Turkey: The Decision Of The Personal Data Protection Board Regarding Unlawful Processing Of Personal Data By A Bank Through Sending SMS To The Mobile Phone Number Of The Data Subject Has Been Published

The decision of the Personal Data Protection Board ("Board") dated 02.11.2021 and numbered 2021/1104, regarding the allegation of unlawful processing of personal data by a bank through sending SMS to the mobile phone number of the data subject ("Decision"), has been published.

In the complaint submitted to the Personal Data Protection Authority ("Authority"), the data subject claimed that he/she had requested the deletion of his/her data from the data controller bank ("Data Controller"); that the Data Controller's reply stated that the necessary actions had been taken in this regard; that the Data Controller nevertheless continued to send information messages to the data subject via SMS and e-mail; and that, when the data subject applied to the Data Controller about this, the reply cited the "Regulation on Commercial Communication and Commercial Electronic Messages" as the justification. The data subject requested that the necessary actions be taken regarding the Data Controller.

The Board evaluated that:

The Data Controller processed the personal data of the data subject by sending an SMS for a purpose other than the initial processing purpose, although the phone number had been given to the Data Controller by the data subject, a customer of the Data Controller, in order to be contacted regarding transactions, and even though the data subject's accounts before the Data Controller had been closed and the Data Controller had replied to the data subject stating that his/her personal data would not be processed other than for storage purposes.

The Data Controller has not taken the necessary technical and administrative measures in accordance with the Personal Data Protection Law numbered 6698 ("Law") to ensure the appropriate level of security in order to prevent the unlawful processing of personal data, considering that there is no legal ground in the Law regarding the processing of the personal data of the data subject by sending informative messages, and the processing of the personal data is also contrary to the obligation to comply with the principles of "being processed for specified, explicit, and legitimate purposes" and "being relevant, limited and proportionate to the purposes for which data are processed" which are specified in the Law.

No declaration has been made by the Data Controller regarding the deletion of the personal data of the data subject; only the accounts have been closed, and the preferences for sending commercial messages have been updated to state that personal data will not be processed for marketing purposes, so that the data subject is not reached through any channel.

As a result of the joint evaluation of the documents submitted by the Data Controller, the 10-year retention period specified in Article 42 of the Banking Law numbered 5411, and the principle of "being stored only for the time designated by relevant legislation or necessitated by the purpose for which data are collected", it has been determined that the Data Controller's not deleting the personal data of the data subject is not against the law, because the reasons necessitating their processing have not ceased: the last transaction of the data subject before the Data Controller was the closing of active products carried out on 03.08.2019, and therefore the retention period of 10 years has not passed since the last transaction date.

In the light of its evaluation, the Board decided:

To impose an administrative fine within the scope of the Law on the Data Controller, which did not fulfil its obligations under the Law, considering that, despite the Data Controller's response to the data subject's deletion request that the personal data would not be processed for purposes other than storage, the Data Controller's processing of the personal data by sending an SMS for informational purposes is not based on any legal ground set forth in the Law.

Since it is considered that it is not contrary to the Law that the Data Controller did not fulfil the deletion request due to the reasons requiring the processing of the personal data of the data subject not having ceased, there is no action to be taken within the scope of the Law.

