Personal Data Protection Authority Imposed Administrative Fines Against the Association Sending Adve
On 6 November 2020, Turkey’s Personal Data Protection Authority published on its website a summary of a decision dated 10 September 2020 and numbered 2020/791, concerning an association’s processing of a data subject’s mobile phone number to send advertising SMS without obtaining the data subject’s explicit consent.
The decision was made as a result of the examination carried out by the Personal Data Protection Board (“Board”) within the framework of the Law on Protection of Personal Data numbered 6698 (“DP Law”), upon the complaint of the data subject.
The Board’s findings, based on its assessment of the case, are as follows:
- The conditions for processing personal data are regulated under article 5 of the DP Law. The first paragraph of this article emphasizes that personal data cannot be processed without the explicit consent of the data subject; if one of the conditions specified in the second paragraph is met, personal data may be processed without seeking the explicit consent of the data subject.
- In the case at hand, the association, as data controller, did not prove the reason for processing the complainant’s mobile phone number, nor did it make any clear statement on this issue.
- The Board indicated that the data controller’s statement that “It is highly probable that the data subject made an SMS donation before” is not based on a legal basis and cannot be accepted as a valid statement, and that there was no explicit consent of the data subject for sending SMS. In this context, the Board stated that obtaining the complainant’s mobile phone number, which is personal data, and using it to send advertising SMS constitutes a violation of the DP Law. This situation indicates that the data controller did not fulfil its data security obligations.
- Additionally, the Board states that the association, as data controller, did not respond to the data subject’s request for information, and that the reason given for not responding, an “administrative problem”, is not a clarifying explanation. Besides, under the Communiqué on the Procedures and Principles of Application to the Law and Data Controller, there are two types of actions that data controllers can take in response to any application: the application should either be accepted by the data controller or rejected with an explanation of the reason. In this respect, the Board stated that the data controller’s failure to respond to the data subject’s application or to take any action on it is against the DP Law.
- On the other hand, as per article 7 of the DP Law, even where personal data has been processed in accordance with the provisions of the DP Law and other relevant laws, if the reasons for processing disappear, the personal data will be deleted, destroyed or anonymized by the data controller ex officio or upon the request of the data subject. Therefore, the Board stated that in case of unlawful personal data processing due to lack of legal basis, personal data should be deleted immediately.
- In this regard, blacklisting the telephone number in question does not mean that the unlawfully processed personal data has been deleted, and the fact that the processed personal data is held on a blacklist in the association’s systems without any legal reason indicates that the unlawful situation is still continuing. Therefore, the phone number should be deleted.
As a result of these evaluations, the authority:
- Concluded that the necessary technical and administrative measures were not taken to ensure the appropriate level of security in order to prevent the unlawful processing of personal data,
- Imposed an administrative fine on the association as a data controller,
- Decided to instruct the data controller to respond to the application made by the data subject within the legal period, to pay utmost attention, and to destroy the mobile phone number.
Please find the full text of the Board decision here. (Only available in Turkish)