Constitutional Court Curbs the Personal Data Protection Board’s Authority: Law Takes Precedence Over Guidelines

Introduction

The Constitutional Court (“TCC”) unanimously held that an administrative fine imposed on an insurance company by the Personal Data Protection Board (“Board”) violated the principle of legality in crimes and punishments, as guaranteed under Article 38 of the Constitution. In terms of both its scope and implications, this decision is of significant importance for the Board’s practices.

The Course of Events at Issue in the Decision

In the case at hand, a complainant reported to the Personal Data Protection Authority that an insurance company had contacted him without his prior consent for the purpose of offering services. The company argued that it had obtained the complainant’s first name, last name, and telephone number from the publicly accessible website “hizmetburada.com” and that, accordingly, it was permitted to process this data as “data made public by the data subject” under Article 5/2(d) of the Personal Data Protection Law No. 6698 (“PDPL”).

Following its review, the Board rejected this defense and decided to impose an administrative fine of TRY 100,000 on the company on the grounds that the data had been “used for a purpose other than that for which it was made public.” During the judicial proceedings, the fine was reduced to TRY 17,828 and became final. Following an individual application to the Constitutional Court, the TCC General Assembly examined the matter on its merits.

The Constitutional Court’s Legal Assessment

In its review of the application, the Constitutional Court made the following decisive finding: the concept of “use for a purpose other than disclosure” is not defined in any provision of the PDPL, nor is it subject to any sanction. According to the Court, “imposing an administrative fine based on this concept amounts to an unforeseeable expansion of an obligation not provided for in the text of the law and violates Article 38 of the Constitution.”[1]

In line with this finding, the Constitutional Court held that the principle of legality, guaranteed under Article 38 of the Constitution, also applies to administrative offenses. Individuals must be able to clearly foresee, from the text of the law at the time of the relevant act, which conduct may result in sanctions. Interpretations and explanations set out in administrative guidelines or Board decisions cannot, on their own, satisfy this threshold of foreseeability.

Practical Implications of the Decision for Data Controller Companies

With this decision of the Constitutional Court:

• It has been established that the Board cannot rely solely on the doctrine of “purpose of disclosure” as a basis for sanctions unless that doctrine is grounded in the text of the law.
• In relation to the processing of data obtained from publicly available sources, such as dictionary-style websites, social media platforms, directory applications, and similar channels, the imposition of indirect sanctions under the concept of “use of data for purposes other than those for which it was made public” is now subject to constitutional scrutiny.
• In existing cases involving administrative fines related to the protection of personal data, this decision serves as a strong defense basis against sanctions imposed on similar grounds.

Anticipated Legislative Changes

In light of the Constitutional Court’s decision, the legislature is expected to clearly regulate, at the statutory level, the provisions concerning the purpose of disclosure and the scope and limits of that purpose. It is therefore important to closely monitor potential legislative amendments. In addition, it is likely that the Board will review its principle decisions, guidelines, and relevant directives in consideration of this decision.

Our Assessment

Although this decision does not directly amend the current penalty regime under the PDPL for companies, it imposes a significant limitation on the Board’s authority to define the scope of penalties through expansive interpretations that lack a clear legal basis.

In this context, we recommend that companies consider the following actions:

• Reviewing marketing, CRM, and operational processes involving data obtained from publicly available sources under Article 5 of the PDPL;
• Re-evaluating ongoing or not yet finalized Board reviews and appeal proceedings in light of this precedent decision;
• Updating the legal grounds cited in personal data processing inventories where such grounds are based on the “disclosure” exception.

You can access the full text of the decision, which is only in Turkish, here.

References

Constitutional Court, Application No. 2020/32193, 27 January 2026, §§ 43–45. (2026, 01 27).