The complaint letter submitted to the Authority briefly states that; the data subject worked as a pilates instructor at the workplace of the data controller and after termination of their work relationship, the controller shared photos of the data subject publicly on its social media account after which data subject requested the data controller to remove those photos, return the photos to himself/herself and destruct the photos and not use them for advertisement or any other purposes on social media. Although the data controller, in its response letter, expressed that the use of the photos in question was stopped, the photos continued to be displayed on the social media account accessible to everyone, the photos were also shared without obtaining explicit consent of the data subject, and not removed from the social media platform despite the request of the data subject. Furthermore, no information was provided to the data subject about the photos shared and obligation to inform was not fulfilled, which is contrary to Personal Data Protection Law No 6698 (the Law). 

For the examination initiated, the data controller was reached for its defence statement; however, no response was given to the Authority’s correspondence for defence, information and documents request.

However, the response letter of the data controller to the data subject explains that; “photos of the data subject were used in the company ads without highlighting any personal characteristics of the data subject and the data subject voluntarily took part in the commercial shootings of the company as a former employee at that time. In the promotional photos, there was no record and information about the data subject, the photos were taken with his/her knowledge and permission and it was not contradiction to the personal rights of the data subject. Furthermore, after the notification, the use of the photos was abandoned upon the request of the data subject, and the company suffered from loss due to the removal of the photos taken for promotional purposes with the permission of the data subject from the company advertisements.” 

In this regard, taking into account the following points:

• Article 5(1) and (2) of the Law rules that personal data cannot be processed without explicit consent of the data subject and personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the conditions listed is met. 
• Article 7 of the Law regulates the ‘Erasure, Destruction or Anonymisation of Personal Data’, and accordingly; 

1)    Despite being processed in compliance with the provisions of this Law and other relevant laws, personal data shall be erased, destructed or anonymized by the data controller, ex officio or on the request of the data subject, in the event that the reasons for the processing no longer exist.
2)    (2) The Provisions of other laws relating to the erasure, destruction or anonymization of personal data are reserved.
3)    (3) Procedures and principles for the erasure, destruction or anonymization of personal data shall be laid down through by-law.

• Pursuant to Article 12 of ‘By-Law on Erasure, Destruction or Anonymization of Personal Data’ published in the Official Gazette numbered 28.10.2017 and issued for the time period for erasure and destruction of personal data upon request of data subject; 

“1) When the data subject requests erasure or destruction of his/her personal data from the data controller, pursuant to Article 13 of the Law;
a) In the event that all of the conditions for the processing no longer exist; the data controller shall erase, destruct or anonymize the mentioned personal data which are subject to the request. The data controller shall act on the request of the data subject at the latest within thirty days and inform the data subject.
b) In the event that all of the conditions for the processing no longer exist and the personal data which are subject to the request have been transferred to any third party; the data controller shall notify the third party of such request and ensure the performance of necessary operations by the third party within the scope of this By-Law.
c) In the event that all of the conditions for the processing have not disappeared completely, the request may be rejected by the data controller in accordance with the Article 13(3) of the Law together with its justified grounds and such rejection shall be communicated to the data subject in writing or by electronic means at the latest within thirty days.”

• Article 8(2) of the By-Law titled ‘Erasure of Personal Data’ specifies that “The data controller is obliged to take necessary technical and organizational measures required for ensuring erased data to be inaccessible and non-reusable for its users concerned” and pursuant to Article 9(2) “the data controller is obliged to take any type of technical and organizational measures required for ensuring destruction of personal data.”
• In the social media account subject of the complaint, the photos of the data subject continue to be displayed and not removed from the account, data subject’s photo was shared in the background and slightly blurred in the post dated 15.05.2019, and the data subject’s photo are clear in the post dated 20.05.2019.
• Since the data controller did not respond to letter by the Authority requesting defense, information and documents within the legal period, no concrete information or document could be obtained regarding the explicit consent of the data subject in terms of the data processing activity in question; therefore, the data controller failed to take necessary technical and organizational measures to ensure the appropriate level of security in accordance with Article 12(1) of the Law by unlawfully processing the personal data of the data subject without relying on any personal data processing conditions within the scope of Article 5 of the Law.
• Besides, upon the request of the data subject, the photographs must be erased/destructed within the legal period of thirty days stipulated in Article 12(1)(a) of the By-Law, and that the data processing activity continuing after the legal period is still unlawful in this context.

On the basis of the foregoing evaluations and within the scope of information and documents obtained, the Board with its Decision numbered 2021/422 and dated 27 April 2021 decides that:

• An administrative fine shall be imposed on the data controller within the scope of Article 18(1)(b) for the failure to take necessary technical and organizational measures to ensure the appropriate level of security in accordance with Article 12(1) of the Law due to the unlawful processing of personal data of the data subject without relying on any personal data processing conditions within the scope of Article 5 of the Law,
• The data controller shall be instructed to remove all the photos of the data subject from the social media, and erase/destruct those photos in accordance with the provisions of ‘By-Law on Erasure, Destruction or Anonymization of Personal Data’, not to use the photos in any other media channel, and to inform the Board regarding the results of these processes.