06 Jul, 2022

GRC Decision Summaries of the Month

Summary of the Decision of the Personal Data Protection Board dated 02/11/2021 and numbered 2021/1111 on "unlawfully obtaining the criminal conviction of the person concerned by the data controller, who is a lawyer, and submitting it to the court file"

As a result of the investigation carried out on the subject, with the decision of the Personal Data Protection Board (Board) dated 02/11/2021 and numbered 2021/1111;

There is no doubt that obtaining, storing, using, transferring, etc. the criminal record information of the person concerned by the data controller, whether fully or partially by automatic means or by non-automatic means provided that it is a part of any data recording system, will be considered as "processing of special quality personal data", and that such activities should be based on one of the legal reasons in Article 6 of Law No. 6698 and be carried out by taking the adequate measures determined by the Board and in accordance with the principles,

In this context, it is necessary to first consider whether the criminal record information of the data subject was obtained by the data controller in the concrete case and whether this was based on one of the legal reasons in Article 6 of the Law No. 6698; if it was obtained (and subsequently used/given) without relying on one of the legal reasons in Article 6 of the Law No. 6698, the said acts will constitute an illegal data processing activity,

From the information and documents submitted to the file and from the defense of the data controller, it is seen that the data subject has not given the data controller explicit consent for the processing of the criminal record data, and that the data controller states that "the criminal record information of the data subject was obtained from the courthouse in accordance with the Attorneyship Law, and there is no illegality in the works and transactions carried out by the parties". For the personal data processing activity carried out about the data subject, the relevant provision reads: "Personal data other than health and sexual life, listed in the first paragraph, may be processed without seeking the explicit consent of the data subject in cases stipulated by the law." Therefore, it should be clarified whether the provision of Article 2 of the Attorneyship Law mentioned by the data controller in his defense falls within the scope of the "conditions envisaged by the laws" in paragraph (3) of Article 6 of the Law No. 6698,

Based on the wording of the provisions of the aforementioned legislation, it is clear that the regulation in the 2nd article of the Attorneyship Law is a "general provision" against the "special provision" in the 7th article of the Criminal Records Law and that the lawyers are informed of the criminal record information of the persons concerned; it has been concluded that the personal data processing activity carried out by the data controller about the data subject is illegal,

The fact that the criminal record information, which is the subject of the personal data processing activities carried out by the data controller, was obtained illegally in the first place renders all personal data processing activities of the data controller illegal from the beginning, since there is no doubt that nothing legitimate can be built on an illegal activity. Based on these evaluations;

An administrative fine of 75,000 TL is imposed on the data controller pursuant to subparagraph (b) of paragraph (1) of Article 18 of the Law No. 6698,

Since it has been concluded that the personal data of the data subject has been processed illegally by the data controller from the beginning, instructing the data controller to destroy the personal data of the data subject that are kept by the data controller and related to the unlawful processing, in accordance with Article 7 of the Law No. 6698 and the Regulation on the Deletion, Destruction or Anonymization of Personal Data, and to inform the Board of the result,

Considering that the sharing of the said data may contain an element of crime within the scope of the provisions of the Turkish Penal Code No. 5237, it has been decided to inform the person concerned that an application can be made to the Office of the Chief Public Prosecutor in order to take action in this regard.

Conclusion: 

The cases in which the express consent of individuals is required in order to process their criminal records are specified in the Personal Data Protection Law No. 6698 and the Judicial Registry Law No. 5352. In the concrete case, although it is stated that the criminal records were obtained in accordance with the Attorneyship Law, it is stated that the regulation in the 2nd article of the Attorneyship Law is a "general provision" against the "special provision" available in the 7th article of the Criminal Records Law, and it has been concluded that it does not authorize access to the registry information ex officio. It is important that data controllers correctly determine the situations in which data can be processed without express consent and act according to the situations specified in the Law No. 6698, in order not to be penalized by the Board.

To reach the full decision;

https://www.kvkk.gov.tr/Icerik/7266/2021-1111 

Summary of the Decision of the Personal Data Protection Board dated 11/11/2021 and numbered 2021/1153 on the "processing of personal data by sending an SMS with advertising content to the person concerned by the data controller selling medical products"

In summary, in the complaint submitted to the Institution, the person concerned stated that a commercial electronic message with advertising content was sent by a data controller selling medical products to his mobile phone number, which is his personal data; that he then declared that he had not given express consent for the processing of his personal data and applied to the data controller with a petition requesting the deletion of his personal data and information about how his personal data was obtained; and that, in its response, the data controller stated that it did not have any data of the person concerned other than the phone number, that the mobile phone number in question was the contact information of another patient registered with the data controller, that this patient had consented to receive advertising and promotional messages, and that the relevant patient was thought to have given the number of the person concerned inadvertently. However, the person concerned stated that this answer given by the data controller was insufficient and that the approval mechanism was carried out without verification, pointed to the negligence of the data controller in the aforementioned event, and requested that the necessary action be taken.

As a result of the evaluation made on the subject, with the Decision of the Personal Data Protection Board dated 11/11/2021 and numbered 2021/1153;

When the application submitted by the data subject to the data controller is examined, it is seen that the name, surname, signature, address and contact information are included, and that there will be no case of not being able to identify the person concerned, since the person concerned does not have any record with the data controller,

It is understood from the information on the said document that this sale was made in 2019 and that the mobile phone number of the person concerned is included as the contact information,

Although the mobile phone number in question belongs to the person concerned rather than to the aforementioned customer, this situation was not known to the data controller and the said number was processed as data related to the said customer; therefore the mobile phone number of the data subject was not processed in the records of the data controller as data associated with him, and it was concluded that the incident subject to the complaint occurred as a result of the customer reporting the wrong number by mistake,

From the petition signed by the customer specified by the data controller, it is understood that he has given express consent to electronic messages being sent to him for advertising and marketing purposes,

Although the response of the data controller to the Authority included a screenshot of the relevant list and stated that the number in question was put on a "black list" upon the application of the data subject, the personal data processing activity was continued by blacklisting the processed personal data without relying on any data processing condition, and it was concluded that the personal data subject to the complaint of the person concerned was not destroyed in accordance with Article 7 of the Law. Based on these evaluations, it was decided that there was no action to be taken against the data controller under the law.

Conclusion: 

Article 13 of the Law, titled "Application to the Data Controller", stipulates that the data subject will submit his/her requests regarding the implementation of this Law to the data controller in writing or by other methods to be determined by the Board, and that the data controller will conclude the requests in the application as soon as possible and within thirty days at the latest, free of charge, depending on the nature of the request, accept the request or reject it by explaining the reason, and notify the relevant person in writing or electronically. It is stated in the law and the related communiqué that the conclusions to be made must comply with the law and the rule of honesty, and that all administrative and technical measures should be taken by the data controllers.

To reach the full decision; 

https://www.kvkk.gov.tr/Icerik/7268/2021-1153 

