26 January 2022

Turkish DPA Issues Principal Decision

Esin Attorney Partnership

Contributor

Esin Attorney Partnership, a member firm of Baker & McKenzie International, has long been a leading provider of legal services in the Turkish market. We have a total of nearly 140 staff, including over 90 lawyers, serving some of the largest Turkish and multinational corporations. Our clients benefit from on-the-ground assistance that reflects a deep understanding of the country's legal, regulatory and commercial practices, while also having access to the full-service, international and foreign law advice of the world's leading global law firm. We help our clients capture and optimize opportunities in Turkey's dynamic market, including the key growth areas of mergers and acquisitions, infrastructure development, private equity and real estate. In addition, we are one of the few firms that can offer services in areas such as compliance, tax, employment, and competition law — vital for companies doing business in Turkey.

The Turkish Data Protection Authority (DPA) has published a principal decision ("Decision") on blacklisting in the car rental industry. The DPA has evaluated the privacy violations arising out of the blacklisting and also introduced the joint controller concept for the first time.

New development

The DPA's principal Decision regarding blacklisting operations in the car rental industry was published in Official Gazette no. 31725, dated 20 January 2022. The DPA decided that the blacklisting operations violate the general principles, legal grounds and data transfer provisions of Law No. 6698 on Protection of Personal Data (LPPD). The Decision is available here in Turkish.

What does the Decision cover?

The Decision concerns the processing of personal data via the software used by car rental companies. Through this software, car rental companies record information about lessees' vehicle usage and accidents, which includes the lessees' personal data. The information recorded in the software can be accessed not only by the relevant car rental company and the software service provider, but also by various other car rental companies, in a way that is deemed a transfer of personal data between companies in the industry. Lastly, the data subjects are not informed about this data transfer.

The DPA evaluated these data processing activities within the scope of the articles of the LPPD on legal grounds, general principles, data transfers and data subject rights. In its evaluation of legal grounds, the DPA stated that the blacklisting data can be processed based on "the legitimate interest of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject," only if the blacklisting data is processed by the lessor company. However, the DPA evaluated that the disclosure of the data to other car rental companies would not fall within the scope of the legitimate interest. In addition, the DPA stated that the transfer of the data to an unknown number of car rental companies is in violation of the general principles under Article 4 of the LPPD (i.e., lawfulness and fairness; processing for specific and legitimate purposes; and being relevant, limited and proportional to the purpose). The DPA also pointed out that these processing activities make it difficult for data subjects to exercise their rights under Article 11 of the LPPD, as the data subjects do not know which other companies their data is transferred to.

The DPA has also introduced the concept of joint controller and concluded that, since different car rental companies have access to the blacklist, these companies also have control over the data and are therefore considered joint controllers together with the software companies. The DPA stated that an evaluation should be made on a case-by-case basis to determine the responsibilities of joint controllers, taking into consideration: (i) the first and last data controllers who access the data; (ii) the data controller who registered the data in the system; (iii) the aim of the data processing; (iv) the data controller who decides on the amendment, erasure or transfer of the data; and (v) the operations of the other data controllers.

In light of these evaluations, the DPA decided that the relevant data controllers should take the necessary technical and administrative measures within the scope of the LPPD or face possible administrative fines.

Conclusion

In the Decision at hand, the violations of the LPPD are evaluated within the scope of the blacklisting operations of car rental companies. Accordingly, car rental companies should consider the Decision when providing their services in the future. In addition, the DPA's evaluation of the concept of joint controllers should generally be taken into account by all data controllers.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
