
Part II: Is There a Legal Basis Under Turkish Law for the Administrative Fines and Compliance Orders Against Foreign Data Controllers?

12.01.2024

In our previous article, we analysed whether the Personal Data Protection Board (the “Board”) can rely on the Misdemeanours Act numbered 5326 to issue administrative fines and compliance orders against foreign data controllers. In this article, we will analyse whether Article 20(3) of the Turkish Constitution constitutes a legal basis for the Board to issue such administrative fines and compliance orders.

Article 20(3) of the Turkish Constitution reads as follows:

Everyone has the right to request protection of personal data related to them. This right includes being informed about the personal data processed about oneself, accessing those personal data, requesting their correction or deletion and learning whether such personal data is processed in accordance with its purposes. Personal data can be processed only in situations foreseen by law or with the explicit consent of the individual. Principles and procedure regarding protection of personal data shall be regulated by law.

As can be seen, Article 20(3) of the Turkish Constitution regulates the right to protection of personal data in a general manner. It does not provide specific details; rather, it sets forth that the procedure and principles regarding the protection of personal data will be regulated by law. In this respect, Article 20(3) of the Turkish Constitution does not include any provision regarding the territorial scope of the Personal Data Protection Law numbered 6698 (the “PDPL”) or the jurisdiction of the Personal Data Protection Authority (the “KVKK”) and/or the Board and cannot be put forward as a legal basis in this respect.

In its decision dated 23 June 2020 and numbered 2020/471 on whether a foreign bank is subject to the obligation to register with the Data Controllers Registry under the PDPL, the Board states that the protection of personal data is a fundamental right under Article 20(3) of the Turkish Constitution and that when determining the territorial scope of the provisions regarding data protection, an approach that provides protection in the widest scope should be adopted. The Board does not elaborate on what would be the limits to such a wide scope. This is not surprising, as Article 20(3) does not even intend to regulate the territorial scope of the provisions regarding personal data protection; it leaves this issue to the Grand National Assembly of Türkiye.

Furthermore, in the above-stated decision, the Board refers to the processing of personal data of the “individuals residing in Türkiye” and the “existence of a representative office in Türkiye” as the reasons why the relevant foreign bank should be subject to the registration obligation under the PDPL. This shows that the Board acknowledges the need for limits to the territorial scope of the PDPL. If Article 20(3) of the Turkish Constitution could have been a legal basis for the territorial scope of the PDPL, the approach that provides the widest territorial scope would have been that the PDPL should be applicable to any processing of personal data of not only “individuals residing in Türkiye” but also of any Turkish citizen residing abroad, regardless of whether the data controller has any “representative office” in Türkiye. One can even go further and make a broader interpretation that, since Article 20(3) of the Turkish Constitution refers to “everyone” as the subject of the right to protection of personal data, the territorial scope of the PDPL should cover any processing activity related to any personal data of every individual around the world. Another may argue that this would be absurd and that the word “everyone” under Article 20(3) should be interpreted as “every individual residing in Türkiye” due to the principle of territoriality. This would then raise the question of which data controllers would be subject to obligations so that this right of personal data protection could be ensured for every individual residing in Türkiye: would that be only the data controllers located in Türkiye, all data controllers (including foreign data controllers all around the world) which process personal data of every individual residing in Türkiye, or a combination of all local data controllers and certain foreign data controllers? These potential different interpretations show that Article 20(3) does not regulate the territorial scope of the PDPL and cannot constitute a legal basis in that respect.

The above also shows that the Board cannot rely on Article 20(3) of the Turkish Constitution to adopt an approach that provides the widest scope for the protection of personal data and to issue administrative fines and compliance orders against foreign data controllers based on such an approach. Claiming jurisdiction over such a wide scope without any clear limits would be against the principle of legal certainty under Article 2 of the Turkish Constitution, which prohibits arbitrary interference by administrative authorities and requires the administrative authorities to rely on legal provisions which are clear, plain, understandable and objective when issuing administrative actions. This approach would also prevent an effective judicial review of the decisions of the Board in terms of territorial scope, as it practically provides the Board with unlimited room for interpretation in terms of territorial scope without any explicit legal provision which may constitute a legal basis for judicial review. This approach would lead to a casuistic practice where the Board or the KVKK makes different interpretations on territorial scope based on each specific case, which would be against Article 2 of the Turkish Constitution as stated above. In fact, we can already see differing interpretations in terms of territorial scope in the Regulation on the Data Controllers Registry and two decisions issued by the Board.

The Regulation on the Data Controllers Registry is related to the registration of the data controllers with the online Data Controllers Registry system established by the KVKK. This regulation does not have a specific provision on territorial scope but its Article 5(1)/b sets forth that the data controllers located abroad should register with the Data Controllers Registry. This regulation does not set forth any limit or qualification in terms of which foreign data controllers are under the registration obligation.

The Board Decision dated 24.01.2019 and numbered 2019/10 is related to the notifications to be made to the Board in case of a data breach as per Article 12(5) of the PDPL. In this decision, the Board states that in case a data breach occurs in relation to a foreign data controller, the notification obligation will apply only if “the breach affects the data subjects residing in Türkiye and the data subjects benefit from the services and goods of the relevant data controller within Türkiye”. Article 12(5) does not include any wording in relation to foreign data controllers. The Board adopts an approach different from the Regulation on the Data Controllers Registry, makes its own interpretation as to the territorial scope of this provision and, without any legal basis, introduces two criteria for this provision to be applied to foreign data controllers.

The Board Decision dated 23.06.2020 and numbered 2020/471 (quoted also above) is a response to the question of a foreign bank as to whether it is considered a data controller under the PDPL and whether it is under the obligation to register with the Data Controllers Registry. In this decision, the Board sets forth that the PDPL applies to the foreign bank because the foreign bank has a representative office in Türkiye and processes personal data of individuals in Türkiye. Here, the Board makes an interpretation different from the Regulation on the Data Controllers Registry and the Board Decision dated 24.01.2019 and numbered 2019/10, and states the existence of a representative office as a criterion to determine the territorial scope of the PDPL.

As can be seen from the above, the KVKK and the Board arbitrarily made three different interpretations on the territorial scope of the PDPL in three different situations. This clearly shows how an approach providing such wide room for interpretation without any clear limits results in unpredictable and differing decisions in practice, which is against Article 2 of the Turkish Constitution.

In our next article, we will analyse whether the secondary legislation issued by the KVKK and the decisions of the Board can constitute a legal basis for the administrative fines and compliance orders issued by the Board against foreign data controllers.