Making the Personal Data Publicly Available May Not Be Sufficient Everytime To Process Personal Data
On December 23, 2019, a new decision summary dated 07.11.2019 and w. no 2019/331 has been published by the Turkish Personal Data Protection Authority (“the Authority”) on its website.
The decision by the DPA was given upon a complaint by a data subject due to illegal processing of his/her name/surname and telephone number without his/her consent by an insurance company.
In the present case, the name, surname and telephone number data has been collected by the insurance company from a publicly available website and the insurance company called the data subject about insurance activities without taken his/her explicit consent.
Insurance company’s defense in the case was that the data was made available by the data subject him/herself, therefore explicit consent is not required. After evaluation the Authority has decided as follows;
Even though personal data is collected from a website that is open to public by the insurance company, the purpose of such collection and process is not in line with the purpose and aim of the data subject in making his/her data available. Therefore the DPA concluded that the legal basis in Article 5/(2-d data subject making his/her data available of the Data Protection Law (“the Law”) cannot be relied on in this case. In that context, the DPA concluded that the Company did not take necessary administrative and technical measures in order to prevent the unlawful processing of personal data under Article 12/(1-a) of the Law and pursuant to the Article 18/(1-b) of the Law, an administrative fine of TRY 100.000 (approx. € 15.150,00 on Dec 26, 2019) was applied to the Company.