1) USE OF A MOBILE PHONE NUMBER FOR AN EXTERNAL PURPOSE BY THE BANK: DECISION OF THE PERSONAL DATA PROTECTION BOARD DATED 18/09/2019
The Complainant states that a Bank employee called the Complainant and asked for help in contacting the Complainant's spouse. The Complainant then applied to the Bank asking how and why the contact information the Complainant had provided to the Bank for use in the Complainant's own transactions had been used in transactions relating to the Complainant's spouse; the Bank did not give the Complainant a written reply.
The Bank's message to the Complainant's e-mail address reads: "… we tried to contact you through your contact number to provide detailed information about your share, but we did not receive any response. You can find out the details of your transaction by calling the … Service Hotline."
In the decision:
– It is concluded that the Bank's e-mail, which merely tells the Complainant that the details of the application can be learned by calling the Bank's service line, cannot be considered a written or electronic reply to the Complainant on the issues raised,
– Using the phone number, which the Complainant had provided to the Bank so that the Bank could reach the Complainant about the Complainant's own business and transactions, for a different purpose is contrary to the obligations that personal data be "processed for specific, explicit and legitimate purposes" and be "relevant with, limited to and proportionate to the purposes for which they are processed" in subparagraphs (c) and (ç) of paragraph 2 of Article 4 of Law No. 6698,
– This shows that the data controller has not taken the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data, as required by subparagraph (a) of paragraph 1 of Article 12 of the Law; accordingly, an administrative fine of TRY 100,000 was imposed on the Bank under subparagraph (b) of paragraph 1 of Article 18 of the Law.
2) "DATA CONTROLLER WHICH REQUIRES A FRONT AND BACK IDENTITY CARD IMAGE FOR CHANGING THE DATA SUBJECT'S USERNAME AND PASSWORD": DECISION OF THE PERSONAL DATA PROTECTION BOARD DATED 01/10/2019
The data subject, a user of the loyalty programme offered by an airline company (the data controller), applied to the data controller to change his or her username and password and was told that the request would be fulfilled if he or she sent an image of the front and back of his or her identity card. Needing access to ticket information at the time, the data subject transmitted the identity card image electronically. The data subject later applied to the data controller and requested that the data be deleted from the data controller's records and, if it had been transferred, from those of third parties. The data controller answered this application by stating that the personal data was not kept in its systems and had not been shared with third parties.
In the decision:
– Since the identity card image includes "blood group" and "religion" information, the data in question constitutes personal data of special nature; therefore the provisions of Articles 5 and 6 of the Law must be considered together, and, as the data includes personal data of special nature, processing it without the express consent of the data subject is unlawful,
– Considering the subject matter of the application in terms of the General Principles:
a) The data controller was not transparent, since it told the data subject that the identity card image had not been retained although it was in fact retained; for this reason it conducted its data processing activity contrary to the principle of good faith,
b) The data processing activity of the data controller is contrary to the principle of processing for specific, explicit and legitimate purposes,
c) Since the authentication could have been performed by processing less data, the processing of the identity card image by the data controller is contrary to the principle of data being relevant with, limited to and proportionate to the purposes for which they are processed,
d) Since the data controller did not delete the data once the authentication process was complete, yet declared in response to the request for information and documents that it had been deleted, the data processing activity is contrary to the principle that data be retained only for the period stipulated by the relevant legislation or required by the purpose for which they are processed,
– The Board's request for information and documents revealed that the identity verification was not carried out in accordance with the Company's own rules when the data subject's first application was handled; that the part of the complaint concerning the collection of identity card images was not examined correctly; that the data subject was misinformed about the data processing; that the identity card images transmitted by the data subject were stored on the servers of the company supplying the complaint-module software; and that the identity card images had not been deleted. The data controller therefore did not respond to the data subject's application in accordance with the law and the principle of good faith,
– While it is considered appropriate for the data controller to request additional information to confirm the identity of the data subject before responding to an application under the Law, requiring an image of the front and back of the identity card, which contains personal data of the data subject such as religion and blood group, is not in line with the principle of "being relevant with, limited to and proportionate to the purposes for which they are processed" in Article 4 of the Law and also does not comply with Article 6 of the Law, which regulates the processing of personal data of special nature; moreover, the data controller's defence, which states that the call centre team requested the identity document in violation of the written working rules, amounts to an admission of the event,
– As described above, the data processing was unlawful; in this context, it has been determined that the data controller, which is obliged to take all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data, acted in violation of its data security obligation.
Based on the above findings, it was decided to impose an administrative fine of TRY 100,000 on the data controller, which is considered to have failed to fulfil the data security obligations set out in paragraph (1) of Article 12 of the Law, in accordance with subparagraph (b) of paragraph (1) of Article 18 of the Law.
3) "THE OPERATOR COMPANY REJECTED THE DATA SUBJECT'S APPLICATION ON THE GROUNDS THAT THE IDENTITY COULD NOT BE CONFIRMED": DECISION OF THE PERSONAL DATA PROTECTION BOARD DATED 01/10/2019
The application that the data subject made to the Operator Company (the Company), from which he or she received services as an individual subscriber, was rejected on the grounds that identity verification could not be carried out because the KVKK application form on the Company's website had not been completed and sent via a notary or by e-mail signed with an electronic signature.
Having regard to Article 13(1) of Law No. 6698, entitled "Application to the Controller", the Board held that, in order to confirm the identity of the applicant, the Company imposed a material burden not provided for in the Law or in the Declaration by informing the data subject that an application could be made only through a notary or with an electronic signature, and that misleading the data subject in this way and thereby preventing the exercise of the right to make a proper application by filling in the KVKK request form does not comply with the law or the principle of good faith.
4) "A SHORT MESSAGE (SMS) WAS SENT TO THE DATA SUBJECT WITHOUT ANY OF THE CONDITIONS FOR PROCESSING PERSONAL DATA BEING MET": DECISION OF THE PERSONAL DATA PROTECTION BOARD DATED 18/09/2019
– In Article 3 of the Law on the Protection of Personal Data No. 6698, processing of personal data is defined as any operation performed on personal data, such as collection, recording, storage, retention, alteration, re-organisation, disclosure, transfer, taking over, making retrievable, classification or prevention of use, wholly or partially by automatic means or, provided that the process is part of a data registry system, by non-automatic means.
– If one of the conditions listed in paragraph 2 of Article 5 of the Law, entitled "Conditions for Processing of Personal Data", exists, personal data may be processed without the express consent of the data subject.
– Considering that the information and documents which the educational institution was asked, during the on-site inspection conducted at Sevinç Educational Institutions, to send to the Authority by 05.08.2019 were not forwarded to the Board by the educational institution,
the Board concluded that the message was sent to the complainant's mobile phone for advertising purposes without the complainant's explicit consent and without any of the other processing conditions listed in paragraph (2) of Article 5 of the Law being met, and that the Educational Institution therefore did not take the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data, as required by subparagraph (a) of paragraph (1) of Article 12 of the Law. It was therefore decided to impose an administrative fine of TRY 50,000 on Sevinç Educational Institutions in accordance with subparagraph (b) of paragraph (1) of Article 18 of the Law.
5) SOFTWARE / PROGRAMS / APPLICATIONS WHICH ALLOW QUERYING OF PERSONAL DATA SUCH AS CITIZENS' IDENTITY AND CONTACT INFORMATION, BASED ON UNLAWFULLY OBTAINED DATA: DECISION OF THE PERSONAL DATA PROTECTION BOARD DATED 18/10/2019
On the basis of notices received by the Personal Data Protection Board, it has been determined that software/programs/applications which allow the querying of personal data such as citizens' identity and contact information, built on data obtained by various means, are being used by certain individuals and organisations operating in sectors such as finance, real estate consultancy and insurance, and by attorneys/law firms. Considering that this practice violates Article 12 of Law No. 6698, which regulates data security obligations, and in order to prevent possible data breaches, it was unanimously decided that:
– The matter shall be notified to the relevant Chief Public Prosecutor's Office, in accordance with Article 158 of the Code of Criminal Procedure No. 5271, so that the necessary judicial proceedings under the Turkish Criminal Code can be initiated against those found to be using software/programs/applications of this nature,
– The public shall be informed that administrative action will be taken against such data controllers within the scope of the duties of the Personal Data Protection Board.