On 1 November 2018, the Turkish Data Protection Board (“Board”) announced a decision setting out the principles and measures to be adopted to prevent data controllers and data processors from forwarding advertising notifications via e-mails or SMS messages and/or reaching out to data subjects through their mobile numbers.


Numerous data subjects have complained to the Board that they have received e-mails or SMS messages, or have been contacted at their personal mobile numbers, despite never having given their explicit consent as dictated under the Law on the Protection of Personal Data (“LPPD”).

Details of the decision:

After considering these complaints from various data subjects, the Board has adopted a decision resolving the following:

If the relevant personal data have been processed on behalf of the data controller by another natural or legal person, the data controller will be jointly liable with such persons for taking the necessary technical and organizational measures.

  • Data controllers or third persons who send SMS messages to phone numbers or who forward advertising messages through calls and e-mails in the name of the data controller without fulfilling the conditions for processing of personal data must immediately stop processing such data.
  • Data controllers must take all necessary technical and organizational measures to ensure security is sufficient to:
    1. prevent unlawful processing of personal data,
    2. prevent unlawful access to personal data, and
    3. safeguard personal data.
  • The administrative fines set out under Article 18 of the LPPD will be imposed if the liable entities fail to take such measures. The administrative fines to be imposed depend on the type of breach in question and are as follows:
    1. Fines between TRY 5,000 and TRY 100,000 (EUR 650 and EUR 13,200) for those who fail in their obligation to provide information;
    2. Fines between TRY 15,000 and TRY 1,000,000 (EUR 2,000 and EUR 132,000) for the failure to comply with the provisions of the LPPD;
    3. Fines between TRY 25,000 and TRY 1,000,000 (EUR 3,300 and EUR 132,000) for the failure to comply with the Board’s decisions; and
    4. Fines between TRY 20,000 and TRY 1,000,000 (EUR 2,632 and EUR 132,000) for the failure to register with the Registry and to provide up-to-date information to it.
  • The chief public prosecutor’s office will be notified of any non-compliance. Potential sanctions include, without limitation, imprisonment for data controllers obtaining or sharing personal information in breach of the LPPD.