1. Turkish DPA has published its Guidelines on Personal Data Processing Inventory

The Turkish Data Protection Authority ("Turkish DPA") published its Guidelines on Personal Data Processing Inventory and a sample data inventory on its website on 30.04.2019.

The guidelines include various issues to be addressed by data controllers in the preparation of data inventories. Pursuant to the guidelines, VERBS records should reflect a more general view on categories of personal data, whereas the data inventory should take a more detailed approach to the processing of personal data and include personal data categories and their sub-categories, purposes and legitimate grounds of processing, data subjects, retention periods, recipients of personal data and security measures.

The deadline for registration for VERBS is 30.09.2019; thus, it is recommended that data controllers that are required to register for VERBS accelerate their compliance efforts. Apart from being a legal requirement for some data controllers, data processing inventories also serve a critical purpose in responding to subject access requests and pursuing timely data erasures.

(You can click here to find our newsletter on VERBS registration requirement and exceptions.)

2. Turkish DPA fines Facebook TRY 1.65M (USD 273k) for a breach caused by the photo API bug.

The Turkish DPA announced on its website on 10.05.2019 that it had fined Facebook a total of TRY 1,650,000 (USD 273k) in its decision numbered 2019/104 and dated 11.04.2019. TRY 1,100,000 (USD 182k) of that fine was assessed for Facebook's failure to take appropriate technical and organizational measures to prevent the data breach and the remaining TRY 550,000 (USD 91k) was for failure to notify the Turkish DPA regarding such breach.

According to the decision, the Turkish DPA started an ex officio investigation into Facebook's breach, which the latter disclosed in an announcement "Notifying our Developer Ecosystem about a Photo API Bug" that it published on its Developer Blog on 14.12.2018. As a result of the investigation, the Turkish DPA determined that due to a photo API bug, third party applications had been able to gain access to more user data than the users had actually permitted, including users' draft photos, and that around 300,000 users in Turkey may have been affected.

In its decision, the Turkish DPA decided that Facebook had breached Turkish Data Protection Law ("TDPL") on the grounds that: (i) more data had been shared than Facebook users had actually permitted; (ii) Facebook could not determine whether third party applications had accessed such data; (iii) users' free choice had been limited when third party applications requested permission to access user data; and (iv) Facebook's delay in handling the data breach.

The Turkish DPA's decision is the first decision in which it announced an administrative fine and disclosed the data controller's identity, and it may also be the largest fine it has ever imposed for a single data breach. The decision demonstrates the Turkish DPA's sensitivity regarding breach notifications, the close attention it pays to global incidents that also affect users in Turkey, and its willingness to act ex officio when necessary.

3. Amendments were made to the secondary legislation of the Turkish Data Protection Law

Amendments were made to the secondary legislation of the TDPL, particularly regarding certain definitions and wording in order to clarify ambiguities. These amendments were published in the Official Gazette on 28.04.2019. As a result of these amendments:

- Data controllers will now need to demonstrate legitimate grounds for processing in their data inventory;

- The Data controllers' requirement to prepare data inventory has been clarified for those which are required to register for VERBS;

- The VERBS contract persons to be designated by the data controllers is now defined more clearly; and

- The obligation to provide separate privacy notices when different departments of a data controller process personal data for different purposes has been repealed.

4. The Turkish DPA accredited to the European Conference of Data Protection Authorities

According to the announcement made on the Turkish DPA's website on 10.05.2019, the Turkish DPA's accreditation application to the European Conference of Data Protection Authorities was accepted at the recent conference, which took place in May 2019.

Previously, in 2017, the Turkish DPA had been accredited to the International Conference of Data Protection and Privacy Commissioners. The Turkish DPA's presence in international organizations together with its global counterparts is significant with respect to its global recognition and the harmonization of its domestic practices with global data protection trends.