05 Oct, 2020

Transfer of Personal Data Abroad on the Basis of Convention No. 108

In this decision, which resulted in an administrative fine of 900.000 TL, the Personal Data Protection Board revisited issues it had repeatedly emphasized and imposed a penalty for the deficiencies it detected. In particular, the part of the decision on data transfer abroad based on Convention No. 108 sets an example for many data controllers.

In summary, the Board's decision highlights the following important points.

  1. An ex officio investigation was initiated because of the contradiction in relying on "legitimate interest" and "explicit consent" simultaneously as the basis of the data processing activity.
  2. In response to the investigation, the data controller raised the following points in its defense:
  • Data that does not contain sensitive personal data is transferred securely online to a member country of the European Union,
  • Explicit consent was obtained from the data owner,
  • Data is processed based on legitimate interest,
  • Safe countries have not yet been published by the Board,
  • Data transfer based on the "Convention on the Protection of Individuals Against Automatic Processing of Personal Data" numbered 108 is in compliance with the law.

  3. The Board's decision in response to this defense includes the following points:

  • Where a processing condition other than explicit consent is relied upon, there is no need to obtain explicit consent, and "legitimate interest" is one of these conditions,
  • Where legitimate interest is relied upon, a balance test should be made between the legitimate interest of the data controller and the fundamental rights and freedoms of the person concerned, and the decision on whether to process the data should follow from that test,
  • It was concluded that there is no valid legitimate interest, since the legitimate interest is not explained in the defense and a balance test is not mentioned,
  • The alleged "explicit consent" is not based on sufficient information, nor is there any information regarding the transfer abroad,
  • The clarification text does not clearly explain which processing activities are based on explicit consent and which are based on legitimate interest,
  • Convention No. 108 does not abolish domestic legal regulations, serves to facilitate data transfer, and cannot on its own be a basis for the determination of a "safe country",
  • In the concrete case, it is necessary to apply the special provisions of the KVKK No. 6698, not the general provisions of Convention No. 108,
  • No application was made to the Board with a commitment to protect the data from the third party to whom the data is transferred,
  • The clarification text is not arranged in detail in accordance with the legal regulations.

It was stated that the processes of providing the clarification text and obtaining explicit consent were combined instead of being kept separate.

Regarding data transfer abroad, the articles that must be included in the commitments to be obtained from the data controller or data processor to whom the data is to be transferred were published by the Personal Data Protection Board on 09.03.2020.

To summarize further,

1) The data processing conditions are not determined correctly,

2) Clarification and obtaining explicit consent are not in compliance with legal regulations,

3) Again, an administrative fine of 900.000 TL was imposed because data was transferred abroad without complying with the legal regulations.

This decision is a reminder once again that KVKK compliance projects are extremely important.

