New Decisions Of Board Of Protection Of Personal Data Published On 17th Of July 09 August 2019
New Decisions Of Board Of Protection Of Personal Data Published On 17th Of July
Decision Summary of the Board of Protection of Personal Data dated 31/05/2019 and numbered 2019/166: “Sending an irrelevant content to the phone number of a data subject”
Data subject appealed to the data controller regarding the text message which was sent to his/her phone number and of which content was not belong to his/her own. Data subject received a reply explaining that the messages were intended to be sent to another subscriber but as a result of an employee’s mistyping with just 1 number, it was sent to the data subject, and then it was remedied. However, the complainant argued that the person, whose personal data was the content of the message sent to the data subject, was the nephew/niece of the data subject and it was impossible to mistype 1 number when the relevant phone numbers were considered. Upon the inspection after the data subject’s appeal on this, the Board stated that the following two data processing activities resulted from one action; the name, surname and service number of the nephew/niece were sent to the phone number of the complainant and the data process of the phone number of the complainant without any legal reason stated in the Law. The Board imposed an administrative fine of 50.000 TL to the data controller lawyer as per Article 18/1/b of the Law, by reason of the data controller- lawyer default “Prevent unlawful processing of personal data” stated as per Article 12/1.
Decision Summary of the Board of Protection of Personal Data dated 25/03/2019 and numbered 2019/81 and decision dated 31/05/2019 and numbered 2019/165 “Data processing of biometric personal data of the members for control of the entrance and exit”
Two separate data controller company which are both operating fitness center, passed to hand and palm print system during entrance and exit of their members. Upon various notices and complaints to the Board, indicated the concerns regarding data processing such as passport photo, time of their last visit at the facilities on TV screen, and safe storage;
1-As per Article 6 of the Law, biometric data have been identified as special category of personal data, but biometric data are not defined under the Law. As per Article 51 of the GDPR which enter into force on 25.05.2018, for defining biometric personal data, that the person shall be uniquely verified and identified by the biometric personal data. The 15th Chamber of the Council of State stated in decision numbered 2014/4562 that biometrical personal data refer to specify technical processing by measurable physiological and individual characteristics and automatic identity check that include the fingerprint scanning, palm scanning, hand geometry recognition methods while entrance and exit to fitness center and indicated that data controller process special categories of personal data by using biometric processing.
2- a) As per Article 4 of Law, personal data shall only be processed in accordance with the law, in good faith and for explicitly specified and legitimate purposes, with the condition of being accurate and up to date when necessary, be relevant, limited and proportionate to the purposes for which data are processed and stored only for the time designated by relevant legislation or necessitated by the purpose for which data are collected. Within the principle of proportionality, the data controller shall process the personal data for its purpose, request minimum level of information from the relevant person, otherwise avoid unnecessary processing, use the personal data for necessary purposes and not store it for longer than necessary. In the decisions of the Council of State numbered 2014/2242 and numbered 2014/4562, biometric methods such as “fingerprint or face scanning system” are also within the scope of the right of privacy, even if in the public sphere. The absence of any assurance that the collected data could not be used in any other way in the future was held to be unlawful. In the decision of European Court of Human Rights S. and Marper v. The United Kingdom dated 4 December 2008, the retention of the fingerprints constituted a disproportionate interference with the applicant’s right to respect for private life and could not be regarded as necessary in a democratic society and the court decided that it was a violation of the Article 8 of the European Convention on Human Rights. Therefore, the “hand and fingerprint scanning” system applied by the data controller for the compulsory and only way of entrance to the gym, was held not to be in accordance with the principle of minimum level of data request from the subject, in light of the principle of proportionality.
b) Processing special categories of personal data to ensure entrance and exit controls in sport clubs is not explicitly regulated by law. For this reason, in relation to the claim that the permission of the data subject is obtained by the data controller for the processing of hand and fingerprint; Article 6 of the Law states that biometric and genetic data are considered as special categories of personal data, and the same declares that “special categories of personal data cannot be processed without the permission of the data subject.” It has been understood that data controllers had taken explicit consent of the data subject for the processing of the palm print. Explicit consent must consist of three elements to be valid, as defined by the Law No.6698. It must be limited to a specific subject. Since it is a declaration of will, the data subject must know what it consents to, the subject matter and consequences of its consent, in order to ensure the existence of free will. In the present matter, the online membership agreement must include consent to the recording of palm print, which is a special category of personal data, in order to form a valid contract. In case of non-compliance, it is considered that the right of termination has been granted to the company and the members will not be able to benefit from the service if they do not consent to the palm trail information at the entrance to the clubs. It is not possible to say that the express consent of the members is based on free will. In this context, it has been seen that the provision of the service by the data controller is based on explicit consent. In relation to the data controllers, it has been decided that it is possible to provide access to those who want to benefit from club services by alternative ways control to control entry to and exit from the sports clubs, the acquisition of palm-print data as biometric data of persons is incompatible with the principle of “Connected purpose of data processing, limited and measured” in Article 4 of Law No. 6698. On the other hand, special categories of personal data may only be processed with the explicit consent of the data subject or within the scope of the Law of the conditions specified in Article 6, paragraph 3. Explicit consent of the data subject for the processing of palm print data must have been obtained by the data controller; but if explicit consent is not provided, it is a violation of Article 12 of the law. Therefore, an administrative fine shall be imposed under Article 18 of the Law; Control of exit to and entrance from the Sports Club for security purposes must be provided to the people who wish to benefit from the club services by means of alternative ways other than processing biometric data; The data controllers must be instructed to stop regulating entry to and exist from the club with biometric data and processing the data; The data of hand, finger and palm prints, processed and maintained by data controllers must be immediately destroyed, in accordance with the provisions of Article 7 of the Law and the Regulation on the Deletion, Destruction or Anonymous Making of Personal Data, If the relevant special categories of personal data is to be passed on to third parties, data controllers must be instructed to notify third parties in relation to the destruction of the data.
Decision Summary of the Board of Protection of Personal Data dated 31.05.2019 and numbered 2019/162 “commercial electronic communication sent by a joint stock company (data controller) without data subject’s explicit consent”
Data subject appealed to the data controller regarding a commercial electronic commercial; data subject claims that he/she does not know how and where his/her personal data was obtained and the message was sent without his/her explicit consent and he/she contacted the data controller within the scope of the Protection of Personal Data Law No. 6698, but the data controller didn’t respond to the data subject in the legal time period, data subject appealed to the Board; 1-Whether data controller has his/her explicit consent to send commercial electronic communications, 2-whether his/her personal data has been processed or not processed, if it has been processed, for which the purposes 3- to whom his/her personal data has been transferred at home, 4- whether his/her personal data has been transferred abroad and if it has been to whom, 5- whether data controller is aware of the commercial electronic communications that are sent to him/her and as a result of the inspection; The Board has been decided that sending commercial electronic communications to data subject’s mobile phone number, which is the complainant's personal data used by the company for the purpose of send commercial communication, is a data processing activity within the scope of Law, this process activity must based on any of the conditions under Articles 5 and 6 of the Law but such processing is not based on any of the conditions. The Board imposed an administrative fine of TL 50,000 on the data controller for failing to take technical and administrative measures in order to prevent unlawful processing of the access to personal data stated as per Article 12/1 and to ensure a adequate level of security according to Article 18/1 of the Law.
Decision Summary of the Board of Protection of Personal Data dated 31/05/20019 and numbered 2019/159 “Sending multiple messages from an asset management company to data subject’s phone number:
The data subject stated that he/she receives short messages on his / her phone without obtaining his/her explicit consent and the text message did not an option- put option, he/she does not know from where and how his/her personal data has been obtained, he/she didn’t get any results from application to the data controller in the time period indicated in the relevant articles of the Personal Data Protection Law no.6698, and he/she applied to the Board.
On the matter of failing to respond to the application of the data subject within the legal period of 30 day, the Board determine that the data controller responded to the data subject with the reply letter attachment, this letter was received by the data subject, the data controller was documented the letter with the Shipment Tracking and was answered all matters of complainant information requested. So the Board decided not to take any action regarding the data controller. The Board also decided that about the debts of the data subject, the bank has been transferred to data controller in compliance with to provision of Banking Law No. 5411 and the Turkish Code of Obligations No. 6098. The data controller was the new creditor of the credit debts used by the data subject from the related banks. Pursuant to Article 186 of Law No. 6098, to prevent the debtor from performing its debt to previous creditors; and that the data subject's data are processed in order to inform the data subject about the legal risks to which the data subject may be exposed in case the debt is not paid, as it is possible that it can be realized without the explicit consent of the person concerned in compliance with the subclause 2 of Article 5 of Law no. However, the use of personal data within the scope of Law No. 6698 is also a data processing activity. Therefore, sending the messages with the same content to the data subject’s phone number more than once is considered as abuse of the right of data controller. It has been concluded that the processing of personal data in subclause 4 of Article 4 of the Law was contrary to the principle of compliance with the law and honesty rules. About the data controller who fails to take the necessary technical and administrative measures to prevent unlawful processing of personal data in subclause 1 of Article 12 of the Law, the Board decided to impose an administrative fine of 20,000 TL on the data controller in compliance 1 of Article 18 of the Law.
Decision Summary of the Board of Protection of Personal Data dated 31/05/2018 and numbered 2019/157 “Corporate e-mail service, whether can be used provided by Google (gmail) through the same extension”
The data subject requested the Board’s guidance on the matter of whether a private e-mail addresses can be used for corporate e-mail addresses with the same extension via Google (gmail) through an open source e-mail service Zimbra, which provides a free corporate e-mail service. The Board stated that the e-mail messages sent and received might be stored in data centers located in different parts of the world while using e-mail service which belongs to Google. In such a case, the personal data would be transferred abroad and the data controller shall do in compliance with the provisions of Article 9 of Law 6698 on the Protection of Personal Data; “Transfer of personal data”, The Board stated that the storage services obtained through data controllers / data processors whose servers are located abroad shall be in compliance with Article 9 of the Law.
Other News
-
22.11.2024
The Procedure of Sale by Auction and The Legal Aspect of New Regulations Brought by the 9th Judicial Package
By new regulations brought by the 9th Judicial Package, a new legal frame for the sale of seized goods electronically is instructed according to Enforcement and Bankruptcy Law Article 111/b. Transactions about the sales of seized goods are made via a sale portal integrated with the National Judicial Network Information System (UYAP) by auction. However, because of the legal gaps of the law, an application about the sale transactions cannot be displayed. The amendments introduced by legislators to the law regarding electronic sales in the 8th and 9th Judicial Packages, as well as the newly established regulations, are considered an important step toward making foreclosure processes faster and ensuring that sales transactions are conducted in a safer and more transparent environment.
-
15.11.2024
Law Numbered 7531 On Amendments To Certain Laws Was Published
Law1 No. 7531 on the Amendment of Certain Laws ("Law"), also known as the 9th Judicial Package, was published in the Official Gazette dated 14.11.2024 and numbered 32722 and contains significant amendments to 17 different laws.
-
13.11.2024
E-Government Era Begins In Lease Agreements!
The Ministry of Treasury and Finance ("Ministry") announced in the 2023-2025 period of its 2022 Action Plan for Combating the Informal Economy ("Action Plan") that lease agreements could be concluded through the e-Government portal to support the decision-making processes of the parties involved and conduct risk analysis studies. The first phase of this activity was launched on November 4, 2024, through the e-Government portal, and the second phase is expected to be implemented by the end of the year.
-
11.11.2024
A New Era in Digital Markets: The Competition Authori's The Competition Authority's 2024-2028 Strategic Plan Published
The Competition Authority ("the Authority") has published its 2024-2028 Strategic Plan ("the Strategic Plan") with the aim of adapting to the rapidly evolving dynamics of digital markets and maintaining a competitive economic order. Developed in light of recent shifts in the global competitive environment, the Strategic Plan focuses on new regulations in digital markets and emerging technologies. The Authority aims to ensure fair and competitive markets through this plan, with a clear focus on enhancing consumer welfare.
-
31.10.2024
Public Announcement on Standard Contract Notification Module Published
Public Announcement on Standard Contract Notification Module published on 24.10.2024 on the official website of Personal Data Protection Authority ("Authority"). By the decision dated 17.10.2024, the Personal Data Protection Board ("Board") created "Standard Contract Notification Module" ("Module") in order to carry out standard contract notification processes in a faster and more efficient manner and decided that the notifications could also be carried out online via the Module.
-
28.10.2024
Warning To Research Companies: Inform First, Then Obtain Consent
After the number of complaints to the Personal Data Protection Authority ("Authority"), the Authority published a Public Announcement on "Personal Data Processing Activities of Research Companies by Using "Random-Digit Dialing as a Method of Telephone Sampling" for the purpose of Statistical Research" ("Public Announcement").
-
21.10.2024
EU Data Act
In today's world, where digitalization is gaining significant pace, data sharing and management are of vital importance for all sectors. In this context, the European Union has adopted the EU Data Act, which reshapes the regulations on data sharing. It aims to promote the wider use of data generated by digital devices and services while introducing new rules for a fair data economy.
-
2.10.2024
Regulation No.2023/1115 on the Prevention of Deforestation and Rules for Companies Exporting Products to the European Union
According to data from the United Nations Food and Agriculture Organization, it has been determined that the world's forests decreased by 178 million hectares over the 30-year period from 1990 to 2020.
-
1.10.2024
SEC Climate Disclosure Rule
For the sake of a livable environment and the future of our world, sustainability and ecosystem protection are becoming increasingly important. In this context, governments are introducing environmental reporting standards for companies, which are among the actors that most significantly impact the ecosystem.
-
26.7.2024
2024-2025 Action Plan For The National Artificial Intelligence Strategy Has Entered Into Force
Presidency of the Republic of Türkiye Digital Transformation Office published 2024-2025 Action Plan for the National Artificial Intelligence Strategy within the framework of the 12th Development Plan in order to further Turkey's progress in the field of artificial intelligence and to achieve the set targets.
-
30.5.2024
Important Amendments Introduced to the Turkish Commercial Code by Law No.7511
The Law on Amendments on Turkish Commercial Code and Certain Laws (the "Law") was published in the Official Gazette dated 29 May 2024 and numbered 32560.
-
8.5.2024
Law Proposal on the Amendments on the Turkish Commercial Code Numbered 6102 and Certain Laws in Offered to the Parliament
Law Proposal on the Amendments on the Turkish Commercial Code and Certain Laws is offered to the parliament. Within the scope of the proposal, it is planned to make important amendments to a number of laws, particularly the Turkish Commercial Code, the Cooperatives Law, the Law on the Protection of Competition and the Law on Consumer Protection.
-
19.4.2024
The Constitutional Court Decision Annulled The Regulation Envisaging Liability For Litigation Expenses Within The Scope Of Mediation In Civil Disputes
In accordance with paragraph 11 of Article 18/A of Law No. 6325 on Mediation in Civil Disputes1 ("the Code"), a party shall be held liable for the entire cost of the litigation, nothwithstanding justification at the conclusion of the proceedings, and shall not be granted power of attorney fee if he or she fails to appear for the initial session of mandatory mediation without providing an explanation.The aforementioned regulation is outlined as follows:
-
8.4.2024
E-Application" Period In Capital Markets Board Applications
With its announcement dated 5 February 2024, the Capital Markets Board ("Board") announced to the public that capital market institutions, organisations and partnerships will be able to make their applications more quickly and effectively through the e-Application System.
-
5.4.2024
The Amounts In The Pre-Conditions To Be Complied With Before The Initial Public Offering Of Shares In Several Sectors Were Decreased
The Capital Markets Board ("Board" or "CMB") decreased the financial thresholds for financial statements, especially considering the sectoral differences of the companies that submitting to the Board for initial public offering and the 12th Development Plan ("Plan") prepared by the Presidency of the Strategy and Budget Directorate.