Upon the complaint of the person concerned about a text message sent for advertising purposes by a data controller operating in the automotive sector, the Personal Data Protection Board (“Board”) initiated an investigation into the storage of customers’ personal data in databases abroad. Following the investigation, the decision of the Board dated 22/07/2020 and numbered 2020/559 includes the following evaluations:
The condition that the data processing is mandatory for the legitimate interest of the Company as data controller, which was stated as the legal justification for transferring data to an outsourcing company abroad, was rejected by the Board due to the lack of an appropriate legitimate interest of the data controller.
The Board states that since there was no statement regarding the personal data transfer to a foreign company, it is unclear whether the data transfer was executed based on Article 5/2(f) or the express consent of the related persons.
Assessment on Convention No. 108
According to the explanations of the data controller regarding Convention No. 108, which has been incorporated into our domestic law, and based on the justification in Article 9 of the Law, data transfer to a foreign company in a country that is party to Convention No. 108 is legitimate. The Board stated that Article 12 of Convention No. 108 stipulates that the State Parties to the Convention cannot prohibit the transfer of personal data to other State Parties solely for the protection of private life, or restrict the transfer by stipulating a special permit.
In addition, the second paragraph of the Explanatory Report on Convention No. 108 states that the provision does not eliminate the possibility of subjecting the data flow between the State Parties to notification, or of making arrangements in the domestic laws of the parties to prohibit domestic or transboundary transfers in certain cases.
In this context, in accordance with the second paragraph of Article 9 of the Law, the transfer of personal data without the express consent of the person concerned to countries that have not been declared safe countries by the Board can only be made if one of the conditions specified in the second paragraph of Article 5 or the third paragraph of Article 6 of the Law exists, the parties undertake sufficient protection in writing, and the transfer is permitted by the Board.
The Board stated that the fact that the country to which the personal data will be transferred is a party to Convention No. 108 is only one of the elements that will constitute the basis for the Board’s assessment, and it considered that the personal data transfer regime stipulated in Law No. 6698 is in compliance with Convention No. 108.
In accordance with the Explanatory Report on Convention No. 108, the Board remarks that the Convention is not directly applicable. It is also stated that the provision in question would not prevail over paragraph (5) of Article 90 of the Constitution or paragraph (6) of Article 9 of the Law, and that being a party to Convention No. 108 is not sufficient by itself in determining the status of a safe country under the Law, as in the EU practice, but would constitute a positive element in the assessment to be made by the Board.
As a result, it has been concluded that there is illegal data processing because the conditions specified in Article 9 of the Law were not met: a proper consent text was not composed as a separate document by the data controller; the related persons were not clearly and directly informed of the data transfer abroad; the balance test for legitimate interest was not performed by the data controller for international transfers that will take place depending on the processing conditions; and a copy of the letter of undertaking was not sent to the Authority in order to obtain the permission of the Board by making a written undertaking with the relevant company to which the transfer is made. Based on the above evaluations, the Board has assessed that there is unlawful data processing, and has decided that such personal data shall be deleted or destroyed in accordance with paragraph (1) of Article 7 of the Law and the Regulation on Deletion, Destruction or Anonymization of Personal Data.
In conclusion, the Board has decided that:
– The data controller has not executed a proper data transfer according to Article 9 of the Law.
– Being a party to Convention No. 108 is not sufficient for the determination of safe country status; however, it is considered a positive element.
– Since an illegal data processing activity has been carried out, an administrative fine of TRY 900.000 will be imposed in accordance with subclause (b) of paragraph 1 of Article 18, titled “Misdemeanors”, of the Law.
– The personal data in question will be deleted or destroyed.
– The illumination text will be updated in accordance with the Illumination Manifesto.