The Personal Data Protection Authority’s decision dated 02/12/2021 and numbered 2021/1218 on the failure to inform the data subject employee regarding personal data processing activities carried out by the data controller employer residing abroad, and the unlawful processing of the data subject’s personal data:

The data subject has been informed about data processing activities in context of the European Union General Data Protection Regulation ( #GDPR ), before he started to work in the data controller’s London office. Later, the data subject left the position in London and started to work in the data controller ‘s liaison office in Istanbul. The Authority declares that the information provided to the data subject about personal data processing activities carried out by the data controller in Turkey is sufficient under the GDPR’s obligations. However, it is recommended that caution should be given to comply with the obligation to inform about the personal data processed in Turkey in accordance with Article 10 of the Turkish Personal Data Protection Law.   

For personal data to be published on the data controller’s website, it must first be determined whether the data subject gave explicit consent. If the legal basis for the personal data processing activity is “explicit consent,” as defined in Article 5 (1) of the Law, it must be assumed that the given explicit consent is withdrawn after the data subject’s warning letter to the data controller dated May 26, 2021.   

It is possible that the data subject’s personal data is published on the data controller’s website for the legal reason stated in clause 5 (2) (f) of the Law: “It is necessary for the legitimate interests of the #datacontroller, provided that the fundamental rights and freedoms of the data subject are not harmed”. However, for relying to this legal basis, the data controller’s legitimate interests must outweigh the data subject’s fundamental rights and freedoms (“balancing test“).

According to the authority, it is acceptable that the data controller has a legitimate interest in informing the public that a liaison office exists in Turkey and that competent persons work there, or at least know who works there, and that the disclosure does not manifestly affect the data subject’s fundamental rights and freedoms.   

Nevertheless, it has been noted that, if the parties’ #employment relation ends, personal data on the data controller’s website, which can be caused a perception that data subject is still working, may violate the “freedom of work and contract” guaranteed by Article 48 of the Turkish Constitution. As a result, personal data processing activities cannot be justified by the legal reason stated in clause 5 (2) (f) of the Law.