The Personal Data Protection Board (“Board”) evaluated a complaint regarding a data controller sending commercial electronic message to a data subject's work e-mail address, which was found as a result of an internet search, without the data subject's consent in its decision dated 01.09.2022 and numbered 2022/861.
The complaint subject to a decision is sending e-mails regarding the campaign and advertisement to the work e-mail address of the data subject who is a lawyer and failure to inform the data subject about the source of collection of the personal data.
The Board made the following explanations regarding the complaint;
As a result of the examination by the Board, the e-mail address is different from the e-mail address which is subject to the complaint. It was understood that the e-mail address has been made publicly available by the data subject when that the data controller’s statement stating the e-mail address which is subject to the complaint has been reached through the internet search was considered.
It is possible to process personal data if personal data have been made public by the data subject himself/herself pursuant to Article 5/d of the Law on the Protection of Personal Data w. no. 6698 (“DPL”). However, making personal data public does not mean that such personal data may be processed personal data for any purpose. Personal data processing must be limited and relevant to the purpose made available to the public by the data subject.
Further, the data controller stated that personal data was processed through sending marketing e-mails based on Article 6 of the Law on the Regulation of Electronic Commerce No. 6563 containing that "Commercial electronic messages can be sent to tradesmen and merchants without prior consent". However, commercial electronic messages cannot be sent to a person who is a lawyer without obtaining prior consent based on this provision since lawyers cannot act as either tradesmen or merchants pursuant to Article 11 of Attorneyship Law w. no. 1136.
Thus, it has been understood that the data controller has violated the obligation to prevent the unlawful processing of personal data since there are not any conditions for processing personal data set out in Article 5 of the DPL.
It has been also understood from the response given by the data controller to the data subject, only information was given that his/her personal data was erased, but other information requests of the data subject within the scope of Article 11 of the DPL were unanswered. Therefore, the data controller has acted contrary to Article 6 of the Communiqué on Principles and Procedures for the Request to Data Controller (“Communiqué”).
In this regard, the Board adopted the following decision;
The data controller has not submitted any document proving that there is a will of the data subject for processing the e-mail address information for advertising and marketing purposes. Also, there are not any conditions set out in Article 5 of the DPL for processing personal data. In this respect, it has been decided to impose an administrative fine of TRY 150.000 (approx. 5.772 EUR) on the data controller.
Since answering only some of the questions in the application to the data controller made by the data subject constitutes a violation of the DPL, it has been decided to instruct the data controller to respond to the data subject in accordance with Article 6 of the Communiqué.
The letter submitted by the data controller states that the e-mail address of the data subject has been deleted from the records of the data controller upon the request of the data subject. However, it is understood that no document proves the deletion. So, it has been decided to instruct the data controller that the personal data of the data subject must be deleted, destroyed, or anonymized and the related documents must be sent to the Board.
Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş