PERSONAL DATA PROTECTION LAW
The Law on the Protection of Personal Data (“LPPD”) and its secondary legislation form a living body of law that has been updated frequently since it entered into force. Many procedures and principles related to data protection are determined not only by the Law, the Regulation and the Communiqué, but also by Board Decisions, Principle Decisions and Board Decision Summaries. Our monthly bulletins therefore aim to inform those concerned about the practices of the Personal Data Protection Board (“Board”) and to keep them up to date.
In July, the Personal Data Protection Board published 12 Board Decision Summaries and Data Breach Notifications.
DATA BREACH NOTIFICATIONS
Article 12/5 of the LPPD titled “Obligations regarding data security” states that “In the event that the processed personal data is obtained by others through unlawful means, the data controller shall notify the relevant person and the Board as soon as possible. If necessary, the Board may announce this situation on its website or by any other method it deems appropriate.”
In July 2022, five data breach notifications were published on the website of the Personal Data Protection Authority, www.kvkk.gov.tr.
Meklas Otomotiv San. ve Tic. A.Ş.
In its breach notification to the Board, the data controller stated that the breach occurred on 29.06.2022 when data was encrypted as a result of a ransomware attack, and that it was detected the same day through an e-mail sent to the data controller; that employees, users, customers and potential customers were affected; that at least 142 people were affected, although the exact number could not be determined due to limited access to the servers; and that the affected categories include general personal data such as identity, contact and visual records, as well as special categories of personal data such as health information, philosophical belief, religion and sect.
Knauf İnşaat ve Yapı Elemanları San. ve Tic. A.Ş and Knauf Insulation Izolation San. ve Tic. A.Ş.
It was stated that a ransomware attack occurred on 29.06.2022 on the German servers of Knauf Gips KG, which processes data as a shareholder of the data controllers, and that it is also possible that no data breach has occurred.
Because the personal data collected in business processes are kept on the servers of the data processor, it was stated that the general personal data of the data subjects, such as identity, contact, personnel, legal transaction, customer transaction, physical space security, transaction security, risk management, professional experience, finance, marketing and audio-visual records, as well as special categories of personal data such as trade union membership, philosophical beliefs, religion, sect and other beliefs, criminal convictions and security measures, and health information, may also have been affected.
Although the group of persons affected by the breach has not yet been identified, it was stated that real and legal persons with whom commercial relations are established, visitors, employee candidates, interns and intern candidates, legal entities with whom contracts are made, and employees’ families fall within this scope, and it was reported that the details of the affected data will be determined as a result of the technical study.
Turkish Electricity Distribution Company (TEDAŞ)
It was stated that the breach was detected by the Ministry Cyber Security Operation Centre during intelligence work on the Dark Web; that the username and password of an employee of the data controller were captured in an undetermined way; that this user account and other user data registered in the system were leaked by being sent to an e-mail address; that the groups of people affected by the breach are employees and citizens; that the personal data concerned are name, surname, e-mail address and mobile phone number; and that the number of people affected by the breach is 208,000.
Surtaş Otomotiv ve Servis Hizmetleri Sanayi Ticaret Ltd. Şti
The breach occurred on 16.07.2022 and was detected the same day. It occurred when an employee of the data controller disclosed by phone an SMS confirmation code to a person who introduced himself as an authorised person, after which control was taken of the data controller’s online transactions system and of an instant messaging application on the employee’s phone. The groups of people affected by the breach are employees, customers and potential customers; the categories of personal data are identity (name and surname), contact (phone number) and visual and auditory records (profile photo); and the number of people affected by the breach is estimated to be 1,200.
NeoPets Inc.
It was stated that the breach occurred on 17.07.2022 and was detected by the data controller on 20.07.2022, when the attacker posted on a forum site that the data of approximately 69 million current and former users of the data controller’s online platform had been compromised and advertised the source code and database for sale. Users, subscribers/members and children were affected by the breach; the personal data categories are identity, contact and transaction security. Investigations are ongoing and the number of people and records affected has not yet been determined, although 3.5 million active and 65 million inactive accounts are registered on the affected platform. The data controller has started working with a digital forensics company to obtain more detailed information.
BOARD DECISION SUMMARIES
Summary of the Decision of the Personal Data Protection Board dated 07/07/2022 and numbered 2022/662 on “Processing of the ‘Hand Geometry’ Information of the Data Subject by the Data Controller without Explicit Consent in order to Access the Service Building of an Enterprise”
The data subject stated that, while registering with a business, the palm and fingerprint information of the data subject was scanned by company officials in order to enter the service area, without the data subject’s explicit consent, and that these data were processed in the company records; that after the termination of the service contract an application was made to the data controller company in accordance with the KVKK; that the data controller responded to the data subject but the response was insufficient; and requested that the necessary action be taken.
In its reply letter, the data controller stated in summary that a device called a “Hand Geometry Terminal” is used and that this device records the “hand geometry” of the persons in the system; that unlike fingerprint or palm-print capture, only the upper side of the hand placed in the device is scanned and the device has no mechanism to scan the inner side of the hand where fingerprints or palm prints are located; in other words, the device takes measurements of the person’s hand, just as one would measure a person’s height. The data controller based its defence on the position that this personal data is not a special category of personal data such as biometric data, but general personal data such as a person’s age, name, surname or contact number.
It further explained that the hand geometry alone is not sufficient to match a person accurately, that scanning the hand alone is clearly not sufficient in the Hand Geometry Terminal and that a password must also be entered, and that hand geometry does not on its own make a person identifiable, unlike fingerprint or palm-reading systems. It stated that the data subject’s hand geometry data within the scope of the KVKK is deleted immediately after the data subject’s membership is terminated.
When the Board researched the relevant device through open sources, it first found that the name of the device was “… Biometric Hand Terminal” and that hand geometry reading technology is described as being based on measuring the physical characteristics of users, such as hands and fingers, in three dimensions; the explanations emphasise that the indispensable feature of biometric systems is obtaining accurate results, and that the probability of error in hand geometry is 1/101,559,956,668,416.
Although the data controller stated that there is a secondary verification with a password due to the possibility of a match with another person, the explanations regarding the device state that the person first enters a code, which calls up his/her record, and that when he/she places his/her hand under the device, verification takes place in less than one second.
The decision refers to the relevant decision of the 15th Chamber of the Council of State, the European General Data Protection Regulation, the relevant decision of the European Court of Human Rights and the opinion of the Constitutional Court.
Considering that biometrics refers to “the measurement of a living organism”, so that even non-physiological behavioural information falls within the definition of biometric data; that the data controller processes hand geometry information using an identity verification technique that can be verified automatically, since hand geometry is a measurable physiological feature; that the hand is scanned in three dimensions from 31,000 points and the hand and fingers are analysed; and that it is mathematically clear that the error rate for matching the data subject is very low, the Board held that this is an identity verification method based on a physiological feature that can be verified automatically. It concluded that the data controller performs identity verification by a biometric method by extracting the hand geometry of service subscribers and of the data subject, and that sensitive personal data is therefore processed.
It was determined that there is no legal basis for the processing of sensitive personal data, or for the use of systems based on biometric data in this context, in order to control entry to the data controller’s service building, and that the sensitive personal data of the data subject was therefore processed without any of the processing conditions in the KVKK being met.
On the basis that the data subject’s “hand geometry” information, which falls within the category of biometric data and has the characteristics of sensitive personal data, was processed in violation of Article 12/1 of the LPPD, the Board decided to impose an administrative fine of 100,000 TL; to inform the data subject that, based on the data controller’s statement, the deletion request has been fulfilled and the personal data in question has been deleted; and to instruct the data controller to ensure that, if the data has been transferred to third parties, the destruction is immediately notified to them, and to inform the Board of the result.
Summary of the Decision of the Personal Data Protection Board dated 17/03/2022 and numbered 2022/243 on “Processing of Personal Data by Sending the Invoice to the Relevant Person Upon Using the E-Mail Address of the Relevant Person While Placing an Order on the Internet by a Person with the Same Name”
The data subject stated that a person with the same name as the data subject became a member of the data controller using the same name and e-mail address and placed an order, and that the data controller sent the invoice for the order to the data subject without checking and confirming the correctness of the e-mail address; the data subject requested that the necessary action be taken against the data controller.
In its response letter, the data controller stated that the e-mail address does not match any data belonging to the data subject and that the data subject’s identity information is not processed; that it had determined that another user, shopping via guest login, could mistakenly create an order using this e-mail address because of the similarity of names; and that development work had been started and plans made to prevent this situation. It also stated that no data breach notification was made to the Authority, taking into account the provision of Article 12/5 of the LPPD and the definition of a data breach in the European General Data Protection Regulation.
In its decision, the Board referred to the e-invoice obligations in the General Communiqué of the Tax Procedure Law and stated that the relevant provision can be based on the legal ground that data processing is mandatory for the fulfilment of the data controller’s legal obligation, namely Article 5/2/ç of the LPPD. It determined that the absence of a confirmation mechanism in the transaction in question may cause loss of rights, and that allowing all shopping transactions on the website to be made via guest login without membership may also mean that there is a risk of a data breach.
The Board concluded that the processing activity in question is not based on any processing condition in Article 5 of the LPPD, and that the data controller did not comply with the principle of being accurate and up to date where necessary or with the obligations listed in Article 12/1 of the LPPD, and decided to impose an administrative fine of 100,000 TL on the data controller within the scope of Article 18/1/b of the LPPD. In addition, the data controller, which had referred to the European General Data Protection Regulation, was reminded that compliance with the provisions of the LPPD takes priority.
Summary of the Decision of the Personal Data Protection Board dated 10/03/2022 and numbered 2022/224 on “Sharing the Telephone Number of the Data Subject with Third Parties by a Bank’s Call Centre”
The data subject found a third party’s card at the Bank’s ATM and handed it over to security at the scene, but in the following hours the cardholder sent a message to the data subject’s personal phone number, from which it was understood that the data subject’s data had been transmitted to the cardholder without explicit consent. The data subject stated that he had not been informed and had not given explicit consent, and requested that the necessary action be taken against the data controller Bank.
In its response letter, the data controller stated that the personal data processed are generally processed for the purpose of ensuring customer security; that, in addition, the disclosure text is accessible to everyone on its website and the disclosure obligation is thus fulfilled; and that the data subject was informed and consented.
In summary, the Board determined that the LPPD disclosure text is presented to callers who contact the bank through the call centre, and that, according to the documents submitted by the data controller, when the data subject submitted an application through the “contact us” section of the data controller’s website, the box “I have read and understood the information made within the scope of the Law on the Protection of Personal Data” was checked; in this sense, it was understood that the data controller Bank fulfilled its obligation to inform.
However, the Board assessed that it is not consistent with a reasonable expectation to infer, from the call centre personnel’s statement made after explaining that the card was secured, that the data subject’s information would be shared with the third party who owns the card; it is more reasonable to understand from the same statement that the information that the card was found by a citizen and secured would be shared. It is also possible to infer that the data subject did not consent to the sharing of his personal data from his negative response to the suggestion that he deliver the card himself.
Within the framework of Article 12 of the LPPD, the Board decided to impose an administrative sanction on the data controller within the scope of Article 18 of the LPPD, on the basis that the data subject’s name, surname and telephone number were shared with a third party in violation of the LPPD. Since it was understood that the data controller Bank had fulfilled its disclosure obligation, the Board decided that no action was required under the LPPD regarding that claim.
Summary of the Decision of the Personal Data Protection Board dated 04/03/2022 and numbered 2022/184 on “Sharing the Debt Information of the Data Subject with Third Parties by a Receivables Management Company”
The data subject stated that an SMS bearing the title of the data controller receivables management company was sent to the lines registered in the name of the data subject’s brother and his wife, notifying them that the data subject’s debt to a telecommunications company would expire and that enforcement proceedings would be initiated if the debt was not paid; that the data subject applied to the legal office of the company due to the disclosure of his personal data but was not given a written reply; and that, when he subsequently asked why his personal data had not been sent to his own phone and how the relevant phone numbers had been obtained, the reply given was “we will find it”. The data subject declared that his personal data had been shared with third parties without his consent and filed a complaint within the scope of the KVKK.
From the response letters sent by the data controller, the Board determined that when a caller requests information about a debt from the data controller’s call centre, the caller’s phone number is processed by being automatically recorded into the system, without any information being given to the caller and without relying on any of the processing conditions in Article 5 of the KVKK, and that debt information, which is the personal data of other persons, is shared with these callers. The Board therefore concluded that the data controller had not taken the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of personal data within the framework of Article 12/1 of the KVKK. For this reason, it decided to impose an administrative fine of 50,000 TL on the data controller in accordance with Article 18/1/b of the LPPD, and to instruct the data controller to terminate the practice of recording the contact information of persons calling for information and to inform the Board of the result.
Summary of the Decision of the Personal Data Protection Board dated 24/02/2022 and numbered 2022/172 on “Requesting Special Categories of Personal Data from Candidates during the Recruitment Process by the Contact Office of the Data Controller Residing Abroad in Turkey”
The data subject stated that, during recruitment, the liaison office of the data controller requested a criminal record, a health report, a blood type certificate, a copy of the driver’s licence, a copy of the marriage certificate and similar documents; that no explicit consent was obtained for the processing of these special categories of personal data, contrary to the general principles listed in Article 4 of the LPPD; that the information may have been transferred abroad; and that the data controller did not respond to the data subject’s application within the 30-day legal period. The data subject requested that the necessary action be taken in accordance with the provisions of the LPPD.
In its reply letter, the liaison office in Turkey stated that it does not have a separate legal personality or commercial activity; that the personal data in question are in the nature of a “personnel file” kept under the employment contract; that they are kept in accordance with the relevant legislation and the legitimate purposes set out in the laws; and that the personal data in question are destroyed following the termination of the employment contract.
Based on the provisions of Labour Law No. 4857, the Board found that the title of “data controller” belongs to the company based abroad, not to the liaison office; that the data subject’s notification to the data controller through the liaison office official and employer’s representative is legally valid, since that person is authorised to act on behalf of the data controller under a power of attorney issued and approved by an authorised notary abroad; that the data subject’s application was not responded to in a timely manner; and that the transfer of data abroad is not itself unlawful, but the only way to do so here is to obtain the explicit consent of the data subject.
On the other hand, although it is claimed by the data controller that all personal data belonging to the data subject at the company headquarters and liaison office have been destroyed, no document supporting this has been submitted to the Authority, and pursuant to Article 7/3 of the Regulation on Deletion, Destruction or Anonymisation of Personal Data, it is stated that data controllers are obliged to document their deletion operations and submit the said document to the official authorities upon request.
Although the Board concluded that the explicit consent obtained from the data subject is lawful, since no supporting document showing that the data in question has been destroyed was submitted to the Authority, it decided to instruct the data controller to exercise the utmost care and diligence regarding data subjects’ applications, and to inform the Board after forwarding the document showing that the data has been destroyed to the data subject.
Summary of the Decision of the Personal Data Protection Board dated 10/02/2022 and numbered 2022/103 “Regarding the Sharing of the File Content on Social Media Regarding the Execution Proceedings initiated against a Company with the Name of the Data Subject in the Title”
The data subject stated that the data controller initiated enforcement proceedings against a company (“Company”) bearing the data subject’s name; that in this process a person commented in a public group on the social media platform Facebook that the documents related to the case would be shared; that research showed the person who made the post to be a contact of the data controller company; and that, although the data subject has no commercial relationship with the person in question, he applied to the data controller in accordance with his rights under the KVKK on the grounds that his personal rights were violated by the sharing of his personal data in the enforcement file with third parties, but received no response in due time.
In its response letter, the data controller stated in summary that the Company was a party to a complaint submitted to the Public Prosecutor’s Office regarding the social media posts; that it was decided that there were no grounds for prosecution for the offence of defamation, because the party subject to the complaint was a legal entity rather than a natural person and the legal elements of the offence had not occurred; and that the person who made the posts was a part-time employee of the Company at the time, later left the Company, and then started working for the data controller.
It was stated that the Company was in this person’s portfolio at the data controller; that the Company did not pay for goods purchased and enforcement proceedings were initiated; that the person explained the situation with the Company in a Facebook group of which he was a member, in order to prevent other companies from being harmed by this Company, and as proof shared the front cover of the case file in an unreadable form; that this post was deleted without being published and third parties did not see it; and that the person in question was removed from the group and blocked after the incident.
The summary of the Board’s decision sets out the approach to the concept of “personal data” taken in Opinion 4/2007 of the Article 29 Data Protection Working Party dated 04.06.2007, which was prepared on the basis of Data Protection Directive 95/46/EC, as well as the approach of the LPPD. The criteria to be evaluated where legal entity information is related to natural persons are also mentioned.
Although the name of the company subject to the complaint contains the name and surname of the data subject, since it was understood that the legal entity was targeted in the social media posts and the data in question was considered to belong to a legal entity rather than a natural person, the Board concluded that the subject of the complaint falls outside the scope of the KVKK and decided that no action was required.
Summary of the Decision of the Personal Data Protection Board dated 18/01/2022 and numbered 2022/31 “Regarding the Processing of Personal Data of the Data Subject by the Data Controller Operating in the Health Sector for the Purpose of Sending Commercial Electronic Messages without Obtaining Explicit Consent”
The data subject filed a complaint stating that commercial electronic messages were sent to his e-mail address by the data controller operating in the health sector without his explicit consent, that his personal data were processed unlawfully in accordance with the Law on the Regulation of Electronic Commerce and the LPPD and that the data controller failed to take the necessary administrative and technical measures.
In its defence, the data controller stated that the e-mail address of the data subject was registered in the Hospital Information Management System during the data subject’s first visit to the hospital, and that the data processing activity was based on the legal ground in the LPPD that “it is necessary to process the personal data of the parties to a contract, provided that it is directly related to the establishment or performance of the contract”. Stating that the e-mail sent to the data subject was due to a temporary lack of coordination, the data controller emphasised that, at the data subject’s request, the data subject was removed from the list of persons who had approved the sending of commercial electronic messages, and undertook not to send e-mails again.
The Board found it lawful to obtain the personal data of the data subject at the point of opening the patient record, but reminded the data controller that not using the personal data in connection with the purposes for which they were obtained would render the data processing activity unlawful. The Board assessed that the electronic message sent to the e-mail address of the data subject with the intention of advertising and marketing is incompatible with the legal grounds for requesting personal data in the first stage, and imposed an administrative fine of 100,000 TL on the data controller who did not take the necessary administrative and technical measures to ensure the appropriate level of security in order to prevent unlawful processing of personal data.
Summary of the Decision of the Personal Data Protection Board dated 06/01/2022 and numbered 2022/6 “Regarding the Unlawful Sharing of Personal Data on the Internet Address where the Registry Information of the Company of which the Data Subject is a Former Partner is Displayed”
The data subject applied to the Chamber of Commerce stating that the registry information of the company of which he was a former partner is written under the information related to the company on the website and that he does not want his personal data to be shared with third parties without his consent, and the Chamber of Commerce rejected the request by stating that the request of the data subject cannot be fulfilled in accordance with the Turkish Commercial Code (“TCC”) and the Trade Registry Regulation.
In the response letter submitted by the data controller Chamber of Commerce to the Board, it was stated that the registration and announcement of the changes in the shareholding structure of the company in accordance with the legislation and the appearance of the person as a former partner are public information, personal data such as ID number or address are not included in the relevant announcements, and in this context, the information that is open to the examination of third parties within the scope of the relevant articles of the TCC and the Trade Registry Regulation is included in the company information on the website.
In its decision, the Board stated that the practices in the light of the matters regulated in the TCC and other relevant legislation are compatible with the principles of “being connected, limited and proportionate to the purpose for which they are processed” stated in the Law; and emphasised that the information can be accessed from the information bank platform on the website of the chamber of commerce, and that there is no indication that the publication of the data has a different purpose than the purpose of publication in the trade registry gazette.
In the light of all these evaluations, although the name, surname and capital amount of the former partner of the company can be accessed on the inquiry page, since the reasons requiring the processing of the personal data in question have not disappeared, it has been concluded that there is no need to apply any action within the scope of KVKK.
Summary of the Decision of the Personal Data Protection Board dated 23/12/2021 and numbered 2021/1303 “Regarding the Processing of Data of the Relevant Persons by the Car Rental Program Software Developer and Seller Companies and the Creation of a Black List Programme Enabling the Sharing of These Data Among Car Rental Companies”
It has been stated that the data controllers are car rental software manufacturers or sellers, and that the car companies using the software keep the personal data obtained about the customers under record, but these data are kept open to the access of other companies using the same software in the form of a blacklist application without the consent of the customers and are disclosed in this context.
In the responses sent to the Authority by the companies producing car rental software, it was stated that it is generally necessary to keep records of the information required in the car rental contract for operation management and some personal data such as identity cards and driving licences required by public institutions and organisations. Some software companies stated that the relevant application is also intended to convey the warning and comments about the customer to the relevant car rental company when the customer wants to rent a car from other car rental companies in relation to “problematic customers”. The car rental software producer companies stated that they would not be responsible for the unlawful use of the software by their customers, the car rental companies.
The Board referred to its Decision dated 23.12.2021 and numbered 2021/1303 on the same subject and brought the concept of joint data controller to the surface once again. The Board stated that it is clear that software companies act as data controllers due to the reasons such as the fact that they keep the database and the management of the software within their structure due to the service they provide, they appoint users with admin authority within their own structure, car rental companies cannot interfere with the software codes and therefore limit the customer management authorities. It is stated that car rental companies will obviously continue to be responsible for the data with software companies.
Since the software companies have no legal obligation to process the data of the car rental companies' customers, it was assessed that sharing the data with the “business partners, branches or agencies” of the car rental company would be possible only under the legitimate interest criterion set out in the legislation. The Board found a violation of the basic principles of data processing and of the general principles governing transfers, because the persons and groups of persons who are parties to the transfer were not informed by the data controller, the transfer is made primarily to the system rather than between car rental companies, and in this context it is not foreseeable which companies can see the personal data.
The decision underlines that the company's interest must be able to compete with the fundamental rights of the data subject, that data processing must be mandatory in order to achieve that interest, that the interest must be clear and specific, and that it must be impossible for the company to achieve the interest without processing personal data. The Board found the data processing method of the software companies, as data controllers, contrary to the general principles of the LPPD, and instructed the data controllers to destroy the relevant personal data in accordance with the Regulation on Deletion, Destruction or Anonymisation of Personal Data.
Summary of the Decision of the Personal Data Protection Board dated 16/12/2021 and numbered 2021/1262 “On the Processing of Bank Data of the Data Subject by an Insurance Company”
The data subject stated that, although he had not shared his bank details with the data controller insurance company, the insurance company processed these data unlawfully. He made a data subject application through his attorney requesting the deletion of the data, and applied to the Board after his request went unanswered.
The data controller explained that the purpose of processing the data was to collect the policy premium and to fulfil the obligations arising from the policy. Since there was a Consumer Arbitration Committee decision regarding the incident, it emphasised that the bank information was processed by making a payment to the bank account of the person recorded in the Company's records, in order to fulfil the obligation, arising from the policy and confirmed by a finalised judicial decision, to compensate the determined damage, and that the account information relating to the payment made in fulfilment of the Consumer Arbitration Committee decision must be kept for 10 years in accordance with a legal obligation.
In its defence, the data controller also stated that the power of attorney submitted with the application made through the person's attorney was a “general power of attorney”; since the requested information concerns the processing of personal data, a right strictly connected to the person, an attorney exercising the rights under Article 11 of the LPPD on behalf of the person concerned should submit a power of attorney containing special authority, and the request was not answered for this reason. The Board, however, emphasised that this condition should not be sought, since the legislation contains no provision on a special power of attorney, and decided that the special authorisation requirement stated by the data controller in its application form be removed. On the other matters, the Board found the defence justified and did not deem it necessary to take any action, on the grounds that the personal data were processed in accordance with the legal grounds set out in Article 5/2-c and ç of the LPPD.
Summary of the Decision of the Personal Data Protection Board dated 16/12/2021 and numbered 2021/1258 on the Unlawful Processing of the Personal Data of the Data Subject by the Data Controller Company where the Employment Contract is Terminated
The data subject filed a complaint with the Authority stating that the data controller company he had left used face recognition and fingerprint systems to record employees' entry to and exit from work, that there was a data transfer abroad, and that no explicit consent process was carried out for the processing or transfer of the personal data. The data subject underlined that the data controller did not fulfil its obligation to inform the data subject in accordance with the law, since it did not inform him of the ways to apply to the data controller and provided no application form.
In its defence to the complaint, the data controller stated that it fulfilled its obligation to inform the data subject because the employment contract signed by the data subject contains statements regarding the protection of personal data; that the application methods available to the data subject were explained in detail in the disclosure text on the social network site established by the company solely for employees; that biometric data such as fingerprints and face scans are collected for the security of the company and its employees; and that there is no data transfer abroad.
In its decision, the Board referred to the principles that must be complied with in the processing of personal data and stated that the company's processing method is incompatible with these principles. It emphasised that the clauses included in the employment contract do not constitute a proper disclosure under the Communiqué on the Procedures and Principles to be Followed in the Fulfilment of the Disclosure Obligation, since they are presented as a mixed text that does not contain the minimum elements required in disclosure and explicit consent texts. The Board stated that it is impossible for a person to start working without signing the employment contract, and that an explicit consent statement intertwined with the employment contract cannot be said to be based on the free will of the person concerned.
As in many decisions, the Board once again emphasised the importance of the principle of proportionality in the processing of special categories of personal data, and stated that the use of fingerprint and face recognition systems is quite disproportionate while there are systems that do not require the use of biometric data for the security of company employees and serve the same purpose (magnetic card, etc.), and decided to impose an administrative fine of 125,000 TL on the data controller.
Summary of the Decision of the Personal Data Protection Board dated 05/07/2019 and numbered 2019/198 “Regarding the Notification of the Data Subject on the Unlawful Processing of Personal Data by the Data Controller within the Scope of a Loyalty Programme”
In the petition submitted to the Authority, it has been stated that the data controller applies the discount on some products sold in its store only to its “loyalty card” member customers; that obtaining the relevant card as a loyalty card member is conditional on giving explicit consent by sharing personal data and that the customer’s ability to receive service is damaged due to the imposition of explicit consent as a “condition” to the customer.
In its defence, the data controller stated that the explicit consent text submitted together with the clarification text explains the purposes for which explicit consent is requested, so that the condition of relating to a specific subject is met; that customers who do not wish to obtain a loyalty card can always shop through the website or in the store; and that the discount obtained with the loyalty card is not related to the provision of the main product or service but is in the nature of an additional benefit, so that for all these reasons it cannot be considered a precondition of the service.
In its defence, the data controller referred to a similar situation in the Handbook on European Data Protection Law and emphasised that linking additional benefits to the explicit consent condition does not eliminate free will. According to the Handbook, “there is no downstream link between the customer and the company and the consequences of not giving consent are not serious enough to affect the free will of the data subject”, in other words, the mentioned discount is not large enough to affect free will.
In its decision, the Board made similar assessments and stated that the discount offered with the “loyalty card” cannot be considered a prerequisite for benefiting from the product or service, since it is an additional benefit and does not remove the opportunity to shop, and decided that there was no action to be taken within the scope of the KVKK.