May 2023 – In April 2023, the Turkish Personal Data Protection Authority (the "DPA") published a total of 40 decisions on its official website. Most of these decisions concern the same problem: personal data such as telephone numbers and e-mail addresses being sent through communication channels to third parties who were not entitled to receive it. The DPA deemed this practice a violation of Personal Data Protection Law No. 6698 ("DP Law"), and the number of such decisions shows how frequently the problem arises in practice.

Background: The "Principle Decision" set the rules for identification

On 22 December 2020, the DPA issued a principle decision numbered 2020/966 (the "Principle Decision"), which addresses the unlawful transfer, through communication channels, of personal data belonging to third parties by data controllers. Such transfers can occur either because a data subject supplies inaccurate or false information, or because of an error on the data controller's side. The Principle Decision addresses the first case: transfers that result from information supplied by data subjects.

According to the Principle Decision, data subjects may provide inaccurate or false information, or may inadvertently disclose contact details belonging to third parties, with the result that documents containing those data subjects' personal data are transmitted to third parties. Data controllers are under an active duty of care to ensure that the personal data provided by data subjects is accurate and up to date.

Therefore, data controllers must take the necessary technical and organisational measures to comply with this active duty of care. One such measure is a confirmation code sent to the phone number or e-mail address the data subject has provided, so that a document is only dispatched to a contact point whose ownership has been confirmed. You can find our article here with more details on this Principle Decision.
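The confirmation-code measure described above can be implemented as a small gate in front of any outbound delivery of personal data. The following Python block is an added example written for this page, not code from the DPA or from any of the data controllers discussed: it generates a one-time code for the contact point a data subject typed in, stores only an HMAC of the code together with an expiry and an attempt limit, confirms the code in constant time, and refuses to dispatch a document to an address that has not been confirmed. The in-memory `VerificationStore`, the `outbox` list standing in for an e-mail/SMS service, and the sample addresses are all constructed for illustration and are assumptions, not a library API.

```python
"""Contact-ownership verification gate: a one-time code is sent to the address a
data subject typed in, and no document is dispatched to that address until the
code has been confirmed.  The store, clock and outbox are constructed in-memory
for this example; a real deployment would back them with a database and an
outbound e-mail/SMS service (the names used here are assumptions)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 10 * 60   # a code expires ten minutes after issue
MAX_ATTEMPTS = 5             # lock the challenge after five wrong guesses
SERVER_SECRET = secrets.token_bytes(32)  # per-deployment key for hashing codes


@dataclass
class Challenge:
    code_mac: bytes          # HMAC of the code; the plaintext code is never stored
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


@dataclass
class VerificationStore:
    """In-memory stand-in for a verification table (constructed for the example)."""
    pending: dict = field(default_factory=dict)   # contact -> Challenge
    verified: set = field(default_factory=set)    # contacts whose owner confirmed
    outbox: list = field(default_factory=list)    # (contact, message) pairs "sent"


def _mac(code: str) -> bytes:
    """Keyed hash of a code, so a leaked store does not reveal live codes."""
    return hmac.new(SERVER_SECRET, code.encode(), hashlib.sha256).digest()


def issue_challenge(store: VerificationStore, contact: str, now=None) -> str:
    """Generate a fresh 6-digit code for `contact`, record its HMAC and expiry,
    and queue the code for delivery to that contact.  Returns the code so the
    caller can hand it to the delivery channel (and so tests can replay it)."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(1_000_000):06d}"
    store.pending[contact] = Challenge(_mac(code), now + CODE_TTL_SECONDS)
    store.outbox.append((contact, f"Your verification code is {code}"))
    return code


def confirm_challenge(store: VerificationStore, contact: str, submitted: str,
                      now=None) -> bool:
    """Check a code typed back by the user.  Marks the contact verified on
    success; rejects unknown, expired or exhausted challenges and wrong codes."""
    now = time.time() if now is None else now
    ch = store.pending.get(contact)
    if ch is None or now > ch.expires_at or ch.attempts_left <= 0:
        return False
    ch.attempts_left -= 1                       # count the attempt before comparing
    if not hmac.compare_digest(_mac(submitted), ch.code_mac):  # constant-time
        return False
    del store.pending[contact]                  # one-time: cannot be replayed
    store.verified.add(contact)
    return True


def send_document(store: VerificationStore, contact: str, document: str) -> bool:
    """The gate the Principle Decision asks for: refuse to dispatch any
    personal-data document to a contact point whose ownership is unconfirmed."""
    if contact not in store.verified:
        return False
    store.outbox.append((contact, document))
    return True


if __name__ == "__main__":
    store = VerificationStore()
    typo = "ayse.yilmaz@example.com"   # address entered by mistake (constructed)
    assert not send_document(store, typo, "Order #1234 details")  # blocked
    code = issue_challenge(store, typo)
    # Only whoever controls the mailbox can echo the code back:
    assert confirm_challenge(store, typo, code)
    assert send_document(store, typo, "Order #1234 details")
    print("verified and sent:", store.outbox[-1])
```

The design choice that matters for the cases below is the last function: the check sits at the point of dispatch, not at registration, so an address that was mistyped, later changed, or supplied by a third party (an employer, a company's shared number) cannot receive a document until someone who actually controls it has echoed a code back. The expiry and attempt limit keep a six-digit code from being guessed by an attacker who knows the address is pending verification.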

Compliance Check: Are Data Controllers Complying with the Active Duty of Care on Identification?

Absence of the verification mechanism on an e-commerce site

In this decision, a customer registered the wrong e-mail address on an e-commerce site, and the DPA imposed an administrative fine of TRY 120,000 (approx. EUR 5,620) on the data controller because it had not set up an identity verification mechanism.

Background: The complainant received an e-mail containing order information belonging to a third party. The e-commerce site's customer service investigated and found that the customer had entered the wrong e-mail address because of a name similarity, so the site had sent the order information to a third party who was not entitled to receive it.

The DPA took into account that contact details entered manually by individuals can be wrong, and imposed an administrative fine of TRY 120,000 (approx. EUR 5,620) on the data controller on the grounds that the e-commerce site had not established an identity verification mechanism to catch such errors. You can find the full text of the decision here (only in Turkish).

Sending e-invoices to an unauthorised person by a marketing company

This decision concerns a marketing company that inadvertently sent a supermarket's e-invoices to the complainant fifteen times by e-mail. The complainant was not a customer of the supermarket and notified the data controller of the situation, yet the marketing company continued to send the invoices.

The DPA concluded that the marketing company is a data controller, as it decides which personal data will be collected. The company had registered the e-mail address of the actual customer incorrectly because of a name similarity with the complainant, and corrected the address after the complainant's request. The DPA therefore did not impose an administrative fine, but instructed the marketing company to establish the verification mechanisms set out in the Principle Decision. You can find the full text of the decision here (only in Turkish).

Sending financial information of a data subject to an unauthorised person via e-mail

In this decision, a bank, as data controller, sent the account statements and instant account movements of a data subject to a third party's e-mail address without the data subject's consent. The data subject applied to the bank, which replied that there had been no data breach because the data subject had confirmed the e-mail address by signing the relevant forms. The data subject then filed a complaint with the DPA.

The DPA's investigation found that the company in which the data subject is a shareholder had provided the wrong e-mail address to the bank, and that the data subject had signed the relevant forms containing it. As the bank had corrected the e-mail address in the meantime, the DPA did not impose an administrative fine. However, it advised the bank to establish additional mechanisms to verify and update the contact information used in banking transactions. You can find the full text of the decision here (only in Turkish).

If non-compliant, more fines will follow!

The DPA imposed an administrative fine of TRY 200,000 (approx. EUR 9,360) on a telecommunications company, as data controller, for failing to fulfil its data security obligations, and ruled that sending other subscribers' e-invoices to a data subject's e-mail address violates the principle that personal data must be "accurate and kept up to date when necessary".

In this decision, the data subject had previously complained about the same telecommunications company sending e-invoices belonging to another subscriber. At that time, the DPA had imposed an administrative fine on the data controller and instructed it to take the measures necessary to ensure data security.

As the telecommunications company had not taken additional measures, the DPA imposed a further administrative fine of TRY 200,000 (approx. EUR 9,360) on the data controller, since the repeated transmission constitutes a breach of data security. The DPA again instructed the telecommunications company to take the measures necessary to ensure that data is not transmitted to unauthorised persons. You can find the full text of the decision here (only in Turkish).

Corporate phone numbers should not be used for individual purposes!

The DPA assessed a case in which a GSM operator, as data controller, sent a data subject's debt information by text message to the corporate numbers of the company in which the data subject is a shareholder, without verifying who those numbers belonged to. The DPA imposed an administrative fine of TRY 85,000 (approx. EUR 3,980) on the data controller.

In this decision, the GSM operator had authorised a law firm to collect the data subject's debt. The law firm sent a message to the mobile phone numbers of the company in which the data subject is a shareholder. The message contained (i) the data subject's name and masked surname, (ii) the amount of the debt, and (iii) information about the collection process. The data subject applied to the data controller but obtained no remedy.

The DPA held that using a company's corporate numbers as the contact numbers in an individual's contract violates the principle of data being "accurate and kept up to date when necessary". For this unlawful processing, the DPA imposed an administrative fine of TRY 85,000 (approx. EUR 3,980) on the data controller for failing to fulfil its data security obligations. No action was taken against the law firm, which acted as a data processor on the data controller's instructions and had no opportunity to verify the phone numbers it was given. You can find the full text of the decision here (only in Turkish).

Unlawful transfer of health data

In this decision, a data subject's employer requested a drug test, which the data subject took at a private health institution (the data controller). The data subject's own contact details were not collected at the time of the test, and the results were sent to the e-mail address of another employee at the workplace.

In the DPA's assessment, the data controller sent sensitive personal data (health data) without verifying that the recipient e-mail address belonged to a workplace physician bound by a confidentiality obligation. The DPA therefore imposed an administrative fine of TRY 75,000 (approx. EUR 3,510) on the data controller for failing to take all necessary technical and organisational measures to ensure an appropriate level of security and prevent the unlawful processing of personal data. You can find the full text of the decision here (only in Turkish).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.