1. The decision of the Constitutional Court regarding the use of company email addresses.
T.R. With the decision of the Constitutional Court, with application number 2018/31036 and dated 12.01.2021, published in the Official Gazette dated February 5, 2021, it has been clarified regarding the use of company e-mail addresses, which is the subject of discussions, and the limits of intervention by the company to this account.
Making an individual application to the Constitutional Court (“the Applicant”), he stated that the correspondences he made with his corporate e-mail accounts were examined without informing and obtaining his consent, and that his employment contract was unfairly terminated due to poor performance based on these correspondences. He claimed that as a result of the bank's examination of the e-mail contents and the Court's acceptance of these contents as the main evidence for the judgment, respect for his private life and freedom of communication were violated.
In its examination, the Constitutional Court saw that it was clearly regulated that within the scope of the employment contract signed with the employee, the e-mail accounts would only be used for business, that they could be audited by the bank, that the e-mail address should be used in accordance with its purpose, that the employment contract could be terminated in case of poor performance or non-compliance with the prohibition of working in another job.
Although the employee has a reasonable expectation that the e-mail account allocated to her will not be interfered with under normal conditions, it has been stated that she should no longer have such an expectation due to this provision in the employment contract.
The Constitutional Court also determined that the interference to the e-mail account was carried out in line with the request of the court and within the limits of the request, and therefore decided that there was no violation of rights.
2. Decision of the Personal Data Protection Board dated 27/01/2020 and numbered 2020/59 on "The allegation that the e-mail address used by the relevant person in the company of which he is a partner was accessed without permission and unlawfully"
Upon the rejection of the request by the complainant to delete the e-mail account and its content to the relevant company, the right to complain to the Personal Data Protection Authority has been exercised.
In summary, the data controller indicates that the e-mail address used by the complainant is the corporate e-mail address registered in the name of the company and that access to this address; He argued that it was due to the complainant's failure to perform his duty and mismanagement, and that the court had determined the malicious use in these records, and that the deletion of these data would result in misleading the judicial authorities and obscuring the evidence.
In this direction, the Board;
In order to protect the rights of the company of which the person is a partner, the personal data obtained from the server backup records of the e-mail address in question, “…. It has decided that there is no action to be taken within the scope of the Law regarding the complaint in question, since it is considered that the personal data processing activity carried out due to the lawsuit filed is also within the scope of the relevant article of the Law.
3. Decision of the Personal Data Protection Board dated 27/01/2020 and numbered 2020/66 on "The processing of the contact number of the person concerned by an electricity distribution company without relying on any processing conditions"
In summary, in a complaint submitted to the Institution; About the contact number of the person concerned, about the deletion of his contact number from the contact information of the aforementioned contracts, and about the result of his application, that an electricity distribution company sent SMSs for information purposes on different subjects regarding several electricity subscriber numbers that do not belong to him, that he does not want to receive an informative message regarding the subscriptions in question. It was stated that an application was made to the data controller as much as the number of the subscriber number to be notified in writing, but no action was taken by the data controller and no response was given to him, however, an information message was still sent to the contact number, and the necessary action was taken within the scope of the Law on the Protection of Personal Data (Law) numbered 6698. requested to be done.
As a result of its investigation, the Board evaluated that there was no data processing for a legitimate purpose, that the personal data processing conditions in Article 5 of the Law were not in the event subject to the complaint, and that measures were not taken by the data controller to ensure the appropriate level of security and an administrative fine of 100.000 TL was imposed. .
4. Announcement of the Personal Data Protection Board on the Application for Commitment Regarding Data Transfer Abroad
The application for a Commitment to transfer personal data abroad by a data controller has been evaluated by the Personal Data Protection Board within the scope of subparagraph (b) of the 2nd paragraph of Article 9 of the Personal Data Protection Law No. 6698 and the said data transfer has been authorized by the Board on 09.02.2021.
As this permission is the first permission granted and published by the Board, it gives a clue that it paves the way for the next possible requests for permission to be decided and that subsequent applications will be concluded within a reasonable time.
To request a quotation for the following: Cyber Security, Digital Transformation, MSSP, Penetration Testing, KVKK, GDPR, ISO 27001 and ISO 27701, please click here.