July 2022 – On 18 July 2022, The Turkish Personal Data Protection Authority (“Authority”) published its decision (“Decision”) on a data subject's complaint alleging that an insurance company had processed their personal data without legal grounds. As a result of the examination, the Authority concluded that the insurance company processed the individual's personal data to carry out the insurance policy executed between the data subject and the insurance company.

The most important matter in the Decision is that the Authority highlighted that data subjects are able to apply to data controllers via a lawyer without a power of attorney involving a special authority to apply to data controllers.

What happened before?

The data subject claimed that the insurance company unlawfully processed their bank information, as the data subject did not provide this personal data. In this respect, the data subject's lawyer has applied to the insurance company and requested detailed information. However, the insurance company did not provide information on this matter, as the power of attorney did not involve a special authority to apply to data controllers under Turkish Personal Data Protection Law.

During the examination, the insurance company stated in its defence that:

  • the insurance company did not provide the information requested, as the application was made by the data subject's lawyer by submitting a general power of attorney, however, a special power of attorney is required to make such an application;
  • the bank, which acts as an agency of insurance company in this case, shared the data subject's bank information with the insurance company in order to issue the insurance policy to the data subject on behalf of the insurance company;
  • the purpose of processing the data subject's personal data is to fulfil the obligations arising from the insurance policy.

What the Authority states in its Decision

As result of its examination, the Authority has stated that:

  • the insurance company may process personal data to fulfil the obligations arising from an insurance policy, and accordingly such data processing activity is in compliance with Turkish Data Protection Law;
  • data controllers do not need a special power of attorney for applications made by data subjects' lawyers, since there is no provision stipulating such a requirement in Turkish law;
  • although data controllers need to explain the reasons for accepting or refusing a data subject's application, the insurance company did not inform the data subject of the reasons for the refusal of the application;
  • the insurance company processed the data subject's bank information to be able to pay the compensation arising from the insurance policy, therefore the insurance company can conduct such data processing activity under the legal basis of fulfilment of an agreement.

Conclusion

In conclusion, the Authority has made it clear with this Decision that data controllers cannot require a special power of attorney for data subjects' applications. In this respect, the Authority instructed the insurance company to remove the phrase requiring a special power of attorney from the application form and other relevant documents.

Follow this link for the full text of the Decision (only available in Turkish).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.