February 21, 2025

Judicial Remedy Against The Decisions Of The Personal Data Protection Board

1. Introduction

With the rapid development of the digital age, the processing and protection of personal data has become increasingly important on a global scale. This situation has led states to make various legal arrangements and establish administrative control mechanisms in order to ensure data security. In this context, many countries have established independent data protection authorities and developed various sanction mechanisms to prevent violations of individuals’ personal data.

In Turkey, the Personal Data Protection Authority (“Authority”) has been established to ensure the protection of personal data and to supervise data processing processes, and the Personal Data Protection Board (“Board”), the decision-making body of the Authority, has the authority to impose administrative sanctions when it examines data processing activities and detects illegalities. The decisions taken by the Board may often result in heavy administrative fines and other sanctions for data subjects or data controllers.

This article first discusses the Board’s acts and their legal nature, and then sets out the judicial remedies and review procedures that may be applied against the decisions issued by the Board.

2. Types of Board Acts

The obligations of natural and legal persons who process personal data and the procedures and principles to be complied with are regulated in the Law on the Protection of Personal Data No. 6698 (“LPPD”). The Authority is an independent and administrative authority established by the LPPD and operates to audit, raise awareness and ensure the implementation of the legislation in the field of personal data protection. The Board is the decision-making body of the Authority. The Board is the authorized unit that makes the final decisions on the acts taken and investigations carried out by the Authority and takes executive decisions by acting independently. In this context, the Board establishes both general regulatory acts determining the general framework and individual acts on individual cases. 

While general regulatory acts regulate personal data processing activities in general terms and are guiding and binding for all data controllers, individual acts refer to decisions taken for specific persons, institutions, or organizations. These acts of the Board ensure the effective implementation of personal data protection law as a guiding, supervisory and sanctioning mechanism.

2.1. General Regulatory Acts

Pursuant to subparagraphs (e), (f) and (g) of paragraph 1 of Article 22 of the LPPD, the Board is authorized to take general regulatory acts. In this context, the Board is also authorized to set general rules and policies in the field of data protection. In other words, through general regulatory acts the Board issues principal decisions, regulations and guidelines that are binding on all data controllers. These acts cover a wide range of issues such as the conditions for processing personal data, data security measures, processing of special categories of personal data, cookie policies and data transfer abroad.

2.2. Individual Acts

The Board not only takes general regulatory decisions, but also takes individual acts in line with concrete and individual events and applications directed to a specific person and related to special circumstances. Pursuant to subparagraphs (b), (c) and (ğ) of paragraph 1 of Article 22 of the LPPD, the Board is authorized to take individual acts. The types of individual acts can be summarized as administrative fines, activity suspension and restriction decisions, data breach decisions, decisions based on complaints, and additional administrative sanctions in case of non-compliance with the Board’s decision.

3. Legal Status of the Board Decisions

After mentioning the types of acts taken by the Board, but before addressing the judicial remedy against the Board decisions, it is necessary to make a distinction regarding the status of the decisions. The legal status of the decisions is also important in determining the judicial remedy to be applied against the Board decisions. 

As stated under the previous heading, the Authority is an administrative institution in the nature of an independent administrative authority, which is authorized to issue special technical and administrative regulations, and the decision-making body of this Authority is the Board. In order for an act to be accepted as an administrative act, it must be established by the administration, be based on public power, have legal consequences and be subject to review for compliance with the law. In this context, it is obvious that the acts taken by the Board are administrative acts, given that they are based on public power and have legal consequences.

4. Judicial Procedure Against Board Decisions

Administrative acts are subject to judicial review in accordance with the rule of law in order to prevent the administration from using the powers granted to it by the law in violation of the law or from taking acts in excess of these powers. Thus, it is aimed to prevent arbitrary practices of the administration and to ensure compliance with the law. As stated under the previous heading, the acts taken by the Board are administrative acts. Therefore, the Board’s decisions are also subject to judicial review and legal remedies may be applied against the Board’s decisions.

4.1. Application Against Decisions and Procedure

4.1.1. In Terms of Administrative Fines

Article 18 of the LPPD, titled “Misdemeanours”, stipulates that administrative fines shall be imposed on those who fail to fulfil the obligation of disclosure, fail to fulfil the obligations regarding data security, fail to fulfil the decisions made by the Board, violate the obligation to register and notify the Data Controllers Registry, and fail to fulfil the notification obligation. Paragraph 3 of the same article stipulates that administrative fines imposed by the Board may be challenged before the administrative courts.

In this context, persons against whom an administrative fine is imposed may file an action for cancellation before the competent administrative court. Since the LPPD does not regulate a special period for lawsuits to be filed against administrative fines, the period for filing a lawsuit is 60 days in accordance with Article 7 of the Administrative Procedure Law No. 2577 (“APC”). The competent court must also be determined in accordance with the APC: under Article 32 of the APC, the competent administrative court is the administrative court in the location of the administrative authority that made the administrative act or administrative contract that is the subject of the lawsuit. Therefore, the competent and authorized court will be the Ankara Administrative Courts, where the Authority is located.

4.1.2. Regarding Other Decisions

There are also decisions other than administrative fines, which are taken by the Board as an individual act. The decisions taken by the Board in the form of individual acts generally include issues such as stopping or restricting data processing activities in case of unlawful processing of personal data, deciding to delete or anonymize the data upon the application of the data subject, imposing the obligation to announce the violation to the public in case of a data breach, and imposing additional obligations on data controllers. Since such decisions have direct legal consequences for data controllers, they are administrative acts and are subject to review by the judicial authorities within the framework of compliance with the law. Since such decisions are also administrative acts, they may be requested to be cancelled by the administrative judiciary. The competent and responsible court to hear the cancellation case will be the Administrative Courts of Ankara, where the Authority is located.

In addition, the general regulatory decisions of the Board are also administrative acts that may be subject to an action for annulment. However, while the individual acts of the Board may be subject to cancellation proceedings before the administrative courts, actions against the regulatory acts of the Board may be filed directly before the Council of State as the court of first instance pursuant to Article 24 of the Council of State Law No. 2575. The time limit for filing a lawsuit is 60 days pursuant to Article 7 of the APC.

Again, in such cases, there is no obstacle to requesting the cancellation, revocation, modification or amendment of the decision, or the establishment of a new act, by applying to the Authority within the scope of Article 11 of the APC. The period for filing a lawsuit is 60 days as a rule within the scope of Article 7 of the APC.

4.2. Judicial Review of Decisions

The Board’s decisions are reviewed by the administrative judicial authorities for compliance with the law. In the administrative judicial process, the Board’s decisions are examined in terms of authority, form, reason, subject matter and purpose. Within the scope of the competence audit, it is evaluated whether the Board has taken decisions in the areas it is authorized within the framework of the LPPD and the relevant legislation. In terms of form and procedure audit, it is examined whether the Board’s decisions comply with the legal formal requirements and whether the relevant parties are given the right to defence. In the review of the grounds, the legality of the facts on which the Board bases its decision is examined. While the subject matter review assesses whether the content of the decision is in compliance with the law, the purpose review examines whether the Board’s decisions are in compliance with the principle of protection of personal data. In addition, within the framework of the principle of proportionality, it is analysed whether the obligations imposed on data controllers are compatible with the gravity of the breach.

However, filing a lawsuit before the administrative courts does not automatically stay the execution of the administrative act subject to the lawsuit. Therefore, a stay of execution may be requested pursuant to Article 27 of the APC in cases where irreparable or impossible damages may arise if the act taken by the Board is implemented and the act is clearly contrary to the law. If the court decides to stay the execution, the relevant decision of the Board cannot be implemented until the case is finalized.

If the court decides that the Board’s decision is unlawful at the end of the judicial process, the Board’s decision shall be cancelled, and in this case, the decision shall be deemed as if it had never been made. If the court decides that the Board’s decision is in compliance with the law and dismisses the case on the merits, the relevant Board decision shall be deemed to be in compliance with the law and shall continue to be implemented.

5. Conclusion

The Personal Data Protection Board, which is an important regulatory authority in the field of personal data protection, has the authority to supervise data processing activities and impose administrative sanctions when it detects illegalities. The decisions taken by the Board are administrative acts and are subject to the supervision of the administrative judiciary. In this context, it is possible to file an action for annulment before the administrative courts for administrative fines and individual acts, and before the Council of State for general regulatory acts.

In lawsuits filed against the decisions of the Board, the courts examine only whether the act is in compliance with the law, reviewing it in terms of the elements of authority, procedure, reason, subject matter and purpose. In the event of an unlawfulness, the courts may order the cancellation of the Board’s decision and may order a stay of execution in cases where irreparable or impossible damages may arise during the litigation process.

In conclusion, the judicial review mechanisms envisaged by the LPPD ensure that data processing activities are carried out in accordance with the law and safeguard the legal guarantees of individuals for the protection of personal data. The availability of a judicial remedy against the Board’s decisions constitutes an important guarantee of the rule of law by strengthening the controllability of personal data processing activities.

Authors

Eren Can Ersoy

Senior Lawyer

Aleyna Kekeva

Lawyer