Turkey: KVKK fines private hospital TRY 250,000 for inadequate data security measures
On August 14, 2023, the Personal Data Protection Authority (KVKK) published a summary of its decision No. 2023/692, issued on May 11, 2023, in which it imposed a fine of TRY 250,000 (approx. $9,240) on an unnamed private hospital for violations of the Law on Protection of Personal Data (the Law), following a complaint by an individual.
Background to the decision
The KVKK acknowledged receiving a complaint from an individual alleging that the private hospital unlawfully obtained explicit consent from patients for the processing of personal data, including health data, in relation to its advertising and promotional activities.
Findings of the KVKK
The KVKK observed that the private hospital processed health data through video recordings pertaining to patients' medical conditions and treatments, which were shared on social media platforms for advertising, marketing, and promotional purposes, with explicit consent obtained from the individuals concerned, pursuant to Article 6(2) of the Law. However, although explicit consent had been obtained, the KVKK noted that sectoral regulations prohibit private hospitals from engaging in promotional activities that create demand. Taking into account Article 60 of the Regulation on Private Hospitals, the KVKK concluded that explicit consent cannot serve as a legitimate basis for this data processing activity, which consequently lacked a valid legal ground.
The KVKK found that the private hospital violated Article 12(1)(a) of the Law for not ensuring an adequate level of security to prevent unlawful processing of personal data.
For the reasons stated above, the KVKK imposed the aforementioned fine on the unnamed private hospital pursuant to Article 12(1)(a) of the Law.
The KVKK decided that the personal data processing for the stated purposes shall cease pursuant to Article 15(7) of the Law and that if personal data has been transferred to third parties, it should be destroyed in compliance with Article 7 of the Law and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data. Furthermore, the KVKK instructed that the necessary steps be taken to ensure that these destruction processes are conveyed to the third parties to which the data had been transferred, and that the results be reported to the KVKK.
You can read the decision, only available in Turkish, here.