05 Sep, 2022

GRC Judgment Summaries of the Month – August 2022

Summary of the Decision of the Personal Data Protection Board dated 04/03/2022 and numbered 2022/184 on “Sharing the debt information of the person concerned with third parties by a receivables management company” ¹

The complaint states that an SMS was sent, under a sender title bearing the name of the data controller receivable management company, to the lines registered in the name of the related person's brother and spouse, who is military personnel, saying that the debt of the person concerned to a telecommunication company will expire and that enforcement proceedings will begin if the debt is not paid; that, due to the disclosure of the personal data of the person concerned, an application was made to the law firm of the relevant receivable management company, but no written response was given to him; that subsequently the line belonging to his spouse was called by a person who said he was a law firm employee and who, during the conversation, addressed the issue by saying "Let's solve the issue by talking, not legally; what is the situation, why did you write a petition"; that the spouse of the person concerned then stated that they cannot disclose personal data as they wish, that this constitutes a crime in accordance with the Law on the Protection of Personal Data (Law) No. 6698, and that any legal action would be taken against them; that, in addition, it was stated that the information was not sent to the own phone of the person concerned and that contact information could be reached from UYAP or MERNİS if requested; and that, when information was requested about how the relevant phone numbers had been reached, the indirect answer given was "we found them, we will find them". It was declared that the personal data were shared with third parties without the consent of the person concerned, and a complaint was filed within the scope of the Law.

Within the framework of the investigation, the data controller receivable management company was asked for its defense regarding the complaint made under the Law, and the defense reply letter received is summarized as follows;

  • Due to the fact that a receivable transfer agreement has been concluded with a telecommunication company, the execution file information, invoices belonging to the customers, contact information given by the customers to the telecommunication company are obtained by the aforementioned company,
  • The numbers forwarded by the enforcement debtors to the telecommunication company are called while the transaction is being processed,
  • By calling the call centers of the companies from the phone lines subject to the complaint as the relevant person, the mentioned numbers are automatically recorded in the system and an SMS is sent automatically,

statements and claims are included. Records showing that the numbers mentioned in the petition called the call center were submitted to the Authority. As a result of the evaluation of the concrete case, with the decision of the Board dated 04/03/2022 and numbered 2022/184;

  • It is seen that an SMS was sent to the phones registered in the name of the brother and the spouse of the person concerned, stating that the debt of the person concerned to the telecommunication company would expire, and it was stated that his personal data was shared with third parties without his consent,
  • From the reply letters sent to the Authority by the data controller, it is understood that when the call center of the data controller is called for information about a debt, the phone information of the callers is automatically recorded in the system without informing the caller and without relying on any processing condition in Article 5 of the Law, and the debt information, which is the personal data of these persons and of other persons, is processed; and that the data controller does not take the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the illegal processing of personal data within the framework of paragraph (1) of Article 12 of the Law.

based on their evaluations;

  • “Considering that no processing condition within the framework of Article 5 of the Law applies to recording the telephone numbers that call the data controller as the telephone number of the data subject and to sharing the debt information with third parties by calling these telephones, to impose an administrative fine of 50.000 TL, within the framework of subparagraph (b) of paragraph (1) of Article 18 of the Law, on the data controller, which is determined not to have taken the necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the illegal processing of personal data within the framework of paragraph (1) of Article 12 of the Law,
  • To instruct the data controller to stop the practice of automatically recording the phone numbers of the people who call the data controller as the contact information of the debtors in the data controller systems, and to inform the Board of the result”.

Conclusion:

Data controllers may process personal data as stipulated in the relevant legislation, with express consent or on the basis of one of the other processing conditions, after they inform the relevant persons about how and for what purpose the data are processed. They should show great sensitivity in taking all necessary administrative and technical measures in order to prevent unlawful access to, and to preserve, the personal data they process.

¹The relevant decision in its entirety: https://kvkk.gov.tr/Icerik/7295/2022-184

Summary of the Decision of the Personal Data Protection Board dated 10/02/2022 and numbered 2022/103 “About sharing the content of the file regarding the enforcement proceedings initiated against a company in which the name of the person concerned is mentioned in the title” ²

Following a purchase made from a textile company, the data controller initiated enforcement proceedings against the spare parts company (Company) in whose title the name of the relevant person is mentioned. A public comment was made stating "that enforcement proceedings have been initiated against the company and the documents related to the enforcement will be shared in this group". As a result of research conducted on the Internet on the name of the person who made the post, it has been determined that the data controller is recognized as the addressee of the company. Since it could not be understood how information about the execution file was obtained by the person whose name is not mentioned in the trade registry record of the data controller company, but who introduces himself as a company official, it was stated that an application was made to the data controller in accordance with the rights under Article 11 of the Personal Data Protection Law No.

Within the framework of the investigation initiated regarding the matters in the complaint petition, the defense of the data controller was requested.

  • It has been decided that there is no need for prosecution on the grounds that the legal elements of the crime did not occur in the complaint submitted to the Public Prosecutor's Office regarding the social media posts subject to the complaint, and the person making the posts subject to the complaint was a part-time employee of the company whose name the person mentioned at that time, later left the company, and then started to work with the data controller,
  • The Company did not pay for the purchase of goods, did not respond to e-mails and telephone calls, could not be contacted in any way, and an enforcement proceeding was initiated against the Company,
  • Since the aforementioned person suffered a lot from this marketing, he briefly explained the situation with the Company in a Facebook group of which he is a member, in order to prevent other companies from being harmed by this company; as proof, he shared the front cover image of the case file in an unreadable way, but this post was deleted before it was published and third parties did not see the said post; and after the event, the aforementioned person was removed from the group and blocked.

expressed.

As a result of the investigation carried out on the subject, with the decision of the Personal Data Protection Board dated 10/02/2022 and numbered 2022/103;

  • “In the opinion of the Article 29 Data Protection Working Group dated 04.06.2007 and numbered 4/2007, when evaluated according to the criteria of "content", "purpose" or "result", this may be the case, for example, in the use of a company e-mail by a particular employee or in information expressing the behavior of the owner of a small business; according to the said opinion, the same information may also be considered to be associated with different people in terms of different elements: for example, if a piece of information is about person A, it relates to person A in terms of the content criterion; if it is used for the purpose of treating person B in a certain way, it relates to person B in terms of the purpose criterion; and if it has, or is likely to have, any effect on the rights and interests of person C, it can be said to relate to person C in terms of the “result” criterion,
  • “Since the relevant company bears the name and surname of the authorized person, it should be taken into account whether the company title is personal data in accordance with subparagraph (d) of paragraph (1) of Article 3 of the Law; in the concrete case, considering that the legal entity is targeted in the posts and comments made even though the person's name and surname are included in the title of the merchant in the enforcement proceedings document, the title of the company or the debt information, address and tax identification number information do not have an effect on the rights and interests of the natural person, are not used for the purpose of treating the natural person in a certain way, and do not meet the definition of personal data in the Law,
  • Pursuant to paragraph (1) of Article 2 of the Law, the provisions of the Law shall be applied to real persons whose personal data are processed, and to natural and legal persons who process this data fully or partially automatically or non-automatically provided that they are part of any data recording system,
  • Specific to the concrete case, in the sharing on the social media platform of comments containing some information about the Company, obtained by the employee of the data controller photographing the enforcement proceedings request document, the matter is not within the scope of the Law pursuant to paragraph (1) of Article 2 of the Law, due to the fact that personal data is not processed.

based on their evaluations;

  • “Although the name and surname of the person concerned is mentioned in the name of the Company, which is the subject of the complaint, since it is understood that the legal entity is targeted in the shares made on the social media, the data in question is considered as data belonging to the legal entity, not the real person, and there is no action to be taken because it is believed that the subject of the complaint is not within the scope of the Law” decided.

Conclusion:

It is seen that the provisions of the Law only cover real persons whose personal data are processed, since Article 2, which sets out the scope of the Law, refers to “real persons whose personal data are processed…”. In this context, we agree with the Board's decision that there is no action to be taken within the scope of the Law, since the data that constitutes the subject of the event concerns the legal person instead of the real person, and since legal person data is not within the scope of the Law.

² The relevant decision in its entirety: https://kvkk.gov.tr/Icerik/7293/2022-103

Summary of the Decision of the Personal Data Protection Board dated 16/12/2021 and numbered 2021/1258 "About the unlawful processing of the personal data of the data subject by the data controller company whose employment contract has been terminated" ³

In summary, the complaint of the person concerned, submitted to the Institution, states that he started to work at the data controller company on 10.12.2018 and left the said job on 30.12.2019; that when he wanted to apply to the data controller company regarding his personal data, the company did not have an application form and the means of application were not notified to him; that the obligation to inform was not fulfilled in accordance with the law; that sensitive personal data was processed without his explicit consent; that the data controller company is entered with a fingerprint and face scanning system; that different companies of the group company have branches abroad and that personal data was transferred abroad without explicit consent when the data subject visited the foreign branch; that adequate technical and administrative security measures were not taken by the data controller company; and that there is no privacy policy on the website of the data controller company; and it is requested that what is required within the scope of the Personal Data Protection Law No. 6698 (Law) be done.

  • In the concrete case, it was stated by the data controller that the application form and the clarification text were included in a social media platform that only the company personnel could access, but the application form was not included in the appendix of the defense petition, and for the clarification text only the image of its title on the said platform was included in the appendix,
  • Article 9, titled "Processing and Protection of Personal Data", of the employment contract that is attached to the defense petition and signed with the data subject, and by which the data controller claims to have fulfilled its obligation to inform, was written as a mixed text, which includes expressions for both the clarification and obtaining explicit consent from the person concerned, and which does not fully include the minimum elements that the clarification and explicit consent texts should contain,
  • Although it has been stated that the Employee Explicit Consent Text and the Employee Disclosure Text, which have been prepared separately by the data controller since July 2020, have been signed by the personnel, it has been observed that the signature of the person concerned is not present in these texts submitted to the Agency, and these documents cannot be taken as a basis for the complaint of the person concerned, 
  • It cannot be said that the decision of the person concerned whether to give express consent for the processing of sensitive personal data is based on free will, since a clause is added to the employment contract to obtain the explicit consent of the data subject, and the express consent for the processing of sensitive personal data is submitted to the data subject in conjunction with the employment contract. In this sense, the explicit consent data processing condition relied on by the data controller is unlawful, 
  • Even if the processing of personal data is carried out depending on the consent of the person concerned and for a specific purpose, express consent does not justify the collection of excessive amounts of data, accordingly, personal data is collected only for certain purposes and as needed, used where required for the purpose and not kept longer than necessary for the purpose. Accordingly, it is disproportionate to the need to ensure the security of the company employees specified by the data controller as the reason for the processing of the fingerprint and face scan data of the person concerned. Biometric data processing is not in accordance with the principle of proportionality, which is one of the general principles of the Law,
  • On the other hand, the data subject claims that his personal data was transferred abroad without his explicit consent during the period in which he went to the branch of the company located abroad, and the data controller stated in the defense petition that no personal data of the data subject was transferred abroad; the complaint petition does not include concrete information and documents about the transfer activity, and therefore there is no action to be taken within the scope of the Law in terms of these claims,
  • It is stated in the complaint petition that there is no privacy policy on the website of the data controller, that data controllers are obliged to fulfill their obligation to inform within the scope of Article 10 of the Law. There is no obligation to prepare a privacy policy by data controllers in the Law and other legislation.

based on their evaluations;

  • Considering that the clarification text added as an article to the relevant person's employment contract is a mixed text that also bears the nature of the explicit consent text, that the clarification text does not contain the minimum elements that should be included, and that the clarification is not fulfilled separately from the express consent declaration pursuant to subparagraph (f) of paragraph number ) of Article 5 of the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Clarification Obligation, to instruct the data controller that the obligation to inform be arranged in accordance with Article 10 of the Law and the Communiqué, and to inform the Board of the result,
  • On the grounds that the explicit consent text included as an article in the employment contract, which the data controller claims as a legal reason for processing biometric data, is not signed with free will, since the person concerned does not have a chance to start work without signing the employment contract, and that the purpose desired to be achieved with the biometric data used when the personnel enters and exits the workplace can be achieved by other means, the processing of biometric data on the basis of explicit consent is contrary to the principle of proportionality with the purpose set forth in Article 4 of the Law, titled "General Principles", and is in violation of paragraph (1) of Article 12 of the Law; to impose an administrative fine of 125,000 TL in accordance with subparagraph (b) of paragraph (1) of Article 18 of the Law,
  • To instruct the data controller to terminate the biometric data processing activity that is determined to have been unlawfully carried out, to destroy the said data in accordance with the provisions of Article 7 of the Law and the Regulation on the Deletion, Destruction and Anonymization of Personal Data, and to inform the Board of the result,

decided.

Conclusion:

Data controllers need to act carefully regarding biometric data processing. Particular attention should be paid to the condition of explicit consent in the processing of biometric data, and the relevant persons should be carefully informed. In addition, if personal data processing is based on the condition of explicit consent during the fulfillment of the disclosure obligation, data controllers must perform the disclosure obligation and obtaining explicit consent separately.

³ The relevant decision in its entirety: https://kvkk.gov.tr/Icerik/7286/2021-1258

Summary of the Decision of the Personal Data Protection Board dated 06/01/2022 and numbered 2022/6 on "unlawful sharing of personal data on the internet address where the registry information of the company of which the relevant person is a former partner" ⁴

In the complaint submitted to the Institution, it is stated that the website of the data controller, the Chamber of Commerce, contains the registration information of the company of which the person concerned is a former partner, with his name and surname written under the title of former partners; that he does not have any legal or administrative ties with the company and therefore does not want his personal data to be shared with third parties without his consent; and that the Chamber of Commerce stated that the request of the person concerned could not be fulfilled in accordance with the Turkish Commercial Code and the Trade Registry Regulation; and it is requested that action be taken.

Within the framework of the investigation initiated regarding the allegations in question, the data controller Chamber of Commerce was asked to defend it, and in summary, in the reply received;

  • The registration, amendment and deregistration procedures, which are subject to registration in accordance with the provisions of the Turkish Commercial Code, are made by the Trade Registry Directorates over MERSIS (Central Registry Registration System), and the texts of the registration announcements are produced in MERSIS and published in the Turkish Trade Registry Gazette, 
  • In the establishment process of limited companies, the registration of the articles of association and all partners is regulated in Article 587 of the Turkish Commercial Code, and the registration of the transitional states of shares is regulated in Article 598; in the announcements regarding the registration of limited companies' share transfers published in the Turkish Trade Registry Gazette, which are subject to registration and open to inspection by third parties, the name-surname information of the partner transferring the share and the partner acquiring the share is included, while personal data such as identity number and address information are hidden in the announcement,
  • Due to the fact that the partnership structure of the company has been registered and announced in accordance with the legislation, it is an obvious information that the person appears as a partner or former partner, and does not constitute personal data such as identity number and address,
  • In this context, the company information on the website of the data controller contains information that is allowed by the legislation under Article 35 of the Turkish Commercial Code and Article 15 of the Trade Registry Regulation, is published in the Trade Registry Gazette and is open for inspection by third parties.

expressed.

In the examination made on the subject, with the Decision of the Personal Data Protection Board dated 06/01/2022 and numbered 2022/6;

  • When the website from which the deletion of the name and surname of the person concerned is requested is examined, it is seen that an inquiry can be made from the Information Bank of the Chamber of Commerce according to company information, and that when an inquiry is made on the relevant page about the Company of which the relevant person is a former partner, information such as the company's registration number, chamber registration number, MERSIS number, company title, business address, date of registration to the chamber, capital and subject of business is displayed, together with information about the transactions registered in the registry gazette under the title of Registry and Newspaper Information, as well as information about the name, surname, position and amount of capital of the partners and former partners,
  • As stated in the complaint of the relevant person, it is seen that the name, surname and capital amount of the person concerned are displayed on the inquiry page as a former partner of the said Company,
    • In this context, it is stipulated that the trade registry shall be kept by the trade registry directorates and their branches under the supervision and audit of the Ministry of Trade; as can also be understood from the provision that the Ministry of Trade shall establish trade registry directorates to operate within the chambers of commerce and industry and the chambers of commerce in provincial centers, the trade registry directorates operate under the chamber of commerce in the provincial center,
    • On the other hand, the central common database, in which the records and the content that must be registered and announced are stored regularly and which can be presented electronically, is established at the Ministry of Trade and the Union of Chambers and Commodity Exchanges of Turkey,
    • Within the framework of the relevant articles of the Turkish Commercial Code and the Trade Registry Regulation, it is understood that everyone may examine the content of the registry and all deeds and documents kept at the directorate, that this examination may be carried out electronically and/or at the directorate, and that any change in registered facts shall also be registered; considering that the change regarding the Company's share transfer was registered in the trade registry gazette, and that the trade registry directorates responsible for keeping the trade registry operate under the chambers of commerce, it is concluded that the information in question is already available within the chamber of commerce,
    • In addition, the purpose of having information that appears in the trade registry gazette on the page of the chamber of commerce is likewise to make information on trade registry transactions more easily accessible; moreover, the information in question is accessed only by those concerned, by entering company information on the information bank platform on the page of the chamber of commerce; considering that there is no indication that the information is published for a purpose different from the purpose of its publication in the trade registry gazette, the personal data processing activity in question does not violate the principle of “being relevant, limited and proportionate to the purposes for which they are processed” in Article 4 of the Law, titled General Principles; on the other hand, the information in question is accurate, as also stated by the person concerned, and its publication is not contrary to the purpose,
    • On the other hand, as set out in the Constitution and in the Union of Chambers and Commodity Exchanges of Turkey and the Chambers and Commodity Exchanges Law, professional organizations having the nature of public institutions and their higher organizations are public legal entities established to meet the common needs of the members of a particular profession, to facilitate their professional activities, and to ensure that the profession develops in accordance with general interests,
    • As set out in the Union of Chambers and Commodity Exchanges of Turkey and the Chambers and Commodity Exchanges Law, chambers are assigned duties and responsibilities such as compiling information and news concerning trade and industry and delivering them to those concerned, providing the information requested by official authorities within the framework of the relevant laws, and in particular providing their members, upon application, with every kind of information they may need in practising their professions or facilitating its acquisition, undertaking initiatives to guide their members on electronic commerce and internet networks, and establishing and operating the necessary infrastructure on these matters,
  • When these are taken into consideration, and considering that the personal data processing activity carried out by the relevant Chamber of Commerce, by providing the opportunity to make inquiries by entering company information in the Information Bank section of the website and by facilitating access to information by placing the information in the trade registry gazette on this platform, can be evaluated within the scope of the obligations stipulated in the Constitution and in the Union of Chambers and Commodity Exchanges of Turkey and the Chambers and Commodity Exchanges Law numbered 5174, it is concluded that the personal data processing activity in question is carried out on the basis of the conditions of being clearly stipulated in the laws, in subparagraph (a) of paragraph (2) of Article 5 of the Law, and of being mandatory in order for the data controller to fulfill its legal obligation, in subparagraph (ç) of the same paragraph.

based on their evaluations;

  • In Article 7 of the Law titled "Deletion, Destruction or Anonymization of Personal Data", it is stated that "Although it has been processed in accordance with the provisions of this Law and other relevant laws, in the event that the reasons for its processing disappear, personal data may be deleted, destroyed or anonymized by the data controller ex officio or upon the request of the data subject.” It was concluded that the reasons requiring the processing of the personal data in question did not disappear, and it was decided that there was no action to be taken within the scope of the Law regarding the request of the person concerned in this regard.

Conclusion:

In the case subject to the decision, it has been observed that information such as the registry information of the company of which the relevant person is a former partner, together with his name and surname, was published even though he did not have any connection with the company. In the examinations made, when an inquiry is made on the relevant page about the Company of which the relevant person is a former partner, the company's registration number, chamber registration number, MERSIS number, company title, business address, date of registration with the chamber, capital, subject of business, and the names, surnames, duties and capital amounts of the partners and former partners are reached. However, the purpose of publishing the said data was found to be in accordance with Article 4 of the Law, titled General Principles. At the same time, since it was concluded that the data processing was carried out on the basis of the condition of being mandatory for the data controller to fulfill its legal obligation according to Article 5 of the Law, it was stated that the reasons for processing the personal data in question had not disappeared, and it was decided that there was no action to be taken within the scope of the Law.

⁴ The relevant decision in its entirety: https://kvkk.gov.tr/Icerik/7291/2022-6

