Compliance quarterly

Europe

The new horizontal guidelines: Information exchange

The European Commission ("EC") published for consultation two draft revised horizontal block exemption regulations ("HBERs") on research and development ("R&D") and specialization agreements, as well as draft revised guidelines on horizontal cooperation ("the Guidelines"). The updated EC regulations and Guidelines are expected to enter into force on 1 January 2023.

Read the full publication, "The new horizontal guidelines: Information exchange."

Turkey

Turkish Constitutional Court ruled tracking workshift hours via fingerprint is against the right to privacy

Upon an application by a municipality officer, the Constitutional Court ruled that processing fingerprint data to track the shift hours of employees is against Article 20 of the Turkish Constitution regulating the right to privacy. In its evaluation, the Court emphasized that for the processing of biometric data, explicit consent of the data owner must be obtained and the processing must have a legal ground in accordance with Article 13 of the Turkish Constitution. Since the Law on State Officers No.657 includes specific provisions for determination of the work-hours as well as starting and completion times, however does not regulate any provision regarding the tracking whether the officers continue with their shift, legal ground is not met for processing of the sensitive data. Therefore, the Court ruled that the processing of the fingerprint to serve the purpose of shift tracking is against the right to data privacy.

Turkish Data Protection Agency published the Guideline on Loyalty Programs

The Data Protection Agency published the Draft Guideline on Loyalty Programs for public opinion. The Guideline provides examples on the type of personal data that can be processed, reasons for compliance of data processing activities with laws and use of data by entities regarding loyalty card programs. The Guideline defines loyalty programs and provides instructions regarding processing of data within the scope of loyalty programs such as below:

1. Within the scope of the loyalty programs, data controllers must send privacy notices specific to their activities rather than providing general information. The privacy notices should describe in detail the incremental benefits such as discounts and the data storage rules in relation to these benefits.
2. Obtaining explicit consent for becoming a member to the loyalty program is not deemed as linking the service to the consent provided that not becoming a member does not result in a material disadvantage in terms of the additional benefit provided through the loyalty program
3. Approvals for electronic communication should be collected from data owners within the scope of loyalty programs.

Data Protection Agency of Turkey published the Guideline on Cookies

The Data Protection Agency of Turkey published the Guideline on Cookies in June 2022. The Guideline includes recommendations for website operators processing personal data through cookies. The Guideline defines cookies as type of text files placed into the user device by website operators and small-sized rich text formats of certain information regarding users which is allowed to be stored into their terminal devices while they are browsing. The Guideline classify the cookies in terms of their: (i) period, (ii) purpose, and (iii) parties. The Guideline also sets forth the requirement of obtaining explicit consent should be evaluated depending on (i) whether the communication is provided through electronic communication network or (ii) its absolute necessity for the services requested by the subscriber or user. Obtaining explicit consents would be required in case none of the above conditions exists.

Guideline on Banking Sector Best Practices in Personal Data Protection is published

The Personal Data Protection Authority (DPA) and the Banking Regulation and Supervision Agency (BRSA) of Turkey cooperatively issued the "Guideline on Banking Sector Good Practices in Personal Data Protection" (Guideline) on 5 August 2022. The Guideline aims to provide guidance to data controller banks in relation to the personal data processing activities carried out in accordance with the Law and the secondary legislation issued by the DPA and set best practice examples in this context. The Guideline provides explanations and scenarios where DPA evaluates whether banks and or third parties are data controllers and data processors in certain situations by setting an example of the relationship between data controller and data processor. The Guideline mainly focuses on the following items: (i) distinction between the data controller and the data processors; (ii) data processing agreement to be made between data controller and data processor, (iii) legal grounds for processing data by banks, (iv) relationship between the data protection legislation and confidentiality obligation under the banking legislation and the prevailing legislation; (v) evaluation of legitimate interest in terms of bank operations.

Turkish Data Protection Authority's decision on processing hand geometry data

A complaint has been made to the Data Protection Authority of Turkey (DPA) against a data controller alleging that the data controller scans palms and fingerprints through a "Hand Geometry Terminal" as a perquisite to provide certain services without obtaining the explicit consents of data owners. Upon review of the complaint, the DPA decided that the data collected through scanning of palms and fingerprints can be classified as sensitive personal data as it allows the data processor to identify a specific customer among others and the processing of such sensitive personal data is subject to clear explicit consent. The Authority further resolved that the customers were not sufficiently informed about the scope, limits and results of the data processing procedures and therefore the data controller breached the Turkish Data Protection Law No:6698. Accordingly, the data controller is imposed with an administrative fine in the amount of TL 100,000 and instructed to delete such personal data and inform the data subjects and the DPA.

Personal Data Protection Board in Turkey published a draft Guideline for Processing Genetic Data

Data Protection Authority of Turkey (DPA) published a draft guideline for processing genetic data (Draft Guideline). According to the Draft Guideline, the genetic data should be processed according to principles regulated in this Draft Guideline, the general principles under Article 4 and the conditions regulated in Article 6 of the Data Protection Law No:6698. The Draft Guideline sets forth the following principles about processing of genetic data: (i) processing shall not interfere with the essence of fundamental rights and freedoms of data owners; (ii) processing should be appropriate for the desired purpose; (iii) method for processing shall be necessary for the purpose of processing; (iv) aim and the means for processing should be proportionate; (v) processed genetic data should be stored for a required period of time, disposed without delay in accordance with the personal data storage and disposing policy. Draft Guideline further regulates the concept of explicit consent, processing of genetic data for health and scientific purposes, transfer of genetic data abroad, obligations of the data processor and the technical measures to be taken.