Personal Data Protection Board has been issuing relatively advisory and cautionary decisions since the Law on Protection of Personal Data, a new regulation in Turkish law, entered into force in 2016. However, considering recent decisions of the Board, it is clear that the Board stopped showing tolerance regarding protection of personal data.
Board issued two different decisions on 16.05.2019, in one of which a data controller company was fined 550.000,00 TL and another 1.450.000,00 TL in other decision.
Both Companies were fined for failure to comply with provisions regarding necessary technical and administrative measures, and late reporting of a data security breach.
The legitimacy of the decisions could be argued on. Because the Board has defined the term shortest time as 72 hours in its decision on 24.01.2019 however, companies’ omissions were prior to such decision of the Board. But still, in the light of these decisions, it would not be wrong to think that Authority now is strictly expecting from all data controllers to comply with all requirements and focus their due attention on this matter.