Turkey guarantees right to be forgotten in Data Protection Authority guidelines

On 20 October 2021, the Personal Data Protection Authority published a Guide to the Evaluation of the Right to be Forgotten (RtbF) specifically for search engines, which takes into account the findings and implementation criteria of Decision No 2020/481 of the Data Protection Board of 23 June 2020 in relation to requests for deletion of results displayed in search engines and highlights the individual criteria to be considered by search engines when evaluating these requests.

Legal basis of the RtbF

The Right to be Forgotten is a concept introduced into Turkish law by the decisions of the Constitutional Court and the Court of Appeal and is not explicitly recognised in the Personal Data Protection Act.

However, the decision indicated that the RtbF would be examined in the context of Article 7 of the Law, which relates to the erasure, destruction or anonymisation of personal data.

As a result, all issues related to the RtbF are now assessed on the basis of the aforementioned court decisions, the decisions of the Board and Article 7 of the Law.

Decision No. 2020/481

The June 2020 decision on requests for removal of certain personal data from search engine indexes stated that data subjects should first submit requests to search engines (acting as controllers) to remove search results relating to the data subjects from search engine indexes.

If search engines refuse such requests or do not reply to the requester (i.e. the data subject), the requester may lodge a complaint with the Personal Data Protection Board.

The decision stipulates that when assessing requests from data subjects for the removal of results displayed by search engines, a certain assessment criterion must be taken into account, which is explained in more detail below.

Evaluation criteria of the Guide

In accordance with the Decision, the Guide sets out the following RtbF criteria for search engines and examines each criterion individually.

1. whether the person concerned plays an important role in public life;
2. Whether the subject of the search result is a child;
3. The truthfulness of the content (i.e. is the information false or misleading?);
4. The relationship between the information and the working life of the person concerned;
5. whether the information insults, humiliates or defames the person concerned;
6. whether the information contains sensitive personal data;
7. whether the information is up-to-date;
8. whether the information makes the data subject subject to detriment;
9. whether the information poses a risk to the data subject;
10. whether the information has been released by the data subjects themselves;
11. whether the content covers the data processed in the context of journalism;
12. whether the release of the information is required by law; or
13. whether the information is related to a criminal offence.

The Guide states that these 13 criteria must be taken into account when balancing the data subject's right to privacy with the public's right to access information.

The search engines must decide whether to accept or reject the applicant's request to remove certain search results.

Remedies

All data subjects have the right to directly request a search engine to remove certain search results from its indices.

The search engine must decide on such a request within 30 days of the data subject's request.

If a request is refused, if the search engine provides an insufficient response or if the search engine does not respond to the request in a timely manner, the data subject may lodge a complaint with the Board within 30 days of becoming aware of the controller's response, but no later than 60 days after receipt.

Conclusion

The RtbF is now a fully recognised concept in Turkish law, giving data subjects the right to seek redress before the Committee and other judicial authorities.

The principles of the Guide should provide guidance on how individuals can effectively exercise their right of access to information and how this request should be handled by the competent authorities.

For more information on the Decision, the Guide and the Data Protection Regulations in Turkey, please contact your regular CMS advisor or the CMS experts in the field: Dr. Döne Yalçın or Sinan Abra.