Bold Moves in Data Security: Key Recent Decisions by Regulatory Authorities
The Advertising Board imposed sanctions on an online shopping platform operated by a retail company offering installment sales, concerning its “User and Privacy Agreement”. Upon examination, it was determined that the clause stating, “The user consents to the sharing of their information with the site for the purposes of providing personalized advantages, sales marketing, and any similar communication activities,” effectively deprived consumers of the ability to provide genuine, voluntary consent. The investigation revealed that users were pressured into accepting targeted advertising and marketing practices and were not given the option to refuse such activities, thereby restricting their freedom of choice. Furthermore, the Board highlighted that consumers lacked the ability to withdraw their consent, deeming the practice an unfair commercial activity and ruling for the suspension of the site’s operations.[1]
The Advertising Board has issued a significant sanction concerning the collection of personal data during in-store purchases. It was revealed that a home goods store required consumers to provide personal information -such as their name, surname, and phone number- as a condition to access discounted sales. Consumers who refused to share their data were denied the opportunity to benefit from the promotions. Additionally, although the store claimed the discounts were exclusive to members, this information was not disclosed on the promotional banners. The Board rules the practice an unfair commercial activity, determining that it coerced consumers into sharing personal data and effectively compelled them to accept a condition they would otherwise reject. Consequently, the Board ordered the cessation of this practice.[2]
The Competition Authority announced that a retail chain selling essential food and consumer goods was fined approximately 1.3 billion TL due to a data deletion attempt by one of its executives during an on-site inspection at the company’s headquarters. Emphasizing that on-site inspections are a crucial tool for detecting violations of competition law, the Authority stated that obstructing or impeding such inspections could result in an administrative fine amounting to 0.5 % of the company’s annual turnover. The Authority further underscored that inspections are conducted meticulously using state-of-the-art technology, focusing strictly on data relevant to the investigation, with no interference in personal or private data. It also reminded companies that no data should be deleted from work devices once the inspection begins, highlighting that the Authority’s advanced technological tools can easily detect such actions.[3]
The Court of Cassation issued a ruling for compensatory damages against the unauthorized sharing of personal data. The plaintiff, the employer, stated that a secretary employed at a dermatology clinic had copied the clinic’s records containing personal and contact information of patients without permission, and then shared these details with a pharmacy where she later started working. The employer claimed that this action caused distress to the patients and resulted in commercial harm. The first instance court rejected the case, stating that the act of invasion of personality rights could not be proven. However, the Court of Cassation assessed the illegal sharing of personal data as an unlawful act and decided that compensatory damages should be paid to the employer.[4]
The Court of Cassation overturned the decision of the first instance court regarding the legality of RFID (Radio Frequency Identification) technology used to track employees’ locations and movements in the workplace, due to a lack of expert examination. The plaintiff, a labor union, argued that the tracking devices were used to monitor workers’ performances and movements during break times, and that the devices vibrated when there was a brief period of inactivity. They claimed that such devices violated employees’ personal rights and were in breach of the regulations on the protection of personal data. They claimed that such devices violated employees' personal rights and were in breach of the regulations on the protection of personal data. The Court of Cassation pointed out that insufficient examinations had been conducted in the case regarding how the device worked, what data was recorded, how employees' location information was processed, and whether this data was stored in compliance with the law. It was emphasized that the protection of personal data also means the protection of workers' dignity, and a thorough investigation was required to determine whether employees' personal data was processed legally and whether explicit consent had been obtained for its processing. The case was sent back to the first instance court for further review.[5]
[4] 4th Civil Chamber of the Court of Cassation, Date 15.9.2022, Merits Nr. 2021/27198, Decision Nr. 2022/10454 (https://karararama.yargitay.gov.tr/)
[5] 9th Civil Chamber of the Court of Cassation, Date 22.02.2024, Merits Nr. 2024/1311, Decision Nr. 2024/3381 (https://karararama.yargitay.gov.tr/)
The Advertising Board imposed sanctions on an online shopping platform operated by a retail company offering installment sales, concerning its “User and Privacy Agreement”. Upon examination, it was determined that the clause stating, “The user consents to the sharing of their information with the site for the purposes of providing personalized advantages, sales marketing, and any similar communication activities,” effectively deprived consumers of the ability to provide genuine, voluntary consent. The investigation revealed that users were pressured into accepting targeted advertising and marketing practices and were not given the option to refuse such activities, thereby restricting their freedom of choice. Furthermore, the Board highlighted that consumers lacked the ability to withdraw their consent, deeming the practice an unfair commercial activity and ruling for the suspension of the site’s operations.[1]
The Advertising Board has issued a significant sanction concerning the collection of personal data during in-store purchases. It was revealed that a home goods store required consumers to provide personal information -such as their name, surname, and phone number- as a condition to access discounted sales. Consumers who refused to share their data were denied the opportunity to benefit from the promotions. Additionally, although the store claimed the discounts were exclusive to members, this information was not disclosed on the promotional banners. The Board rules the practice an unfair commercial activity, determining that it coerced consumers into sharing personal data and effectively compelled them to accept a condition they would otherwise reject. Consequently, the Board ordered the cessation of this practice.[2]
The Competition Authority announced that a retail chain selling essential food and consumer goods was fined approximately 1.3 billion TL due to a data deletion attempt by one of its executives during an on-site inspection at the company’s headquarters. Emphasizing that on-site inspections are a crucial tool for detecting violations of competition law, the Authority stated that obstructing or impeding such inspections could result in an administrative fine amounting to 0.5 % of the company’s annual turnover. The Authority further underscored that inspections are conducted meticulously using state-of-the-art technology, focusing strictly on data relevant to the investigation, with no interference in personal or private data. It also reminded companies that no data should be deleted from work devices once the inspection begins, highlighting that the Authority’s advanced technological tools can easily detect such actions.[3]
The Court of Cassation issued a ruling for compensatory damages against the unauthorized sharing of personal data. The plaintiff, the employer, stated that a secretary employed at a dermatology clinic had copied the clinic’s records containing personal and contact information of patients without permission, and then shared these details with a pharmacy where she later started working. The employer claimed that this action caused distress to the patients and resulted in commercial harm. The first instance court rejected the case, stating that the act of invasion of personality rights could not be proven. However, the Court of Cassation assessed the illegal sharing of personal data as an unlawful act and decided that compensatory damages should be paid to the employer.[4]
The Court of Cassation overturned the decision of the first instance court regarding the legality of RFID (Radio Frequency Identification) technology used to track employees’ locations and movements in the workplace, due to a lack of expert examination. The plaintiff, a labor union, argued that the tracking devices were used to monitor workers’ performances and movements during break times, and that the devices vibrated when there was a brief period of inactivity. They claimed that such devices violated employees’ personal rights and were in breach of the regulations on the protection of personal data. They claimed that such devices violated employees' personal rights and were in breach of the regulations on the protection of personal data. The Court of Cassation pointed out that insufficient examinations had been conducted in the case regarding how the device worked, what data was recorded, how employees' location information was processed, and whether this data was stored in compliance with the law. It was emphasized that the protection of personal data also means the protection of workers' dignity, and a thorough investigation was required to determine whether employees' personal data was processed legally and whether explicit consent had been obtained for its processing. The case was sent back to the first instance court for further review.[5]
