Summary of the Decision of the Personal Data Protection Board dated 10/03/2022 and numbered 2022/224 on “sharing the phone number of the person concerned with third parties by a bank's call center”¹
A third person's card is found at the Bank's ATM by the person concerned, then the call center of the bank is contacted, the call center officer suggests that the card be received from the person concerned by sharing the phone number of the person concerned with the third person who has the card, After the person concerned did not consent to the solution proposal and the call center officer requested that the card be handed over to the security officers at the airport, the person concerned handed over the bank card to the officials, but later on, a message was sent to the person concerned by the cardholder via his personal phone number, the processed data was sent to the person concerned via his personal phone number. We are open to the transfer of the data, that it is understood that the message was sent, that the processed data was transmitted to the cardholder without the explicit consent of the person concerned, that the relevant person was not informed about the processing of the name, surname and phone number, and that the data was transferred. The Board requested a defense from the data controller in the application for the data controller to take necessary action against the Bank, stating that he did not show a, and in summary, in the defense letter given by the data controller;
- Identity data, communication data and voice recording data; Identity data and contact data regarding the application submitted by the Bank using the contact us section on its website; From the petition sent by the Bank to its branch, the information in the petition and the identity data are processed by the Bank,
- In applications submitted using the 'Contact Us' section of the website, where the Bank's clarification text is accessible to everyone, with the box "I have read and understood the Information provided under the Law on Protection of Personal Data", when the Call Center is called, the first thing that is lost/stolen/suspicious is the box. In the application created by the relevant person through the "Call Center" and in the "Contact Us" section of the Bank's website, where the relevant person is directed to the transaction menu on obtaining information on the Protection of Personal Data along with the transaction notification transactions, the KVKK clarification text is presented to the relevant person through the call center, but the customer prefers not to listen. Pursuant to Article 10 of the Personal Data Protection Law (Law) No. 6698, the obligation to inform regarding the processing of data has been fulfilled,
- Personal data belonging to the cardholder were shared verbally, after the customer representative answered "ok" to the information given by the customer representative that "I will inform the cardholder that you found the card", during the meeting with the call centers to inform the person concerned that their customers have found the bankomat card,
There are expressions.
In the examination made on the subject, the Board Decision dated 17/03/2022 and 2022/243;
- In the 10th article of the Law titled Data Controller's Obligation to Disclose, the data supervisor or the person authorized by him/her during the acquisition of personal data; It is regulated that the data controller and its representative, if any, are obliged to provide information about the identity of the personal data, for what purpose the personal data will be processed, to whom and for what purpose the processed personal data can be transferred, the method and legal reason for collecting personal data, and other rights listed in Article 11,
- In the Communiqué on the Procedures and Principles to be Complied with in Fulfilling the Disclosure Obligation, the procedures and principles to be complied with within the scope of the disclosure obligation by the data controllers or authorized persons are determined, in paragraph (1) of the 5th article of the said Communiqué; d) clause; “Fulfillment of the obligation to illuminate does not depend on the request of the person concerned.” e) clause; “Proof of fulfillment of the obligation of clarification belongs to the data controller.” the provision,
- In the concrete case, when the bank was contacted through the call center, it was determined that the KVKK clarification text was presented to the caller, and from the documents transmitted by the data controller; When applying from the contact us section of the website of the data controller of the data subject, I have read the Information made within the scope of the PDPL, I understood the box, and it is understood that the Bank has fulfilled the obligation of disclosure by the data controller,
- In the concrete case, “... I ensure the security of the card. I took note of the necessary information, I will contact the customer himself and let him know that you found the card.” It has been concluded that the data controller has been involved in processing personal data in violation of the Law, since the explicit consent obtained by the data subject responding as "ok" does not contain the elements of the form of obtaining explicit consent, which is regulated in the Law,
- Since it is understood by the data controller that data processing is carried out by disclosing personal data without any of the processing conditions in Article 5 of the Law apply, "Preventing unlawful access to personal data" and "To ensure the protection of personal data" in Article 12 of the Law. ” is acted against its obligation,
based on their evaluations;
- "Within the framework of Article 12 of the Law, administrative sanctions are imposed on the data controller within the scope of Article 18 of the Law, due to the failure to fulfill its obligations duly in order to prevent the unlawful processing of personal data processed by the Bank within its body and to ensure its preservation,
- Regarding the claim that the obligation to inform is not fulfilled; When contacting the bank via the call center, it is determined that the KVKK clarification text is presented to the caller. At the same time, when applying from the 'Contact Us' section of the data controller's website, in the documents sent by the data controller, "I have read and understood the Information provided under the Personal Data Protection Law. It can be summarized as follows: "Considering the points in which the "box" was checked, there is no action to be taken regarding the claim in question within the scope of the Law, since it is understood that the data controller bank has fulfilled its obligation to inform.
Conclusion:
Even if the data controller has fulfilled his obligation to inform the data subject in accordance with the regulations established by the legislation and the Board, he must take all necessary administrative and technical measures in accordance with his primary obligation to prevent the unlawful processing of personal data processed in accordance with its obligations in Article 12 of the Law and to ensure its preservation.
¹ The entire relevant decision: https://kvkk.gov.tr/Icerik/7296/2022-224
Summary of the Decision of the Personal Data Protection Board dated 18/01/2022 and numbered 2022/31 on "The processing of the personal data of the data subject for the purpose of sending commercial electronic messages without the express consent of the data controller operating in the health sector"
Within the framework of the investigation initiated on the subject, the defense of the data controller was requested.
The e-mail address of the person concerned is obtained as a result of his application to the branch of the data controller and this information is recorded in the Hospital Information Management System (HBYS) during the patient registration process,
The e-mail address of the relevant person is transferred to the Social Security Institution (SGK) systems through the HIMS and MEDULA software, which is the communication medium between hospitals,
As stated in the response to the application of the person concerned, the e-mail sending in question was caused by a temporary lack of coordination between the units and was inadvertently made without the consent of the person concerned,
In order to prevent the current situation from recurring, the e-mail address of the person concerned has been removed from the list of persons who have approved the sending of commercial electronic messages, upon his request, and it is promised that no more e-mail will be sent to the person concerned,
However, a new system will be put into use in the future to verify the e-mail address provided by the relevant persons to the hospital,
Apart from all these; The clarification text, which deals with the processing of the personal data of the patients visiting the hospitals of the data controller in detail, is made more comprehensive and published on the website of the data controller, the Guest Communication Open Consent Statement document, which allows communication with the relevant persons for advertising purposes, is prepared and presented to the relevant persons,
All policies, especially the Personal Data Processing and Disposal Policy, are updated in line with new needs.
specified.
As a result of the investigation carried out on the subject, with the Decision of the Personal Data Protection Board dated 18/01/2022 and numbered 2022/31;
Regarding the complaint of the person concerned, the data controller informed that the e-mail address of the person concerned was obtained during the application made by him to the branch of the data controller, while the patient record was opened,
Although it is lawful for the data controller to provide contact information from the person concerned when opening the patient record, it is seen that the relevant provision is violated due to the fact that personal data is processed by sending a commercial e-mail to the e-mail address for the purpose of obtaining them at the time they are obtained, without connection,
based on their evaluations;based on their evaluations;
Although it is lawful to provide the personal data of the data subject by the data controller, it is stated that the data processing activity complained of is unlawful due to the fact that the personal data is not used for the purposes of obtaining it, and in this context, the data controller makes advertisements to the e-mail address of the data subject without a data processing condition. Due to the processing of personal data by sending notifications for marketing and marketing purposes, the data controller, who is deemed to have not taken the necessary measures to ensure the appropriate level of security in order to prevent the unlawful processing of personal data within the framework of subparagraph (a) of paragraph (1) of Article 12 of the Law No. It was decided to impose an administrative fine of 100.000 TL against him within the scope of subparagraph (b) of paragraph (1) of Article 18 of the Law No. 6698.
Conclusion:
Personal data must be processed in accordance with certain principles specified in the Law. Since the use of personal data for purposes other than processing is against the principle of "proportionality", this issue is important for data processors. In the concrete case, although the personal data was obtained in accordance with the law, it is prohibited by the Law to use it other than for the purpose of collection.
Summary of the Decision of the Personal Data Protection Board dated 24/02/2022 and numbered 2022/172 on the "request of special quality personal data from candidates during the recruitment process by the liaison office of the data controller residing abroad in Turkey"
In summary, in the complaint of the person concerned about the liaison office in Turkey of the data controller residing abroad;
- When the person is admitted to the job, the liaison office of the data controller asks for criminal record, health report, lung film report, blood group certificate, photocopy of driver's license, photocopy of marriage certificate and identity card photocopy of family members and these documents are delivered by the person concerned,
- The liaison office did not obtain explicit consent from the data subject regarding the processing of the aforementioned special categories of personal data, and the plurality of processed data categories contradicted the general principles in Article 4 of the Law,
- Due to the fact that the data controller is a resident abroad, the personal data of the data subject may also be transferred abroad,
and requested the necessary action to be taken.
Within the framework of the investigation initiated on the subject, the data controller was asked to defend it with a letter written to the liaison office in Turkey, and in summary, in the reply received;
- The complainant is the liaison office of the foreign origin data controller in Turkey and does not have a separate legal entity and commercial activity in accordance with the legal establishment principles,
- The personal data subject to the complaint of the person concerned is obtained from the person concerned within the scope of the workplace personnel file, since the person concerned is an employee of the data controller residing abroad, and in this sense, it is not possible to mention a situation such as the transfer of the personal data abroad without permission,
- The personal data subject to the complaint is kept as a personal file in accordance with the law under the responsibility of the liaison office complained of during the employment contract, as per the employment contract, and the personal data in question is destroyed in the records of the liaison office and foreign units, following the termination of the employment contract,
statements and claims. As a result of the examination carried out by the Board on the subject, with its decision dated 24/02/2022 and numbered 2022/172;
- The main purpose of the Law is to protect the fundamental rights and freedoms of individuals, especially the privacy of private life, in the processing of personal data, and to regulate the obligations of natural and legal persons who process personal data and the procedures and principles to be followed,
- On the other hand, Article 2 of the Labor Law No. 4857 (“Law No. 4857”), titled “Definitions”, states that “A natural person working on the basis of an employment contract is an employer, a real or legal person employing workers or institutions and organizations without legal personality; The relationship established between the employer and the employer is called a business relationship, and the liaison offices are in the status of "workplace" according to the Law No. 4857,
- Article 6 of the Implementation Regulation of the Foreign Direct Investments Law, titled “Liaison Office Establishment”, states that “The Ministry is authorized to grant permission to companies established in accordance with the laws of foreign countries to open liaison offices in Turkey and to extend the duration of these permits…” is in command,
- In the concrete incident, it is seen that the party complained of is the liaison office of the data controller, a legal entity residing abroad, and according to the information obtained from the website of the data controller, the data controller was purchased by a software company based in another country, in this case the Turkey Liaison Office of the data controller; It does not carry out commercial activities in Turkey, has no legal personality, is a liaison office only engaged in "Communication and Information Transfer" activities and is subject to foreign capital legislation,
- It is understood that the investors specified in the Law No. 4875 will gain the title of employer in terms of labor law, and thus the employer who employs the liaison office employees and therefore the person concerned; the data controller will be the data controller himself, not the liaison office,
- In the concrete case, it was concluded that the title of "data controller" can be attributed to the data controller residing abroad and having a legal personality, not to the Turkish Liaison Office of the data controller residing abroad,
- In the notification sent by the person concerned, it is seen that the company manager of the data controller is included with the title of "authorized", and that the company manager is authorized on behalf of the data controller with a power of attorney approved and issued by the authorized notary of the place of residence abroad, in this case, the Liaison Office representative and the employer's representative of the data controller. the notification made through the website is legally valid and valid, and the data controller must also respond to it,
- It is not possible for the data subject not to think that the personal data in the form of information and documents obtained from him in accordance with the foreign legislation to which the data controller is subject will be processed abroad, while making a business contract to work within the body of the data controller of foreign origin,
- Although it is claimed by the data controller that all personal data of the person concerned was destroyed at the company headquarters and liaison office, a document supporting this was not submitted to the Authority,
Based on their assessment,
- In the concrete case, the title of "data controller" belongs to the company based abroad, not the liaison office,
- Since the director of the liaison office is also the representative of the employer of the data controller, the notification made by the person concerned to the liaison office is legally valid and valid,
- In the concrete event that constitutes the subject of the complaint, it is not illegal to transfer data abroad, the personal data of the data subject is obtained through the contract concluded by the data controller residing abroad, within the scope of the business relationship, in accordance with the law of the country of residence, but in sufficient explanations to the relevant person and the Board regarding the provisions of this legislation. not found,
- Bahse konu iş akdinin ifası için ilgili kişiye ait kişisel verilerin yurt dışında işlenmesinin gerektiği ve bunun yegâne yolunun da ilgili kişinin açık rızasının alınması olduğu anlaşıldığından, ilgili kişiden alınan açık rızanın hukuka uygun olduğu,
As it is understood, the data controller;
- “The persons concerned should show the utmost care and diligence regarding their applications,
- It has been decided to instruct the relevant person to inform the Board of the result of the transaction with a document proving this matter by forwarding the document showing that the personal data of the person concerned has been destroyed at the company headquarters and liaison office.
Conclusion:
Since the liaison offices of data controllers residing abroad within the borders of Turkey will be considered workplaces in accordance with the relevant legislation, data controllers residing abroad must comply with the relevant legislation in the data they process through their liaison offices. Although it is logically understood that the processed data will be transferred abroad, it is necessary to comply with the relevant legislation and the rules stipulated by the Board during this transfer phase. After complying with the rules of transfer abroad, a policy containing information about how/for how long the processed data will continue to be processed after the purpose of processing the data, such as the data storage destruction policy, should be prepared, and the procedures should be documented by complying with the deadlines in the prepared policy and it should be protected against possible audit by the Board. must be kept available.
² The relevant decision in its entirety: https://kvkk.gov.tr/Icerik/7294/2022-172
Summary of the Decision of the Personal Data Protection Board dated 07/07/2022 and numbered 2022/662 on "The processing of the 'hand geometry' information of the person concerned by the data controller in order to enter the service building of an enterprise without obtaining explicit consent" ³
In order to enter the service area of the relevant person while registering for a business, the palm and fingerprint information is scanned by the relevant company officials and these data are processed in the company records, the service area is provided by putting the hand of the service recipients on the device and typing the given password, therefore, the person concerned has a legally valid opening. It was requested that the necessary action be taken, stating that the palm and fingerprint were scanned without his consent, that after the contract was terminated, he applied to the data controller company in accordance with the Personal Data Protection Law No. . A defense was requested from the data controller by the Board regarding the incident subject to the complaint, and in summary, in the reply letter received;
- The hand, which is read by the device called Hand Geometry Terminal, pays attention to points such as the length of the fingers, the distances between the junction points, the geometry of the playful places in the fingers, the geometric structure of the hand, the dimensions of the fingers and bones can be measured according to a formula in three-dimensional environment, and only the upper part of the hand placed on the device can be measured. The device is scanned, there is no mechanism in the device to scan the inside of the hand where the fingerprint or palm print is found, in other words, the measurements of the hand of the person are scanned by the device, just like measuring the height of a person,
- The fundamental difference of the concept of hand geometry from finger or palm print is that although finger or palm print is personal, hand geometry does not have such a personal feature. In this case, when evaluated within the scope of KVKK, finger or palm print is special quality personal data because it is personal to the person, while hand geometry is only a personal data because it may be the same for two other people, in other words, hand geometry is the age, name of the person. is a personal data such as surname, contact number,
- Since the hand geometry does not make the person directly identifiable, there is a need for matching by entering the passwords of the people themselves after reading the hand geometry to the device,
- Claims that the company has obtained fingerprints or palm prints from its subscribers are completely untrue,
expressed. As a result of the examination of the Board on the subject, with its Decision dated 07/07/2022 and numbered 2022/662;
- It is necessary to determine the nature of the personal data subject to the complaint and whether it is special quality personal data, as a matter of fact, in the reply letter received from the data controller; Since the device saves the "hand geometries" of the people to the system, unlike the palm or fingerprint acquisition, the information recorded by the device is "hand geometry" information that does not have biometric quality, and there is a possibility that another person may have the same information as the age, name of the person in question. It is stated that it is a personal data such as surname, contact number,
- The Biometric Hand Terminal system scans the hand from 31,000 points in three dimensions, analyzes the characteristics of the hand and fingers, pays attention to points such as the length of the fingers, the distances between the junction points, the geometry of the joints in the fingers, and the geometric structure of the hand, the dimensions of the fingers and bones in a three-dimensional environment. It has been determined that information can be measured according to the formula, it is also emphasized in the explanations that the indispensable feature of biometric systems is to get correct results, that there is a 9-character code for each hand in hand geometry, each of these 9 characters contains a total of 36 possibilities consisting of 10 numbers and 26 letters, that is, the system is not mistaken. As for how the verification process is done, it is stated that the probability is 1/36x36x36x36x36x36x36x36x36 = 1/101.559.956.668.416; Although it is stated by the data controller that there is a secondary verification with a password due to the possibility of pairing with another person, in the explanations regarding the device, it is stated that the verification takes place in less than 1 second as soon as the person calls his/her own image by entering the code first and puts his/her hand under the device,
- In the Decision No. 2014/4562 of the 15th Chamber of the Council of State; It is stated that biometric methods refer to authentication techniques that can be automatically verified and performed through measurable physiological and individual characteristics, and these methods include fingerprint recognition, palm scanning, hand geometry recognition, iris recognition, face recognition, retina recognition, DNA recognition. ,
- On the other hand, in the decision of the Constitutional Court dated 10/03/2022, application number 2018/11988, that the right to demand the protection of personal data within the scope of the right to respect for private life has been violated due to the fingerprint registration system; Article 6 of the Law No. 6698 states that the processing of special quality personal data by counting as a restriction is subject to more stringent conditions than general quality data, and that biometric data, which is considered as special quality personal data, is "a process that enables a person to be separated from other persons and to identify the person himself, It is considered as "special quality personal data due to its importance because it contains biological or behavioral information belonging to the person", and at the same time, if there is a legitimate purpose for the use of biometric methods, there is no other way suitable for realizing this purpose with less interference to rights and freedoms. He pointed out that constitutional guarantees that will protect the rights and freedoms of the employee should also be provided by the administration in case the methods including the processing and sharing of personal data are used in the workplace,
- Veri sorumlusu tarafından el geometrisi bilgisinin parmak izi gibi kişiye ait bir özelliğinin bulunmadığı başka bir kişi ile aynı olmasının mümkün olabileceği ifade edilse de cihaz aracılığıyla elin 31.000 noktadan üç boyutlu olarak taranarak elin ve parmakların analizinin yapıldığı, ilgili kişiyle eşleşmeye ilişkin yanılma oranının çok düşük olduğunun matematiksel olarak açık ve net olduğu dikkate alındığında fizyolojik özellik aracılığıyla gerçekleştirilen ve otomatik şekilde doğrulanabilen bir kimlik denetleme yöntemi olduğu, sonuç olarak, veri sorumlusu tarafından hizmet abonelerinin ve ilgili kişinin el geometrisinin çıkarılması suretiyle biyometrik bir yöntemle kimlik doğrulaması yapıldığı, bu anlamda özel nitelikli kişisel veri işlendiği sonucuna varıldığı,
- Veri sorumlusu bünyesindeki hizmet binasına girişlerde denetimin sağlanması amacıyla özel nitelikli kişisel verilerin işlenmesine ve bu bağlamda biyometrik veri bazlı sistemlerin kullanılmasına dair herhangi bir hukuka uygunluk nedeni olmadığı, bu çerçevede ilgili kişinin özel nitelikli kişisel verisinin 6698 sayılı Kanun’da yer alan herhangi bir işleme şartı mevcut olmaksızın işlendiği sonucuna varıldığı,
based on their evaluations;based on their evaluations;
- “Without any of the processing conditions in Article 6 of the Law, the "hand geometry" information in the biometric data category of the person concerned is processed by the data controller, therefore, by the data controller according to Article 12 (1) of the Law. In terms of the violation of the obligation in paragraph numbered, the unfair content of all these issues and the fault, the fault of the data controller and the economic situation; Considering the fact that the personal data subject to the complaint is sensitive personal data, that the sensitive personal data of other subscribers are processed in violation of the Law, a large number of people are affected, and that it interferes with the right to protect personal data, Article 18 of the Law (1 Administrative fine of 100.000 TL is imposed on the data controller pursuant to subparagraph (b) of paragraph no.
- Pursuant to the request for deletion of the personal data of the data controller within the body of the data controller, it is not physically possible to send a document regarding the deletion process, since the hand geometry data of the person concerned is promptly deleted following the termination of the membership of the person concerned, and since the hand geometry information is saved on the device and deleted from the device again. to inform the data subject that the deletion request has been fulfilled and that the personal data in question has been deleted, based on the declaration of the data controller,
- The application of special quality personal data processing as biometric data for the purpose of entry is stopped within the scope of the 7th paragraph of the 15th article of the Law, To promptly destroy the data in accordance with the provisions of the Regulation on the Deletion, Destruction or Anonymization of the Data, if the relevant special data is transferred to third parties, to promptly notify the third parties to whom these data have been transferred, and to inform the Board of the results of the transactions. to the instruction of the data controller”
form has been decided.
Conclusion:
It is clearly seen in the Law that biometric data is a special quality data. Although this issue was not clearly understood at first, it became clear with the guides and decisions that the Board shared as a result of its studies. Even though it is called a hand geometry terminal, the use of tools that measure the hand of the person from 31000 different points shows that special data are processed that will make the person concerned identifiable. Thus, if the data controllers have special data processing purposes; The description of the work done by the personnel working on this subject and the place of work are important. If the employee is not in a critical task on behalf of the company, the biometric data of the person should not be processed. In addition, it should not be kept as a necessity in order to start/continue the work in which the biometric data will be processed in the form of palm/fingerprint processing. Even if the person is in a critical task or in a normal duty, if he does not expressly consent to the processing of his biometric data, which is put forward as a condition, a different method should be presented and the data should be processed in that way.
³ The relevant decision in its entirety: https://kvkk.gov.tr/Icerik/7399/2022-662
Summary of the Decision of the Personal Data Protection Board dated 05/07/2019 and numbered 2019/198 on the "notification of the data subject that personal data is being processed unlawfully by the data controller within the scope of a loyalty program"4
In summary, in the petition submitted to the institution; It was stated that a special discount was applied to the loyalty card for some products sold in the store of the data controller, thus special discounts were made conditional, the personal data of the customer was requested for membership in the loyalty program and the supply of the card, and express consent was imposed as a condition, and the data controller was notified.
- Within the framework of the information contained in the petition, which is the subject of the notice, it is understood that the price of the product, which is 99.99 TL, is determined as 79.99 TL within the scope of the loyalty card special discount and offered for sale,
- The opportunity to shop from the stores of the data controller is not eliminated for the data controllers who do not want to be included in the loyalty card program and/or do not want to give express consent within the said program,and sales are continued at non-discounted prices to customers who are not members of the loyalty program,
- Offering products/services at a discount with additional benefits within the scope of the loyalty program does not mean that express consent is imposed as a condition.
based on their evaluations;based on their evaluations;
- The fact that the products or services offered in the stores of the data controller are offered with an additional benefit, within the campaigns and at the special discounted prices for the loyalty program of the data controller company, the express consent is imposed as a condition and in this sense, the express consent of the data subject is offered or benefited from a product or service. Since it cannot be accepted as a precondition for the petition, there is no action to be taken within the scope of the provisions of the Law regarding the petition in question.
decided.
Conclusion:
In accordance with the provision of subparagraph (a) of paragraph (1) of Article 3 of the Personal Data Protection Law No. 6698, there are three elements of express consent: being related to a specific subject, being based on information, and being disclosed with free will. In order to send electronic commercial messages within the scope of the loyalty program, approval must be obtained in accordance with the draft Loyalty Guide published by KVKK. In addition, the Authority stated that the processing purpose of the processing of personal data to recognize the customer and the processing for sending commercial electronic messages is different. In this context, the data controller should make an assessment as to whether the contact information of the person who is a member of the loyalty program can be used to send commercial messages.
4 The relevant decision in its entirety: https://kvkk.gov.tr/Icerik/7348/2019-198
To request a quotation for the following: Cyber Security, Digital Transformation, MSSP, Penetration Testing, KVKK, GDPR, ISO 27001 and ISO 27701, please click here.