New Decisions from the Turkish Personal Data Protection Board
New Decisions from Turkish Personal Data Protection Board
On August 14, 2023, in accordance with the decisions of the Personal Data Protection Board ["Board"] published on the website of the Personal Data Protection Authority ["Authority"], the significance of the general principles of law, specifically the obligations to maintain a legitimate and proportionate purpose and adhere to the principle of good faith during data processing operations was emphasized. The decisions also examined the conditions of explicit consent as defined by the Law on the Protection of Personal Data [“LPPD"].
The Principle of Good Faith Should Guide Interpretation When Obtaining Explicit Consent
The Board's Decision No. 2023/692 dated 02.05.2023 addresses the condition of explicit consent for health services provided by a private health institution and the violation of the general principles stipulated in LPPD during data processing.
The Authority conducted an investigation on the complaint that it is mandatory to consent to the processing of the data of the applicants and to contact them for this purpose in order to be informed about the services and announcements of the health institution while filling out the form to make an appointment on the website of the health institution, who is the data controller.
While reiterating the rules regarding explicit consent within its decision, the Board highlighted that, as per Article 3/f.1-a of the LPPD under the section titled "Definitions," explicit consent is defined as "consent pertaining to a specific subject, founded on information and expressed with free will", and in this sense, explicit consent should primarily pertain to a specific subject and remain confined to that subject. In this regard, the Board stated that the data controller must unambiguously specify the subject for which the explicit consent statement is requested and, given its nature as a statement of will, explicit consent necessitates a person's freely given consent.
In addition, it is stated that it is obligatory to comply with the general principles listed in Article 4 of the LPPD, which are: compliance with the law and good faith, being accurate and up-to-date when necessary, being processed for specified, explicit and legitimate purposes, being relevant, limited and proportionate to the purpose for which data are processed, and being stored only for the period stipulated in the relevant legislation or required for the purpose for which data are processed.
As a result, it is determined that the said practice links the appointment service, which serves as a preliminary step for individuals to receive services, to the requirement of explicit consent for the promotion of the data controller and mandating an explicit consent declaration is found to impair the will of the individuals in this regard. Therefore, it has been decided to impose an administrative fine of 300,000 TL on the data controller, on the grounds that such practice constitutes a violation of the principle of compliance with law and good faith stipulated in Article 4 of the LPPD.
The decision is important in terms of showing that explicit consent must be obtained with free will in accordance with the LPPD regulation and reiterating the obligation of data controllers to act in accordance with the general principles listed in the LPPD for each data processing activity.
Data Processing Must Have a Legitimate and Proportionate Purpose
The Board's decision dated 11.05.2023 and numbered 2023/787 pertains to unlawfulness of a hospital's processing of personal data within the scope of its advertising and promotional activities even if it has obtained explicit consent from patients regarding the processing of personal data, including health data in accordance with sectoral regulations.
As a result of the examination made by the Board; it was determined that the data controller requested explicit consent from the patients within the scope of the "Informed Consent Form on the Protection of Personal Data Specific to Photography/Video Shooting", and that the relevant consent form states that the photographs/videos to be taken within the scope of the execution of marketing, advertising and promotion processes will be recorded and may be transferred to third parties from which services are received, cooperated with or contracted, national, local and international press organs and social media platforms.
Art. 4 of the LPPD titled "General Principles" stipulates that personal data shall only be processed in accordance with the procedures and principles stipulated in the LPPD and other laws. Moreover, Art. 4/f. 2- a and c of the LPPD specifically states that it is mandatory to process data for specific, explicit and legitimate purposes complying to good faith and general principles of law, while adhering to every rule introduced by laws and other legal regulations in the processing of personal data.
As a result, it was decided to impose an administrative fine of 250.000 TL on the data controller on the ground that the data processing activity in question does not have any basis under Art. 6 of the LPPD. The Board determined that health data, which is special categories of personal data, are processed by the data controller by shooting videos about the diseases and treatment process of the data subjects and sharing them on social media accounts, and that although there is "explicit consent" of the data subjects for the processing of personal data for advertising, marketing and promotion purposes pursuant to Art. 6 para. 2 of the LPPD, private hospitals are prohibited from making promotions to create demand in accordance with sectoral regulations. Considering the prohibitive provision in Article 60 of the Regulation on Private Hospitals published in the Official Gazette dated 27.03.2002, the Board stated that explicit consent cannot be asserted as a data processing condition in the concrete case.
The decision is significant in terms of showing that obtaining explicit consent alone is not sufficient, that data processing must have a legitimate and proportional purpose, and that the data controller is obliged to process data in accordance not only with the LPPD but also with the provisions of other legislation, and that the Board conducts a legal compliance audit in this direction.