08 Mar, 2022

3 January 2022 KVKK Board Decision

Summary of the Decision of the Personal Data Protection Board dated 02/12/2021 and numbered 2021/1210 on the "processing of the mobile phone number, which is the personal data of the person concerned, by calling and sending SMS to inform about Digiturk campaigns"

The Board first asked Krea Content Services and Production Anonim Şirketi (Krea Content Services) to defend itself, considering the dimension of the issue that concerns Digiturk within the framework of the investigation for the incident subject to the complaint. 

In the defense made; 

  • The person concerned does not have a subscription record and there is no personal data of the person concerned in the Company systems prior to the person's application to the Company, 
  • The phone numbers specified in the application of the person concerned do not belong to the Company and the said calls and SMS messages are not made by the Company, 
  • It cannot be determined whether the said phone numbers belong to one of the Company's dealers, because the dealers may have obtained telephone numbers independently from the Company, 
  • The dealers that mediate some of the sales of the Company's products and services to the end users act as separate data controllers independently of the Company in all marketing processes, they have not received any orders or instructions from the Company and no guidance has been given by the Company in this regard, these calls The Company does not have any control over it and therefore the Company does not act as the data controller in the event subject to the complaint,
  • It has been stated by the company that no personal data regarding current or potential customers is transferred to the dealers and that there are no practices such as providing contact information lists for the purpose of marketing the products. 

As a result of this defense, KVKK; When the statements submitted by the parties to the Institution regarding the subject are evaluated, it has not been determined that Krea Content Services acted as a data controller in the concrete case.

Then, the operators that allocated the telephone lines specified in the application of the relevant person were identified and information and documents were requested from the operators in question regarding the persons/companies to which the telephone lines were allocated and the content of the contract made within this scope.

As a result of the examination of the reply letters received from the relevant operators, 0850 *** ** 77 to the Dealer whose title was also stated in the reply letter of Krea Content Services, to the M.D. of the lines 0216 *** ** 70 and 0850 *** ** 15. to the person named (M. Communications); 0850 *** ** Line 82 is M.A. It is understood that it was allocated to the person named. 

In summary, the reply received from the dealer is; 

  • They are the dealers of Krea Content Services,
  • The fact that the call of the person concerned without consent concerns the operator-call center department of the Company and that the operator service is M.D. was transferred to the person named (M. İletişim),
  • There is no information about how the subcontractor obtains the numbers, the content of the conversations and whether they make calls to the person concerned, and that the subcontractor is responsible for this issue.

specified and subcontracted M.D. (M. İletişim) and the subcontractor agreement between them has been sent.

From the correspondence with the operators, M.D. In summary, in the reply received from the person named (M. İletişim);

  • Subcontractor call center service is provided to the said dealer of Krea Content Services,
  • Calls are made to the phone number of the relevant person for advertising and promotional purposes, 
  • The data registered in their systems were obtained by number derivation method before the effective date of the Law No. 6563 on the Regulation of Electronic Commerce, 
  • The incident subject to the complaint is outside the scope of Law No. 6698 and should be evaluated within the framework of Law No. 6563 on the Regulation of Electronic Commerce.

expressed. 

In the reply letter received from the person named M.A., in summary; 

  • In some periods, advertisements given on social media accounts were encountered by people on their social media accounts, and in this context, campaign announcements were made to them after they filled out a form voluntarily,
  • Attached is the form filled in by the person concerned on a website.

and people were informed about the operation of the system used to search. 

As a result of the evaluation made on the subject,,

Since the processing of the mobile phone number, which is the personal data of the person concerned, by calling / sending an SMS for product promotion and marketing purposes, constitutes a personal data processing activity pursuant to Article 3 of the Law, one of the conditions listed in Article 5 of the Law must be fulfilled in order to be able to mention that this processing is carried out in accordance with the law. . 

In Article 3 of the Law and in the Implementation Guide on the Law on the Protection of Personal Data, concepts such as data controller and data processor are explained. In the concrete case, it was concluded that the Dealer and Krea Content Services were not data controllers as a result of the defenses made.

In the concrete case, the subcontractor M.D. (M. İletişim), which is informed that the two numbers in question were allocated to M.D. The dates on which it is concluded that it is being used by M.D. It has been declared that the dates presented in the defense of the person named (M. İletişim) match and that the phone numbers registered in his system were obtained by the "number derivation method". The person named M.D. has the title of data controller. 

M.A. When an evaluation is made in terms of M.A., the concrete case of M.A., which creates its own database and sends a commercial electronic message to him by processing the phone number, which is the personal data of the person concerned, by using this database. has the title of data controller within the scope of 

Based on the statement of M.D. (M. İletişim) that the data registered in the system was obtained by the method of number derivation, it was understood that the processing of the phone number of the person concerned was not based on any processing condition specified in Article 5 of the Law. It has been decided by the institution to impose administrative sanctions against him.

Concluding that he is the data controller, M.A. When an evaluation is made in terms of the personal data processing activity of the person named, the relevant form is not submitted to the Institution in the form shown on the website and in a log record or similar format, instead the mobile phone number of the person concerned and the date of application are written in M.A.'s handwriting, and the "I give consent" box is ticked. and since it was seen that the form was signed by M.A. by writing M.A.'s name and phone number, it was not sufficient to believe that the form was filled by the person concerned, as claimed by M.A. administrative sanctions were issued.

Regarding the destruction of the phone number data used by the person concerned and informing the Board of the result, M.D. and it was decided to instruct M.A.

Conclusion; 

There has been an increase in such complaints recently. In particular, guiding/informing its dealers about showing the utmost care and attention to compliance with the Law (KVKK) in new customer acquisition processes and in contracts to be made with dealers. It is necessary to include clear provisions regarding who is the data controller and who is the data processor.

To request a quotation for the following: Cyber Security, Digital Transformation, MSSP, Penetration Testing, KVKK, GDPR, ISO 27001 and ISO 27701, please click here.

Request a Quotation

 

About Content:
Share on Social Media:
Facebook
Twitter
LinkedIn
Telegram

Related Articles