The Personal Data Protection Board (“the Board”) evaluated the complaint application about sharing the photos taken during surgery of the data subject and published on the social media account by a doctor who works in the data controller hospital in its decision dated 29.06.2022 and numbered 2022/630.

The complaint subject to the decision is that the data subject’s personal data was processed unlawfully due to, without explicit consent, photos taken during surgery, shared on social media accounts, and kept for 2 years by a doctor who works in the data controller hospital.

The Board made the following explanations regarding the complaint;

  • The photos that are the subject of the complaint are evaluated as personal data since the data subject’s facial parts such as eyebrows, mustaches, etc. that make the person identifiable can are clearly included and not anonymized.
  • In terms of the data controller’s claims that explicit consent was obtained from the data subject, it has been observed that the data subject has given explicit consent for the data controller hospital, but the said photos were processed by a doctor who works in the hospital. The explicit consent given to the hospital does not provide a legal basis for the use of photos by the doctor, therefore the personal data of the data subject has been processed unlawfully.
  • Sharing the photos of the data subject by a doctor who works in the hospital on social media indicates that the necessary technical and administrative measures were not taken by the data controller hospital taking into account that the data controller hospital has the knowledge of this situation.
  • Article 17 of the Law on the Protection of Personal Data No. 6698 (“DPL”) regulates that the provisions of Articles 135 to 140 of the Turkish Penal Code shall be applied for crimes related to personal data. In the presence of such a situation, the data subject can apply to the relevant judicial remedy in such a case.

In this regard, the Board adopted the following decision;

  • It is understood that the data subject has given explicit consent to the data controller hospital, and there is no explicit consent regarding sharing the images taken by the doctor, and the data controller hospital has information that the photos were shared on social media account by the doctor. Since the data controller does not take adequate technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of personal data, prevent unlawful access to personal data, and ensure the protection of personal data in terms of sharing photos of the data subject on social media accounts an administrative fine of TRY 100.000 (approx. EUR 4.657) was imposed on the data controller.
  • The data controller has been informed that it is possible to apply to the judiciary regarding the data subject’s proposal regarding the proposal of the data subject not to file a complaint with the Board if financial compensation is paid to them.
  • The data subject has been informed regarding applying for financial compensation by applying to the judiciary, and applying to the judiciary within the scope of the Turkish Penal Code.

Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş