A Landmark Decision of the Constitutional Court on Administrative Fines under the Data Protection Law: The Boundaries of the Principle of Legality Redrawn

The decision of the Turkish Constitutional Court (“Court”), dated 27 January 2026 and numbered 2020/32193, has been published and is considered likely to reshape the approach of the Personal Data Protection Board (“Board”) to administrative fines. In its decision, the Court reviewed an administrative fine imposed by the Board under the Law No. 6698 on the Protection of Personal Data (“DPL”) in light of the principle of legality in criminal offences and penalties, as safeguarded under Article 38 of the Constitution, and found a violation.

Summary of the Board’s Decision:

In the case at hand, the data subject’s contact details were publicly available on an online platform, and these data were used for commercial purposes by a data controller operating in the insurance sector. The Board imposed an administrative fine on the grounds that such use was incompatible with the purpose for which the personal data had been made public. In its reasoning, the Board held that the fact that personal data had been made public for a specific purpose does not constitute a legal basis for their processing for different purposes.

The Court’s Assessment:

In its review, the Court first emphasized that the principle of legality in criminal offences and penalties is not limited to criminal law but also constitutes a constitutional safeguard applicable to misdemeanours and administrative sanctions, including administrative fines. In this context, it underlined that individuals must be able to foresee which acts may be subject to sanctions and that the conduct giving rise to sanctions must be defined with sufficient clarity by law, as a necessary requirement of the rule of law.

The Court noted that Article 5 of the DPL permits the processing of personal data that have been made public by the data subject without explicit consent. However, it also observed that the DPL does not contain any provision regarding the “purpose of making data public,” the “use in line with the purpose of disclosure,” or the legal consequences of processing contrary to such purpose. The Court stated that the Board’s approach based on “use in line with the purpose of disclosure” essentially reflects an interpretation set out in guidelines issued by the Authority, whereas such an obligation is not clearly and explicitly regulated at the statutory level.

Accordingly, the Court concluded that the administrative fine imposed on the applicant was based on the creation of an obligation not explicitly provided for in the law, through an expansive interpretation. It held that the imposition of sanctions by extending the scope of statutory provisions through administrative interpretation is incompatible with the requirements of foreseeability and legal certainty inherent in the principle of legality.

The Court further pointed out that, in the specific case, there had been insufficient assessment as to why the applicant was considered a data controller and whether the platform on which the personal data were initially published bore any legal responsibility. This finding is particularly significant for ongoing discussions regarding the scope and limits of data controller liability in cases where personal data are obtained from third-party sources.

Conclusion and Evaluation

This decision of the Court is of particular importance in terms of assessing administrative fines imposed under the DPL in light of the constitutional principle of legality. Considering the extensive and detailed guidelines frequently issued by the Personal Data Protection Authority regarding the implementation of the legislation, it is expected that procedural rules and principles set out in such guidelines—but not explicitly stipulated in the legislation—will not, on their own, form the basis of administrative sanctions. Instead, it is anticipated that the Board will align future enforcement practices with the requirements of the principle of legality. In this respect, the decision is likely to guide future practice concerning both the limits of the Board’s interpretative authority and the legality of administrative fines in the field of personal data protection.