Turkey’s Data Protection Authority Ruled Principles on Direct Marketing
Turkeys Personal Data Protection Authority reminds the importance of data and explicit consent once again with its recent ruling. The ruling is parallel with international data protection laws such as GDPR which also bans direct marketing to individuals without their explicit consent. In accordance with the provisions of the Law on the Protection of Personal Data No. 6698 (Law), a number of appeals have been submitted to the Personal Data Protection Authority (Authority) regarding the fact that the advertisement notifications / calls to the individuals have been sent without their explicit consent.
The Authority has decided, with the Decision 2018/119 on October 10th, 2018, the processing activities shall immediately stop pursuant the Article 15(7) of the Law, if the data controllers or data processors who act on behalf of the controllers are sending an ad by SMS, by call or by e-mail without the explicit consent of the individuals or without providing the processing conditions stated in paragraph (2) of article 5 of the Law.
In order to prevent the unlawful access, processing of personal data and to protect personal data, under Article 12 of the Law, the data controller has to take all necessary technical and administrative measures to ensure the adequate level of security. Additionally, if the personal data is being processed on behalf of the controller by another natural or legal person, that he is jointly liable, together with these persons, to take such measures.
The appropriate measures shall be taken in accordance with the provisions of Article 18. Data controllers that do not comply with the law may be subject to administrative fines minimum of TRY 15.000 and maximum of 1.000.000.
Moreover the Authority will notify the Office of the Chief Public Prosecutor in accordance with the Criminal Procedure Law No.5271 Article 158, to prosecute liable data controllers under the Article 136 of the Turkish Criminal Code No. 5237, “Giving or Receiving the Data Unlawfully”.
In short, the Authority reminds to the data controllers and processors acting on their behalf the importance of consent and also notes their liabilities and the consequences if they do not abide by the Law.
Author:Begüm Aksoy