Processing a Mobile Phone Number without any Data Processing Conditions
Updated: Dec 26, 2019
On December 23, 2019; the Turkish Personal Data Protection Authority (“the Authority”) has published a summary of the new decision dated 07.11.2019 regarding the processing of the mobile phone number of the data subject by a medical doctor without any data processing conditions.
In the case, a message with informative/advertisement content was sent to the data subject's mobile phone by a medical doctor who is a data controller without his/her explicit consent. Thereupon, the related person applied to the data controller but received no response. A complaint was then lodged with the Authority. As a result of the examination carried out by the Authority, the relevant information and documents on the subject were requested from the data controller. However, no response has been given by the data controller.
According to paragraph 1 of Article 5 of the Law on Protection of Personal Data (“the Law”), “personal data cannot be processed without the explicit consent of the data subject.”
The second paragraph stipulates instances where no explicit consent will be sought. Under paragraph 2 of Article 5 of the Law; “Personal data may be processed without seeking the explicit consent of the data subject only in cases where one of the following conditions is met:
a) it is clearly provided for by the laws.
b) it is mandatory for the protection of life or physical integrity of the person or of any other person who is bodily incapable of giving his consent or whose consent is not deemed legally valid.
c) processing of personal data belonging to the parties of a contract, is necessary provided that it is directly related to the conclusion or fulfilment of that contract.
ç) it is mandatory for the controller to be able to perform his legal obligations.
d) the data concerned is made available to the public by the data subject himself.
e) data processing is mandatory for the establishment, exercise or protection of any right.
f) it is mandatory for the legitimate interests of the controller, provided that this processing shall not violate the fundamental rights and freedoms of the data subject.”
The data controller has processed personal data without the explicit consent of the related person or other processing conditions listed in paragraph (2) of Article 5 of the Law. Although the necessary information and documents on the subject was requested from the data controller, he/she did not respond to these issues. In this context, the Authority decided that the data controller should pay the following fine;
Due to the fact that the data controller failed to take the technical and administrative measures mentioned in the subparagraph (a) of paragraph (1) of Article 12 of the Law, a fine of TRY 50.000 (approx. EUR 7.590,09 on Dec 26, 2019) was applied pursuant to the subparagraph (b) of paragraph (1) of Article 18 of the Law.