New Decisions Of Board Of Protection Of Personal Data Published On 17th Of July 09 August 2019
New Decisions Of Board Of Protection Of Personal Data Published On 17th Of July
Decision Summary of the Board of Protection of Personal Data dated 31/05/2019 and numbered 2019/166: “Sending an irrelevant content to the phone number of a data subject”
Data subject appealed to the data controller regarding the text message which was sent to his/her phone number and of which content was not belong to his/her own. Data subject received a reply explaining that the messages were intended to be sent to another subscriber but as a result of an employee’s mistyping with just 1 number, it was sent to the data subject, and then it was remedied. However, the complainant argued that the person, whose personal data was the content of the message sent to the data subject, was the nephew/niece of the data subject and it was impossible to mistype 1 number when the relevant phone numbers were considered. Upon the inspection after the data subject’s appeal on this, the Board stated that the following two data processing activities resulted from one action; the name, surname and service number of the nephew/niece were sent to the phone number of the complainant and the data process of the phone number of the complainant without any legal reason stated in the Law. The Board imposed an administrative fine of 50.000 TL to the data controller lawyer as per Article 18/1/b of the Law, by reason of the data controller- lawyer default “Prevent unlawful processing of personal data” stated as per Article 12/1.
Decision Summary of the Board of Protection of Personal Data dated 25/03/2019 and numbered 2019/81 and decision dated 31/05/2019 and numbered 2019/165 “Data processing of biometric personal data of the members for control of the entrance and exit”
Two separate data controller company which are both operating fitness center, passed to hand and palm print system during entrance and exit of their members. Upon various notices and complaints to the Board, indicated the concerns regarding data processing such as passport photo, time of their last visit at the facilities on TV screen, and safe storage;
1-As per Article 6 of the Law, biometric data have been identified as special category of personal data, but biometric data are not defined under the Law. As per Article 51 of the GDPR which enter into force on 25.05.2018, for defining biometric personal data, that the person shall be uniquely verified and identified by the biometric personal data. The 15th Chamber of the Council of State stated in decision numbered 2014/4562 that biometrical personal data refer to specify technical processing by measurable physiological and individual characteristics and automatic identity check that include the fingerprint scanning, palm scanning, hand geometry recognition methods while entrance and exit to fitness center and indicated that data controller process special categories of personal data by using biometric processing.
2- a) As per Article 4 of Law, personal data shall only be processed in accordance with the law, in good faith and for explicitly specified and legitimate purposes, with the condition of being accurate and up to date when necessary, be relevant, limited and proportionate to the purposes for which data are processed and stored only for the time designated by relevant legislation or necessitated by the purpose for which data are collected. Within the principle of proportionality, the data controller shall process the personal data for its purpose, request minimum level of information from the relevant person, otherwise avoid unnecessary processing, use the personal data for necessary purposes and not store it for longer than necessary. In the decisions of the Council of State numbered 2014/2242 and numbered 2014/4562, biometric methods such as “fingerprint or face scanning system” are also within the scope of the right of privacy, even if in the public sphere. The absence of any assurance that the collected data could not be used in any other way in the future was held to be unlawful. In the decision of European Court of Human Rights S. and Marper v. The United Kingdom dated 4 December 2008, the retention of the fingerprints constituted a disproportionate interference with the applicant’s right to respect for private life and could not be regarded as necessary in a democratic society and the court decided that it was a violation of the Article 8 of the European Convention on Human Rights. Therefore, the “hand and fingerprint scanning” system applied by the data controller for the compulsory and only way of entrance to the gym, was held not to be in accordance with the principle of minimum level of data request from the subject, in light of the principle of proportionality.
b) Processing special categories of personal data to ensure entrance and exit controls in sport clubs is not explicitly regulated by law. For this reason, in relation to the claim that the permission of the data subject is obtained by the data controller for the processing of hand and fingerprint; Article 6 of the Law states that biometric and genetic data are considered as special categories of personal data, and the same declares that “special categories of personal data cannot be processed without the permission of the data subject.” It has been understood that data controllers had taken explicit consent of the data subject for the processing of the palm print. Explicit consent must consist of three elements to be valid, as defined by the Law No.6698. It must be limited to a specific subject. Since it is a declaration of will, the data subject must know what it consents to, the subject matter and consequences of its consent, in order to ensure the existence of free will. In the present matter, the online membership agreement must include consent to the recording of palm print, which is a special category of personal data, in order to form a valid contract. In case of non-compliance, it is considered that the right of termination has been granted to the company and the members will not be able to benefit from the service if they do not consent to the palm trail information at the entrance to the clubs. It is not possible to say that the express consent of the members is based on free will. In this context, it has been seen that the provision of the service by the data controller is based on explicit consent. In relation to the data controllers, it has been decided that it is possible to provide access to those who want to benefit from club services by alternative ways control to control entry to and exit from the sports clubs, the acquisition of palm-print data as biometric data of persons is incompatible with the principle of “Connected purpose of data processing, limited and measured” in Article 4 of Law No. 6698. On the other hand, special categories of personal data may only be processed with the explicit consent of the data subject or within the scope of the Law of the conditions specified in Article 6, paragraph 3. Explicit consent of the data subject for the processing of palm print data must have been obtained by the data controller; but if explicit consent is not provided, it is a violation of Article 12 of the law. Therefore, an administrative fine shall be imposed under Article 18 of the Law; Control of exit to and entrance from the Sports Club for security purposes must be provided to the people who wish to benefit from the club services by means of alternative ways other than processing biometric data; The data controllers must be instructed to stop regulating entry to and exist from the club with biometric data and processing the data; The data of hand, finger and palm prints, processed and maintained by data controllers must be immediately destroyed, in accordance with the provisions of Article 7 of the Law and the Regulation on the Deletion, Destruction or Anonymous Making of Personal Data, If the relevant special categories of personal data is to be passed on to third parties, data controllers must be instructed to notify third parties in relation to the destruction of the data.
Decision Summary of the Board of Protection of Personal Data dated 31.05.2019 and numbered 2019/162 “commercial electronic communication sent by a joint stock company (data controller) without data subject’s explicit consent”
Data subject appealed to the data controller regarding a commercial electronic commercial; data subject claims that he/she does not know how and where his/her personal data was obtained and the message was sent without his/her explicit consent and he/she contacted the data controller within the scope of the Protection of Personal Data Law No. 6698, but the data controller didn’t respond to the data subject in the legal time period, data subject appealed to the Board; 1-Whether data controller has his/her explicit consent to send commercial electronic communications, 2-whether his/her personal data has been processed or not processed, if it has been processed, for which the purposes 3- to whom his/her personal data has been transferred at home, 4- whether his/her personal data has been transferred abroad and if it has been to whom, 5- whether data controller is aware of the commercial electronic communications that are sent to him/her and as a result of the inspection; The Board has been decided that sending commercial electronic communications to data subject’s mobile phone number, which is the complainant's personal data used by the company for the purpose of send commercial communication, is a data processing activity within the scope of Law, this process activity must based on any of the conditions under Articles 5 and 6 of the Law but such processing is not based on any of the conditions. The Board imposed an administrative fine of TL 50,000 on the data controller for failing to take technical and administrative measures in order to prevent unlawful processing of the access to personal data stated as per Article 12/1 and to ensure a adequate level of security according to Article 18/1 of the Law.
Decision Summary of the Board of Protection of Personal Data dated 31/05/20019 and numbered 2019/159 “Sending multiple messages from an asset management company to data subject’s phone number:
The data subject stated that he/she receives short messages on his / her phone without obtaining his/her explicit consent and the text message did not an option- put option, he/she does not know from where and how his/her personal data has been obtained, he/she didn’t get any results from application to the data controller in the time period indicated in the relevant articles of the Personal Data Protection Law no.6698, and he/she applied to the Board.
On the matter of failing to respond to the application of the data subject within the legal period of 30 day, the Board determine that the data controller responded to the data subject with the reply letter attachment, this letter was received by the data subject, the data controller was documented the letter with the Shipment Tracking and was answered all matters of complainant information requested. So the Board decided not to take any action regarding the data controller. The Board also decided that about the debts of the data subject, the bank has been transferred to data controller in compliance with to provision of Banking Law No. 5411 and the Turkish Code of Obligations No. 6098. The data controller was the new creditor of the credit debts used by the data subject from the related banks. Pursuant to Article 186 of Law No. 6098, to prevent the debtor from performing its debt to previous creditors; and that the data subject's data are processed in order to inform the data subject about the legal risks to which the data subject may be exposed in case the debt is not paid, as it is possible that it can be realized without the explicit consent of the person concerned in compliance with the subclause 2 of Article 5 of Law no. However, the use of personal data within the scope of Law No. 6698 is also a data processing activity. Therefore, sending the messages with the same content to the data subject’s phone number more than once is considered as abuse of the right of data controller. It has been concluded that the processing of personal data in subclause 4 of Article 4 of the Law was contrary to the principle of compliance with the law and honesty rules. About the data controller who fails to take the necessary technical and administrative measures to prevent unlawful processing of personal data in subclause 1 of Article 12 of the Law, the Board decided to impose an administrative fine of 20,000 TL on the data controller in compliance 1 of Article 18 of the Law.
Decision Summary of the Board of Protection of Personal Data dated 31/05/2018 and numbered 2019/157 “Corporate e-mail service, whether can be used provided by Google (gmail) through the same extension”
The data subject requested the Board’s guidance on the matter of whether a private e-mail addresses can be used for corporate e-mail addresses with the same extension via Google (gmail) through an open source e-mail service Zimbra, which provides a free corporate e-mail service. The Board stated that the e-mail messages sent and received might be stored in data centers located in different parts of the world while using e-mail service which belongs to Google. In such a case, the personal data would be transferred abroad and the data controller shall do in compliance with the provisions of Article 9 of Law 6698 on the Protection of Personal Data; “Transfer of personal data”, The Board stated that the storage services obtained through data controllers / data processors whose servers are located abroad shall be in compliance with Article 9 of the Law.
Other News
-
19.4.2024
The Constitutional Court Decision Annulled The Regulation Envisaging Liability For Litigation Expenses Within The Scope Of Mediation In Civil Disputes
In accordance with paragraph 11 of Article 18/A of Law No. 6325 on Mediation in Civil Disputes1 ("the Code"), a party shall be held liable for the entire cost of the litigation, nothwithstanding justification at the conclusion of the proceedings, and shall not be granted power of attorney fee if he or she fails to appear for the initial session of mandatory mediation without providing an explanation.The aforementioned regulation is outlined as follows:
-
8.4.2024
E-Application" Period In Capital Markets Board Applications
With its announcement dated 5 February 2024, the Capital Markets Board ("Board") announced to the public that capital market institutions, organisations and partnerships will be able to make their applications more quickly and effectively through the e-Application System.
-
5.4.2024
The Amounts In The Pre-Conditions To Be Complied With Before The Initial Public Offering Of Shares In Several Sectors Were Decreased
The Capital Markets Board ("Board" or "CMB") decreased the financial thresholds for financial statements, especially considering the sectoral differences of the companies that submitting to the Board for initial public offering and the 12th Development Plan ("Plan") prepared by the Presidency of the Strategy and Budget Directorate.
-
15.3.2024
New Regulations Introduced With The 8th Judicial Package
The Law No. 7499 on the Amendment of the Code of Criminal Procedure and Certain Laws ("Law"), which contains amendments and new regulations known as the "8th Judicial Package", was published in the Official Gazette dated 12 March 2024 and numbered 32487. In this article, we will discuss the amendments to the Criminal Procedure Code No. 5271 (" CPC"), Turkish Criminal Code No. 5237 ("TCC"), Turkish Civil Code No. 4721 ("TCC"), Enforcement and Bankruptcy Code No. 2004 ("EBC") and Law No. 6384 on the Duties and Working Procedures and Principles of the Compensation Commission.
-
12.3.2024
Changes In The PDPL Was Published In THE Official Gazette
Law No. 7499 on Amendments to the Code of Criminal Procedure and Some Laws ("Law No. 7499") including critical amendments to the Law No. 6698 on the Personal Data Protection Law ("PDPL") was published in the Official Gazette on March 12, 2024.
-
9.2.2024
Amendments Were Made To The Regulations Based On The Occupational Health And Safety Law
In the Official Gazette dated 4 February 2024 and numbered 32450, amendments were made to some regulations issued based on the Occupational Health and Safety Law No. 6331:
-
1.2.2024
Turkish Competition Board Mergers And Acquisitions Outlook Report For 2023 Has Been Published
On January 5th, 2024, the Turkish Competition Authority has published the Report prepared by the Competition Board on Mergers, Acquisitions And Privatisation Transactions in 2023 ("Report").
-
31.1.2024
Important Principle Decision From The Advertising Board Regarding Discount Sale Advertisements
At the first meeting of the year held on January 9, 2024, the Advertising Board made an important principle decision regarding discount sale advertisements by amending the "Guideline on Advertisements Containing Price Information and Discount Sale Advertisements and Commercial Practices" in order to prevent consumer victimization through misleading advertisements and practices that lead to unfair competition in the retail trade sector.
-
17.1.2024
The Authority to Decide on Trademark Cancellation Passed to the Turkish Patent And Trademark Office!
In Article 192/1 (a) of the Industrial Property Law ("IPL") published in the Official Gazette dated 10 January 2017 and numbered 29944, the enforcement of Article 26 of the Law titled "Cancellation Cases and Cancellation Request" was postponed until seven years later, and with the Provisional Article 4 of the IPL, it was stipulated that the authority to decide on the cancellation of trademarks would be directly exercised by the Intellectual and Industrial Rights Civil Courts until 10 January 2024.
-
16.1.2024
Egemenoğlu Hukuk Bürosu / Internship Application
We are pleased to announce the opening of internship applications at Egemenoğlu Hukuk Bürosu. Legal Internship Application Deadline: March 15 Summer Internship Application Deadline: March 29 Prospective candidates are requested to submit their CVs either through our website www.egemenoglu.av.tr or by sending them to info@egemenoglu.av.tr.
-
12.1.2024
Turkish Sustainability Reporting Standards (TSRS) And Scope Of Application Of TSRSs Were Puslished In The Official Gazette
In the Official Gazette dated 29.12.2023 and numbered 32414, the Public Oversight, Accounting and Auditing Standards Authority (POA) announced the Turkish Sustainability Reporting Standards and determined the principles to be followed in sustainability reports.
-
11.1.2024
Important Regulations Which Are Effective As Of 2024 And/ Or Has Been Made Subject To Time Extension
Laws No. 5746 and No. 6550 extended the regulation on higher depreciation (showing expenses related to depreciation) and calculation rates and periods for new machines acquired for use in R&D, innovation and design activities.
-
19.12.2023
The Principles and Rules to be Applied in Retail Trade have been reorganize
With the "Regulation Amending the Regulation on Principles and Rules to be Applied in Retail Trade" prepared by the Ministry of Commerce and published in the official gazette on 14.12.2023, significant changes were made in the principles and rules of retail trade.
-
18.11.2023
Warning From The Authority On Sending Verification Codes To Customers Via Sms During Shopping
The Personal Data Protection Authority ("Authority") published a Public Announcement ("Announcement") on the Processing of Personal Data by Sending a Verification Code via SMS to the Data Subjects during Shopping in Stores.
-
14.11.2023
Communiqué Amending the Communiqué on the Procedures and Principles Regarding the Application of Article 376 of the Turkish Commercial Code No. 6102 has been published
In order to regulate the procedures and principles to be followed in cases of loss of capital or insolvency of joint stock companies, limited liability companies and limited partnership companies with capital divided into shares within the scope of Article 376 of the Turkish Commercial Code No. 6102 (Law), the Communiqué on the Procedures and Principles Regarding the Application of Article 376 of the Turkish Commercial Code No. 6102 (Communiqué) was first published in the Official Gazette dated 15/09/2018 and numbered 30536, and with the Provisional Article 1 of this Communiqué until 01/01/2023, Within the scope of Article 376 of the Law, it was stated that foreign exchange losses arising from foreign currency denominated liabilities that have not yet been fulfilled may not be taken into account in the calculations regarding capital loss or insolvency.