A New Era in Cross-Border Data Transfers in Turkey

The Law Proposal Amending the Code of Criminal Procedure and Certain Laws and Decree Law No. 659 (“Law Proposal”), which embodies significant changes to the Law No. 6698 on the Personal Data Protection (“DPL”) has been submitted to the Turkish Grand National Assembly (“Assembly”) on February 16, 2024. The Law Proposal mainly includes amendments under the DPL regarding (i) processing conditions for the special categories of personal data,(ii) rules governing cross-border data transfers and (iii) appeal process and venue related to decision of the Data Protection Authority (“Authority”).

The Law Proposal, specifically the provisions on cross-border data transfers, has been eagerly anticipated by the relevant stakeholders as they facilitate a smoother mechanism for the data transfers abroad, which are also aligned with the European Union’s General Data Protection Regulation (“GDPR”). By adopting similar rules and principles with the GDPR, the Law Proposal aims to foster international compatibility and to ensure consistency with established international norms. This alignment not only facilitates compliance for entities operating in multiple jurisdictions but also enhances the coherence and effectiveness of global data governance frameworks.

Once adopted by the Assembly, the Law Proposal is expected to enter into force in the upcoming weeks.

Amendments to the Conditions for Processing of Special Categories of Personal Data

Currently, the DPL regulates that special categories of personal data shall only be processed based on (i) the explicit consent of the data subjects and (ii) it is explicitly stipulated by law, except for data concerning health and sexual life. Moreover, data concerning health and sexual life shall only be processed, without the explicit consent of the data subject, when it is necessary for the purposes of protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services by persons under the obligation of secrecy or authorized institutions and organizations.

As the practice in the past several years revealed the necessity to process health data in the fields of health insurance, employment and social services; and with the purpose of alignment with the GDPR, the Law Proposal abolishes the different processing conditions for different types of special categories of personal data and introduces additional conditions for all special categories of personal data.

Accordingly, the Law Proposal forbids processing special categories of personal data, unless:

  1. Explicit consent of the data subject is obtained,
  2. It is explicitly stipulated by law,
  3. Processing is necessary to protect the life or bodily integrity of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent,
  4. Processing relates to personal data made public by the data subject and is in accordance with the will of the data subject to make it public,
  5. Processing is necessary for the establishment, exercise or protection of a right,
  6. Processing is necessary for the protection of public health, preventive medicine, medical diagnosis, treatment and care services, and the planning, management and financing of health services by persons under the obligation of secrecy or authorized institutions and organizations,
  7. Processing is necessary for carrying out legal obligations in the field of employment, occupational health and safety, social security, social services and social assistance,
  8. Processing is carried for current or former members of or for persons who are in regular contact with the foundations, associations and other non-profit organizations or formations established for political, philosophical, religious or trade union purposes, provided that it is in accordance with the legislation to which they are subject and their purposes, limited to their fields of activity and not disclosed to third parties.

While these amendments seem to be able to fill the necessity risen from the practical implementations, e.g. sharing blood type information in emergencies, or for people with disabilities to benefit from government policies, the processing condition related to employment stands out as one of the most significant changes under the Law Proposal. This amendment will result in correction of the wrong but mandatory practice developed in Turkey where various special categories of personal data (i.e. criminal records, health data, disability etc.) of employees had to be processed by the employers with explicit consent of employees, of which the free-will element was questionable.

Another important impact will also happen in the health insurance sector. Because of shortcomings of the current law, health insurance providers did not have the legal basis to process health data of their customers, which was required to pay the treatment costs. As a result, another absurd but mandatory practice had to be created where health insurance providers had to ask for explicit consent when an insured customer requested payment of their treatment costs. Of course, the free-will element of the consent was questionable in this practice, however this was the only workable method. With the changes, this practice will no longer apply.

Amendments to the Cross-Border Data Transfer Regimes

The existing cross-border data transfer mechanisms under the DPL have been subject to criticism due to their challenging and not business-friendly nature. Additionally, the current mechanisms prevent the use cloud-based software and applications, which are widely used by almost all companies and individuals doing business, whose servers are located abroad; and it is evaluated that these mechanisms also became an obstacle against the potential foreign investments.

Currently, the DPL regulates that cross-border data transfers shall only be initiated from Turkey to third countries based on the fulfillment of one of the following criteria:

  • Explicit consent of the data subject is obtained, provided that such consent is freely given, specific and informed,
  • The Personal Data Protection Authority (“Authority”) determines that the recipient country provides an adequate level of protection of personal data,
  • Both the data controller and the data processor, parties to the cross-border data transfer, sign an agreement (an undertaking or binding corporate rules) ensuring adequate protection of personal data and the Authority approves such transfer.

As a response to the criticisms, the Law Proposal introduces novel appropriate safeguards and derogations for specific cases, while introducing international organization or sectors as subjects of adequacy decisions, in addition to countries. Moreover, the explicit consent is no longer a criterion for cross-border data transfers, and may only be relied upon within the framework of derogations for specific cases, as explained below.

The Law Proposal further regulates that these novel mechanisms shall apply to the onward transfers of the personal data; and that where the interests of Turkey or the data subject would be seriously harmed, personal data shall only be transferred abroad with the permission of the Authority, along with the opinion of the relevant public institution or organization.

The Authority is expected to prepare secondary regulations for the procedures and principles regarding the implementation of the cross-border data transfer mechanisms.

Adequacy Decision for Third Countries, International Organizations and Sectors

Even though one of the existing conditions for cross border data transfers is set out for transfers to a recipient country determined by the Authority to have an adequate level of protection; the Authority has not determined any country safe since the effective date of the DPL.

The Law Proposal does not abolish the safe country condition for cross border data transfers; however, amends the adequacy decision to also cover (i) international organizations and (ii) sectors within a country.

Furthermore, the Law Proposal sets forth the following criteria to be taken into consideration while the Authority renders an adequacy decision:

  1. The reciprocity status regarding the transfer of personal data between Turkey and the recipient country, sectors within the country or international organizations.
  2. The relevant legislation and practice of the recipient country and the rules governing the recipient international organization.
  3. The existence of an independent and effective data protection authority in the recipient country or to which the recipient international organization is subject and the existence of administrative and judicial remedies.
  4. The status of the recipient country or international organization as a party to international conventions on the protection of personal data or as a member of international organizations.
  5. The membership status of the recipient country or international organization to global or regional organizations of which Turkey is a member.
  6. International conventions to which Turkey is a party.

With the amendment, the Authority’s adequacy decisions will be published in the Official Gazette; and will be evaluated by the Authority every four years at the latest. As a result of the evaluation or in other cases deemed necessary, the Authority may change, suspend or revoke the adequacy decision with future effect.

Appropriate Safeguards for Cross-Border Data Transfers

In the event that there is no adequacy decision, the Law Proposal also introduces appropriate safeguard mechanisms for cross border data transfers. With the condition that the data subject has the possibility to exercise their rights and to apply for effective legal remedies in the country where the transfer will be made, if any of the following safeguard is provided by the parties, the data controllers and data processors will be able to transfer personal data abroad;

1. Standard Contractual Clauses

The standard contractual clauses (“SCCs") will be finally introduced as a safeguard with the Law Proposal. The clauses that will enable the cross-border data transfers will be announced by the Authority, and will contain:

  • data categories,
  • purposes of data transfer,
  • recipients and recipient groups,
  • technical and administrative measures to be taken by the data recipient,
  • additional measures taken for special categories of personal data.

However, unlike GDPR, the standard contractual clauses under the DPL will be required to be notified to the Authority, by the data controller or data processor, within 5 business days following its signature.

2. Corporate Binding Rules

Although the corporate binding rules (“BCR”) are already utilized by data controllers in practice for cross-border data transfers, the Law Proposal sets forth BCR as an appropriate safeguard in a clear manner. Accordingly, in the presence of BCRs approved by the Authority, which contain provisions on the protection of personal data and which the companies in the same group of undertakings are obliged to comply with, personal data can be transferred between these companies without the need to obtain separate authorization from the Authority.

Thus, it is (and will continue to be) possible to transfer personal data from a company of an undertaking group in Turkey that has BCRs approved by the Authority to the company of the same group in a foreign country without obtaining a separate authorization from the Board.

On the other hand, the details of BCRs are not determined and it is expected that the secondary regulations of the Authority will establish the procedures and principles regarding the BCRs.

3. Signing of an Undertaking and Obtaining the Approval of the Authority

The existing condition for cross border data transfer, where parties sign an undertaking with provisions ensuring adequate protection and obtains the Authority’s authorization for the transfer, remains as a safeguard under the Law Proposal. Different from the current practice where the Authority published model clauses, it is possible that the parties to have more freedom as to the content of the undertaking. Having said that, considering that the Authority has authorized only a handful of applications so far and the existence of SCCs, this option may become obsolete in the near future.

4. Agreements of Public Institutions

Existence of an agreement, that is not in the nature of an international agreement, between public institutions and organizations or international organizations abroad and the public institutions and organizations or professional organizations in the nature of a public institution in Turkey, will enable cross border data transfer, provided that the Authority gives permission for such transfer.

Derogations for Specific Situations

The Law Proposal introduces several novel and exceptional conditions for cross-border data transfers that are incidental and not repetitive. These exceptional conditions correspond to the derogations for specific situations under the Article 49 of GDPR.

Accordingly, in the absence of an adequacy decision and appropriate safeguards, data controllers and data processors will be able to transfer personal data abroad, only in one of the following cases:

  • The data subject gives explicit consent to the transfer and is informed about the possible risks of the cross-border data transfer,
  • The transfer is necessary for:
    • the performance of a contract between the data subject and the data controller, or
    • the implementation of pre-contractual measures taken upon the request of the data subject;
    • the establishment or performance of a contract between the data controller and another party for the benefit of the data subject.
  • The transfer is necessary for an overriding public interest.
  • The transfer is necessary for the establishment, exercise or protection of a right.
  • The transfer is necessary to protect the life or bodily integrity of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
  • The transfer from a registry open to the public or persons with a legitimate interest, provided that the conditions required to access the registry in the relevant legislation are met and the person with a legitimate interest requests the transfer.

Another important point we must make here is, while these changes are positive, we evaluate that direct collection of personal data by a foreign controller remains questionable. This is not due to the legislation but due to the interpretation of the legislation by the Authority.

Contrary to EDPBs direct collection opinion in Guidelines 05/2021, the Authority’s decision on WhatsApp (numbered 2021/891 and dated September 3, 2021) underlines that, after the initial collection of personal data, all kinds of processing activities conducted in servers located outside Turkey constitutes a cross-border transfer. If the Authority does not align its interpretation with the EDPB, this will continue to be a problem for many foreign controllers that directly collect personal data from data subjects since there will be no data exporters in Turkey to run the mechanisms (SCCs, undertaking, BCR etc.) in the legislation.

Therefore, we hope that the Authority will reconsider the interpretation of what a transfer is and will clarify that direct collection scenarios where there is no exporter of personal data is not a data transfer.

Amendments to the Sanctions

The Law Proposal adds a sanction clause for the newly introduced notification obligation, where the data controller or data processor are required to notify the Authority the standard contractual clauses, within 5 business days following its signature, where failure to comply will result in administrative fine from 50.000 to 1.000.000 Turkish Liras (approx. EUR 1,500 to 30,000).

Unlike the other sanctions under the DPL, the implementation of this new sanction is regulated not only for data controllers, but also for the data processors.

Lastly, with the amendments, the Authority’s administrative fines will be able to be challenged before administrative courts instead of magistrate courts.

Transition Periods

By taking into account the disruptions that may occur after the amendments enter into force, the Law Proposal foresees that:

  • the cross-border data transfers with data subjects’ explicit consents shall remain applicable until September 1, 2024; and
  • the proceedings pending before the magistrate courts as of 1/6/2024 shall continue to be heard by these courts.

 

Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya, Ebru Gümüş Karasu, Göksu Tuğrul


Cybersquatting under Different Dispute Resolution Mechanisms

The World Intellectual Property Organization ("WIPO") defines cybersquatting as “the preemptive, bad faith registration of trademarks as domain names by third parties who do not have rights in such names”. Cybersquatting takes advantage of the "first come, first served" principle of domain name registration and in most cases, the primary motivation for cybersquatting is to receive commercial offers from the rightful owners. As a result, effective alternative dispute resolution mechanisms have had to be adopted to meet the needs and challenges arising from the disputes between domain name registrants and trademark owners.

While the Internet Corporation for Assigned Names and Numbers ("ICANN") adopted the globally recognized dispute resolution mechanisms, the Uniform Domain Name Dispute Resolution Policy ("UDPR") and the Uniform Rapid Suspension ("URS"); Turkey also adopted a dispute resolution mechanism for “.tr” domain names in 2022, called the TR Network Information System (“TRABIS”). The rules for TRABIS are regulated under the Regulation on Internet Domain Names (“Regulation”) and the Communiqué on Internet Domain Names Dispute Resolution Mechanism ("Communiqué"), which are secondary legislation to the Electronic Communications Law No. 5809 ("Law").

This article presents a comparative approach to the domain name dispute resolution mechanisms to be applied in the event of a cybersquatting incident.

UDPR

UDPR establishes the terms and conditions of a dispute between a registrant and a third party regarding the use of an Internet domain name. Under the UDPR, the following criteria must be met in order for the UDPR to apply:

  • The domain name must be identical or confusingly similar to a trademark or service mark in which the third party has rights,
  • The registrant must not have any legal interest in the domain name,
  • The domain name must be registered and used in bad faith.

An important point to note is that the UDRP allows filing more than one application.

It should be noted that the UDRP costs applicants between USD 1,500 and 4,000. In addition, the entire process takes approximately 8 weeks to complete. Notably, the UDRP does not provide a quick resolution for the applicants.

URS

The URS was adopted by ICANN in 2013, to address the need to suspend the use of the domain name. The main difference between the UDRP and the URS is that the URS provides a temporary suspension of the domain name registration during the registration period. In addition, the URS is less expensive (approx. USD 375) and faster than the UDRP, as the process takes approximately 3 weeks to complete. Another element of the URS that differs from the UDRP is the burden of proof. In the case of the URS, the complainant only has to provide clear and convincing evidence, while the UDRP requires more detailed evidence.

It should be noted that,  under the relevant ICANN provisions, a URS complaint may not be filed if there is a pending URS or UDRP proceeding involving the same domain name. Nevertheless, there is no impediment to filing a URS or UDRP complaint after the conclusion of the first case, provided it was filed before the other mechanism.

TRABIS

The Law has granted the Information Technologies and Communications Authority ("Authority") broad powers with respect to Internet domain names and cybersecurity. Pursuant to the Law, the Authority handles ".tr" domain name disputes through TRABIS. The Communiqué states that disputes arising from .tr domain names are resolved by an Internet domain name dispute resolution service provider (Currently, the Information Technologies and Internet Security Association (BTIDER) and the TOBB UYUM Mediation and Dispute Resolution Center), which follows a path similar to the UDRP.

The requirements for application are set out in the Regulation as follows:

  • The disputed domain name is similar or identical to a trademark, trade name, business name or other identifying mark owned or used in commerce,
  • The registrant has no legal right or connection to the domain name,
  • Allocation or use of this domain name by the domain name owner is in bad faith.

It should be noted that TRABIS costs applicants between TRY 4.500 and 13.500 (approx. USD 145 and 440) depending on whether a single arbitrator or a panel of arbitrators is selected. In addition, the entire process takes approximately 3-4 weeks to complete.

Like the UDRP, the Internet Domain Name Dispute Resolution Service Provider allows multiple applications.

Conclusion

In light of all of the above, we can conclude that both the UDRP and the URS serve different aspects of domain name disputes, each of which is specific to the needs of Internet law. The URS, on the other hand, largely follows the principles set forth in the UDRP. As the threat of cybersquatting incidents increases by the day, it is critical for trademark owners to have a clear understanding of how to protect their rights.

 

Authors: Hatice Ekici Tağa, Sümeyye Uçar, Ebru Gümüş Karasu, Göksu Tuğrul


Küresel Ekonomide Rekabet Yasağı

Rekabet yasağı, işverenlere ticari sırların korunması ve çalışanların iş değiştirme sıklıklarının azaltılması açısından güvenli bir alan sağladığı için iş sözleşmelerinin temel taşlarından biri olmuştur. Öte yandan, rekabet yasağının kapsamını sınırlayan kurallar, çalışanlara hareket serbestisi sağlamakta ve dolayısıyla, ilgili sektörlerin gelişimine ve yenilikçiliğine katkıda bulunmaktadır.

Türkiye'de Rekabet Yasağına İlişkin Kurallar

Türkiye'de çalışanların işverenlerine karşı özen ve sadakat yükümlülüğü 6098 sayılı Türk Borçlar Kanunu'nda düzenlenmektedir. Bu kapsamda çalışanlar, işverenlerinin haklı menfaatlerini korumak için sadakatle hareket etmekle yükümlüdürler. İş ilişkisi devam ettiği sürece, çalışanların sadakat yükümlülüklerine aykırı olarak üçüncü kişilere ücret karşılığı hizmet vermeleri ve özellikle kendi işverenleri ile rekabet etmeleri yasaktır. Ayrıca, işverenin haklı menfaatlerinin korunması için gerekli olduğu ölçüde, çalışanlar iş ilişkisi sona erdikten sonra da ticari sırları saklamakla yükümlüdür.

Borçlar Kanunu ayrıca, çalışanların iş sözleşmesinin sona ermesinden sonra işverenleriyle rekabet etmekten kaçınmasını, yani kendi hesaplarına rakip bir işletme açmaktan, başka bir rakip işletmede çalışmaktan veya bunların dışında, rakip işletmeyle başka bir menfaat ilişkisine girmekten kaçınmasını, ek bir sözleşme imzalayarak veya iş sözleşmelerine buna ilişkin bir madde ekleyerek kabul edebileceklerini öngörmektedir. Öte yandan, rekabet yasağı yalnızca (i) iş ilişkisinin çalışana işverenin müşteri çevresi veya ticari sırları hakkında bilgi edinme imkanı sağladığı ve (ii) bu bilgilerin kullanılmasının işverene önemli ölçüde zarar verebileceği durumlarda uygulanabilmektedir.

Aynı zamanda rekabet yasağına ilişkin hükümler Borçlar Kanunu’nda, çalışanların ekonomik geleceklerinin haksız yere tehlikeye atılmasını önleyecek şekilde düzenlenmektedir. Buna göre, rekabet yasağı (i) yer, zaman ve işin türü bakımından uygun olmayan sınırlamalar içeremez ve (ii) özel durum ve koşullar dışında iki yıllık süreyi aşamaz.

Ek olarak rekabet yasağı, iş ilişkisinin sona ermesinden sonra çalışanların mevcut bilgi ve deneyimleri ile iş yapmalarını tamamen engellememelidir. Bu bağlamda mahkemeler, bütün durum ve koşulları değerlendirerek ve işverenlerin üstlenmiş olabilecekleri karşı edimi göz önünde bulundurarak, aşırı nitelikteki rekabet yasaklarını kapsam veya süre bakımından sınırlandırma yetkisine sahiptir.

Küreselleşen Dünyada Rekabet Yasağına İlişkin Kuralların Yorumlanması

Dünyanın dinamik yapısı göz önünde bulundurulduğunda, rekabet yasağına ilişkin bölgesel kısıtlamaların uygulanması hem çalışanlar hem de işverenler için önem teşkil eden zorluklar ortaya çıkarmaktadır. İşyerlerini ve müşterilerin alanlarını tanımlayan geleneksel sınırların giderek daha esnek ve sınırsız hale gelmesi, bu tür kısıtlamaların uygulanmasını ve pratikliğini zorlaştırmaktadır. Örneğin, bölgesel sınır kavramının neredeyse geçersiz olduğu dijital oyun sektöründe, rekabet yasaklarına konu olan bölgesel kısıtlamalar uygulanabilir olmamaktadır.

Bu konuda rekabet yasağına ilişkin mevzuat hükümleri yetersiz olsa da mahkemeler tarafından verilen kararlar bu alanda yön göstermektedir. Yargıtay Hukuk Genel Kurulu bir kararında (Esas No. 2019/667, Karar No. 2022/33), aşırı kısıtlayıcı rekabet yasaklarına mahkemeler tarafından müdahale edilebileceğini, böylece hem anlaşmanın canlı tutulabileceğini hem de aşırı kısıtlamaların önlenebileceğini belirtmektedir.

Sakarya Bölge Adliye Mahkemesi 7. Hukuk Dairesi’nin kararı ise (Esas No. 2022/1742, Karar No. 2023/1725) çalışanların işyerinin bir bölgede bulunuyor olmasının, fiilen aynı bölgede rekabet ettikleri anlamına gelmediğini vurgulamaktadır. Uzaktan çalışmanın benimsenmesiyle birlikte, bir işyerinin bulunduğu bölge ile rekabet edilen bölgenin aynı olduğu şeklindeki geleneksel anlayış geçerliliğini yitirmiştir. Bunun yerine Türk mahkemeleri, ilgili tarafların fiziksel işyerlerine bakmaksızın, fiili rekabetin gerçekleştiği yerlere vurgu yapmaktadır.

Her ne kadar mahkeme kararları yol gösterici olsa da mevzuat hükümleri ve içtihatlar, küreselleşen rekabetin karmaşıklığını ele almakta yetersiz kalmaktadır ve rekabet yasağının hedeflenen amaçlara ulaşabilmesi için mevzuat değişikliklerinin yapılması gerekmektedir.

 

Authors: Hatice Ekici Tağa, Begüm Alara Şahinkaya, Göksu Tuğrul


Non-Compete Clauses in a Borderless Economy

Non-compete clauses have been one of the cornerstones of employment agreements as they provide a safe space to employers in terms of safeguarding know-how and reducing employee turnovers. On the other hand, rules restricting the scope of non-compete clauses are applied to liberate the employee mobility, which also contributes to the development and innovation of the relevant sector.

Rules on Non-Compete Clauses in Turkey

In Turkey, employees’ duty of diligence and loyalty to their employers are regulated under the Code of Obligations with no. 6098, where employees are obliged to act faithfully in protecting the rightful interests of the employer. As long as the employment relationship continues, employees are prohibited to serve third parties for a fee contrary to their loyalty duty and in particular, to compete with their employer. Additionally, to the extent necessary for the protection of employers’ rightful interests, employees are also obliged to keep trade secrets after the employment relationship end.

The Code of Obligations further sets forth that employees may agree to refrain from competing with their employer after the termination of the employment agreement, i.e. from establishing a competing business on their own account, working for another competing business or entering into a relationship of interest with a competing business, by signing an additional agreement or including a clause in their employment agreement. On the other hand, the non-compete clauses are only applicable in cases where (i) the employment relationship provides the employee with the opportunity to obtain information about the employer’s customer portfolio or trade secrets, and (ii) the use of this information will cause significant harm to the employer.

The terms of non-compete clauses are also defined under the Code of Obligations in a way to prevent unfairly jeopardizing the economic future of employees. Accordingly, the non-compete clauses may not impose (i) unreasonable restrictions in terms of place, time and type of work, and (ii) its duration may not exceed two years, except in special circumstances and conditions.

Furthermore, non-compete clauses should not completely restrict employees from performing work with their existing knowledge and experience after the termination of the employment relationship. In this regard, the courts have the authority to limit the excessive non-compete clauses in terms of its scope or duration, by evaluating all the circumstances and conditions and considering the counteraction that employers may have undertaken in return.

Interpretation of the Rules on Non-Compete in a Globalized Landscape

Considering the dynamic nature of the world, the application of territorial restrictions in non-compete clauses present significant challenges for both the employees and the employers. The traditional boundaries defining workplaces and customer residencies have become increasingly fluid and limitless, complicating the enforcement and practicality of such restrictions. For instance, the territorial restrictions in non-compete clauses are hardly applicable in the gaming industry, which stands out as one of the most global and interconnected sectors, where the notion of territorial boundaries is virtually obsolete.

Although the rules on non-compete clauses lack sufficiency in this regard, the case-law provides a direction in individual cases. The Court of Cassation’s decision (No. 2019/6672) underlines that excessive restrictions in non-compete clauses may be intervened and amended by the courts, where the agreement of the parties is kept alive, but the excessive restrictions are prevented.

Another decision by a Regional Courts of Justice (No. 2023/1725, File No. 2022/1742) emphasizes that the workplaces of employees do not indicate that they are actually competing in that region. With the adoption of remote work policies, the traditional understanding of a workplace, where the workplace of an establishment is the region where it competes, has become obsolete. Instead, the Turkish courts are placing emphasis on the locations where actual competition occurs, regardless of the physical workplaces of the parties involved.

Even though the case-laws may provide a guidance, legislative rules and legal precedents still fall short in adequately addressing the complexities of competition in a globalized context; and legislation changes are a necessity to achieve the objective of non-compete clauses.

 

Authors: Hatice Ekici Tağa, Begüm Alara Şahinkaya, Göksu Tuğrul


Turkish Data Protection Board Decision: Processing Special Categories of Employee Data

In its decision dated August 10, 2023 w. no 2023/1356, the Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding an employer that submitted the camera footage of its employee praying in a masjid in a reinstatement lawsuit.

In summary, the employee (“Data Subject”) argued that the employer (“Data Controller”) recorded the footage of the Data Subject praying in a masjid without obtaining their explicit consent and without providing information regarding processing of their personal data, which is considered as a special category of data within the scope of the Personal Data Protection Law No. 6698 (“DPL”). The Data Subject further claimed that they were forced to sign an explicit consent form regarding the retrospective processing of their personal data by writing the date of employment, for fear of being dismissed and that this consent did not reflect their free will.

On the other hand, in its defense, the Data Controller stated that camera footage subject to the complaint was processed for security purposes at the workplace, as the workplace was classified as "very dangerous" in terms of occupational health and safety due to its production activity. In this regard, the employees were informed about the recording through visitor safety sign and camera warning signs at the entrance of the Data Controller’s workplace. Moreover, the Data Controller emphasized that the employees were informed regarding (i) the camera footage is processed due to physical place safety, (ii) the purposes of such processing, (iii) to whom and for what purpose the data may be transferred, (iv) the methods of data collection and (v) the rights of the data subjects. Accordingly, the Data Controller stated that the video footage is processed with the purpose of physical place safety data to track any incident that may occur in the masjid, which is a part of the workplace. However, the Data Controller further argued that its employees’ special categories of data, i.e. personal data regarding religion, sects and other beliefs, are not processed and thus, explicit consent of the employees were not obtained.

In this regard, the Board primarily evaluated and decided that as the Data Controller's processing of the video footage inside the place of worship is a data processing related to the religious belief of the Data Subject, the video footage falls within the scope of special categories of personal data and explicit consent of the Data Subject must have been obtained. Furthermore, the Board underlined that camera surveillance of a place of worship would not be lawful data processing as the employees would have a reasonable expectation of privacy in terms of changing rooms, toilets, showers, prayer rooms, rest rooms and breastfeeding rooms; and that the masjid does not have any characteristics that would oblige it to be monitored with regards to the working area of the Data Controller.

The Board further referred to the Guidelines on Explicit Consent and underlined that explicit consent is a declaration of consent given by the data subject (i) freely, (ii) with sufficient information on the subject matter, (iii) in a clear manner that leaves no room for hesitation and (iv) limited. Accordingly, the Guidelines on Explicit Consent highlights that in an employment relationship where there is a power imbalance and one party has influence over the other, and the employee is not given the opportunity to effectively withhold consent, the explicit consent obtained from the employee will not be considered as freely given consent.

Accordingly, the Board decided to impose an administrative fine of TRY 300,000 (approx. EUR 9,148) on the Data Controller due to:

  • The failure of the Data Controller to process data within the scope of data processing conditions under the DPL as the explicit consent obtained from the Data Subject was based on the fear of dismissal and thus the Data Subject did not provide their explicit consent for the process of their special categories of data,
  • Even if the explicit consent was obtained from the Data Subject, the Data Controller did not act in compliance with the principles regulated under the DPL, namely, being relevant, limited and proportionate to the purposes for which the data is processed and thus, did not take all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data.

Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya


Turkish Data Protection Board Decision: Data Processing Activities of an Online Game

In its decision dated September 28, 2023 and numbered 2023/1645, the Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding a local distributor of a massively multiplayer online game due to its unlawful processing of personal data.

In summary, the complainant (“Data Subject”) argued that the distributor of an online game (“Data Controller”), who is the sole authorized person responsible for making all transactions on behalf of the owner of the game and generates commercial revenues in Turkey, failed to provide a comprehensive response to their information request within the scope of the Turkish Personal Data Protection Law No. 6698 (“DPL”). Moreover, the Data Controller allegedly stated to the Data Subject that their personal data is not transferred to third parties, neither in Turkey nor abroad. However, the Data Subject claimed that pursuant to Data Controller’s privacy policy and cookie policy, the personal data collected from the players are transferred abroad. Additionally, the Data Subject stated that the Data Controller is using a third-party software to prevent cheating and fraud, which runs during each login to the game and scans all files and software on the computer and continues to run as long as the game remains open. The Data Subject further stated that their personal data was illegally obtained and transferred abroad through this third-party software.

On the other hand, in its defense, the Data Controller stated that the gaming sector is built upon the digital game contracts of which the parties are based abroad and thus, cross-border transfers are obligatory in terms of business processes. However, all servers used within the scope of gaming services are kept in Turkey. Moreover, the Data Controller underlined that the only personal data processed are e-mail address, IP address and if secure login application is selected by the data subjects, mobile phone number data and the processing is based on (i) the necessity due to compliance with a legal obligation to which the Data Controller is subject and (ii) necessity due to the legitimate interests pursued by the Data Controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subjects within the scope of DPL. The Data Controller further emphasized that the personal data of data subjects are not shared with anyone, except for the purpose of fulfilling legal obligations and sharing personal data with judicial authorities pursuant to DPL.

Regarding the claims of third-party software, the Data Controller stated that such software does not scan all files on the players’ computer nor access the camera and microphone. Additionally, the personal data of the players are not transferred abroad through the software.

Last of all, the Data Controller set forth that only necessary cookies are used, and the cookie policy is displayed on the screen as a "pop-up" when the website is visited. On the other hand, as the privacy policy has been prepared prior to the entry of the DPL into force, a new compliance process has been initiated to update the privacy policy to make it compatible with the current data processing activities.

Subsequently, the Board evaluated the claims of both parties and decided to carry out an on-site inspection by visiting the office of the Data Controller and the headquarters of another company from which it receives services, as the Board could not reach a definitive conclusion as to whether the personal data of the Data Subject are transferred abroad by the Data Controller. As a result, the Board concluded that the personal data of players are not transferred abroad.

In this regard, the Board reached the following conclusions concerning the claims of the parties:

  • Unlawful processing of personal data through surveillance software: The Board determined that the surveillance software used by the Data Controller tries (i) to determine whether the player is using a bot software by analyzing the executable files opened in the computer at the moment the game is launched and (ii) to distinguish the type of executable files are open on the computer. Accordingly, the Board decided that the Data Controller only uses the special software to determine whether the players resort to cheating and fraud, and that there is no unlawful personal data processing activity by accessing the personal data on the players' computers during this use.
  • Data Controller’s Obligation to Inform: The Board determined that the privacy policy of the Data Controller is not compliant with the provisions of the DPL and underlined that it should be updated as soon as possible.
  • Cross-Border Data Transfers: As a result of the on-site inspection, the Board concluded that the game servers are kept domestically by the Data controller and the personal data of the Data Subject is not transferred abroad, as the Data Controller (i) purchased game servers to keep personal data domestically, (ii) concluded an agreement with a company for services related to servers, such as security and hosting services, and (iii) backed up the information within the scope of online games, such as game level, items used in the game, on a cloud computing platform, except for the players’ personal data.
  • Personal Data Processing Carried Out Through Cookies: The Board determined that the Data Controller’s processing of personal data through cookies is not incompliance with the provisions of the DPL, since:
    • The Data Controller uses necessary cookies, functional cookies, analysis/performance cookies and targeting/advertising cookies but only provides two options to the players, i.e. "use only necessary cookies" and "allow all cookies" and thus, obtains collective explicit consent and data subjects are not given the opportunity to choose.
    • In line with the Cookie Policy of the Data Controller, various cookies are used by third party cookie providers abroad in the category of necessary cookies and thus, the Data Controller failed to obtain the explicit consent of the data subjects, contrary to the Guidelines on Cookie Practices.

In the light of the above explained, the Board decided to impose an administrative fine of TRY 750,000 (approx. EUR 22,946) on the Data Controller due to its failure to (i) obtain separate explicit consents for different types of cookies and (ii) obtain the explicit consent of the data subjects for cross-border data transfers via cookies.

 

Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya


Turkish Data Protection Board Decision: Confidentiality Obligations of Banks

In its decision dated June 15, 2023 and numbered 2023/1050, the Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding a bank’s failure to fulfill a customer’s request to provide the transcript of the conversation between the bank’s customer representative and the customer.

In summary, the customer (“Data Subject”) argued that the bank (“Data Controller”) failed to provide information regarding the Data Subject’s stolen personal data, as their virtual card had been copied. In this regard, the Data Subject requested from the Data Controller the voice recording or the transcript of their conversation with the customer representative, in line with the data subject rights under the Personal Data Protection Law No. 6698 (“DPL”). However, in its defense, the Data Controller denied the Data Subject’s request and did not share the voice recording or the transcript of the conversation due to the provisions of the Banking Law No. 5411 (“Banking Law”) and the Regulation on Sharing of Secret Information (“Regulation”).

In this regard, the Board evaluated the facts of the case in line with the provisions of DPL, the Banking Law and the Regulation. While underlining the rights of the data subjects, including the right to demand for information as to if their personal data have been processed, the Board underlined that the data controllers are under the obligation (i) to finalize the data subjects’ requests free of charge, as soon as possible and within thirty days at the latest or (ii) to reject the data subjects’ requests by explaining the reason and notify the data subject in writing or electronically. The Board determined that the Data Controller did not provide any response to the first inquiry by the Data Subject; and provided response to the second inquiry after the thirty day period.

Furthermore, within the framework of the Banking Law and the Regulation, the Board stated that the confidentiality obligation of the Data Controller requires not to provide “customer secrets” (natural and legal persons’ data after the establishment of a customer relationship with banks specific to banking activities) to third parties about the information and events obtained due to the commercial connection with the customer. On the other hand, this obligation does not prohibit disclosing the Data Subject’s own personal data within the scope of the rights of data subjects regulated under the DPL. The Board also mentioned that the data subject right to request information if their personal data have been processed, includes the right of access to such data.

Accordingly, the Board instructed the Data Controller to share with the Data Subject the transcript of the conversation between them and the customer representative by taking measures such as removing/masking the personal data of others, in line with the rights of data subjects regulated under the DPL.

 

Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya


Turkish Data Protection Board Decision: Processing Former Employee’s Email Data

In its decision dated August 3, 2023 and numbered 2023/1321, the Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding a company’s continued processing of e-mail data of a former shareholder.

In summary, the former shareholder of a company (“Data Subject”) argued that the company (“Data Controller”) has continued to process their e-mail data, as their former work e-mail address is still active, and the Data Controller has been reading their e-mails. The Data Subject further claimed that such processing of their personal data creates unfair competition for their new company and caused material damage; and that their applications to the Data Controller remained unanswered.

On the other hand, the Data Controller stated that the e-mail address in question was closed and recorded as an "undefined email address” in its system and as the extension of the Data Subject’s e-mail address belongs to the Data Controller, the new emails have been directed to the email addresses of the relevant executives of the Data Controller. Moreover, the Data Controller claimed that the emails received after the resignation of the Data Subject do not contain any personal data.

In this regard, the Board evaluated that as the messages are still being sent to the e-mail address previously used by the Data Subject, which is currently inactive, the e-mail data has the quality of personal data, and such personal data continue to be processed by the Data Controller by accessing the sent emails, without relying on the conditions of personal data processing regulated under the Personal Data Protection Law No. 6698, and decided to impose an administrative fine of TRY 50.000 (approx. EUR 1520).

 

Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya


Removal of and Blocking Access to Online Contents: Constitutional Court Annuls Internet Law Provisions

The Constitutional Court’s decision with no. 2023/172 (“Decision”) was published on the Official Gazette on January 10, 2024. The Decision concerns the application for the annulment of several provisions under the Law on the Regulation of Broadcasts via Internet and Prevention of Crimes Committed through Such Broadcasts (“Internet Law”).

While the Constitutional Court decided to annul the Internet Law provisions on removal of content and blocking access based on (i) the publication of criminal content online (Article 8) and (ii) the violation of personality rights (Article 9); it evaluated that the following provisions are in compliance with the Constitution of the Republic of Turkey (“Constitution”): (i) the definition of the social network providers, (ii) the delivery of notices of administrative fine decisions to relevant parties residing abroad, (iii) the administrative fines to be imposed on hosting providers failing to fulfill their obligations, (iv) several obligations of social network providers.

A. The Evaluations of the Constitutional Court

The Definition of the Social Network Providers

Definitions – Article 2

(s) Social network provider: Those natural or legal persons that provide opportunities for users to create, view or share textual, visual, audio, or location data, etc. for the purpose of social interaction.

The grounds for the annulment application of this article were that the phrases “social interaction”, “create”, “view”, “share” are not clear and precise which results in unclarity for determining which internet medias are within the scope of this definition and so, wide discretion power for the administrative authority. Furthermore, the application stated that specific obligations for social network providers are unclear and that the provisions limiting the freedom of persons must be clear and foreseeable pursuant to the Constitution.

While the Constitutional Court accepted that the mentioned phrases are generalizations, it rejected the annulment of this article as these phrases are not unclear or unforeseeable; and that the reason for using such intangible phrases is to contain any solution aimed with the provision, which can vary depending on a concrete case occurring on the Internet, a virtual environment where the borders are hard to define.

The Delivery of Notices of Administrative Fine Decisions to Relevant Parties Residing Abroad

Obligation to Provide Information – Article 3

(5) In the event that the addressee is abroad, administrative fines given per the provisions of this (Internet) Law may be issued by the (Information Technologies and Communication) Authority directly to the addressee by way of the procedure laid out in paragraph 3. Such issuance will be held as a notice issued as per Notification Law No. 7201 dated 2/11/1959. The notification is deemed delivered at the end of the fifth day following the issuance.

This article stipulates that if the addressee of the administrative fines to be given per the Internet Law is located abroad, the Information Technologies and Communication Authority (“ITCA”) may issue a notice related to such administrative fines via (i) e-mail or (ii) other communication tools through information obtained from sources such as communication tools on internet pages, domain names, IP addresses and similar resources.

The grounds for the annulment application of this article were based on the fact that an e-mail or any other kind of notification will be accepted as an official notification, without understanding whether it has reached the addressee or on what date it has reached. It is claimed that such notification procedure (i) is incompatible with freedom to claim rights and right to effective remedy, (ii) is in violation of international conventions to which Turkey is a party, (iii) does not carry legal certainty, and lastly (iv) contradicts the principle of inequality.

In this regard, the Constitutional Court evaluated that the notification procedure regulated by the provision is in compliance with the Constitution, as the addressees subject to the Internet Law are under the following obligations:

  • Content, hosting, access and collective use providers are under the obligation to keep their promotional information up to date on their website,
  • Social network providers with more than one million daily accesses from Turkey are under the obligation to include their representative’s contact information on their website in a way that can be easily seen and directly accessed,
  • Internet service providers are under the obligation to be a member of the Access Providers Association.

Accordingly, the Constitutional Court stated that since the addressees of the notification are under the obligation to provide a valid contact information as detailed above, the notifications to be made in line with this article is in compliance with the Constitution and fulfills the purposes of written notifications, i.e. informing the addressee regarding the action taken against them and documenting the date on which the notification was made.

The Administrative Fines to Be Imposed on Hosting Providers Failing to Fulfill Their Obligations

Liabilities of Hosting Provider - Article 5

(6) The President (of ITCA) shall impose an administrative fine from 100.000 Turkish Liras to 1.000.000 Turkish Liras on the hosting provider who fails to submit a hosting provider notification or fulfil its obligations under this (Internet) Law.

The grounds for the annulment application of this article were that the administrative fine amounts were increased ten times, this increase was disproportionate, and that the President has an arbitrary discretion in imposing the administrative fine, which is in contrary to the Constitution.

While the Constitutional Court agreed that the article does not state the criteria for determining the administrative fine amount, it referred to the Misdemeanor Law No. 5326, where all activities resulting in an administrative fine shall be subject to. Constitutional Court stated in its evaluation that the Misdemeanor Law regulates the criteria for determining an administrative fine amount (i.e. content of the misdemeanor, fault and the economic situation of the perpetrator) and that the President of ITCA must apply such criteria; hence, does not have an arbitrary discretion.

Furthermore, the Constitutional Court noted that with the consideration of the size of the economic value occurring in the internet environment in the recent years, the fine amounts are not deemed as an excessive burden to the hosting providers.

Lastly, the Constitutional Court mentioned that the mentioned provision acts as a deterrent by regulating the imposition of administrative fines in the event that hosting providers, which fulfil a major function in the internet environment, fail to fulfil their obligations that also serve the public sphere. Hence, the administrative fine provision is based on a legitimate purpose and necessary and appropriate with the provision’s aim.

Obligations of Social Network Providers

The Constitutional Court did not examine the Provisional Article 4 of the Internet Law which regulates the obligations of the social network providers subject to the claim due to the fact that the said article had already been amended with the Amendment Law No. 7418 on the Press Law and Certain Laws, published on the Official Gazette on October 18, 2022.

B. The Decisions of the Constitutional Court on Removal of Content and Blocking Access

The Publication of Criminal Content Online

The Decisions to Remove Content and Block Access, and Their Implementation - Article 8

(4) The decision to remove the content and/or block access to publications whose content constitutes the crimes stated in the first paragraph[1] shall be given ex officio by the President (of ITCA). This decision shall be notified to the relevant content, hosting and access provider and shall be asked to carry out its requirements.

(11) In the event that the decision to remove content and/or block access which is given as an administrative measure is not fulfilled, President shall impose administrative fines to the relevant content, hosting and access provider from 10.000 Turkish Liras up to 100.000 Turkish Liras. If the decision is not fulfilled by the access provider within twenty-four hours after the administrative fine is imposed, ITCA may decide to revoke the authorization.

Constitutional Court evaluated this article based on the presumption of innocence regulated under the Constitution. Accordingly, while the adoption of various judicial and administrative measures in relation to a person suspected of a crime is not prohibited under the Constitution, such measures must be a temporary measure carried out in connection with the criminal proceedings. Measures that are completely detached from the criminal proceedings and have a final nature undermine the presumption of innocence, as they result in the person being treated as guilty before a criminal court decision.

In this context, the measure under the Article 8/4 of the Internet Law, i.e. the decision of removal of content, is considered a final measure that is detached from the criminal proceedings and is applied by the determination of the President of ITCA. Moreover, this measure cannot be examined during the criminal investigation process initiated in relation to the related offense that constitutes the justification for the administrative measure applied by the President, and that the injunction continues to stand even if the trial results in a verdict other than a conviction.

As a result, the Constitutional Court concluded (and decided to annul) the provisions regarding the decision to remove the content, which is in the nature of a final measure depending on the determination of guilt by an administrative authority, and the imposition of administrative fines in case of non-execution of this decision violates the presumption of innocence, without a finalized court decision determining that the acts regulated as crimes have been committed.

Before the Decision After the Decision
(4) The decision to remove the content and/or block access to publications whose content constitutes the crimes stated in the first paragraph shall be given ex officio by the President. This decision shall be notified to the relevant content, hosting and access provider and shall be asked to carry out its requirements.

 

(11) In the event that the decision to remove content and/or block access which is given as an administrative measure is not fulfilled, President shall impose administrative fines to the relevant content, hosting and access provider from 10.000 Turkish Liras up to 100.000 Turkish Liras. If the decision is not fulfilled by the access provider within twenty-four hours after the administrative fine is imposed, ITCA may decide to revoke the authorization.

(4) The decision to remove the content and/or block access to publications whose content constitutes the crimes stated in the first paragraph shall be given ex officio by the President. This decision shall be notified to the relevant content, hosting and access provider and shall be asked to carry out its requirements.

 

(11) In the event that the decision to remove content and/or block access which is given as an administrative measure is not fulfilled, President shall impose administrative fines to the relevant content, hosting and access provider from 10.000 Turkish Liras up to 100.000 Turkish Liras. If the decision is not fulfilled by the access provider within twenty-four hours after the administrative fine is imposed, ITCA may decide to revoke the authorization.

 The Violation of Personality Rights

The Article 9 of the Internet Law, subject to the annulment, regulates that the natural person, legal entities, institutions and organizations claiming that their personality rights are violated due to a content published on the internet may ask to (i) the content provider, or (ii) (if they cannot reach the content provider) the hosting provider, to remove the content by using the warning method. They may also request access blocking by applying directly to the judge of the court of peace.

The Constitutional Court stated that the said article restricts (i) the freedom of expression, by enabling the removal of contents published on the internet and/or blocking access to these publications, and (ii) the freedom of the press, considering that these publications may also be within the scope of internet journalism. Pursuant to the Constitution, such restriction must be made by law and must comply with the reasons for restriction stipulated in the Constitution, the requirements of the democratic social order and the principle of proportionality.

Accordingly, the Constitutional Court referred to its Decision with No. 2018/14884[2], which concluded that, while implementing this provision, the criminal judgeships of peace (i) reached conclusions without conducting conflicting trial and without presenting the need for immediate and prompt disposal and (ii) without the approach ensuring the supervision of a fair balance between conflicting rights. Moreover, the reasoned decisions of criminal judgeships of peace contain general statements independent of the circumstances of the concrete events and do not examine how the publications violate personality rights. Within this framework, the Constitutional Court evaluated that the lack of certainty regarding the scope and limits of Article 9 of the Internet Law creates a wide margin of appreciation for the judicial authorities and that it is difficult to obtain results from the objections against these decisions.

On the other hand, the Constitutional Court observed that the said article does not provide a gradual intervention method for the restriction of internet content against attacks on personality rights, as the restrictions prevents access to a certain content on the internet indefinitely from the date of the decision. In this respect, the Constitutional Court concluded that Article 9 of the Internet Law:

  • constitutes a severe interference with the freedoms of expression and the press,
  • does not provide procedural safeguards to prevent arbitrary behavior by narrowing the discretionary power of public authorities,
  • does not contain the guarantees that will ensure proportionate decisions in accordance with the requirements of the democratic social order.

In the light of the above explanations, the Constitutional Court decided that the Article 9 of the Internet Law is unconstitutional and thus, annulled.

The annulments will enter into force on October 10, 2024.


[1] The offenses specified under the Article 8 of the Internet Law are as follows:
a) The crimes under the Turkish Criminal Code dated 26/9/2004 and numbered 5237;
  • Encouragement of suicide (Article 84),
  • Sexual abuse of children (Article 103, first paragraph),
  • Facilitate the use of drugs or stimulants (Article 190),
  • Hazardous substance for health (Article 194),
  • Obscenity (Article 226),
  • Prostitution (Article 227),
  • Providing space and facilities for gambling (Article 228).
b) Crimes in the Law Concerning Crimes Committed Against Atatürk dated 25/7/1951 and numbered 5816.
c) the crimes regulated under the Law on Regulation of Betting and Games of Chance in Football and Other Sports Competitions dated 29/4/1959 and numbered 7258.
ç) the crimes regulated under first and second paragraphs of Article 27 of the Law on State Intelligence Services and National Intelligence Organization dated 1/11/1983 and numbered 2937.
[2] Keskin Kalem Yayıncılık ve Ticaret A.Ş. and other [GK], B. No: 2018/14884, 27/10/2021.

 

Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya


Turkish Data Protection Board Decision: Unlawful Voice Recordings in Labor Disputes

In its decision dated September 7, 2023 and numbered 2023/1548, the Turkish Personal Data Protection Board (“Board”) evaluated a complaint regarding an employer submitting voice recordings of an employee to the court, in relation to a labor dispute.

In summary, the employee (“Data Subject”) claimed that their conversation was recorded and given to their employer (“Data Controller”) by a customer and was retained and submitted to the court by the Data Controller without explicit consent. On the other hand, the Data Controller counterclaimed that they terminated the employment agreement due to the Data Subject’s behavior, as the voice recording of the Data Subject demonstrates attempt at bribery and after the Data Subject filed a lawsuit against the Data Controller with the claim that the termination was unlawful, the Data Controller submitted the voice recording to the court file as an encrypted disk, of which the password was not shared with the court.

In this regard, the Board stated that the issues regarding the Data Controller’s retention of the Data Subject’s voice recording which justifies the termination and its submission to the court file should be evaluated within the scope of the Turkish Personal Data Protection Law No. 6698 (“DPL”).

Accordingly, the Board underlined that although the Code of Civil Procedure No. 6100 prohibits the use of illegally obtained evidence in court; the unauthorized voice recordings may not be considered as a crime under the Turkish Criminal Code No. 5237 in certain cases. If the recording is made in self-defense during a sudden situation where obtaining evidence is not possible and there is no opportunity to report the incident to the authorities, it may be admissible as lawful evidence in accordance with the Court of Cassation's precedents. Moreover, in labor disputes, voice recordings may be accepted as lawful evidence if it is not possible to prove that the employer terminated the employment contract for just cause with another evidence or if there is an aim to prevent the loss of evidence. Therefore, the Board determined that the voice recording used to demonstrate the termination of the Data Subject's employment contract for just cause is admissible evidence. Additionally, the Board also stated that the voice recording was not made by the Data Controller but was kept by them due to its evidential value.

The Board further emphasized the Data Controller’s statements regarding the submission of the voice recording to the court, which sets forth that (i) the voice recording was not shared with any personnel, (ii) the voice recording was transferred to an encrypted disk and deleted from the insecure environment by taking the necessary administrative and technical measures, (iii) the voice recording was kept in an encrypted form limited to the legal retention period and lastly (iv) the voice recording was submitted to the court in an encrypted manner.

In this context, the Board decided that the Data Controller submitted the voice recording of the Data Subject to the court in line with the conditions for processing personal data regulated under the DPL, namely, “the necessity for the establishment, exercise or protection of any right”.

 

Authors: Burak Özdağıstanli, Sümeyye Uçar, Begüm Alara Şahinkaya