Shortly after its establishment with the Turkish Data Protection Law No. 6698 (“Law”), the Turkish Data Protection Authority (“DPA”) has started to observe the data protection ecosystem of Turkey. In this regard, the DPA has been focusing on the areas, where data protection concerns are perceived more concentratedly. One of the instruments that the DPA has been putting to use is adopting resolutions, where the violation is prevalent. It is worth to note that “resolutions” are different than “decisions” in nature within the meaning of the Law.
As paragraph 6 of Article 15 proposes, “As a result of the inspection conducted either ex officio or upon complaint, in case it is determined that the violation is prevalent, the Board shall adopt a resolution and publish it.” Differently from the DPA’s decisions, resolutions are adopted in cases where the violation not only exists but also prevalent. Also, the Law supposes that the resolutions must be published whereas the decisions are only served to the concerned parties since they are based on at a one-time act.
Within this Article, we will discuss the DPA’s recent resolution adopted with a view to prevent the companies from reaching out to their customers or potential customers without their explicit consent for advertising purposes by means of SMS, e-mail, and calls.
Recent Resolution of the DPA
SMS and e-mails have been one of the most preferred ways by companies within the recent years for reaching out to their customers for advertising purposes. Since companies can make announcements about their new products, campaigns, discounts and other marketing relating subjects through a single SMS, a call or an e-mail, these platforms have become more appealing than other traditional advertising instruments.
It is also undeniable that their convenience and accessibility create significant competitive advantage to firms which are highly engaged with their consumers. Those being said, individuals have a right to not receive those advertisements thanks to the data protection regulations. Since the mentioned instruments are directly linked to consumers’ mobile phones, personal computers and other personal devices, this issue inevitably becomes closely related to personal data and its protection.
As such, the DPA adopted a resolution dealing with this issue and published it on October 1, 2018 in the Turkish Official Gazette. The DPA has concluded that it received numerous complaints about advertisements sent through e-mail, SMS, and calls without explicit consent of the individuals and determined that these operations constitute a violation. As the violation was found to be prevalent by the DPA, it adopted the following resolution:
- The operations of the data controllers and the data processors acting on behalf of the data controllers, who send SMS or e-mails or make calls for advertising purposes shall be stopped unless they have explicit consent of the data subjects or satisfy the conditions given in the Article 5 for processing.
- Data controller shall take all necessary technical and organizational measures for providing an appropriate level of security in order to prevent unlawful processing of personal data, prevent unlawful access to personal data, and safeguard personal data. In case personal data are processed on behalf of the data controller by another natural or legal person, the data controller shall be jointly liable with such persons with regard to taking the measures.
- Administrative fines will be imposed in the scope of Article 18 to the persons who continue to be a part of above-mentioned actions.
- Since the personal data that are subject to processing may have been obtained illegally, these operations will be reported to public prosecutors in accordance with Article 136 of the Criminal Law No. 5237 and Article 136 of the Criminal Procedure Law No. 5271.
This resolution of the DPA clearly gives the indication that DPA is interactive with the applications and requests of the individuals especially regarding the breaches of data protection rights. The DPA will likely to continue to take similar actions and adopt resolutions on subjects that affect individuals’ everyday lives and privacy.
By Ertugrul Can Canbolat, Senior Associate, Baran Can Yıldırım, Associate, Seniha Irem Akın, Associate, Actecon