New Legislative Amendments (2)
Recent Amendments to the Capıtal Movements Cırcular
The Capital Movements Circular (the “Circular”) has been amended by the letter numbered 468620 and dated November 4, 2019 of the Ministry of Treasury and Finance of the Republic of Turkey (the “Amendment”).
Article 6/2 of the Circular setting out the rules for the payment of share prices in capital increase, states that capital increases may be realized by way of existing shareholders exercising their pre-emptive rights or real/legal persons other than existing shareholders subscribing to the company’s capital. Also, if the capital increase is not registered with the trade registry within three months starting from the respective general assembly or board of directors resolution, such amounts shall be returned to their owners. Accordingly the sub-article 5 of the same article, added with the same Amendment, specifies that the amount deposited to the company’s bank account by foreign shareholders for a future capital increase may only be contributed to the company’s capital if such capital increase is realized and documented within the same three months period.
With this Amendment, it has been clarified that the capital injection made by foreign shareholders are subject to the same period requirements which have been already specified under both the Circular and the Turkish Commercial Code numbered 6102.
Public Announcement of the Turkish Data Protection Authority on the Obligation to Inform
The Turkish Data Protection Authority (the “DPA”) has published a public announcement on November 8, 2019, in order to clarify the data controllers’ obligation to inform data subjects. The announcement draws attention to the fact that the texts prepared by data controllers, especially media organizations, to fulfill the obligation to inform frequently indicates their compliance with the European General Data Protection Regulation (the “GDPR“). However, the DPA emphasizes that such statements are not sufficient to fulfill their obligation to inform. The information notices on the processing of personal data must be in conformity with Article 10 of Law Numbered 6698 on the Protection of Personal Data (the “Data Protection Law”) and Article 4 of the Communiqué on the Principles and Procedures to be Followed in Fulfilling the Obligation to Inform (the “Communiqué”). Therefore, it is advised that the data controllers should explicitly state the compliance of their policies and rules with such regulations.
In addition, as per Article 4 of the Communiqué, (i) the identity of the data controller and its representative (if any), (ii) the purpose of the data processing, (iii) the third parties that such data may be transferred to and the purposes of such transfer, (iv) the methods and legal grounds of the data collection (with specifying explicitly which legal ground(s) listed under the Data Protection Law are invoked) and (v) the data subjects’ rights under Article 11 of the Data Protection Law must be explicitly included in an easily understandable way.
Turkish Data Protection Board’s Latest Resolutıon
On November 6, 2019, the Turkish Data Protection Board (the “Board”) published four resolutions on its website relating to different topics. The highlights of these resolutions are explained below:
- The first resolution numbered 2019/296 and dated October 1, 2019 covers a complaint made by a data subject because of their rejection of access request by a telecom operator company (the “Company”) on the grounds that such request must have been made via notary or e-mail with electronic signature. The company further declared that these methods for submitting the request forms are necessary to confirm data subjects’ identity. However, the Board noted that under the Communiqué on the Procedures and Principles of Application to the Data Controller (the “Communiqué on Application to the Data Controller”), data subjects have the right to apply to data controllers, among other methods, in writing, by using a mobile signature or via an e-mail address that has been notified to or registered with data controller. Therefore, it is stated in the resolution that the requirement of the Company creates an additional financial burden to data subjects and limits their rights under the Communiqué. Thus, the Board concludes that the Company should be instructed to take maximum care and attention to comply with the provisions of the Communiqué on Application to the Data Controller.
- The second resolution numbered 2019/294 and dated October 1, 2019 concerns a request for a copy of both sides of the data subject’s identity card by an aviation company for the data subject to change the username and password of his loyalty membership. Upon the data subject’s request for the image to be deleted from the systems of the data controller and third parties to whom such image may have been transferred, the aviation company stated that such data was not stored or transferred. Further investigation revealed that such personal data has actually been stored. The Board stated that information such as "religion" and "blood group" which can be found on the identification card are sensitive personal data, thus the explicit consent of the data subject is required for collecting such. Since there is no explicit consent, the data has been processed illegally. Furthermore, the Board articulated that the data controller did not act in good faith in misleading the data subject about the preservation period of his data. Additionally, it has been noted that, even though the verification of identity is necessary for the requested action, it could have been achieved by collecting less data. Also, the legal grounds for processing data was not specified by the data controller. Consequently, the Board decided that the principles stating that data processing should be made for clear, specific and legitimate reasons and in a way that is proportionate to such purposes have been breached. As a consequence, the Board imposed a fine in the amount of TRY 100.000 to the aviation company according to the Data Protection Law.
- The third resolution of the Board numbered 2019/277 and dated September 18, 2019 covers a bank’s use of their customer's mobile phone number for purposes other than its main purpose. The customer has filed a complaint regarding this incident claiming that when he tried to reach the bank regarding the data processing and the bank replied by an e-mail only stating that they could not reach the data subject by phone and that the data subject should call the service hotline for further information. The Board decided that such response was not satisfactory under the Communiqué on Application to the Data Controller. Within this scope, the Board reminded in its resolution that data controller should pay strict attention to their compliance with the Data Protection Law and the Communiqué on Application to the Data Controller. Additionally, the Board noted that since the data processing was not made for clear, specific and legitimate reasons and in a way that is proportionate to such purposes, the processing of data constitutes a breach of the Data Protection Law. As a result, the Board imposed a fine amounting to TRY 100.000 to the Bank as a penalty.
- The last resolution numbered 2019/276 and dated September 18, 2019 covers an incident in which an educational foundation sent marketing SMS messages to data subjects without obtaining their approval. According to the Data Protection Law, sending commercial messages to the data subject is accepted as a data processing activity. Thereby the board articulated that for the legal execution of data processing the existence of the explicit consent of the data subject or one or more of the other legal grounds listed under Article 5 are required. Consequently, the Board deemed the respective SMS messages unlawful and imposed a fine of TRY 50.000 on the educational foundation.