Evaluations on the Principle Decision of the Personal Data Protection Board on Black List Practices in the Car Rental Sector

The principle decision (‘Decision’) of the Personal Data Protection Board (‘Board’) dated 23 December 2021 and numbered 2021/1304 (‘Decision’) was published in the Official Gazette dated 20 January 2022, and although the outputs of the Decision are based on the notifications regarding the use of ‘blacklist’ software and programs in the car rental sector, the Board made several important reminders, especially the fact that the Board recognised the concept of ‘joint controllers’, which is defined in the General Data Protection Regulation (‘GDPR’) but not regulated in the Law on the Protection of Personal Data (‘Law’) no. 6698 sy. The Board has made reminders on several important points, particularly the fact that it has recognised the concept of ‘joint controllers’, which is defined in the General Data Protection Regulation (‘GDPR’) but not regulated in the Law No. 6698 on the Protection of Personal Data (‘Law’) and secondary legislation.

BLACKLIST APPLICATIONS
In the aforementioned blacklist applications, it was mentioned that car rental software developers and sellers offer car rental software with a ‘blacklist’ feature to rental companies or real persons engaged in this business, that the personal data of their own customers and real persons renting vehicles are processed in these software, that the data includes the negativities that occur during the use of the vehicle or the comments of the company, and finally, it was emphasised that a system is structured that provides a data flow / sharing regarding the blacklist from the car rental company to the software and from the software to other car rental companies using these software, and that the real persons renting vehicles are not aware of the relevant situation.

EVALUATION OF CAR RENTAL ACTIVITIES WITHIN THE SCOPE OF KVKK
In the Decision, as is customary from every decision of the Board, firstly, in order to explain that personal data cannot be processed without explicit consent and the exceptions to this, the relevant articles of the Law are referred to, and the rights of the data subjects and data controllers are reminded that they are obliged to take all necessary technical and administrative measures to prevent unlawful processing of personal data, to prevent unlawful access to personal data, to ensure the preservation of personal data, and to ensure the appropriate level of security within the scope of Article 12.

In this context, in the realisation of car rental activities, 1774 sy. In this context, the personal data processing of data controllers due to the obligation to notify law enforcement officers in accordance with the relevant articles of the Identity Notification Law and the requirement to enter the Rental Vehicle Notification System has been evaluated within the scope of the legal reasons ‘expressly stipulated in the law’ and ‘it is mandatory for the data controller to fulfil its legal obligation’ based on Article 5/2/a-ç of the Law, and the contract concluded between the parties regarding the car rental business is evaluated within the scope of the legal reasons ‘expressly stipulated in the law’ and ‘it is mandatory for the data controller to fulfil its legal obligation’, according to Article 5 /2/c of the Law, ‘provided that it is directly related to the establishment or performance of a contract, it is necessary to process the personal data of the parties to the contract’.

COMMON DATA RESPONSIBLE and OTHER HIGHLIGHTS
The Board has stated that the processing of personal data limited to business activities in terms of blacklist-like data records and the disclosure of personal data to other data controllers through software companies will be different. In this context, the Board has assessed that a balance test should be conducted between the processing requirement of ‘processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject’ and the legitimate interests of the data controller, and if the legitimate interest prevails, it may be possible to make a blacklist record on the condition that it is limited to the business activities, in other words, it remains within the data controller.

At this point, it is underlined that opening the processed data to other data controllers will not meet the condition of not violating the fundamental rights and freedoms of the data subject, and will be contrary to the general principles regulated in the Law, especially the principles of ‘compliance with the law and good faith’, ‘processing for specific, explicit and legitimate purposes’, ‘being connected, limited and proportionate to the purpose’, and therefore cannot be considered within the scope.

Considering that the data processed in the application in question is not limited to the data controller, and that other car rental companies using the software can also access the personal data transferred to the software and have control over the data, it has been evaluated that the joint data responsibility of car rental companies and software companies that use the blacklist registration for their own interests will arise.

Joint data responsibility is regulated under Article 26 of the GDPR and is defined as joint controllers ‘where two or more data controllers have jointly determined the purposes and means of processing’. According to the GDPR, it is sufficient for only one of these data controllers to have access to the data. In the relevant decision, it is seen that the Board has adapted this concept to our domestic law.

The Board emphasised that the processes should be examined and the control over the data in question should be determined in order to determine the amount of liability and fault of joint data controllers. While determining the fault rate, it is explained that factors such as who enters the data, the purposes of processing, the activities carried out with the data by the data controllers who provide access to the data other than the data controller who collects the data will be taken as criteria and an assessment will be made in terms of the rights of the data subject.

It has been observed that blacklist applications will lead to negative judgements about the person due to their nature, this situation is likely to be within the scope of profiling, and as a result, it has been clearly stated that the data subject cannot assert the rights of the data subject arising from the Law since the data subjects cannot have information about other car rental companies with which their personal data are shared.

In addition, it is not clearly known how many car rental companies or by which persons and institutions the profiling activity is transferred through the central software. For this reason, it can be interpreted that the exercise of other rights of the data subjects, especially ‘to object to the occurrence of a result to the detriment of the person himself/herself by analysing the processed personal data exclusively through automated systems’, which is one of the rights of the data subjects under Article 11/1/g of the Law, is prevented or even prevented.

In this context, the Board ruled that in the event that personal data is processed within the scope of blacklist applications in the car rental sector in violation of the general principles under Article 4, processing conditions under Article 5 and transfer provisions under Article 8 of the Law, car rental companies that have control over such data will be considered as joint data controllers with software companies, and the necessary administrative and technical measures will be taken by the data controllers to ensure that the processing processes of personal data comply with the Law by putting an end to these unlawful practices.

CONCLUSION
The Board decision analysed above provides guidance on the protection of personal data and related processes, which is a living legislation. Namely

The concept of ‘joint/common data controller’, which is not regulated in our legislation, has been adapted and accepted in our domestic law by an independent administrative authority decision. When the practices of the Law and the Board acting on the GDPR axis are examined, it can be said that this is not a surprise, but the decision taken in terms of legal technique and method is open to criticism. It should be monitored whether this issue is addressed in the update of the Law targeted for 31.3.2022, which aims to make the necessary amendments to the Law based on the provisions of the GDPR regarding the transfer of data abroad.
The Resolution directly concerns persons and organisations providing SaaS (software as a service) and similar services. When the cases of liability in the Decision are reduced to actual practice, it indicates that software providers should carry out their activities much more diligently and in line with privacy by design/privacy by default. This issue should be a control item to be added to the process operation in terms of technical and corporate architecture design. In this context, it can be said that the cases of joint liability between the data controller and the data processor in our current practice have been expanded to cover the cases of joint/joint data liability in accordance with the Resolution.
In the Decision, it is stated that a balancing test should be made when interpreting ‘data processing is mandatory for the legitimate interests of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject’ pursuant to Article 5/2/f of the Law, which can be characterised as a guarantee clause among the legal grounds relied upon in the processing of personal data, and that both the legitimate interests of the data controller and the data subject should be subject to interpretation. In this context, it can be said that the justifications of Art. 5/2/f cannot be easily made from now on and the Board has strengthened its position in favour of the data subject.
Again, in order to protect the interests of the data subject, the methods of the data subject’s right to seek remedies are listed both in general and in particular, and it can be said that the Board may sanction the practices of the data controllers that may directly or intentionally, indirectly or negligently impinge on the data subject’s right to seek remedies.
Similar to the discussions on the issue of ‘consent conditioned on a product or service’, it is seen that the ‘limits of profiling’ have been addressed again within the scope of the Decision, and in accordance with the legitimate interest balance test, if the legitimate interest of the data controller prevails, provided that it is limited to the business activities; the opinion has been explained that profiling can be applied only within the data controller’s own organisation.
In this context, it can be said that profiling practices can be implemented by data controllers by carefully considering them within the scope of privacy by design and architecture (privacy by design/privacy by default).