Recent Decisions of the Personal Data Protection Board
We would like to inform you that only 45-day working days left until 30 September 2019 for fulfilling registration and notification obligation to VERBIS for the data controllers that employ more than 50 employees and whose annual financial statement exceeds TRY 25 million; and data controllers established outside of Turkey. The persons within the scope of the above-mentioned group shall make their applications via VERBİS of Data Protection Board or e-state platform.
We advise not to initiate the registration process on the last day of registration due to the high number of data controllers and a potential crash of the system on the last day of registration.
You may find below several precedents where the Board has implied administrative sanctions against the data controllers.
I. The Board ruled under decision numbered 2019/157 that;
• Upon usage of e-mail service infrastructure of G-mail belonging to Google, the e-mails being sent and received are stored in data centers in various places around the world. In such case, personal data will be deemed as it is transferred abroad and data controllers shall carry out the application in question in accordance with the provision of the article 9 of the Data Protection Law numbered 6698 with the title “Transfer of personal data abroad”;
• Storage services provided by data controllers/data processors, whose “Servers” are abroad, shall be carried out in accordance with the provisions of article 9 of the Law.
II. The Board decision numbered 2019/159 states that;
• The fact that short messages (SMS) are being sent to the phone number of a real person by the data controller asset management company where there is no written consent of the relevant person, and furthermore the relevant person does not know how, from whom and where the data controller obtained his personal data;
• Due to the fact that debts of which collections are belated and which repayment was not carried out have been assigned to the data controller and to the fact that phone number data which is the Complainant’s personal data being processed with the aim of notifying legal risks to which the Complainant is exposed can be carried out without the Complainant’s explicit consent within the scope of the Article 5/2-(e) Law numbered 6698, there is no legal action to be taken about data controller;
• However, the fact that usage of personal data is also a data processing activity, that in this sense several messages with same content having been sent by the data controller in different dates to the relevant person is deemed as the abuse of right by the data controller and that this incident constitutes a breach of law and of the principle of good faith in processing personal data stipulated in the Article 4/2-(a) of the Law are taken into account and an administrative fine of 20.000 TRY has been imposed.
III. The Board decision numbered 2019/162 states that;
Following requests have been examined together
a) Upon the fact that an SMS texts with advertisement purposes have been sent to the Complainant’s phone number, the relevant person does not know how and from where his personal data has been obtained and accordingly information was requested from the data controller due to the usage of the personal data without the explicit consent as per the Law On The Protection Of Personal Data (Law) numbered 6698, yet no answer was given within the legal period.
b) As a result of unresponsiveness to the request within the scope of the Law made to the data controller within legal period, a complaint has been made to the Board and information is requested regarding the following points: (1) whether there is explicit consent with regards to sending SMS texts with advertisement content at the data controller; (2) whether personal data has been processed, if yes, with what purpose it has been processed (3) to whom personal data has been transferred in the country (4) whether personal data has been transferred abroad, if yes, to whom it has been transferred (5) whether the Company is informed about the SMS texts.
As result of the examination;
• Since usage of phone number data which is the Complainant’s personal data whereby a message with advertisement purpose was sent to him by the Company is a data processing activity in the sense of provisions of personal data protection, while data processing has to be based on conditions stated in the Articles 5 and 6 of the Law, yet the fact that sending of the message subject to the complaint is based on no condition for processing was established, due to the fact that the data controller did not take mandatory technical and administrative measures to ensure the appropriate security level with the aim of preventing unlawful processing of personal data, an administrative fine of 50.000 TRY has been imposed as per the Article 18/1-(b) of the Law on the Company since it acted against the Article 12/1-(a).
IV. The Board decisions numbered 2019/81 and 2019/165 state that;
In the consideration as a result of examination of various notifications and complaints made to the Board by relevant persons about two different companies (data controllers) delivering gym services upon processing some personal data of special nature including biometric data like using palm printing system in the control of entrance-exit of their members, photographs of registered members, displaying information such as last visit and upon suspicion as to whether these data are stored safely:
a) offering finger and palm printing system used by data controllers for the entrance to gym as mandatory and the only way to benefit from the service is not considered in compliance with the principle of requesting data from relevant persons at minimum level in the light of Principle of Proportionality in processing personal data;
b) in addition, in the incident in question, under the online membership contract introduced to members, when introducing consent for palm print to be registered which are personal data of special nature as the mandatory condition for the conclusion of the contract and granting right to termination to the company in case of irregularity are considered together, it is considered that it is not possible to infer that explicit consents given by members are based on free will when the fact that they won’t be entitled to benefit from the service in question in case of the absence of consent for palm print data to be taken in the entrance of members to gym is taken into consideration, and within this scope delivering services by data controller is bound to mandatory condition of explicit consent.
In this respect,
• When the fact that taking persons’ palm print data which are biometric data for entrance control of gym members could be carried out with alternative ways does not comply with the principle of “being related to, limited to and proportional with the objective of processing” as per the Article 4/2 of the Law, on the other hand relevant persons’ explicit consents were taken for palm print data to be processed by data controller that would otherwise lead them to be deprived of gym service is taken into consideration, since the explicit consents taken from members constitute irregularity to the Article 12/1-(a) of the Law an administrative fine within the scope of the Article 18/1-(b) of the Law is to be imposed.
• Upon the data controller failing to take mandatory technical and administrative measures that would prevent third parties’ personal data from being seen, an administrative fine within the scope of the Article 18/1-(c) of the Law is to be imposed.
• Data controllers are to be instructed at the point of the control of entrance to and exit from sports club and the security in club as entrance controls regarding persons wishing to benefit from club services are to be maintained with alternative ways other than processing biometric data, carrying out entrance-exit operations with biometric data and processing biometric data are to be immediately ceased.
• Data related to hand, finger and palm print data processed and stored by data controllers until today are to be destroyed immediately in compliance with the article 7 of the Law and the Regulation Regarding Erasure, Destruction or Anonymizing of Personal Data, if the transfer of relevant data of special nature to third parties is in question, data controllers are to be instructed to inform immediately third parties to whom these data have been transferred about operations regarding destruction.
V. The Board decision numbered 2019/166 states that;
Relevant person applied to data controller due to SMS text sent to his phone number containing content that does not belong to him; data controller responded that this derived from an error of staff and that the message was sent to relevant person as a result of one digit error when making entry of another subscriber and that error was corrected immediately; however, the relevant person stated that the person whose data were in the SMS text is his nephew and it is not possible to confuse his phone number with his nephew’s phone number with only one digit error. As a result of examination of his request,
• Two different processing activities carried out with one action in the form of either sending name, surname and service number of the Complainant’s nephew who is reported to be indebted to a group of companies, or processing the Complainant’s phone number based on none of the conditions of processing in the Law, an administrative fine of 50.000 TRY is to be imposed on the lawyer (data controller) who failed to perform the obligation of “prevent unlawful processing of personal data” envisaged in the article 12/1-(a).