25 May, 2022

KVKK Decision Summaries for May 2022

"About the processing of the e-mail address, which is the personal data of the person concerned, by a human resources firm for the purpose of sending e-mails for advertising and marketing purposes" Summary of the Decision of the Personal Data Protection Board dated 09/12/2021 and numbered 2021/1243

In the complaint, it was stated that e-mails for commercial promotional purposes were sent to the data subject by a human resources company; that the data subject has not had any previous legal transactions with the data controller and therefore does not have any information about where and how his personal data was obtained; that his personal data was processed in this way without his consent; and that he applied to the data controller and requested that his personal data be deleted, but no information was given to him about where his personal data was obtained from and for what purpose it was processed. It was requested that necessary action be taken against the data controller.

Within the framework of the investigation initiated on the subject, the data controller was asked for its defense. In summary, the reply letter stated that:

The e-mail address of the data subject was obtained within the scope of economic activities (survey and promotion works) carried out by the data controller,

The e-mail address in question was processed on the basis of the condition that "it has been made public by the person concerned" within the scope of subparagraph (d) of Article 5 of the Law No. 6698 on the Protection of Personal Data (Law).

As a result of the research conducted by the board; 

The data controller did not provide any explanation of the method, platform or medium by which the person concerned intended to make their e-mail address public, and no documents proving how the address was obtained within the framework of surveys and promotions were included in the appendix,

Based on the evaluations that it is understood that the e-mail information of the person concerned is processed in violation of the Law and that the person concerned also conveys the request for the deletion of his personal data in his application to the data controller;

Since it is understood that the obligation to "prevent the unlawful processing of personal data" is violated, an administrative fine of 50.000 TL is imposed on the data controller in accordance with paragraph (1) of Article 18 of the Law,

Since it is understood that the e-mail address information of the person concerned was processed in violation of the Law and that the person concerned also conveyed the request for deletion of his personal data in his application to the data controller, it was decided to instruct the data controller to inform the Board by destroying the personal data of the person concerned and forwarding the log records of the destruction process to the Authority.

Conclusion: 

Even when data controllers rely on the data having been made public by the data subject, an explanation of the method, platform or medium by which the data subject intended to make the e-mail address public, and any document that proves how it was obtained, should be included in the appendix.

Implementing administrative and technical measures keeps data controllers from being subject to administrative sanctions by KVKK.

Another obligation of data controllers is that, even though personal data has been processed in accordance with the Law and other relevant legal provisions, if the reasons for processing disappear, the data must be deleted, destroyed or anonymized ex officio or upon the request of the data subject.

Other decisions similar to the relevant decision; 

PERSONAL DATA PROTECTION AGENCY | KVKK | Summary of the Decision of the Personal Data Protection Board dated 14/10/2021 and numbered 2021/1051 on "An employment platform that conducts job search and recruitment processes engages in practices contrary to the Law on Protection of Personal Data"

Summary of the Decision of the Personal Data Protection Board dated 02/12/2021 and numbered 2021/1214, "On the arrangement of the attendance list containing the personal data of the trainees in a way that can be seen by other participants in the training given by a university"

It has been stated that, during the training, attendance lists containing the names and T.R. identification numbers of the trainees were circulated and signed by hand; that the University and the Ministry did not inform the person concerned about the processing of personal data; that he applied separately to the Ministry and the University; that the Ministry did not respond to the application; and that the University's answer said the attendance lists were prepared by the Ministry and that collecting signatures was an obligation.

As a result of the examination of the institution; 

The Ministry and the University operate as separate data controllers within the scope of personal data processing activities,

It has been determined that the University responded to the application of the person concerned, but that the Ministry's response to the application was given after the 30-day period granted to data controllers in accordance with Article 13 of the Law had expired,

The complaint of the person concerned is essentially that, because signatures were collected by circulating in the classroom the attendance sheet containing name, surname and T.R. identity number, together with the invoice delivery and certificate delivery lists, the identity number information was unlawfully shared with third parties and the security of personal data was therefore not ensured,

When the information and documents received from the data controllers about the subject of the complaint are evaluated within the scope of the relevant legislation: where, in order to prevent confusion in cases such as the presence of persons with the same name and surname, another identifying data item (for example, the T.R. identification number) is used in the attendance tracking chart in addition to the name and surname, it should be used with the relevant data masked,

Article 10 of the Law states that, during the collection of personal data, data controllers or the persons authorized by them must inform the data subjects, and that this information must include at least the identity of the data controller and its representative, if any; the purpose for which the personal data will be processed; to whom and for what purpose the personal data can be transferred; the method and legal reason for collecting personal data; and the other rights of the data subject listed in Article 11 of the Law,

It is stated that, at the Continuing Education Center, a contract was signed with the person concerned before the training, as with all other participants. When it is examined whether the data controller duly fulfilled the obligation to inform with this contract, it is seen that the contract does not include the minimum elements of that obligation: the purpose for which personal data will be processed, to whom and for what purpose it can be transferred, the method and legal reason for personal data collection, and the other rights of the data subject. It has therefore been concluded that the obligation to inform was not duly fulfilled by the data controller,

Based on these evaluations;

Since it is understood that the Ministry responded to the application of the person concerned after 30 days, it has been decided to remind that the 30-day period should be observed while responding to the applications made within the framework of Article 13 of the Law. 

Conclusion: 

The said decision concerns all education and training institutions. It is of great importance that institutions fulfill their obligation to inform, especially at the point of collecting personal data. The board decision also discusses the necessity of masking data such as ID numbers.

The relevant decision in its entirety:

PERSONAL DATA PROTECTION AGENCY | KVKK | Summary of the Decision of the Personal Data Protection Board dated 02/12/2021 and numbered 2021/1214, "On the arrangement of the attendance list containing the personal data of the trainees in a way that can be seen by other participants in the training given by a university"