One of the best ways to develop a proper understanding of laws is to read the decisions issued by the relevant regulatory authorities. The decisions of the Turkish Data Protection Authority (Authority), which guards the Turkish Data Protection Law (DPL), also serve this purpose. The DPL imposes compliance obligations on many businesses, from multi-national corporations to local pharmacies. Therefore, the Authority's decisions play a key role in setting the boundaries of these obligations.


The Authority's practices cover a variety of subjects and sectors. In this regard, while the Authority's published decisions sometimes concern routine topics, at other times they can be attention-grabbing or even intriguing. We structured this article with the aims of increasing awareness in this matter and providing information that persons and companies can make use of for themselves. While doing so, we picked out the non-standard decisions instead of the routine ones.

Pharmacy decision

Our first topic is the summary decision of the Authority dated 07.05.2020. This decision concerns the use of the Medula Pharmacy¹ printouts of the data subject, a pharmacist, by another person (complainant) in a petition submitted to the Provincial Directorate of Health (Directorate). The petition aims to prevent the data subject from opening a pharmacy store on the basis of his health records, which the complainant obtained from the Medula Pharmacy records of his spouse, who is also a pharmacist. In this respect, the petition submitted to the Directorate states that:

  • The data subject does not have the information and ability to practice his profession due to his health problems,
  • For this reason, it is more beneficial for public health not to permit the first pharmacist to open a pharmacy store at his new address,
  • The annexed documents include the Medula Pharmacy printouts showing the data subject's diagnosis and drug information.

Following the submission of the complaint petition, the Directorate notified the Data Protection Authority (DPA). The Authority assessed that the complainant's access to information from the Medula system through his spouse was unauthorized. Therefore, the Authority imposed an administrative fine of approx. USD 8.000 on the pharmacy belonging to the complainant's spouse for not taking the necessary security measures. On top of that, the Authority notified the prosecutor's office about the spouse of the pharmacist, since using the Medula Pharmacy printouts of the data subject was considered to be within the scope of Article 136 of the Turkish Criminal Code (TCC), as the crime of "illegally disclosing or using data".

As understood from the decision, sharing data with unauthorized persons or giving access to unauthorized persons can be a violation of both the DPL and the TCC.

Insurance company decision

Our second topic is the summary decision of the Authority dated 07.11.2019. The decision is based on a complaint made to the DPA that an insurance company called the data subject for telemarketing without obtaining her explicit consent. The data subject filed the complaint with the DPA following telemarketing calls made on behalf of the insurance company by financial security advisors. In its examination, the Authority found that the contact information was obtained from a public website on which the data subject had disclosed it for professional competence purposes only. From this point of view, the Authority concluded that the relevant information was not used for the purposes that the data subject had in mind when making it public on the relevant website, but rather for telemarketing purposes. Due to the violation, the insurance company is obliged to pay an administrative fine of approx. USD 13.000.

The lesson we take from this decision is that personal data disclosed to the public by the data subject can only be processed in accordance with the purposes of such disclosure.

Decision on the sharing of financial information

Our third topic is the summary decision of the Authority dated 16.01.2020. The subject of the decision is the sharing of the data subject's data with his father without the consent of the data controller. This topic falls not only within the scope of the DPL, but also within the scope of the Banking Law No. 5411 (Banking Law) and the TCC, which is the reason why we will focus more on this topic.

The decision concerns a loan application made to the bank, the data controller, by the data subject's father. The bank rejected the application on the grounds that the loan payments of the applicant's son (the data subject) are disrupted, and that the father resides at the same address as his son. The data subject then submitted a plea to the bank to request compensation for moral damages due to the sharing of such information. Since the bank did not reply to the plea within 30 days, the data subject filed a complaint with the Authority.

When the Authority requested the bank's defence, the reply petition listed the following reasons for such data sharing:

  • As a result of an intelligence inquiry, his father's loan application was not deemed appropriate because the data subject, who is in the same risk group as the father, has loan disruptions,
  • The fact that spouses and children of real persons can be included in the relevant risk groups is mentioned in Article 49 of the Banking Law,
  • Within the scope of the DPL, it is possible to process personal data without obtaining the explicit consent of the data subject, if such processing is required by the law,
  • The privacy notice shared on the bank's website clearly states, and thereby informs the relevant persons, that personal data of persons to be included in the risk group, even if they are not customers of the bank, can be processed in order to determine, monitor, report and control the risk group for the purpose of determining the credit limits to be used by a risk group in accordance with the banking legislation.

The Authority, however, ascertains the following:

  • Although the risk group is defined in the Banking Law, those who learn secrets of their customers due to their titles and duties cannot disclose the said secrets to anyone other than the authorities explicitly authorized in this regard as per the Banking Law,
  • Those who violate this provision are subject to the penal provisions regulated in the Banking Law,
  • In the event that the relevant crimes are committed within the framework of the activities of a legal person, the relevant legal person will be subject to security measures of the TCC specific to legal persons.

Upon these determinations, the Authority decides that:

  • There is no action to be taken by the Authority regarding the compensation request within the scope of the DPL,
  • Since it is concluded that the provisions of Article 12 of the DPL have been violated, an action will be taken within the scope of the provisions of Article 18 of the DPL for those within the data controller who caused the violation,
  • The allegation that the debt information of the data subject is shared with third parties without his consent and knowledge constitutes an illegal act,
  • Since these acts are also regulated in the related provisions of the Banking Law and TCC, the subject will be referred to the Banking Regulation and Supervision Agency for an evaluation of whether there is a need to initiate proceedings regarding the relevant bank and personnel within the scope of the Banking Law and TCC.

To summarize, your personal data cannot be shared without following the conditions set in the DPL – even with your parents! Moreover, the DPA is not the authority to decide on the compensation for moral damage.

Post mortem privacy

Our fourth and final topic is the summary decision of the Authority dated 18.09.2019. This time, the subject matter concerns an application to the Authority made by a decedent's spouse. In this case, the spouse, who is the legal heir of the decedent, who passed away in 2018, sent a letter to the clinic in Istanbul from which her husband received treatment, requesting all medical and other information of her husband. In response, she received a reply stating that the data cannot be shared with her through an informal medium. The spouse then applied to the Authority, requesting access to the said information.

The Authority evaluates that:

  • The data subject is defined under the DPL as the real person whose personal data is processed,
  • However, personality ceases upon death in accordance with Article 28 of the Turkish Civil Code,
  • Within the scope of the DPL, data subjects can request information on themselves,
  • Therefore, the said request is not within the scope of the DPL, and there are no proceedings to be initiated within this scope.

In short, the personal data requests that we can make can only relate to our own personal data. Furthermore, data of deceased individuals are not within the scope of the DPL, and the obligations under the DPL are not relevant in terms of such data.

Lessons learned

Among others, below are the lessons learned from these interesting decisions:

  • Personal data can be within the scope of laws other than the DPL,
  • Only the personal data of living individuals can be within the scope of the DPL,
  • Data that is disclosed to the public can only be processed in accordance with the purposes of such disclosure,
  • Only the data subjects themselves can request their information.

We do not know whether violating the DPL will be written in your deed book, but it is clear enough that the Authority follows the matter closely. For this reason, in order to comply with the DPL, the decisions of the Authority should be followed closely. We will keep assessing the Authority's decisions, and continue sharing them with you.

Footnote

1. A central internet-based software developed by the Ministry of Health allowing hospitals, doctors, pharmacies and opticians to access and track information of patients (e.g. diagnosis data, identification data).
