New Decisions Of Board Of Protection Of Personal Data Published On 17th Of July 09 August 2019

Decision Summary of the Board of Protection of Personal Data dated 31/05/2019 and numbered 2019/166: “Sending an irrelevant content to the phone number of a data subject”

Data subject appealed to the data controller regarding the text message which was sent to his/her phone number and of which content was not belong to his/her own. Data subject received a reply explaining that the messages were intended to be sent to another subscriber but as a result of an employee’s mistyping with just 1 number, it was sent to the data subject, and then it was remedied.  However, the complainant argued that the person, whose personal data was the content of the message sent to the data subject, was the nephew/niece of the data subject and it was impossible to mistype 1 number when the relevant phone numbers were considered. Upon the inspection after the data subject’s appeal on this, the Board stated that the following two data processing activities resulted from one action; the name, surname and service number of the nephew/niece were sent to the phone number of the complainant and the data process of the phone number of the complainant without any legal reason stated in the Law. The Board imposed an administrative fine of 50.000 TL to the data controller lawyer as per Article 18/1/b of the Law, by reason of the data controller- lawyer default “Prevent unlawful processing of personal data” stated as per Article 12/1.

Decision Summary of the Board of Protection of Personal Data dated 25/03/2019 and numbered 2019/81 and decision dated 31/05/2019 and numbered 2019/165 “Data processing of biometric personal data of the members for control of the entrance and exit”

Two separate data controller company which are both operating fitness center, passed to hand and palm print system during entrance and exit of their members. Upon various notices and complaints to the Board, indicated the concerns regarding  data processing such as passport photo, time of their last visit at the facilities on TV screen, and  safe storage;

1-As per Article 6 of the Law, biometric data have been identified as special category of personal data, but biometric data are not defined under the Law. As per Article 51 of the GDPR which enter into force on 25.05.2018, for defining biometric personal data, that the person shall be uniquely verified and identified  by the biometric personal data. The 15th Chamber of the Council of State stated in decision numbered 2014/4562 that biometrical personal data refer to specify technical processing by measurable physiological and individual characteristics and automatic identity check  that include the fingerprint scanning, palm scanning, hand geometry recognition methods while entrance and exit to fitness center and indicated that data controller process special categories of personal data by using biometric processing.

2- a) As per Article 4 of Law, personal data shall only be processed in accordance with the law, in good faith and for explicitly specified and legitimate purposes, with the condition of being accurate and up to date when necessary, be relevant, limited and proportionate to the purposes for which data are processed and stored only for the time designated by relevant legislation or necessitated by the purpose for which data are collected. Within the principle of proportionality, the data controller shall process the personal data for its purpose, request minimum level of information from the relevant person, otherwise  avoid unnecessary processing, use the personal data for necessary purposes and not store it for longer than necessary. In the decisions of the Council of State numbered 2014/2242 and numbered 2014/4562, biometric methods such as “fingerprint or face scanning system” are also within the scope of the right of privacy, even if in the public sphere. The absence of any assurance that the collected data could not be used in any other way in the future was held to be unlawful. In the decision of European Court of Human Rights S. and Marper v. The United Kingdom dated 4 December 2008, the retention of the fingerprints constituted a disproportionate interference with the applicant’s right to respect for private life and could not be regarded as necessary in a democratic society and the court decided that it was a violation of the Article 8 of the European Convention on Human Rights. Therefore, the “hand and fingerprint scanning” system applied by the data controller for the compulsory and only way of entrance to the gym, was held not to be in accordance with the principle of minimum level of data request from the subject, in light of the principle of proportionality.

b) Processing special categories of personal data to ensure entrance and exit controls in sport clubs is not explicitly regulated by law. For this reason, in relation to the claim that the permission of the data subject is obtained by the data controller for the processing of hand and fingerprint; Article 6 of the Law states that biometric and genetic data are considered as special categories of personal data, and the same declares that “special categories of personal data cannot be processed without the permission of the data subject.” It has been understood that data controllers had taken explicit consent of the data subject for the processing of the palm print. Explicit consent must consist of three elements to be valid, as defined by the Law No.6698. It must be limited to a specific subject. Since it is a declaration of will, the data subject must know what it consents to, the subject matter and consequences of its consent, in order to ensure the existence of free will. In the present matter, the online membership agreement must include consent to the recording of palm print, which is a special category of personal data, in order to form a valid contract. In case of non-compliance, it is considered that the right of termination has been granted to the company and the members will not be able to benefit from the service if they do not consent to the palm trail information at the entrance to the clubs. It is not possible to say that the express consent of the members is based on free will. In this context, it has been seen that the provision of the service by the data controller is based on explicit consent. In relation to the data controllers, it has been decided that it is possible to provide access to those who want to benefit from club services by alternative ways control to control entry to and exit from the sports clubs, the acquisition of palm-print data as biometric data of persons is incompatible with the principle of “Connected purpose of data processing, limited and measured” in Article 4 of Law No. 6698. On the other hand, special categories of personal data may only be processed with the explicit consent of the data subject or within the scope of the Law of the conditions specified in Article 6, paragraph 3. Explicit consent of the data subject for the processing of palm print data must have been obtained by the data controller; but if explicit consent is not provided, it is a violation of Article 12 of the law. Therefore, an administrative fine shall be imposed under Article 18 of the Law; Control of exit to and entrance from the Sports Club for security purposes must be provided to the people who wish to benefit from the club services by means of alternative ways other than processing biometric data; The data controllers must be instructed to stop regulating entry to and exist from the club with biometric data and processing the data; The data of hand, finger and palm prints, processed and maintained by data controllers must be immediately destroyed, in accordance with the provisions of Article 7 of the Law and the Regulation on the Deletion, Destruction or Anonymous Making of Personal Data, If the relevant special categories of personal data is to be passed on to third parties, data controllers must be instructed to notify third parties in relation to the destruction of the data.

Decision Summary of the Board of Protection of Personal Data dated 31.05.2019 and numbered 2019/162 “commercial electronic communication sent by a joint stock company (data controller) without data subject’s explicit consent”

Data subject appealed to the data controller regarding a commercial electronic commercial; data subject claims that he/she does not know how and where his/her personal data was obtained and the message was sent without his/her explicit consent and he/she contacted the data controller within the scope of the Protection of Personal Data Law No. 6698, but the data controller didn’t respond to the data subject in the legal time period, data subject appealed to the Board;  1-Whether data controller has his/her explicit consent to send commercial electronic communications, 2-whether his/her personal data has been processed or not processed, if it has been processed, for which the purposes 3- to whom his/her personal data has been transferred at home, 4- whether his/her personal data has been transferred abroad and if it has been to whom, 5- whether data controller is aware of the commercial electronic communications that are sent to him/her and as a result of the inspection; The Board has been decided that sending commercial electronic communications to data subject’s mobile phone number, which is the complainant's personal data used by the company for the purpose of send commercial communication, is a data processing activity within the scope of Law, this process activity must based on any of the conditions under Articles 5 and 6 of the Law but such processing is not based on any of the conditions. The Board imposed an administrative fine of TL 50,000 on the data controller for failing to take technical and administrative measures in order to prevent unlawful processing of the access to personal data stated as per Article 12/1 and to ensure a adequate level of security according to Article 18/1 of the Law.

Decision Summary of the Board of Protection of Personal Data dated 31/05/20019 and numbered 2019/159 “Sending multiple messages from an asset management company to data subject’s phone number:

The data subject stated that he/she receives short messages on his / her phone without obtaining his/her explicit consent and the text message did not an option- put option, he/she does not know from where and how his/her personal data has been obtained, he/she didn’t get any results from application to the data controller in the time period indicated in the relevant articles of the Personal Data Protection Law no.6698, and he/she applied to the Board.

On the matter of failing to respond to the application of the data subject within the legal period of 30 day, the Board determine that the data controller responded to the data subject with the reply letter attachment, this letter was received by the data subject, the data controller was documented the letter with the Shipment Tracking and was answered all matters of complainant information requested. So the Board decided not to take any action regarding the data controller. The Board also decided that about the debts of the data subject, the bank has been transferred to data controller in compliance with to provision of Banking Law No. 5411 and the Turkish Code of Obligations No. 6098. The data controller was the new creditor of the credit debts used by the data subject from the related banks. Pursuant to Article 186 of Law No. 6098, to prevent the debtor from performing its debt to previous creditors; and  that the data subject's data are processed in order to inform the data subject about the legal risks to which the data subject may be exposed in case the debt is not paid, as it is possible that it can be realized without the explicit consent of the person concerned in compliance with the subclause 2 of Article 5 of Law no. However, the use of personal data within the scope of Law No. 6698 is also a data processing activity. Therefore, sending the messages with the same content to the data subject’s phone number more than once is considered as abuse of the right of data controller. It has been concluded that the processing of personal data in subclause 4 of Article 4 of the Law was contrary to the principle of compliance with the law and honesty rules. About the data controller who fails to take the necessary technical and administrative measures to prevent unlawful processing of personal data in subclause 1 of Article 12 of the Law, the Board decided to impose an administrative fine of 20,000 TL on the data controller in compliance 1 of Article 18 of the Law.

Decision Summary of the Board of Protection of Personal Data dated 31/05/2018 and numbered 2019/157 “Corporate e-mail service, whether can be used provided by Google (gmail) through the same extension”

The data subject requested the Board’s guidance on the matter of whether a private e-mail addresses can be used for corporate e-mail addresses with the same extension via Google (gmail) through an open source e-mail service Zimbra, which provides a free corporate e-mail service. The Board stated that the e-mail messages sent and received might be stored in data centers located in different parts of the world while using e-mail service which belongs to Google. In such a case, the personal data would be transferred abroad and the data controller shall do in compliance with the provisions of Article 9 of Law 6698 on the Protection of Personal Data; “Transfer of personal data”, The Board stated that the storage services obtained through data controllers / data processors whose servers are located abroad shall be in compliance with Article 9 of the Law.