On November 1, 2018, Personal Data Protection Board ("Board"), acting under the Personal Data Protection Authority, published its principle decision with number 2018/119 in the Official Gazette, which then corrected on November 7, 2018 ("Decision"). Board's Decision is regarding prevention of promotional notifications, e-mail messages, text messages and calls that data subjects might receive from data controllers and data processors.
In the beginning of the Decision, the Board indicates that they received numerous complaints based on the Law No. 6698 on Protection of Personal Data ("Law No. 6698") from individuals, who claim to have received promotional and advertorial calls, text messages, e-mail messages from parties, whom they did not give consent for such communications.
The Board also indicates that, upon receiving such complaints, an investigation has been conducted on the matter by the Board, results of which were used for determining the principles set forth in the Decision.
C. Obligations of Data Controllers & Processors
I. Cease of Activity
The Decision orders data controllers, which direct promotional communications to data subjects without obtaining data subjects' consents or without meeting the conditions under Article 5/2 of the Law No. 6698, to immediately cease such processing activities immediately. Additionally, the Decision also orders data processors that send such communications on behalf of data controllers, to cease their data processing activities immediately, as well.
The Decision lists sending text messages to or calling data subjects phone numbers; and sending e-mails to data subjects; as methods of communication. Although, the wording of the Decision appears to be limited to these methods of communication, considering the purpose of Board's decision, one might argue that the Board will highly likely apply this principle to every other form of electronic communication, provided that it is promotional and/or advertorial and the conditions of the Law No. 6698 are not met.
In this order, the Board refers to its authority under Article 15/7 of the Law No. 6698, which entitles the Board to decide on cease of data processing or transfer of data abroad, if there is an obvious violation of laws and there are irrevocable damages or damages that are hard to recover. In that sense, one might argue that the Board evaluates such activities as violations of the Law No. 6698 and is inclined to interpret such activities as damaging to data subjects, which might be used against data controllers within the scope of claims by data subjects pertaining to non-pecuniary damages.
By referring to Article 12 of the Law No. 6698, the Decision explicitly states that data controllers are obliged to take all technical and administrative measures in order to ensure an adequate level of security for the purposes of (i) preventing unlawful processing of personal data, (ii) preventing unlawful access to personal data; and (iii) protecting personal data.
Furthermore, it is also noted in the Decision that if personal data is processed by another real person or legal entity on behalf of the data controller, the data controller shall be jointly liable with the data processor for taking the foregoing measures.
The board states that they will impose the measures provided under Article 18 of the Law No. 6698 for those who conduct such processing activities, which sets forth administrative fines for those who fail to comply with certain obligations under the Law No. 6698.
The Board also warns that, taking into account the possibility that personal data process for such activities might be collected unlawfully, they will notify the relevant public prosecutor's office, so that criminal proceedings could be initiated for the crime of illegal dissemination and seizure of data in accordance with Article 136 of the Turkish Criminal Code, under which illegal seizure, transfer or dissemination of personal data constitutes a crime under and is subject to an imprisonment up to four years.
Although the Decision does not explicitly indicates any time period for data controllers and processors to cease their activities found to be in violation of the Law No. 6698, it is implied in the Decision that the Board is not eager to punish on-going activities of data controllers and processor, but merely confines itself to warn and urge them to cease such activities and act in accordance with their obligations within the scope of the Law No. 6698.
IV. Checklist for Compliance
Please find below a short checklist of items that might be considered by data controllers before sending out promotional communications, for the purposes of compliance with the Law No. 6698 and Board's principle decision.
- Taken necessary precautions and measures to protect the contact information which will be collected from data subjects (such as creating a dedicated storage space for the relevant data, limiting the number of personnel accessing such data to senior marketing managers etc.),
- Informed data subjects about using their contact information for promotional communications before or, at the latest, during collection of their personal data and recorded such notice for evidential purposes (be it on paper with data subject's signature, a voice record or vie electronic logging),
- If using contact information collected previously for other purposes where data subject might not be reasonably expected to know that it might be used for such communications, informed data subject about using their contact information for this new purpose, before starting processing activities for that purpose; and recorded such notice for evidential purposes,
- Have a legal basis for using their contact information for such communications (please see the table above for the list of valid legal grounds),
- If not, obtained data subject's explicit consent; and recorded such consent for evidential purposes.
Please note that data processors should also consider whether the data controllers, on whose behalf they process personal data and send promotional communications, are in compliance with the Law No. 6698; and vice versa, since they are both jointly liable for violations of the Law No. 6698, as explained above.
In any case, it is clear that individuals are starting to take control of their personal data more and more, as legislations provide them with new ways to exercise their rights. The Board's decision show that complaints from individuals impelled the Board to act on its authority and warn data controllers and processors about the current state of affairs with respect to their promotional activities.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.