News

29.02.2024

Constitutional Court Ruling: Procedural Safeguards in Data Protection Cases

The Turkish Constitutional Court stated in its decision M.I.I. (application number 2020/7518) that the court of first instance's rejection, without justification, of the objection to the penalty imposed by the Personal Data Protection Board resulted in a violation of the right to property under the Turkish Constitution.

Background

In 2018, two years after its 2016 acquisition of a hotel in the UK, the Applicant Company discovered that a data breach dating back to 2014 had occurred. Following the determination of unauthorized access to the guest reservation database, the Company issued a press release and informed the data subjects. Because Turkish citizens were affected by the data breach, the Personal Data Protection Board imposed an administrative fine of TRY 1,450,000 on the Company.

The Company objected to the administrative fine on the following grounds:

  • Liability of Another Data Controller: According to the law, the responsibility for the data breach should lie with the acquired company where the breach occurred, rather than with the Company.
  • Procedural Irregularities: The Board’s decision was made in violation of procedural rules.
  • Insufficient Reasoning in Decision: The decision lacks legally sufficient and adequate reasoning to support the imposition of the administrative fine.
  • Interpretation of Notification Period Uncertainty: The timeframe for reporting data breaches had not been clear at that time, and the decision of the Board was inapplicable to the specific case.
  • Liability: It is unlawful to impose a penalty even though the Company took all necessary measures regarding the data breach.
  • Violation of Proportionality and Equality Principles: The fine lacks proportionality when compared to similar incidents and this violates the principle of equality.

The application made to the court of first instance was rejected, as the court did not find any procedural or legal violations and deemed no changes necessary to the initial decision.

Constitutional Court Decision

The Constitutional Court stated that the Board possesses a certain degree of discretion in choosing the measures necessary to guarantee data security. The fulfilment of the various technical and administrative obligations required to ensure an appropriate level of data security, and the imposition of a proportionate sanction, fall within the scope of this discretion.

According to the Court, the Company's objections were crucial for the judicial process, yet the court of first instance failed to assess them. This failure led to a violation of procedural safeguards and the right to property.

Conclusion


The Constitutional Court acknowledges the Personal Data Protection Board's discretionary authority to determine measures ensuring data security. However, it found that the right to property was violated because the Applicant’s objections were rejected without being evaluated.

In light of the Constitutional Court’s decision, it is expected that the court of first instance will evaluate objections and provide detailed justifications in its decisions. It is also likely that applications will be submitted to the Constitutional Court concerning Board decisions that have procedural deficiencies or are deemed disproportionate, leading to a review of the Board’s decisions.

 

Çağla Tuna

Oğuzhan Başak