“About the processing of personal data by sending a lien notice to the person who is a relative of the debtor by the lawyer of the bank” Summary of the Decision of the Personal Data Protection Board dated 21/10/2021 and numbered 2021/1069
In summary, in the complaint of the person concerned, submitted to the Institution; As a relative of the debtor, with the attachment notice sent to him by a Bank lawyer within the scope of paragraph (1) of Article 89 of the Execution and Bankruptcy Law, he determined that his personal data were shared with the third parties included in the notice without his explicit consent, and he informed both the Bank and the Bank regarding this matter. It was stated that the Bank's lawyer was consulted and it was requested to take necessary action against the data controller.
As a result of the examination on the subject, with the Decision of the Personal Data Protection Board dated 21/10/2021 and numbered 2021/1069;
In the concrete case, it is seen that the data controller is the Bank's Lawyer, since the third parties included in the attachment notice issued within the scope of paragraph (1) of Article 89 of the Execution and Bankruptcy Law were notified to the enforcement office by the creditor's representative,
To fulfill the obligations arising from the Enforcement Bankruptcy Law and secondary legislation in terms of the obligations arising from the Attorneyship Law and the enforcement proceedings it carries out, in order to protect the rights and interests of the Bank, in sending the 89/1 attachment notice to the relatives of the debtor party on behalf of the Bank, where the data controller is his representative. Based on the evaluations, it is concluded that it is legal to process the personal data processed in this context, without the explicit consent of the person concerned, within the framework of paragraph (2) of Article 5 of the Law;
Since the bank is not a data controller in the concrete case, there is no action to be taken against it within the scope of the Law,
Processing the name, surname, identity number and address information of the person concerned in order to send a lien notice to third parties within the scope of paragraph (1) of Article 89 of the Execution and Bankruptcy Law for the establishment of the transactions that the lawyer is obliged to carry out in order to collect the receivables of the bank he represents Since it is considered to be in compliance with the Law within the scope of "the provision that data processing is mandatory for the establishment, exercise or protection of a right" in subparagraph (e) of paragraph (2) of Article 5 of the Law, the Law also applies to the Data Controller Lawyer in relation to the complaint in question. It has been decided that there is no action to be established within the scope of
Conclusion:
Considering the case, it is among the obligations of the bank lawyer to send a lien notice to the relevant person in accordance with the Enforcement-Bankruptcy Law and the Attorneyship Law. The fact that the data controllers know the conditions in the law well enables them to act more lawfully in their work. In accordance with the 2nd paragraph of the 5th article of the Law, the fact that the express consent was not obtained was considered lawful for the reasons listed, but the condition of explicit consent is an important issue that should be evaluated well, especially for banks, on the basis of each case. As a result of data processing activities carried out without express consent, data controllers may face major criminal sanctions.
In order to reach the continuation of the decision; https://kvkk.gov.tr/Icerik/7262/2021-1069
Summary of the Decision of the Personal Data Protection Board dated 02/11/2021 and numbered 2021/1104 on "The unlawful processing of personal data by the Bank by sending an SMS to the mobile phone number of the person concerned"
In summary, in the complaint of the person concerned, submitted to the Institution; The data controller made a request from the Bank for the deletion of his data, in the reply given by the Bank it was stated that the necessary actions were taken in this regard, however, information messages were sent from the Bank via SMS and e-mail and the Bank was applied for in this regard, and in the reply given, "About Commercial Communication and Commercial Electronic Messages". It was stated that the regulation of the “Regulation” was given as a justification, and it was requested that necessary action be taken about the data controller.
The customer relationship between the Bank and the related person started in 2005, and the active products at the Bank were closed on 03.08.2019, upon the request of the relevant person,
The phone number information given by the person concerned to the Bank, of which he is a customer, in order to be reached in his own business and transactions, has been closed, in other words, his accounts with the Bank have been made passive, and the Bank has replied to the person concerned that personal data will not be processed for purposes other than storage. Despite, the processing of the personal data of the data subject by sending an SMS for a purpose other than the one originally received by the data controller serves a different processing purpose,
As a result of the evaluation together with the documents submitted by the data controller, the 10-year storage period stipulated in Article 42 of the Law No. 5411 and the principle of “Preservation for the period required by the relevant legislation or for the purpose for which they are processed” specified in Article 4 of the Law No. 6698. Considering that the last transaction of the relevant person at the bank was the closing of the active products carried out on 03.08.2019, and therefore, the 10-year period has not passed since the last transaction date; It is not against the law that the data controller does not fulfill the request for deletion, since the reasons requiring the processing of the personal data of the data subject have not yet disappeared,
Regarding the period when the SMSs subject to the complaint were sent, within the scope of the fight against the new type of Covid 19 epidemic, the Ministry of Interior's 81 Provincial Governorships, 30 provinces with metropolitan status and Zonguldak were sent to the streets between 24.00 on 30.04.2020 and 24.00 on 03.05.2020. It is seen that the Circular of Curfew, dated 03.04.2020 and numbered 6235, regarding the implementation of the curfew, was sent to the list of those exempted from the curfew, provided that the minimum number of information processing centers and employees of institutions, organizations and businesses that have a wide service network throughout the country, especially banks.,
Considering that, despite the Bank's response to the person concerned that personal data will not be processed for purposes other than storage, regarding the request for the deletion of the personal data of the data subject, the Bank's processing of the personal data of the person concerned by sending an SMS for informational purposes is not based on any processing condition set forth in Article 5 of the Law.,
It has been decided to impose an administrative fine of 50.000 TL, within the scope of subparagraph (b) of paragraph (1) of Article 18 of the Law, for the data controller who does not fulfill his obligations in paragraph (1) of Article 12 of the Law.
Conclusion:
In the concrete case, although the customer closed his bank account in 2019, he continued to receive messages from the bank. Considering the defense of the bank, although it is said that messages were sent to inform all old and new customers, especially during the Covid-19 period, in the concrete case, there is no processing condition specified in Article 5 of the Law, in the processing of the personal data of the person concerned by transmitting informational messages, /b> on the other hand, considering that the processing is in violation of the obligation to comply with the principles of "processing for specific, clear and legitimate purposes" and "being connected, limited and proportional to the purpose for which they are processed" in the processing of personal data in Article 4 of the Law. It has been concluded that in accordance with subparagraph (a) of paragraph (1) of Article 12 of the Law, the data controller has not taken all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of personal data.
To reach the full decision; https://kvkk.gov.tr/Icerik/7263/2021-1104
Summary of the Decision of the Personal Data Protection Board dated 02/12/2021 and numbered 2021/1217 on "The allegation that an untrue, dishonorable and dishonorable television report was made about the person concerned by using the photographs of the concerned mother and her child with the title of concerned person"
In the Main News program, which is the subject of the application, photos of the person concerned and their child are used, it is stated that the person concerned has a son and a daughter from his first marriage, has been married to someone else for six years and his son from his first marriage stabbed the person concerned, one of the knife blows came to the heart of the person concerned. The broadcast containing the statements that he fought the war and the murderous son was arrested,
It is clearly against the law that the person concerned is not residing in the province where the incident took place, that he is not divorced from his wife, that he was not stabbed, and that the incident in question is not about the person and his child, and that the photograph taken from the Facebook page of the person concerned is used and disseminated for purposes other than the purpose of false news. is inconsistent,
A criminal complaint was filed with the Office of the Chief Public Prosecutor on the grounds that the crimes regulated in Articles 132 to 138 of the Turkish Penal Code No. 5237 were committed due to the news made with the photograph used unlawfully,
Within the framework of the investigation initiated based on the complaint;
The media company was asked to defend itself, and their broadcasts and activities were established under the Law No. 6112 on the Establishment and Broadcasting Services of Radio and Television, operating in the field of private television broadcasting. They are a company subject to the control of (RTÜK),
Within the scope of the complaint petition summarized in the letter of the Institution sent to them, it is stated that the photo in the news is on the Facebook page, which is understood to be open to everyone, therefore, it is clear that the photograph in question was not obtained illegally or is not a confidential data, that the photos were published completely closed,
In the concrete case, it is stated that there is a conflict between the Law No. 6698, which is a general law, and the Law No. 6112, which is a special law, but that Law No. 6698 cannot find an area of application regarding the news subject to the complaint, and this situation indicates that there is a conflict between the Law No. 6698 and the Law No. It was stated that the full exception brought by the article should be accepted as a manifestation of the hit once again.
As a result of the examination carried out on the subject, with the Board's decision dated 02/12/2021 and numbered 2021/1217;
When the information and documents submitted to the file are considered in the light of the provisions of Articles 1, 2, 3, 4, 5, 6 and 8 of the Law No. 6698; The name and surname information of the person concerned and a photograph of the person and child of the person mentioned will have the quality of "personal data" since they make the identities of the persons named definite or identifiable, and that the name and surname of the person concerned will also have the characteristics of the person concerned and the Law No. 6698. Recording, storing, publishing, etc., of the child's photograph of the person, who is the person concerned, within the scope of the provisions of the media company. being subject to acts will constitute a "personal data processing activity" in accordance with Law No. 6698, and the media company carrying out the said personal data processing activities will be "data controller" before Law No. 6698,
The fact that the photograph of the persons concerned was published by blurring/icing by the media company does not remove the personal data nature of the aforementioned photograph, since it is possible to identify the persons concerned in case the blurred/frosted photograph and other information such as "name and surname" are combined/matched. , because it is possible to access the unblurred/unfrosted version of this photo when a search is made on the name and surname information of the person concerned, as well as the search engines and/or the social media platform called Facebook – as indicated in the information and documents submitted within the scope of the file,
The media company said, "the content of the news is based on the information received from agencies such as DHA, İHA and AA, as well as the research and interviews conducted at and around the crime scene; Even though the media company made a defense against it, it was seen that the name of the victim woman was written correctly in the news (belonging to the İHA and DHA news agencies), which was again shown to the Agency by the media company and shown as the source of the news,
Therefore, it can easily be said that if the media company had reported carefully and carefully, the name mistake could have been corrected by at least confirming the victim's wife, whose images were included in the news,
Although the media company made a defense statement that "the wife of the victim woman confirmed that the photograph used in the news, maybe because of the similarity, maybe with the shock of the incident, was shown to her and approved," this statement could not be supported by any document supporting the media, company gives the impression that the aforementioned statement may have been made solely for the sole purpose of avoiding liability,
As a result of the balance test conducted between freedom of expression, which is the conflicting rights, and the right to personality within the scope of a published news, all three criteria must be met at the same time in order to give priority to freedom of expression;
Regarding the news subject to review, the fact that the data controller, pursuant to a judicial decision, has been notified about the error made in the news to the first audience by publishing the reply and correction text in due time, will not eliminate the unlawful personal data processing carried out by the data controller,
The fact that the complaint made by the relevant persons to the Board was made after the publication of a reply and correction text based on the court decision will not affect the individual evaluations to be made in accordance with the provisions of the Law No. 6698.
based on their evaluations;based on their evaluations;
The application of an administrative fine of 300.000 TL in accordance with subparagraph (b) of paragraph (1) of Article 18 of the Law No. 6698 on the data controller, because of unlawful personal data processing by the data controllers, it is brought forward by the persons concerned. It has been decided to inform the relevant persons that an action can be taken before the judicial authorities for the pecuniary and/or moral compensation claims that may be filed.
Conclusion:
Media companies need to be more careful about their personal data processing activities. In particular, data controllers are obliged to take all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of personal data. In the concrete case, according to the decision of the board, the fact that the photograph of the persons concerned is included in the Facebook page, which is open to the public (in other words, it has been made public) does not allow the use of this photograph for other than its purpose, and the processing of the photograph is based on the personal data processing conditions regulated in the Law No. 6698. It is understood that the concept of "publicizing" within the scope of Law No. 6698 has a narrower meaning than making personal data available to the public in any way, and that the person concerned should be in close relationship with the will to make it public and the purpose of making it public. Although the media company says that the recognition of the person is prevented by blurring / icing, a conclusion can be reached about who the person is with the name-surname and the photo used. In addition, the fact that other news channels mentioned in the decision did not make a mistake about the name, but this media company did not show enough care and made such a mistake, shows that the punishment given is an appropriate punishment.
To reach the full decision; https://kvkk.gov.tr/Icerik/7271/2021-1217
To request a quotation for the following: Cyber Security, Digital Transformation, MSSP, Penetration Testing, KVKK, GDPR, ISO 27001 and ISO 27701, please click here.