On 20 January 2022, the Turkish Personal Data Protection Authority ("Authority") issued a principal decision ("Decision") in the Official Gazette on the practice of blacklisting customers in the car leasing sector. In the Decision, the Authority evaluates the software used by car leasing companies for blacklisting practices and concludes that:

  1. the software company and the car leasing companies are joint controllers;
  2. the profiling of customers through the mentioned blacklist and data transfer between other car leasing companies (we provide details below) constitute a violation of Turkey's Personal Data Protection Law ("DP Law") and therefore the data processing activities in question must be ceased; and
  3. administrative sanctions stipulated under the DP Law will be imposed on car leasing companies that use the blacklist application in question.

What is the "blacklist" application?

In the Decision, the Authority evaluated the concrete case and determined that a software developer provides car leasing companies with special software that includes a blacklist tool, which car leasing companies can use to create blacklists that include the personal data of customers who are real persons, and comprehensive assessments on these customers.

Car leasing companies create these blacklists to evaluate the situation of customers who are willing to rent a car in the future. However, these assessments may also become available to car leasing companies other than the company that directly processed the customers' data. The Authority determined during the investigation that the car leasing companies do not provide customers with sufficient information regarding data flows between car leasing companies.

The Authority also underlined that car leasing companies have limited authority to design the software that allows personal data flows through a blacklist between car leasing companies, and accordingly concluded that control over the design of the software in question belongs solely to the software company.

Are "blacklist" applications completely forbidden?

The Authority underlines that car rental transactions are concluded within the scope of an agreement. Therefore, car leasing companies may process the personal data of real persons who are willing to rent a car, as data processing activity is necessary for the establishment or performance of the contract.

As to the use of personal data collected to perform an agreement for a blacklist application, the Authority stated that data controllers (car leasing companies) may process the personal data of the data subject through a blacklist within the scope of the legitimate interest of the data controller. However, the Authority underlines the importance of applying a balance test between the legitimate interest of data controllers and real persons' fundamental rights and freedoms.

In the concrete case, the Authority concluded that if the personal data of customers on the "blacklist" is disclosed to other car rental companies by using the same software/application, this constitutes a violation of the fundamental rights and freedoms of the customers.

What is the Authority's conclusion?

As a result of the evaluation, the Authority states that there is more than one data controller in the concrete case and highlights that their negligence and liabilities should be evaluated under the concept of "joint controller". Thereby, the concept of "joint controller" has been defined in Turkish data protection law for the first time.

The Authority concludes that the following groups are joint controllers in the case in question:

  • The car leasing company that provides the personal data of its customers,
  • The software company that provides the blacklist application/software,
  • Other persons in the car rental business that can access the above-mentioned blacklist.

The Authority states that in order to determine the liabilities and negligence of joint controllers, data processing procedures must first be scrutinised for each concrete case, and then it must be determined who has main control over the personal data of the data subject in each concrete case.

Last but not least, the Authority highlights that it would be difficult for data subjects to exercise their rights, as customers whose personal data are kept on the blacklist software do not have sufficient information regarding which car leasing company has their data. The Authority does not provide a remedy for this difficulty within the scope of the Decision.

Follow this link (in Turkish only) for the full text of the Decision.
