The Personal Data Protection Board (“Board”) evaluated the complaint application regarding the processing of the child's personal data by a data controller marketing company by sending promotional brochures without the explicit consent of the child's parents in its decision dated 03.08.2022 and numbered 2022/776.
The complaint focused on the actions of a self-employed entrepreneur, who sent a promotional brochure to an 8-year-old child as part of their marketing efforts for a product belonging to the marketing company. It was claimed that the personal data of the child had been processed unlawfully due to the lack of explicit consent from the child's parent.
The Board provided the following explanations regarding the complaint;
It was necessary to determine the data controller in this case. Pursuant to the contract between the company and the self-employed natural person entrepreneur, it is stated that the self-employed entrepreneur is responsible for determining the purpose and means of processing personal data regarding customers, as well as complying with applicable data protection laws. The relationship between the company and the self-employed entrepreneur was determined to be an independent contract rather than a dependent relationship like an agency or employer-employee relationship. When these provisions are considered, it was concluded that the self-employed natural person entrepreneur acts independently from the company in processing personal data for marketing purposes. The self-employed entrepreneur determined the purposes and means of data processing and had the role of data controller in their relationship with the data subject. The company did not have a role in the data processing activities.
The data controller claimed that that the personal data was provided by the data subject, and argued that the processing activity, carried out by sending the brochure, fell within the exception provision “Personal data are processed by natural persons within the scope of purely personal activities of the data subject or of family members living together with him/her in the same dwelling provided that it is not to be disclosed to third parties and the obligations about data security is to be complied with” in Article 28 of the Law on the Protection of Personal Data No. 6698 (“DPL”). However, this exception provision is applicable to the processing of personal data by family members living in the same residence, which is not the case here. Therefore, this exception provision does not apply to the self-employed entrepreneur who acted as the data controller.
It has been evaluated that processing of name and address which are personal data by sending a promotional brochure for marketing purposes is not based on any of the processing conditions in Article 5 of the DPL due to the fact that the time gap of four and a half months between the order placed on the e-commerce site and the brochure, the fact that the brochure was not sent with the order, and the absence of any document showing explicit consent for the processing of personal data for promotional and marketing purposes were considered.
In this regard, the Board adopted the following decisions;
There is no action to be taken against the company within the scope of the DPL since the self-employed entrepreneur, who sent the brochure, was acting independently from the company based on the terms of the contract and maintained a service relationship with customers in selling company products, they act as a data controller independent of the company when processing personal data of their customers.
It was determined that the processing of the child's name and contact information, as personal data, by sending the promotional brochure had no connection to the order shown in the invoice submitted by the data controller. The brochure was not sent together with the order shown in the invoice. Therefore, the sending of the brochure was carried out without relying on any of the processing conditions set out in the DPL. Consequently, the obligations stipulated in Article 12/1 of the DPL were not fulfilled, and an administrative fine of TRY 30,000 (approximately 1,400 EUR) was imposed. This decision took into account the unfair content of the misdemeanor committed under the scope of Article 17 of the Misdemeanor Law, as well as the fault and economic situation of the data controller.
It was decided to notify the marketing company regarding the self-employed entrepreneurs should be informed that the explicit consent of the data subjects should be obtained, and the provisions of the DPL should be complied with in the processing of personal data for promotional and marketing purposes.
Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş