New Decisions of the Turkish Personal Data Protection Authority
Updated: Nov 26, 2019
On November 6, 2019, the Turkish Personal Data Protection Authority (“the Authority”) has published new decisions’ summaries on its website. These decisions are;
1. Ways to Contact Data Controller
On November 6, 2019, the summary of the new decision dated 01.10.2019 and numbered 2019/296 was published by the Authority. This decision covers rejection of the data subject’s access request made on the website on the grounds that the Operator Company (“the Company”) cannot verify the identity of the data subject.
In the incident, the data subject has made an access request via the website of the Company which he\she receives telecommunications services. The Company has rejected the application on the grounds that the application was not sent through a notary public or via electronically signed e-mail.
The Company as the data controller has made the following explanations;
The form in question was submitted in accordance with the Communique on the Procedures and Principles of Application to the Data Controller. ("the Communiqué")
The reason for requesting the application in this way is the identification of the Data subject,
In the form submitted by the data subject, there is no information that can confirm the identity information.
According to the Law on the Protection of Personal Data w.no.6698, “the data subject shall lodge an application in writing to the controller about his demands concerning the implementation of this Law or via other methods specified by the Authority.”
Under Article 5 of the Communique; a data subject can transfer his/her demands to the data controller via the following methods;
Via registered electronic mail (KEP) address,
With the secured electronic signature,
By using a mobile signature,
By using the electronic mail address that has been previously notified to the data controller,
With registered e-mail to the system of the data controller,
Via a software or application that has been developed for the purposes of the application.
According to Article 6 of the Communique, the data controller is obliged to take any necessary administrative and technical measures in order to conclude the applications of a related person effectively, in compliance with law and the rule of honesty.
In this context, the Authority made the following evaluations;
The Company has stated that it is only possible to apply with a notary public or e-signature to provide identification. This is a pecuniary burden that is not foreseen in the law or the Communiqué. In this manner, the right of the data subject to make an appropriate application is prevented. This is a situation which is in breach of law and rules of honesty which is listed in Article 6 of the Communiqué. Within the scope of these assessments, it was decided to instruct (warn) the Company.
It was decided that the data subject to be informed about his/her rights in Article 11 and the related articles of the Communiqué.
2. Request the Copy of Identity Card from the Related Person
On November 6, 2019, the Authority’s decision summary dated 01.10.2019 and numbered 2019/294 was published. The decision is regarding a request for a both-sided identification card by the data controller in response to the data subject’s request to change the username and password of his loyalty membership.
The data subject requested to change his/her username and password when using the loyalty program offered by an airline (the data controller). In return for this, the data controller has requested a both-sided identification card copy from the related person as an image. The image was sent by the data subject to be able to access the ticket information. However, afterwards data subject requested that this image be deleted. In response the data controller stated that the information was not kept in the system. The data subject lodged an application to the Authority.
The Authority made the following assessments;
Since the information on the identity card such as “religion” and “blood group” are sensitive personal data, the explicit consent of the data subject is required. Therefore, the data was processed unlawfully.
The data controller did not specify which legal processing condition it used to process the identity information. Therefore, the data controller has processed the data in violation of the principle of processing for specific, explicit and legitimate purposes.
It was possible to process less data for the authentication process; therefore, the data controller processed the data in violation of the principle of being relevant with, limited to and proportionate to the purposes for which they are processed.
By not deleting the identity images, the data controller has also processed the data in violation of the principle of being retained for the period stipulated by relevant legislation or the purpose for which they are processed.
In this respect, the Authority has made the following decisions;
Due to the fact that the data controller has not fulfilled his/her obligations related to data security regulated in paragraph 1 of Article 12 of the Law, a fine of TRY 100,000 (approx. € 15.500) was applied to the data controller pursuant to the subparagraph (b) of paragraph 1 of Article 12 of the Law.
It was also decided to give instructions on the following issues to the data controller;
i) Informing the data subject that the data has been deleted and informing the Authority afterward,
ii) Forwarding the related documents to the Authority if it has been previously notified,
iii) During the submittal of the loyalty card implementation and other services, under the Law reassessment of the method used to confirm the identities of the related persons,
iv) Informing the data subject in this regard.
3. Use of a Mobile Phone Number out of its Purposes
On November 6, 2019, the summary of the decision dated 18.09.2019 and numbered 2019/227 was published by the Authority. The decision covers a bank's use of the person's mobile number for purposes other than its own purpose.
In the incident, a bank employee has called the complainant on the grounds that they could not reach her husband. Firstly, the data subject applied to the bank for receiving information on this subject; however, the bank sent an email stating that the bank service line could be called to obtain information. And then she lodged an application on the grounds that the misuse of the contact information she provided to the Bank for use in transactions related to the Bank.
In this context, the Authority has made the following decisions;
The complainant's application has been not answered in accordance with the provisions of the Communiqué. Therefore, it was decided to remind the bank to pay maximum attention to compliance with the provisions of the Law and the Communiqué.
The telephone number, which data subject has given for use in her own transactions and works, was used in order to reach her husband by the Bank. This situation is contrary to subparagraph c and ç of paragraph 2 of Article 4 of the Law. Due to the fact that the data controller did not take necessary administrative and technical measures under subparagraph a of paragraph 1 of Article 18 of the Law, a fine of TRY 100.000 (approx. € 15.500) was applied to the Bank pursuant to the subparagraph (b) of paragraph (1) of Article 18 of the Law.