Turkish Personal Data Protection Board (“Board”)
released decision summaries regarding the application of the Law on the
Protection of Personal Data No. 6698 (“Law No. 6698”) on April 2, 2020. In this
information note, you will be provided extracts of these summaries.
Summary of the
Decision dated July 8, 2019 numbered 2019/206 (“Decision 2019/206”) on a data
controller’s procedure on its website requiring data subjects’ explicit consent
as a pre-condition for the performance of the services
As per the definition of the explicit consent
stipulated under the Article 3 of the Law No. 6698, the explicit consent has to
be freely given, specific, and informed. In cases where data subjects have to
give their explicit consents to some data processing activities to receive
services, such consent is not deemed “freely given” according to the definition
of the explicit consent. Therefore, such processing activity which is based on
the void consent of the data subject shall be unlawful.
In Decision 2019/206, the Board stressed that
since collection of personal data in the concerned website is only required for
obtaining specific discounts and there is alternative providers in such website
that enables customers to receive services without giving their explicit consents,
such consent is not deemed as a pre-condition for the performance of the
service, thus not in violation of the relevant articles of the Law No. 6698.
Summary of the
Decision dated September 18, 2019 numbered 2019/273 (“Decision 2019/273”) on
the access request to the personal data of deceased people from their relatives
In Decision 2019/273, the Board emphasized that
the Law No. 6698 is only applicable to individuals alive in the Turkish legislation.
Therefore, the protection of the deceased people’s personal data does not fall
under the scope of the Law No. 6698.
Summary of the
Decision dated November 7, 2019 numbered 2019/333 (“Decision 2019/333”) on a
data controller operating in the telecommunications sector who sends irrelevant
subscriber’s personal data to the complainant due to the similarity of their
name and surname
Prior to the complaint, the data subject who
received another subscriber’s invoices due to the similarity of their names
applied to the data controller in order to exercise its rights arising from the
Article 11 of the Law No. 6698. Yet, the data controller did not reply to such
application relying on the ground that such application was not included the
necessary information stipulated under the Communiqué on the Procedures and
Principles of Application to Data Controller. Moreover, the data controller
stated that both subscribers having the similar names gave the same e-mail
address for their registrations to such telecommunication company’s database.
The Board decided to penalize such company
regarding its technical and organizational measures which were inefficient to warn
the data controller when an e-mail address which was already registered by a
customer was eligible for a new customer’s registration, since it is not
possible for two different customers to use the same e-mail address and,
assumingly, a typo was made during registration of the latter customer.
The Board also stressed that not replying a
data subject application on the grounds that such application is not included
with the necessary information as to the Communiqué on the Procedures and
Principles of Application to Data Controller is not lawful or in compliance
with rules of bona fides. Data controllers have to reply to the improperly
performed applications in order to remind to the applicants the requirements of
the Communiqué on the Procedures and Principles of Application to Data
Controller.
Summary of the
Decision dated January 16, 2020 numbered 2020/41 (“Decision No. 2020/41”) on
the non-fulfilment of a compensation request regarding the unlawful data
processing claim of a data subject
Pursuant to the Article 11 of the Law No. 6698,
if any losses incur due to the processing of personal data inconsistent with
the law, data subjects shall have a right to request the indemnification of
such losses by applying to the data controller.
Prior to the complaint, the data subject requested
a compensation for its pecuniary losses incurred due to its dismissal which was
caused by the unlawful call to the data subjects’ workplace from a bank to learn
whether the data subject will make the payment regarding its debts. However,
the Board concluded that there was not any evidence regarding such claim and
the intangible losses cannot be claimed under the Article 11 of the Law No.
6698.
Summary of the
Decision dated January 27, 2020 numbered 2020/58 (“Decision No. 2020/58”) on
the disclosure of customers’ personal data by an insurance agency on its social
media platforms for the advertising purposes without notice of such customers
In Decision No. 2020/58, the Board decided to
penalize the insurance agency who shared personal data of its customers such as
name, surname, address, color and registration number of their cars, in its
defense due to its ineffective anonymization methods, on the social media based
on its non-fulfilment of the obligations of data controllers stipulated under
the Article 12 of the Law No. 6698.
Summary of the
Decision dated January 27, 2020 numbered 2020/65 (“Decision No. 2020/65”) on the
personal data processed within the scope of a mobile application offering
transportation services
In the complaint, there was a mobile
application which enabled users to receive transportation services and to give
points to their drivers regarding their journey. Such application also enabled
drivers to give points to the users, yet, neither of its privacy policy nor
terms and conditions specified such processing of users’ personal data. Therefore,
the Board concluded that such mobile application is not in compliance with its
obligation regarding the information to be provided to the data subjects
pursuant to the Article 10 of Law No. 6698.
Furthermore, the Board resolved that such
processing is not in compliance with the general data processing principles
stipulated under the Article 4 of the Law No. 6698, since there is not any
specific, explicit and legitimate purpose or legal basis in the application’s
privacy policy referring to the pointing activity regarding users.
The Board indicated that considering the legal
basis of such processing the pointing activity is not necessary for the
performance of the contract between the user and the application, in reply to
the defense of the mobile application which claims that such processing is
lawful under the exemption of the explicit consent regarding the necessity of
the processing for the conclusion or performance of an contract pursuant to the
Article 5(2)(c) of Law No. 6698.
Summary of the
Decision dated January 27, 2020 numbered 2020/67 (“Decision No. 2020/67”) on
the advertisements and notifications which are send to a data subject via
messages by a real estate company without the data subject’s explicit consent
In Decision No. 2020/67, the Board argued one of the exemptions of the data subject’s explicit consent stipulated under the Law No. 6698 in response to the defense of the real estate company which was based on the mere fact that such data was made public by the related data subject. Pursuant to the Article 5(2)(d) of the Law No. 6698, if the personal data is made available to the public by the data subject, the data subject’s explicit consent is not required in order to process such data. However, the crucial criteria to be taken into consideration regarding processing of personal data made public is that such data cannot be processed for the purposes other than the data subject’s publication purpose. Therefore, the Board stressed that the publicly available personal data cannot be processed for advertisement purposes pursuant to the Article 5(2)(d) of the Law No. 6698, unless it is clear that the data subject’s publication purpose is to receive advertising messages or calls. In consideration of the above, the Board decided to penalize the real estate company regarding its unlawful processing activities.
Author: Aslı Naz Ünlü