In a recent decision published on the 7^th of May 2020, the Turkish Data Protection Board imposed two administrative fines on Amazon Turkey Perakende Hizmetleri Limited Şirketi :

·  1,100,000 TL for not taking adequate technical and administrative measures to ensure the appropriate level of data security,

·  100,000 TL for not fulfilling the requirements for informing the data subjects.

There are three important outcomes from this decision:  

• The confusion on whether the Turkish Data Protection Board has the authority to impose fines for transferring data abroad, has been resolved. With this decision, it is clarified that fines can be imposed on companies when transferring data abroad without due respect for the provisions of the law.

• The importance of receiving explicit consent from the personal data subjects  for processing, storing, and transferring personal data is once again highlighted:

• • Consent should be obtained for all data processing activities

• • Approval by the data subject of a company’s privacy policy does not release the company from the requirement for obtaining an explicit consent

• • Explicit consent should always be obtained in order to transfer data out of Turkey 

• The significance for companies of abiding with the general data protection principles, which are imposed by the Turkish Personal Data Protection Law, is emphasized with this decision, as the basis for imposing the fines is related to the general principles for data protection, rather than particular breaches of the law.