January 2021 – The Personal Data Protection Board ("Board") has published on December 22, 2020, a Principle Decision (the "Principle Decision") on the personal data of third parties illegally sent by data subjects to data controllers upon the latter's request such as phone numbers, e-mail addresses. The Principle Decision has been published in the Official Gazette on January 15, 2021.

In the complaints and notices sent to the Board, it has been alleged that data controllers operating in various sectors such as e-commerce, telecommunications, transportation and tourism request from their client data subjects to declare their phone number and/or e-mail addresses in order to ensure that documents containing personal data such as invoices, statements, reservation documents are sent via SMS and/or e-mail. However, it is observed that there are inaccuracies and mistakes in the information provided by the data subjects or as a result of the disclosure of the information belonging to third parties by the data subjects, the said documents containing the personal data of such data subjects are transmitted to third parties.

According to the Principle Decision, the data controller is under an active duty of care to make sure that the personal data provided by the data subjects is accurate and up-to-date. Therefore, the data controllers must take necessary technical and administrative measures in order to comply with such active duty of care. Such measures shall include a confirmation code sent to the phone number or email address of the data subject. Therefore the Board has further clarified and exemplified the types of technical measures which must be implemented by data controllers. The Board further clarified that data controllers must always keep the channels open for data subjects to update and correct their personal data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.