountable marketplace in which consumers can make informed decisions. While it is true that consumers play a vital role in the fight against greenwashing, regulatory bodies and businesses must also take action.

Misleading advertising regulation

In Turkey, misleading ads are regulated under the Regulation on Commercial Advertising and Unfair Commercial Practices. The regulation forbids ads that contain expressions or images which may directly or indirectly mislead consumers on any subject. It specifically refers to "information on environmental impact" as one of those subjects.

The regulation also provides that:

  • ads cannot be made in a way that exploits consumers' environmental awareness or possible lack of knowledge in this area;

  • environmental signs, symbols and approvals cannot be used in ads to deceive consumers;

  • only scientific findings and technical representations based on scientific studies accepted by academic institutions on environmental impact can be used in ads; and

  • in ads for goods that require energy labelling, if information on energy efficiency or price is included, the energy efficiency class of the relevant product must be specified.

Advertisement Board

The body authorised to regulate, investigate, audit and apply sanctions regarding commercial advertising in Turkey is the Advertisement Board. The board's aim is to protect and inform consumers against unfair commercial practices, one of which is greenwashing. At the beginning of 2023, the board published the Guideline on Environmental Claims in Advertisements (1) to inform individuals and institutions in advertising about how to ensure that environmental claims and images used in commercial ads are compliant. In addition to the regulation, this guideline includes information on the following with respect to ads that contain environmental claims:

  • core principles;

  • certificates and permits;

  • claims regarding the degradability and recyclability of a product or its packaging;

  • claims regarding renewable energy; and

  • claims regarding water saving.

Case studies

Energy saving device The board imposed an administrative fine on a company that was advertising an energy saving device and prevented the advertisement thereof (2). The energy rates could not be proven by scientific reports. Therefore, the board found that the ad deliberately misled consumers by misdirecting their economic interests.

Plant-based dishwasher tablet The board decided to prevent the advertisement of a dishwasher tablet product (3). The following statements, used in the ad, could not be proven:

  • "100% Plant Based";

  • "Odourless";

  • "Completely organic";

  • "Biodegradable";

  • "Vegan";

  • "Consists of 100% natural and ecological components";

  • "Does not contain Paraben, Phosphate, Perfume, Gluten Dye SLES, GMO, Chlorine, Ammonia";

  • "Does not contain animal and chemical ingredients";

  • "Not tested on animals"; and

  • "Has a Hypoallergenic test".

Electronic scooter The board sanctioned a company for using the phrase "saved CO2 emissions equivalent to 250 thousand trees" in an ad for an electronic scooter. The company was unable to prove the veracity of that statement (4).

Electronic marketplace The board sanctioned a company for using the phrase "all purchased products are delivered in 100% eco-friendly renewable cardboard packaging" in an ad for an electronic marketplace (5). The company was unable to prove the veracity of that statement.

Comment

Turkey has clear regulations and an authorised body to fight against greenwashing and protect consumers. Companies must comply with the regulations and be transparent and able to support their environmental claims to avoid facing administrative fines and sanctions.

Endnotes

(1) Decision No. 2022/2.

(2) Decision No. 2010/1162.

(3) Decision No. 2021/2343.

(4) Decision No. 2022/1641.

(5) Decision No. 2022/2593.

 

Authors: Burak Özdağıstanli, Sümeyye Uçar, Ebru Gümüş

by Ebru Gümüş

Transferring the Health Data of a Data Subject to the Public Institution

The Personal Data Protection Board (“Board”) evaluated a complaint application regarding the transfer of a data subject's health data to a public institution for an administrative lawsuit in its decision dated 04.08.2023 and numbered 2022/790.

The complaint raised concerns about the request made by a public institution to a university hospital for information regarding the data subject, related to a lawsuit between the data subject and the public institution before an administrative court. The complaint argued that the transfer of the data subject's health data from the university hospital to the public institution constituted an unlawful processing of personal data.

The Board made the following explanations regarding the complaint;

  • Pursuant to Article 6/1 of the Law on the Protection of Personal Data No. 6698 (“DPL”), the health data of the data subject transferred to the public institution by the data controller falls into the scope of the special categories of personal data.
  • The public institution stated in its letter that the reason for requesting the data was "to serve as a basis for an ongoing administrative lawsuit." However, the data subject, in their complaint petition, stated that they were the plaintiff working in the public institution in question, while the defendant was the public institution involved in the administrative court lawsuit. Considering the data controller's defense regarding Article 8 of the DPL, it was evaluated that the conditions set forth in Article 6 of the DPL were not met in the processing activity related to the transfer of the special categories of personal data requested due to the ongoing administrative lawsuit between the data subject and the public institution.
  • In violation of the data minimization principle, more special categories of personal data were transferred than requested. The transfer included the medical report, anamnesis forms, epicrisis reports, consultation forms, patient medical clinical course information, pathology report, and radiology reports contained on a CD. The personal data was processed without considering the principle of "being processed for specified, explicit, and legitimate purposes" stipulated in Article 4/2-c of the Law.
  • The data subject claimed that the doctor misunderstood the data subject’s statements in the patient examination information section of the patient history form, where it was written that the data subject sporadically used marijuana. This information was obtained as a result of diagnostic questions asked by the doctor and contained information about the patient's current or past diseases. When the form with the statement was delivered to the public institution, a criminal complaint was filed against the data subject, but it was later determined that the data subject would not be prosecuted. The data controller did not respond to the data subject's request to delete the data and information regarding cannabis use. According to Article 13 of the Regulation on Personal Health Data, the data subject should first apply to the provincial health directorate regarding any health data claimed to be created by mistake. The data subject may request correction by applying to the provincial health directorate affiliated with the data controller, as there are regulations on the necessity of such applications and the actions to be taken to correct inadvertently created health data.
  • Although it has been stated by the data controller that the application of the data subject was not answered and implicitly rejected in accordance with Article 10 titled "The Silence of the Administrative Authorities" of the Administrative Procedure Law No. 2577. Article 13/2 of the DPL states that the requests of the data controller in the application must be concluded free of charge as soon as possible and within thirty days at the latest, depending on the nature of the request.

In this regard, the Board adopted the following decisions;

  • Regarding the transfer of special categories of personal data, it was concluded that the conditions specified in the DPL were not met. Although explicit consent from the data subject was not applicable, it was determined that the health data was transferred to the public institution in violation of the DPL. Additionally, since the shared information was broader in scope than requested, it was considered that the data controller university hospital did not fulfill its obligation to take all kinds of technical and administrative measures regarding the security of personal data under Article 12/1 of the DPL. Therefore, the data controller was instructed to take action against those responsible through disciplinary provisions and to inform the Board accordingly.
  • The data controller was instructed to take the necessary actions, both within its own body and, if necessary, by directing the relevant person, in accordance with Article 11 of the DPL, to address the data subject's right to request correction of their personal data. The actions should be taken before the provincial health directorate, and the Board should be informed of the result.
  • The data controller was instructed to take necessary actions to ensure the destruction of the transferred data at the public institution to which the data subject filed the complaint. The Board should be informed of the result of this transaction.
  • The data controller was reminded of the obligation to finalize data subject requests as soon as possible and within thirty days, based on the nature of the request, in accordance with the Law and the Communique on the Principles and Procedures for the Request to Data Controller.

Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş

by Ebru Gümüş

Processing of Personal Data of the Child without the Explicit Consent of the Parent

The Personal Data Protection Board (“Board”) evaluated the complaint application regarding the processing of the child's personal data by a data controller marketing company by sending promotional brochures without the explicit consent of the child's parents in its decision dated 03.08.2022 and numbered 2022/776.

The complaint focused on the actions of a self-employed entrepreneur, who sent a promotional brochure to an 8-year-old child as part of their marketing efforts for a product belonging to the marketing company. It was claimed that the personal data of the child had been processed unlawfully due to the lack of explicit consent from the child's parent.

The Board provided the following explanations regarding the complaint;

  • It was necessary to determine the data controller in this case. Pursuant to the contract between the company and the self-employed natural person entrepreneur, it is stated that the self-employed entrepreneur is responsible for determining the purpose and means of processing personal data regarding customers, as well as complying with applicable data protection laws. The relationship between the company and the self-employed entrepreneur was determined to be an independent contract rather than a dependent relationship like an agency or employer-employee relationship. When these provisions are considered, it was concluded that the self-employed natural person entrepreneur acts independently from the company in processing personal data for marketing purposes. The self-employed entrepreneur determined the purposes and means of data processing and had the role of data controller in their relationship with the data subject. The company did not have a role in the data processing activities.
  • The data controller claimed that that the personal data was provided by the data subject, and argued that the processing activity, carried out by sending the brochure, fell within the exception provision “Personal data are processed by natural persons within the scope of purely personal activities of the data subject or of family members living together with him/her in the same dwelling provided that it is not to be disclosed to third parties and the obligations about data security is to be complied with” in Article 28 of the Law on the Protection of Personal Data No. 6698 (“DPL”). However, this exception provision is applicable to the processing of personal data by family members living in the same residence, which is not the case here. Therefore, this exception provision does not apply to the self-employed entrepreneur who acted as the data controller.
  • It has been evaluated that processing of name and address which are personal data by sending a promotional brochure for marketing purposes is not based on any of the processing conditions in Article 5 of the DPL due to the fact that the time gap of four and a half months between the order placed on the e-commerce site and the brochure, the fact that the brochure was not sent with the order, and the absence of any document showing explicit consent for the processing of personal data for promotional and marketing purposes were considered.

In this regard, the Board adopted the following decisions;

  • There is no action to be taken against the company within the scope of the DPL since the self-employed entrepreneur, who sent the brochure, was acting independently from the company based on the terms of the contract and maintained a service relationship with customers in selling company products, they act as a data controller independent of the company when processing personal data of their customers.
  • It was determined that the processing of the child's name and contact information, as personal data, by sending the promotional brochure had no connection to the order shown in the invoice submitted by the data controller. The brochure was not sent together with the order shown in the invoice. Therefore, the sending of the brochure was carried out without relying on any of the processing conditions set out in the DPL. Consequently, the obligations stipulated in Article 12/1 of the DPL were not fulfilled, and an administrative fine of TRY 30,000 (approximately 1,400 EUR) was imposed. This decision took into account the unfair content of the misdemeanor committed under the scope of Article 17 of the Misdemeanor Law, as well as the fault and economic situation of the data controller.
  • It was decided to notify the marketing company regarding the self-employed entrepreneurs should be informed that the explicit consent of the data subjects should be obtained, and the provisions of the DPL should be complied with in the processing of personal data for promotional and marketing purposes.

Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş

 

by Ebru Gümüş

Transferring Personal Data Abroad Without Obtaining Explicit Consent

The Personal Data Protection Board (“the Board”) evaluated the complaint application regarding the transferring of personal data without explicit consent by a bank to an insurance company in its decision dated 03.08.2022 and numbered 2022/768.

The complaint subject to the decision is that the data subject received multiple calls from an insurance company, indicating that the bank, as the data controller, had shared the data subject's phone number with the insurance company. Consequently, that the personal data of the data subject was processed unlawfully was claimed.

The Board provided the following explanations regarding the complaint;

  • Pursuant to Article 8 of the Law on the Protection of Personal Data, Law No. 6698 ("DPL"), the transfer of personal data must be justified by obtaining explicit consent from the data subject or by relying on provisions in other laws concerning data transfer. If the data controller cannot justify the transfer based on one of the data processing conditions listed in Article 5/2 of the DPL, explicit consent or legal justifications are necessary for the data controller's data processing activity.
  • The document indicating the data subject's consent to receive commercial electronic messages is the "Campaign Communication Preferences Instruction." However, no document demonstrating that the data subject was informed about the personal data transfer was submitted. This violates the principle of "based on information" for obtaining explicit consent. Therefore, the mentioned document does not qualify as explicit consent for the transfer of personal data.
  • The expression below the relevant instruction screen, stating that “the channels and products allowed by selecting the "all channels and products" option in this form will also include channels and products that can be used and/or defined by the Bank at a date after the form is signed.” is an ambiguous statement concerning the future. It does not comply with the "based on free will" element of the explicit consent conditions. In addition, there is suspicion that the data subject's own will was not involved in completing the boxes on the relevant document.
  • Therefore, the information and documents presented in the concrete case do not prove that the data subject has provided explicit consent for the transfer of personal data.
  • When examining the data controller bank's obligations regarding the security of personal data, it is evident that sharing a bank customer's information with third parties in the country or abroad is prohibited without the customer's instruction, even if explicit consent is obtained pursuant to Article 73 of the Banking Law. Therefore, it is unlawful to share personal data with the insurance company without any instruction from the customer.
  • In the concrete case, it was observed that explicit consent was not obtained for sharing the phone number with the insurance company. There was no evidence or document proving the existence of an instruction or request for the data processing activity mentioned in the complaint, and it did not fall within any exceptions. Furthermore, it has been evaluated that the conditions for transferring personal data listed in Article 8 of the DPL were not met.

In this regard, the Board adopted the following decisions;

  • An administrative fine of TRY 250.000 (approx. EUR 701) has been imposed on the data controller bank due to the failure to fulfill the obligation to take the necessary administrative and technical measures to ensure the appropriate level of security specified in Article 12 of the DPL and due to the Article 8 of the DPL was breached by transferring the data subject’s contact information to the insurance company without relying on any of the processing conditions outlined in Article 5 of the DPL.

Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş

by Ebru Gümüş

Continuing to Process Personal Data of the Employee by the Employer After the Termination of the Employment Contract

The Personal Data Protection Board (“the Board”) evaluated the complaint application about continuing to process the personal data of the data subject by the employer after the termination of the employment contract in its decision dated 20.10.2022 and numbered 2022/1147.

The complaint subject to the decision is the data subject's personal data was processed unlawfully since the data controller company continues to use the photos of the data subject taken from a live broadcast, for promotional purposes, on the social media accounts of the company and the press after the termination of the employment contract, and in addition to this, the data controller company continue to use the phone number of the data subject in relations with the courier companies after the termination of the employment contract.

The Board made the following explanations regarding the complaint;

  • Although the photos of the data subject are included in the job description of the data subject, and it is appropriate to keep them in the archive of the data controller for legal periods, displaying the photos of the data subject for advertising and marketing purposes is against the ordinary course of life to carry out activities since the employment contract of the data subject has been terminated, and then the data subject has started to work somewhere else.
  • Although it is stated by the data controller that the data subject had given his/her mobile phone number to the courier companies willingly and it is seen that the relevant courier companies were not informed of the termination of the employment contract, the processed personal data must be in accordance with the principle of "accuracy and up-to-date when necessary" stipulated in Article 4 of the Law on the Protection of Personal Data No. 6698 (“DPL”). Therefore, the data controller does not pay the necessary attention to the protection of personal data.
  • In addition, in the expert report given during the case pending in general courts, it is stated that the data subject is shown as the responsible personnel who carried out the transaction in many sales made after the termination of the employment contract. For this reason, personal data has been processed in violation of the principle of "being accurate and up to date when necessary" in Article 4 of the DPL.
  • Since it is seen that personal data is processed in violation of general principles and data processing conditions, necessary technical and administrative measures have not been taken by the data controller to protect personal data.

In this regard, the Board adopted the following decision;

  • Processing personal data without valid reason within the scope of the DPL by continuing personal data sharing after the employment contract of the data subject is terminated, and the records in the data controller company and showing the data subject as the responsible personnel even after the termination of the employment contract violates the principle of “being accurate and up-to-date when necessary” in Article 4 of the DPL. Regarding the data controller, who is understood to have failed to fulfill its obligations outlined in Article 12 of the DPL, since it was seen that no other legal reason could be shown by the data controller in the processing of this data, it has been decided to impose an administrative fine of TRY 250,000 (approx. EUR 11.671) on the data controller, taking into account the high risk of negative consequences for the data subject, such as sales and cargo sending, using the identity and contact information of the data subject
  • The data controller has been instructed to destroy the phone number information, which is understood to have been processed unlawfully, from their records and to destroy name and surname information from the digital payment systems of the store, and to send the report that will be duly issued to the data subject’s representative.

Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş

by Ebru Gümüş

Transferring Personal Data Abroad Without Obtaining Explicit Consent

The Personal Data Protection Board (“the Board”) evaluated the complaint application regarding transferring personal data of the data subject abroad without explicit consent by a technology company in its decision dated 17.03.2022 and numbered 2022/249.

The complaint subject to the decision is that the cookie policy is not included, and the privacy policy contains statements regarding transferring personal data abroad on the website on which the data subject is signed up. However, the personal data is transferred abroad without obtaining explicit consent from the data subject, and the data controller did not duly respond to the request of the data subject within the legally specified period.

The Board made the following explanations regarding the complaint;

  • There is no obligation to prepare a privacy policy pursuant to the Law on the Protection of Personal Data w. no. 6698 (“DPL”) and other legislation, but the primary responsibility of data controllers is to fulfill the obligation to inform before the personal data processing activity, as a rule, in cases where personal data is obtained from the data subject.
  • The defense that the request made by the data subject was not responded mistakenly indicates that all necessary administrative and technical measures were not taken by the data controller in order to conclude the requests to be made by the data subjects effectively and in accordance with the law and good faith.
  • Despite the argument that such implementation is being made because data is stored on servers abroad due to the use of hosting services and that a mechanism offering similar security measures does not exist in Turkey, the activity of storing data in the country or abroad is a processing activity.
  • Personal data has been transferred abroad without meeting the conditions stipulated in DPL’s Article 9 titled "Transferring Personal Data Abroad".

In addition, the Board stated the reason why the transfer of personal data abroad is regulated in a separate provision and some other conditions are required is to ensure that the personal data is effectively protected can be effectively protected in the country where it is transferred. The aim is to enable data subjects to use their rights effectively and as close as possible to the implementation of the DPL.

It is reiterated that storing personal data in data centers located in various parts of the world is in the nature of transfer abroad, and personal data processing activities within the scope of storage services provided by data controllers/data processors whose servers are abroad are also carried out in accordance with Article 9 of the DPL in the under practices of the Board.

In this regard, the Board adopted the following decisions;

  • The conclusion is that the necessary technical and administrative measures have not been taken to ensure the appropriate level of security within the scope of the DPL since the transfer of personal data abroad is carried out through the use of a system whose servers are located abroad. In this regard, a commitment to provide adequate protection in the country to which the transfer will be made before the said activity is carried out has not been submitted to the Board, and also the data controller did not obtain explicit consent from the data subjects since there is no legal reason other than explicit consent in the concrete case.
  • The data controller company operates in many countries and a large number of personal data is collected through its economic situation, the application used to process personal data and the website have been transferred abroad unlawfully. The data subjects affected by the mentioned action are many, and it should be accepted that the act of transferring personal data abroad is not due to an individual event, but in a systematic way by the data controller deliberately and with an executive action. For all these reasons, considering that the violation constituting a misdemeanor was committed within the scope of commercial purposes and that the transfer activity abroad was not brought into compliance with the DPL, although 6 years have passed since the effective date of the DPL, an administrative fine of TRY 950.000 (approx. EUR 44.246) was imposed on the data controller.
  • The Board decided to instruct the data controller to make the necessary arrangements to ensure that the transactions regarding the transfer of personal data abroad are in compliance with Article 9 of the DPL and to inform the Board.
  • The Board decided to warn the data controller to take all necessary administrative and technical measures in order to conclude the applications to be made by the data subjects effectively, in accordance with the law and the rule of good faith.

Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş

by Ebru Gümüş