Turkey

Turkish Constitutional Court sets precedent by overruling employee’s right to respect privacy 

The Turkish Constitutional Court recently decided in favor of an organization/employer which used its power of surveillance to inspect an employee’s corporate e-mail account and subsequently terminate that employee’s employment contract due to a violation in the correspondence. The Turkish Constitutional Court ruled that the employer’s behavior does not violate the employee’s right to protection of personal data under the constitutional right of privacy and freedom of communication. The decision, dated January 12, 2021, and numbered 2018/31036, which was published in the Official Gazette published on February 5, 2021, represents a critical precedent with regard to the implementation of personal data protection legislation along with labor law. 

Turkish law introduces the concept of joint data controller 

A decision taken by the Personal Data Protection Board on December 23, 2021 and published on January 20, 2022, introduced the definition of joint data controller in Turkish legislation for the first time. This means that while a leasing company that collects customers’ personal data is deemed a data controller, other leasing companies and software companies which use blacklist programs that can access and control this personal data are also deemed to be joint data controllers.

In Turkey, companies no longer permitted to pass customer data on to external parties 

Companies that pass on customers’ personal data and buying choices to third parties are in contravention of data protection legislation, the Personal Data Protection Board ruled. The announcement on December 17, 2021 means that companies are no longer permitted to send shoppers a verification code to verify completion of payment or update information via SMS. 

Turkish Constitutional Court rules on unlawful obtainment of personal data 

In a recent decision, the Turkish Constitutional Court ruled that the “right to demand the protection of personal data” was violated within the scope of “respect to privacy of private life”, due to ineffective investigation by the judicial authorities about a complaint concerning unlawful obtainment of personal data. The Court decided that the information about the health status of the applicant and their hospital records is required to be accepted as “data about a specific person”, and in this regard, the acquisition, use and processing of this data falls within the scope of the “right to the protection of personal data”. Therefore, the claim on the performance of an ineffective investigation remains under the scope of the “right to demand the protection”.

According to Turkish court, exam scores and program information are deemed personal data

In its recent decision dated January 6, 2022, The Data Protection Board decided that exam scores and higher education program information are considered personal data due to the fact that they may reflect the knowledge, competence, intelligence and judgment of a person in a particular field and provide information about their profession or interests.  Based on this assessment, the Board has imposed an administrative fine of TL 30,000 on a data controller, considering that the data controller removed the news from its website before its investigation was completed as a mitigating circumstance.  

Turkish Data Protection Board announces administrative fines 

- The Data Protection Authority has announced administrative fines regulated under Article 18 of the Data Protection Law numbered 6698, revised by the revaluation rate calculated according to the Tax Procedure Law No. 213 which are as follows:

• TL 13,391 to TL 267,883 for failing to fulfill the obligation to inform;
• TL 40,179 to TL 2,678,863 for failing to fulfill the obligations regarding data security;
• TL 66,965 to TL 2,678,863 for failing to comply with the decisions of the Data Protection Board; and
• (iv) TL 53,572 to TL 2,678,863 for failing to register with and notify the Data Controllers' Registry

Turkish Constitutional Court rejects law enforcement officer’s dismissal appeal 

The Turkish Constitutional Court decided that the following was unconstitutional: an application was made by an applicant, a former law enforcement officer, with the claim that the expression of “…to make an inquiry…” found in subparagraph (aa) of paragraph (6) of Article 8 of the Law on the Adoption of the Decree-Law on General Law Enforcement Disciplinary Provisions numbered 7068, which regulates the penalty given to the applicant, a public official (law enforcement officer) who was sentenced to dismissal from his profession on the grounds that he displayed personal data unlawfully.

Europe

EU Vehicle Data Consultation and the Evolving EU Regulatory Landscape for Connected Vehicles

In the coming years, data collected by vehicles will be subject to a new EU regulatory regime consisting of horizontal rules applicable across many industries and vertical rules designed specifically for the automotive sector. In February 2022, the EU Commission adopted a proposal for a new Data Act, which is currently working its way through the EU legislative process. The Data Act sets out overall principles for data access to connected products, introducing user rights to access and share data, contractual principles for business-to-business data exchange, and switching principles for cloud services.

The Commission is considering three policy options in relation to in-vehicle data. The least intrusive (short of doing nothing) would be to impose equal access rights to functions (e.g., the possibility of remotely unlocking the vehicle door for a shared mobility service) and resources (e.g., the possibility of displaying speed limit information on the vehicle dashboard for a navigation service, or to charging/discharging the battery for electric vehicle related services). Under this option, manufacturers would need to publish lists of vehicle data, functions and resources accessible on a specific model or version of a vehicle. Rules would also address the interplay between the right to access data, functions and resources and the applicable cybersecurity rules, as well as introducing reporting obligations for manufacturers. According to the Commission, this option would encourage broader and fairer access for independent service providers and have the flexibility to accommodate future developments and take account of differences between manufacturers. 

In an intermediate approach, the EU would also impose a requirement to demonstrate the availability for access of a minimum list of data, functions and resources, remotely and in a specific format. This would include bi-directional communication with the driver through a vehicle’s human-machine interface, as well as continuous and secure access to the on-board diagnostic port. The possibility of proposing services across brands could create a stronger business case for the provision of data-driven services and address governmental bodies’ data needs for, e.g. monitoring traffic, CO2 or pollutant emissions or vehicle safety. 

Under the most intrusive option, EU rules would impose not only a minimum list of data, functions and resources, but also governance rules on access. This option could facilitate equal and secure access to vehicle data, functions and resources, and ultimately create a more level playing field and greater incentives for investment in the independent provision and development of new services, with potentially greater benefits. However, it could also increase vehicle manufacturers’ costs and require an even longer implementation period.

Automotive sector stakeholders, including not only manufacturers but also automotive suppliers and distributors and providers of related products and services ranging from telecommunications, entertainment, insurance, fuel/charging stations and aftermarket services, will have to navigate an increasingly complex regulatory landscape. In addition to the specific measures described above, these include the new EU AI regulation, Digital Market Act, Data Governance Act and updated product liability rules, as well as constantly evolving data privacy and localization rules. As in many sectors, EU regulation is likely to cascade into other jurisdictions.