EN-US 
TR-TR 
Turkish Personal Data Protection Board (“Board”) released its recent rulings in summary regarding the application of the Law on the Protection of Personal Data No. 6698 (“Law No. 6698”) on April 15, 2020. In this information note, you will be provided extracts of these two summaries.
1. Decision dated February 6, 2020 numbered 2020/86 (“Decision 2020/86”) on the complaint regarding, inter alia, the data controller’s obligation to reply data subject’s request
In the Decision 2020/86, the data subject applied to the Board for the second time complaining that the data controller, a flight ticket sales company, did not answered the data subject’s request, despite of the fact that the Board had already instructed the data controller to reply data subject requests in compliance with the Communiqué on the Procedures and Principles of Application to Data Controller according to the data subject’s first complaint. The Board stressed that there is no penalty stipulated under the Law No. 6698 for not replying a data subject, however, as per Law No. 6698, Board is entitled to impose penalties on parties not obeying its instructions. Accordingly, the data controller was fined for not complying with the Board’s decision.
2. Decision dated February 6, 2020 numbered 2020/103 (“Decision 2020/103”) on the complaint regarding the unlawful processing of the data subject’s personal data to open a bank account for the purposes of acquisition a potential customer by a bank
In Decision 2020/103, it is stated that the data subject had applied to the bank to open a bank account. However, the data subject had received the information that in the database of the bank he had have already an existing commercial bank account. Subsequently, it is understood that the bank had acquired the data subject’s personal data unlawfully and had opened a commercial bank account for the benefit of the data subject without the data subject’s consent. Yet, the bank account remained inactive since neither a customer agreement was signed by the data subject nor the data subject were aware such process.
Even though such unlawful processing was initiated prior to the effective date of the Law No. 6698, the Board decided to penalize such bank due to the processing which was lacking a legal basis, since the bank did not destructed such personal data, as bank was required to do, within the transition process of the Law No. 6698.
Author: Aslı Naz Ünlü
