Can the Turkish Personal Data Protection Board Issue Administrative Fines for Unlawful Processing or Unlawful Cross-Border Transfers of Personal Data?
27.04.2023
In this brief article we will analyze the practice of the Turkish Personal Data Protection Board (the “Board”) of relying on Articles 12 and 18 (1)/b of the Personal Data Protection Law No. 6698 (the “PDPL”) when issuing an administrative fine for unlawful processing or unlawful cross-border transfers of personal data. This matter is worth analyzing as neither Article 12 nor Article 18(1)/b of the PDPL sets forth an administrative fine for unlawful processing or unlawful cross-border transfers of personal data.
The administrative fines to be issued by the Board against the data controllers are regulated under Article 18 of the PDPL. Article 18 states that the Board can issue an administrative fine for violation of Article 10 (transparency and notice obligation), Article 12 (data security obligation), Article 15 (compliance with the decisions of the Board), and Article 16 (obligation to register with the Data Controllers’ Registry) of the PDPL.
Notably, Article 18 of the PDPL does not refer to any provision of the PDPL which requires data controllers to lawfully process personal data or transfer personal data abroad. Under the PDPL, the provisions regarding lawful processing (i.e. compliance with the general principles of processing, the requirement to rely on a proper legal basis when processing personal data and sensitive personal data, deletion of personal data, and transfers of personal data to third parties) are set forth under Articles 4-8, and lawful transfers of personal data abroad under Article 9. Article 18 of the PDPL sets forth which administrative fines apply to violations of specific provisions of the PDPL, but Articles 4-9 are not among the provisions whose violation leads to an administrative fine under Article 18.
The Board does not consider this a problem, as can be understood from the various administrative fines it issued for violation of Articles 4-9 of the PDPL. The Board states that violation of Articles 4-9 of the PDPL constitutes a violation of Article 12 of the PDPL as well, which in turn gives the Board the right to issue an administrative fine as Article 18(1)/b sets forth an administrative fine for violation of Article 12 of the PDPL. The Board comes to this conclusion by interpreting Article 12(1) of the PDPL, which sets forth that the data controller must take all necessary technical and organizational measures to provide an appropriate level of security for the purposes of (a) preventing unlawful processing of personal data, (b) preventing unlawful access to personal data and (c) ensuring protection of personal data. According to the Board, when a data controller unlawfully processes or transfers personal data abroad, it means that it did not take all necessary technical and organizational measures to prevent unlawful processing of personal data, which violates Article 12(1) of the PDPL.
According to the Board’s interpretation, Article 12(1) of the PDPL is a provision which regulates lawful processing of personal data and transfers of personal data abroad. This interpretation is not correct; these issues are regulated in detail under Articles 4-9 of the PDPL, not under Article 12(1). Article 12 of the PDPL is a provision which regulates solely data security issues, as its very heading, “obligations on data security”, indicates; it does not regulate lawful processing of personal data or transfers of personal data abroad.
The term “data security” is distinct from the terms “lawful processing of personal data” and “transfers of personal data abroad”. Data security focuses on keeping personal data secure by taking appropriate technical and organizational measures against internal and external threats, whereas the rules on lawful processing regulate how a data controller should collect and process personal data (e.g. taking into consideration the reasonable expectations of the data subjects), and the rules on transfers of personal data regulate the conditions to comply with when a data controller or a data processor transfers personal data outside the jurisdiction of a country. This is why the PDPL regulates lawful processing, transfers of personal data and data security under separate provisions. For example, if a privacy notice cites all the legal bases for processing under Article 5 of the PDPL but does not specify which legal basis applies to which processing purpose and which category of personal data, the Board considers this a violation of the principles of “processing for definitive, clear and legitimate purposes” and “being relevant, limited and proportional to the purposes of processing” under Article 4 of the PDPL. This issue clearly has nothing to do with data security; it does not concern keeping the data secure against internal or external threats, but how a data controller should draft its privacy notice.
Of note, the Turkish Data Protection Authority issued a Data Security Guideline, where it explains the technical and organizational measures to be taken to ensure an appropriate level of security as per Article 12 of the PDPL and provides good practice examples. There is no mention of Articles 4-9 of the PDPL in the Data Security Guideline; it focuses solely on the security measures to be taken against internal and external threats. If Article 12(1) had regulated lawful processing of personal data and transfers of personal data abroad, the Data Security Guideline, which is prepared to explain Article 12 of the PDPL, would have included explanations in that respect. The fact that there is no such explanation in the Data Security Guideline is another indicator that Article 12 does not regulate lawful processing and transfers of personal data abroad.
Articles 4-9 of the PDPL each regulate the obligations related to their respective issues in detail. Article 12(1), on the other hand, stipulates the obligations of the data controller regarding data security. Article 12(1) is not a general provision which sets forth all the obligations related to data processing activities (and such a provision would be meaningless, given that these obligations are already provided for in detail in Section II of the PDPL, in Articles 4-9); it is a specific provision stipulating data security. To put it simply, an infringement of Articles 4-9 cannot automatically constitute an infringement of Article 12, as each of these provisions regulates a different issue.
The Board’s approach is not in line with the principle of legality under Turkish law. By making such an interpretation, the Board arbitrarily broadens the scope of application of Articles 12(1) and 18(1)/b; it creates a new type of misdemeanor and a new sanction, which is a practice not allowed under Turkish law. Article 4 of the Misdemeanors Act No. 5326 explicitly adopts the legality principle by stating that (i) misdemeanors can only be set forth by law, or by secondary legislation provided that the law draws a general framework within which the misdemeanors can be set forth by the secondary legislation, and (ii) administrative sanctions can only be set forth by law. This means that in order for an action to be considered a misdemeanor, it must be stated as such explicitly in a law, or alternatively in secondary legislation provided that there is a provision in the law that determines the limits within which the secondary legislation can determine which actions constitute a misdemeanor. The sanctions associated with misdemeanors can only be stated in the law; they cannot be set forth by secondary legislation. The PDPL does not include a provision which sets forth a general framework within which the Board can issue secondary legislation determining which actions constitute misdemeanors. That is why the Board has not issued, and cannot issue, such secondary legislation. Furthermore, it is clear that the PDPL does not set forth an administrative fine for violations of Articles 4-9. For this reason, the Board uses Article 12(1) of the PDPL as if it were a provision regulating lawful processing and lawful cross-border transfers of personal data. As explained above, this violates the legality principle under Turkish law. In light of the above, it is evident that the Board cannot issue administrative fines for violations of Articles 4-9 of the PDPL. Even if the Board believes that an administrative fine should be applied to data controllers violating Articles 4-9 of the PDPL, it cannot do so without an explicit provision in the PDPL. What it can do is inform the Turkish Grand National Assembly of its opinion that the PDPL needs such a provision.
It is also important to ask whether there is anything the Board can do in case of a violation of Articles 4-9 of the PDPL. The PDPL does in fact provide the Board with an enforcement tool in cases where a data controller violates Articles 4-9. Article 15(5) of the PDPL states: “as a result of the examination made upon complaint or ex officio, in cases where it is understood that an infringement exists, the Board shall decide that the identified infringements shall be remedied by the relevant data controller and notify this decision to the relevant parties. This decision shall be implemented without delay and within thirty days at the latest after the notification”. When Articles 4-9 are infringed, the PDPL requires the Board to issue a compliance order under Article 15(5) instead of an administrative fine under Article 18(1)/b. If a data controller does not comply with the Board’s compliance order, the Board will then be able to issue an administrative fine under Article 18(1)/c, which sets forth an administrative fine for non-compliance with the decisions of the Board.