Recent Development
The Turkish Data Protection Board (“Board“) published four decisions regarding data subjects’ applications to data controllers, the conditions for processing personal data, and the data security obligations of data controllers on its website on November 6, 2019.
What Are the Decisions?
The Board’s first decision concerns a data subject’s complaint regarding the use of a data subject’s rights regulated under Article 11 of the Turkish Data Protection Law (“KVKK”). The data controller, a telecom operator, provided a form on its website for data subjects to complete to apply to the data controller to use their rights under the KVKK. The data controller stated that data subjects could submit the forms physically, by printing and mailing them through a notary public, or digitally, via e-mail with electronic signature. The data controller expressed that it uses such communication methods in order to identify the relevant data subjects. The Board considered that the requirements of submitting the forms via notary or e-mail with electronic signature is an additional burden on the data subjects, was not foreseen in the KVKK or the Communiqué on the Procedures and Principles of Application to the Data Controller (“Communiqué”). The Board further referenced Article 5 of the Communiqué, which allows the data subject to apply to the data controller in writing, or through software or an application developed for this purpose. Consequently, the Board considered that the data controller’s actions contradict the KVKK and the Communiqué and does not espouse good faith. Accordingly, the Board concluded that the data controller is in violation of the Communiqué and instructed the data controller to ensure full compliance with the respective article.
The Board’s second decision concerns a complaint regarding the identity verification methods an aviation company utilizes to alter passwords for loyalty cards. The aviation company requested a copy of both sides of the data subject’s national ID to verify their identity. In addition, when the data subject questioned the retention period of the copies of their ID, the data controller stated that this data is not stored anywhere, even though later investigation revealed they are in fact stored. The Board indicated that Turkish IDs contain information such as blood type and religion, which are sensitive personal data and subject to stricter protection regime under the KVKK. The Board further stated that the data controller did not act in good faith, as the data controller misinformed the data subject about the retention period. Further, the Board emphasized that because identity verification is possible by processing a small amount of personal data, the processing activity was not relevant, limited and proportionate to the overall purposes of personal data processing. Consequently, the Board imposed a fine worth TRY 100,000 (approximately USD 17,000) on the aviation company; instructed the data controller to review its procedures regarding identity verification and the personal data to be processed during such procedures in light of the law; and to inform both data processors and data subjects about these procedures.
The Board’s third decision is related to the use of a phone number a bank utilizes for other purposes than that of data processing. The complainant received a call from the bank and was asked to provide contact information for their spouse because the bank was unable to reach their spouse. The data subject filed a complaint against the bank about the incident and the bank replied by e-mail, stating that they could not reach the data subject by phone and that they could receive further information by calling the bank’s customer services hotline. The Board considered the bank’s reply to be incompliant with the Communiqué’s requirements, as it did not provide the data subject with the requested information. The Board further stated that the processing activity is not relevant to the purposes of the processing, and this indicates that the bank did not implement the necessary administrative and technical measures for personal data security. Consequently, the Board imposed worth TRY 100,000 (approximately USD 17,000) on the bank.
The Board’s last decision concerns a data subject’s complaint that an educational institution sent them marketing SMS messages without meeting the conditions for processing of personal data regulated under Article 5 of the KVKK. The Board underlined that sending marketing messages to data subjects’ mobile phones is a data processing activity as per Article 3 of the KVKK. Thus, the Board stated that the explicit consent of the data subject or the presence of the other conditions for processing personal data listed under Article 5 of the KVKK is required. The Board also carried out a site visit at the premises of the educational institution during the process and stated that their sending marketing messages to the data subject’s mobile phone without meeting the data processing conditions set forth in KVKK was unlawful. Consequently, the Board imposed a fine worth TRY 50,000 (approximately USD 8,650) on the educational institution.
Conclusion
The Board’s recent decisions provide guidance on its stances on various data protection topics, such as data controllers’ obligation to address data subjects’ requests; the conditions for processing personal data; and the obligation to take the necessary administrative and technical measures. Considering the wide scope of application of the obligations foreseen in the KVKK, data controllers should carefully re-evaluate their processes in light of the Board’s decisions.