KPLAW


The Personal Data Protection Board published its new decisions on 23.05.2022. Here are some of the highlighted decisions we have evaluated for you.

 

1. Personal Data Protection Board Decision on Unlawful Processing of Personal Data through Cookies on Websites and Mobile Applications

What Does the Board Decision Say?

The Board's decision dated 10/03/2022 and numbered 2022/229 addresses the unlawful processing of the data subject's personal data through cookies on the website and mobile applications of a data controller company operating in the e-commerce sector.

The Personal Data Protection Board concluded the following:

  • Cookies should be classified as strictly necessary cookies and non-essential cookies.
  • Strictly necessary cookies are compulsory for the website to function properly.
  • For other cookies, explicit consent must be obtained from the data subject in accordance with the opt-in model.
  • Where the exceptions in the Law on the Protection of Personal Data (“PDP Law”) do not apply, the pop-ups appearing on the homepage of websites should be arranged in a way that obtains explicit consent.
  • If data is to be transferred abroad and a letter of commitment has not been submitted by the data controller, the data controller must transfer data abroad by obtaining explicit consent from the data subject.
  • Pop-ups on the site should include separate and easily accessible links to the privacy policy and cookie policy.
  • The cookie policy should include the data processing purposes, to whom and for what purpose the data transfer can be made, the method and legal reasons for collecting personal data, and the rights of the data subject. The privacy policy should be prepared with the cookie policy taken into consideration.

 

Who Does the Decision Affect?

The decision closely concerns data controllers who process personal data through cookies on websites and mobile applications.

Was an Administrative Fine Applied?

The Board applied an administrative fine of TL 800,000 on the data controller due to violations of the PDP Law.

To Sum Up

Data controllers who process personal data through cookies should obtain explicit consent from the data subjects and fulfill their obligation to inform. They should also update their websites and mobile applications in a user-friendly manner by considering the exceptions arising from the PDP Law.

 

2. Personal Data Protection Board Decision Regarding the Sharing of the Data Subject's Personal Data Through Telephone Calls by the Bank

What Does the Board Decision Say?

The Board's decision dated 09/12/2021 and numbered 2021/1239 addresses the issue of a data controller bank sharing the personal data of a data subject customer by contacting the family members of the data subject. The data subject stated that he/she was telephoned by the data controller bank and could not be reached regarding the payment of his/her debts related to the loan agreement that was previously concluded with the bank. Furthermore, the data subject stated that his/her family was insistently telephoned by the bank and that his/her personal data was shared without the data subject’s explicit consent.

The Personal Data Protection Board concluded the following:

  • Data regarding the family were retrieved from the Risk Center for the limited purpose of reaching the customers to follow up on their debts due to the risk incurred by the data controller. According to the Bank, the said calls were made in accordance with the relevant legislation and the Board's decision dated 05.03.2021 "Regarding the sharing of the customer's relationship with the Bank with the relatives through the call made through the phone number obtained from the Risk Center".
  • It could not be determined that personal data regarding the debt information of the data subject was shared by the data controller, from the available information and documents.
  • Upon the request of the data subject, the number was blocked by the bank and necessary action was taken regarding the telephone calls to the data subject's family members within a short period of time.

In this regard, the Personal Data Protection Board concluded that there is no violation, but that the necessary administrative and technical measures should be taken by the data controller.

Who Does the Decision Affect?

The decision closely concerns banks that process personal data.

Was an Administrative Fine Applied?

The Board reminded the data controller bank that there is no action to be taken within the scope of the PDP Law but warned that the data controller bank should inform the personnel to be more careful with regard to telephone calls.

To Sum Up

While banks fulfill their obligations arising from banking legislation, they should also consider the PDP Law.

 

3. Personal Data Protection Board Decision Regarding the Access to the Corporate E-Mail Account of a Former Employee by the Employer without Disclosure

What Does the Board Decision Say?

The Board's decision dated 25/11/2021 and numbered 2021/1187 addresses the issue of access to the corporate e-mail account of the data subject, who was a former employee, by the data controller employer without properly fulfilling their obligation to inform.

The Personal Data Protection Board concluded that:

  • All information in the e-mail address of the employees is considered personal data.
  • The data controller should inform the data subject employees that their corporate e-mail account should be used for business purposes only and that the employer could review/inspect employees’ e-mails.
  • In case of data transfer abroad, the transfer must be carried out in accordance with Article 9 of the PDP Law.
  • Even if the data subject has personal e-mail correspondence via their corporate e-mail address, it doesn’t mean that the data subject is willing to disclose their personal data and make it public. The fact that a person’s personal data is in a place where everyone can see it does not make it public.

Who Does the Decision Affect?

The decision closely concerns natural and legal person employers.

Was an Administrative Fine Applied?

The Board applied an administrative fine of TL 250,000 on the data controller due to violations of the PDP Law.

To Sum Up

Data controller employers must fulfill their obligation to inform their employees about all personal data that may be processed within the scope of their working relationship. While processing their employees’ personal data, employers should collect data in proportion to their legitimate interest and consider employees’ fundamental rights and freedoms. “Making information public” can only be valid if the data subject’s will and intent are in this direction.

 

4. Personal Data Protection Board Decision on the Non-Correction of the Credit Rating of the Data Subject by the Bank and the Sharing of Personal Data with Third Parties

What Does the Board Decision Say?

The Board's decision dated 02/11/2021 and numbered 2021/1107 addresses the issue of the bank initiating legal proceedings against a data subject, carrying out unlawful transactions affecting the data subject’s credit rating, and sharing false financial information with third parties.

The Personal Data Protection Board concluded that:

  • The data controller is obliged to be a member of the Risk Center in accordance with the Banking Law.
  • Considering the relevant legislation, the data controller is required to inform the Risk Center about the credit information, credit risk, etc. of its customers.
  • Despite the later revision, the account details of the data subject were initially processed inaccurately and transferred to the Risk Center. It was found that the data controller did not take administrative and technical measures to prevent this unlawful processing activity.
  • The data subject suffered loss due to the financial situation arising as a result of the transfer of inaccurately processed personal data to the Risk Center.

Who Does the Decision Affect?

The decision closely concerns banks that process personal data.

Was an Administrative Fine Applied?

The Board applied an administrative fine of TL 150,000 on the data controller due to violations of the PDP Law.

To Sum Up

Since data controller banks have considerable power in their sector, processing inaccurate personal data of data subjects may have significant financial implications. Considering the possibility that misreported personal data may lead to the victimization of the data subjects, data controller banks have an active obligation to act in a prudent manner and in compliance with the PDP Law.