News and developments
Turkish DPA Warns with Principle Decision on Promotional Communications
On
November 1, 2018, Personal Data Protection Board ("Board"), acting under the
Personal Data Protection Authority, published its principle decision with
number 2018/119 in the Official Gazette, which then corrected on November 7,
2018 ("Decision"). Board's Decision is regarding prevention of promotional
notifications, e-mail messages, text messages and calls that data subjects might
receive from data controllers and data processors.
A. Rationale
In
the beginning of the Decision, the Board indicates that they received numerous
complaints based on the Law No. 6698 on Protection of Personal Data ("Law No.
6698") from individuals, who claim to have received promotional and advertorial
calls, text messages, e-mail messages from parties, whom they did not give consent
for such communications.
The
Board also indicates that, upon receiving such complaints, an investigation has
been conducted on the matter by the Board, results of which were used for
determining the principles set forth in the Decision.
B. Obligations of Data Controllers & Processors
I. Cease of Activity
The
Decision orders data controllers, which direct promotional communications to
data subjects without obtaining data subjects' consents or without meeting the
conditions under Article 5/2 of the Law No. 6698, to immediately cease such
processing activities immediately. Additionally, the Decision also orders data
processors that send such communications on behalf of data controllers, to
cease their data processing activities immediately, as well.
The
Decision lists sending text messages to or calling data subjects phone numbers;
and sending e-mails to data subjects; as methods of communication. Although,
the wording of the Decision appears to be limited to these methods of
communication, considering the purpose of Board's decision, one might argue
that the Board will highly likely apply this principle to every other form of
electronic communication, provided that it is promotional and/or advertorial
and the conditions of the Law No. 6698 are not met.
|
According to Article 5/2 of the Law No. 6698,
it is possible to process personal data without the explicit consent where one of the conditions below apply; | |
|
it is explicitly foreseen by laws |
data has been made public by the data subject |
|
processing personal data of the parties of a contract is necessary, on | |
|
processing is necessary; | |
|
for compliance with a |
for the establishment, |
|
for the purposes of the |
to protect the vital |
In
this order, the Board refers to its authority under Article 15/7 of the Law No.
6698, which entitles the Board to decide on cease of data processing or
transfer of data abroad, if there is an obvious violation of laws and there are
irrevocable damages or damages that are hard to recover. In that sense, one
might argue that the Board evaluates such activities as violations of the Law
No. 6698 and is inclined to interpret such activities as damaging to data
subjects, which might be used against data controllers within the scope of
claims by data subjects pertaining to non-pecuniary damages.
II. Precautions
By
referring to Article 12 of the Law No. 6698, the Decision explicitly states that
data controllers are obliged to take all technical and administrative measures
in order to ensure an adequate level of security for the purposes of (i)
preventing unlawful processing of personal data, (ii) preventing unlawful
access to personal data; and (iii) protecting personal data.
Furthermore,
it is also noted in the Decision that if personal data is processed by another
real person or legal entity on behalf of the data controller, the data
controller shall be jointly liable with the data processor for taking the foregoing
measures.
III. Sanctions
The
board states that they will impose the measures provided under Article 18 of
the Law No. 6698 for those who conduct such processing activities, which sets
forth administrative fines for those who fail to comply with certain
obligations under the Law No. 6698.
|
Article 18/1(b) |
Article 18/1(c) |
|
Those who fail to fulfill the obligations relating |
Those who fail to abide by the decisions rendered by |
The
Board also warns that, taking into account the possibility that personal data
process for such activities might be collected unlawfully, they will notify the
relevant public prosecutor's office, so that criminal proceedings could be
initiated for the crime of illegal dissemination and seizure of data in accordance
with Article 136 of the Turkish Criminal Code, under which illegal seizure,
transfer or dissemination of personal data constitutes a crime under and is
subject to an imprisonment up to four years.
Although
the Decision does not explicitly indicates any time period for data controllers
and processors to cease their activities found to be in violation of the Law
No. 6698, it is implied in the Decision that the Board is not eager to punish
on-going activities of data controllers and processor, but merely confines
itself to warn and urge them to cease such activities and act in accordance
with their obligations within the scope of the Law No. 6698.
IV. Checklist for Compliance
Please
find below a short checklist of items that might be considered by data
controllers before sending out promotional communications, for the purposes of
compliance with the Law No. 6698 and Board's principle decision.
1.
Taken
necessary precautions and measures to protect the contact information which
will be collected from data subjects (such as creating a dedicated storage
space for the relevant data, limiting the number of personnel accessing such
data to senior marketing managers etc.),
2.
Informed
data subjects about using their contact information for promotional
communications before or, at the latest, during collection of their personal
data and recorded such notice for evidential purposes (be it on paper with data
subject's signature, a voice record or vie electronic logging),
3.
If
using contact information collected previously for other purposes where data
subject might not be reasonably expected to know that it might be used for such
communications, informed data subject about using their contact information for
this new purpose, before starting processing activities for that purpose; and
recorded such notice for evidential purposes,
4.
Have
a legal basis for using their contact information for such communications
(please see the table above for the list of valid legal grounds),
5.
If
not, obtained data subject's explicit consent; and recorded such consent for
evidential purposes.
Please note that data processors should also consider
whether the data controllers, on whose behalf they process personal data and
send promotional communications, are in compliance with the Law No. 6698; and
vice versa, since they are both jointly liable for violations of the Law No.
6698, as explained above.
In any case, it is clear that individuals are starting
to take control of their personal data more and more, as legislations provide
them with new ways to exercise their rights. The Board's decision show that
complaints from individuals impelled the Board to act on its authority and warn
data controllers and processors about the current state of affairs with respect
to their promotional activities.
Authors: Gönenç Gürkaynak Esq., İlay Yılmaz and Türker Doygun,
ELIG Gürkaynak Attorneys-at-Law
(First published
by Mondaq on February 6, 2019)