Transferring Personal Data Abroad Without Obtaining Explicit Consent
The Personal Data Protection Board (“the Board”) evaluated a complaint regarding a bank's transfer of personal data to an insurance company without explicit consent in its decision dated 03.08.2022 and numbered 2022/768.
The complaint subject to the decision is that the data subject received multiple calls from an insurance company, indicating that the bank, as the data controller, had shared the data subject's phone number with the insurance company. Consequently, it was claimed that the personal data of the data subject was processed unlawfully.
The Board provided the following explanations regarding the complaint:
Pursuant to Article 8 of the Law on the Protection of Personal Data, Law No. 6698 ("DPL"), the transfer of personal data must be justified by obtaining explicit consent from the data subject or by relying on provisions in other laws concerning data transfer. If the data controller cannot justify the transfer based on one of the data processing conditions listed in Article 5/2 of the DPL, explicit consent or legal justifications are necessary for the data controller's data processing activity.
The document indicating the data subject's consent to receive commercial electronic messages is the "Campaign Communication Preferences Instruction." However, no document demonstrating that the data subject was informed about the personal data transfer was submitted. This violates the principle of "based on information" for obtaining explicit consent. Therefore, the mentioned document does not qualify as explicit consent for the transfer of personal data.
The expression below the relevant instruction screen, stating that “the channels and products allowed by selecting the "all channels and products" option in this form will also include channels and products that can be used and/or defined by the Bank at a date after the form is signed”, is an ambiguous statement concerning the future. It does not comply with the "based on free will" element of the explicit consent conditions. In addition, there is suspicion that the data subject's own will was not involved in completing the boxes on the relevant document.
Therefore, the information and documents presented in the concrete case do not prove that the data subject has provided explicit consent for the transfer of personal data.
When examining the data controller bank's obligations regarding the security of personal data, it is evident that, pursuant to Article 73 of the Banking Law, sharing a bank customer's information with third parties in the country or abroad is prohibited without the customer's instruction, even if explicit consent is obtained. Therefore, it is unlawful to share personal data with the insurance company without any instruction from the customer.
In the concrete case, it was observed that explicit consent was not obtained for sharing the phone number with the insurance company. There was no evidence or document proving the existence of an instruction or request for the data processing activity mentioned in the complaint, and it did not fall within any exceptions. Furthermore, it has been evaluated that the conditions for transferring personal data listed in Article 8 of the DPL were not met.
In this regard, the Board adopted the following decision:
An administrative fine of TRY 250.000 (approx. EUR 11.701) has been imposed on the data controller bank for failing to fulfill the obligation to take the necessary administrative and technical measures to ensure the appropriate level of security specified in Article 12 of the DPL, and because Article 8 of the DPL was breached by transferring the data subject’s contact information to the insurance company without relying on any of the processing conditions outlined in Article 5 of the DPL.
Authors: Burak Özdağıstanli, Bensu Özdemir, Ebru Gümüş