Compliance Quarterly

Global

Contracting for cybersecurity risks: Mitigating weak link 

Read the full publication, "Contracting for cybersecurity risks: Mitigating weak link."

The proposed EU Cyber Resilience Act: What it is and how it may impact the supply chain

Read the full publication, "The proposed EU Cyber Resilience Act: What it is and how it may impact the supply chain."

A look back on five key developments in Cybersecurity and Data Protection in Southeast Asia in 2022

Read the full publication, "A look back on five key developments in Cybersecurity and Data Protection in Southeast Asia in 2022."

Turkey

The Turkish Constitutional Court has ruled that termination of an employee's contract by inspecting private correspondence violates the Right of Privacy and Freedom of Communication

In its recent decision concerning a case where information, obtained by an employer as a result of inspecting another employee's messages with the applicant on a mobile phone allocated for work purposes was used as the grounds to terminate the applicant's employment contract, the Turkish Constitutional Court (TCC) has decided that the employer's termination of employment contract using its power of surveillance authority, violates the "Privacy" and "Freedom of Communication" rights of the employee.

The TCC further noted in the mentioned decision that full and clear information was not given to the employee in advance regarding control of communication made over the company mobile phones allocated for use by employees, and that it was also unclear whether an investigation limited to the employer's claim that an investigation was made on the work phone to reach customer contact information was, in fact, carried out.

The TCC also determined that messaging applications can be used for personal purposes and the applicant's inspection of an employee's messages on a work phone causes a violation of the employee's rightful expectation that their fundamental rights and freedoms will be protected in the workplace.

Administrative fines under law on the Protection of Personal Data are increased according to the revaluation rate

According to the General Communiqué on Tax Procedure Law, published in the Official Gazette, dated 24 November 2022, the revaluation rate has been set at 122.93% for the year 2022. Accordingly, the administrative fines under Article 18 of the Law on the Protection of Personal Data have increased, as follows:

• Failure to fulfill the notice obligation shall result in an administrative fine in the amount between TL 29,852 to TL 597,191;
• Failure to fulfill obligations regarding data security shall result in an administrative fine in the amount between TL 89,571 to TL 5,971,989;
• Failure to fulfill the obligation to fulfill decisions made by the Board shall result in an administrative fine in the amount between TL 149,285 to TL 5,971,989; and
• Failure to fulfill the obligation to register with the Data Controllers' Registry shall result in an administrative fine in the amount between TL 119,428 to TL 5,971,989.

New Regulation on the collection, storage and sharing of Insurance Data has entered into force

New regulation (Regulation), governing the principles and procedures regarding the processing and sharing of insurance data has been published in the Official Gazette, dated 18 October 2022. The Regulation defines "insurance data" as "data on the insurance contract, insurer, and insurance companies who are parties to insurance contracts; insured, beneficiaries, and other third parties who directly or indirectly benefit from the insurance contract; and all data based on risk assessment, including false insurance practices". Accordingly, all public and private entities are obliged to provide insurance data to the Insurance Information and Supervision Center (Center), as requested. All insurance, reinsurance, and pension companies engaged in insurance activities are obliged to become a member of the Center and to keep the general database up-to-date. The Regulation further sets forth the rules on sharing insurance data. Insurance data will be shared with the members by the Center, and it may only publish the data in a way that cannot be associated with any real person.

The insurance data can only be used for the purposes listed in Article 15 of the Regulation, such that it helps improve the insurance sector, following insurance practices and monitoring mandatory insurances. The use of the insurance data by the Center is also limited to the purposes listed in the Regulation. The responsibilities of the members and the Center are also defined in the Regulation. Lastly, the Regulation explicitly states that all personal data processing activities within the scope of this Regulation must be in compliance with the Law on Personal Data Protection (Law No.6698).