JUDICIAL REMEDIES AGAINST THE DECISIONS ADOPTED BY PERSONAL DATA PROTECTION BOARD
Gradual global increase in data processing implementations pushed states towards setting several regulations in the field of data security. To that end, many states, within their administrative organizations, started to found data protection authorities. In Turkey, Personal Data Protection Authority has been found for supervision of behaviors by any actors, be it commercial or not, in the field of personal data.
Personal Data Protection Authority adopts decisions by means of its board, being their decision-making body in its organization; and imposes, in many of its decisions, mass amounts of administrative fines and other sanctions on related parties, which may turn out negatively. In this article is scrutinized the categories and the legal character of the decisions adopted by the Personal Data Protection Board, and the judicial remedies against the said decisions as well as the examination procedures.
II. CATEGORIES OF PERSONAL DATA PROTECTION DECISIONS
A. REGULATORY ACTS
Pursuant to article 7 paragraph 3 and article 22 subparagraph (e) of the Code no. 6698 of Personal Data Protection (“CPDP”), the Personal Data Protection Board has been furnished with the power to issue regulations and other regulatory acts. In this respect, the Personal Data Protection Board issues regulations and communiqués.
B. INDIVIDUAL ACTS
The most notable decisions adopted by the Personal Data Protection Board, being the decision-making body in the Personal Data Protection Authority’s organization, which may lead to change in legal status quo of the relevant parties, is decisions on the administrative fines. Commonly, the administrative fines imposed by the Personal Data Protection Board are at stake when data controllers have failed to take necessary technical and administrative measures to ensure the data security. In addition, regarding the administrative fines, it is one of the most encountered violations in practice that, in case the processed personal data were illegally acquired by the third parties, the data controllers have failed to perform their obligation to notify the relevant parties and the Personal Data Protection Board on the situation, as set out under article 12 paragraph 5 of CPDP. Again, administrative fines can be imposed on those who have failed to fulfil their obligation to inform in scope of article 10 of CPDP. Last but not least, according to article 138 of Code no. 5237 of Misdemeanor (“Code of Misdemeanor”), administrative fines will be imposed on those who have failed to remove or anonymize personal data as per article 7 of CPDP.
That said, an approval by the Personal Data Protection Board is required to achieve the data transfer abroad by data controller pursuant to article 9 of CPDP. The Personal Data Protection Board can, in this respect, decide on approval or non-approval.
Lastly, according to article 15 of CPDP, as a result of its examination upon complaint or conducted ex officio, should the violation be found, the Personal Data Protection Board can decide that the illegalities found must be recovered by data controller.
III. LEGAL CHARACTER OF THE PERSONAL DATA PROTECTION BOARD’S DECISIONS
The Personal Data Protection Authority, being an administrative institution, is an autonomous administrative authority furnished with the power to set out technical and administrative regulatory acts. The Personal Data Protection Authority adopts its decisions in light of CPDP, by means of the Personal Data Protection Board, its decision-making body.
That being the case, before any further explanation on the judicial remedies against the Personal Data Protection Board’s decisions, distinction should be drawn between the legal character of its decisions.
Notwithstanding that the fines imposed by the Personal Data Protection Board for failure to fulfil their obligations pursuant to articles 7, 10, 12, 15 and 16 of CPDP are described as administrative fines, the general preamble of CPDP suggests that in cases of non-explicit provisions in the code, the Code of Misdemeanor will apply. Therefore, administrative fines imposed pursuant to the abovementioned articles are subject to the legal term “misdemeanor”.
Apart from that, in the event that an approval by the Personal Data Protection Board is required as per article 9 of CPDP, should the Board does not give approval, although there is no explicit provision in the code, such decision is considered as an administrative act.
Likewise, pursuant to article 15 of CPDP, decision by the Personal Data Protection Board on denial upon complaint or conducted ex officio examination or non-response to the application within 60 (sixty) days is also considered refusal act of administrative nature.
IV. JUDICIAL REMEDIES AGAINST THE PERSONAL DATA PROTECTION BOARD’S DECISIONS
A. PROCEDURE IN APPLICATIONS AND CASES AGAINST DECISIONS
1. In Terms of Administrative Fines
Administrative fines imposed by the Personal Data Protection Board are not regarded as administrative acts on the account of the fact that such fines are imposed due to being consequence of misdemeanors. The CPDP sets out that provisions under Code of Misdemeanor will be applicable to administrative fines. As such, relevant parties are entitled to file an action for objection to the fine within 15 (fifteen) days at the latest from the date of notification, requesting the removal of such decision by the Personal Data Protection Board. The competent court is determined pursuant to article 12 of the Code no. 5271 of Criminal Procedures (“CCP”), according to which, the competence of Criminal Court of Peace will be determined as per the place where the misdemeanor has been committed or where the victim is.
As for article 269 of CCP, an action for objection against the Personal Data Protection Board’s decision will not suspend the execution thereof. However, the suspension of execution can be requested.
Besides, it is considered that there would not arise any legal issue in lodging application with the Personal Data Protection Authority in scope of article 11 of CAJP, as there is no provision in Code of Misdemeanor that prohibits doing so.
2. In Terms of Other Decisions
In applications which require the Personal Data Protection Board’s approval under article 9 of CPDP, it is regarded that administrative judicial remedies may be taken according to article 125 of the Constitution since the Personal Data Protection Board’s decision on non-clearance of the approval request will constitute an act of administrative nature.
Decisions by the Personal Data Protection Board on denial upon complaint or conducted ex officio examination or non-response to the application within 60 (sixty) days, as set out under article 15 of CPDP are also considered as administrative act, due to which an action for annulment may be requested before administrative judicial authorities.
In such circumstances, it rests with the Administrative Courts of Ankara to hear the case, as competent and authorized court, which is in the very place where the Personal Data Protection Authority is located.
Again, in such circumstances, there is no prohibition to request the revocation, removal, amendment of or adopting new act, with an application to be lodged with the Personal Data Protection Authority under article 11 of CAJP.
B. JUDICIAL REVIEW OF DECISIONS
The court’s examination on the administrative fine decisions by the Personal Data Protection Authority will be conducted to determine whether the elements of misdemeanor act have realized. In that regard, the court’s examination on the merits will focus on whether the concrete case amounts to misdemeanor. That said, from procedural aspect, the court may also regard whether any illegal evidence has been exploited by the Board in the conduct of decision-making process.
On the other hand, in terms of decisions by the Personal Data Protection Board other than administrative fines, the courts may investigate whether the administrative act carries the necessary elements which are authority, procedure, ground, subject and objective.
At the end of the litigation, should the Personal Data Protection Board’s decision be annulled or removed, such decision will be regarded as if never effective.
The Personal Data Protection Board can impose grave administrative fines on relevant parties, while also they may adopt other sorts of decisions. As a result of such decisions, relevant parties’ interests are likely to be seriously and negatively affected.
Since decisions by the Personal Data Protection Board are adopted as a result of an interdisciplinary examination, in other words, of a blend of legal sciences with others, such decision may thus include findings which are in contradiction with the law.
Therefore, decisions adopted by the Personal Data Protection Board relating to negative clearance and denial of application can be judicially reviewed in administrative jurisdiction; whereupon the negative effects of decisions may be lifted. Similarly, administrative fines imposed by the Personal Data Protection Board can be taken before the criminal jurisdiction, where it is possible to raise objection thereto.
Against the decisions adopted by the boards abovementioned, it bears great importance to comply with the time periods in terms of notifications and term of litigation as well as prepare the application from legal and technical aspects effectively. This is because an effectively prepared application and petition is crucial when it comes to restitution of the harmed interests of relevant parties.