04 Apr, 2021

March 2021 Precedent KVKK Decisions

Summary of the Decision of the Personal Data Protection Board dated 11/02/2020 and numbered 2020/108 on "the transfer of the personal data of the data subject, who is a former employee, without the consent of the data controller company"

Upon the complaint of a person who had started to work at another company in the same sector, alleging that her personal data was transferred by her former employer to her new employer without her explicit consent, the Board determined that:

  • The person concerned deliberately provided false information to the new company regarding the position held in the former company and the reason for leaving the job,
  • The data transfer between the two companies is limited to the position of the person concerned and the departure from the job,
  • In accordance with the Labor Law, the employee is obliged to give the employer accurate information about his or her qualifications,
  • It would be contrary to the honesty rule for the former company to ignore the false information given by the person concerned,
  • For these reasons, the data transfer was carried out within the scope of "legitimate interest" in Article 5 of the Law, and it decided that there is no need to impose any sanctions.

The decision makes striking determinations regarding "legitimate interest" among the personal data processing conditions, and especially regarding the Integrity Rule in Article 2 of the Turkish Civil Code. Indeed, if the complaint of the person concerned were accepted, there would be an "abuse of right", because the aim of the complaint is to prevent the disclosure of maliciously false information and to try to hide the true information. It is certain that such an approach will not be protected by the legal order.

Summary of the Decision of the Personal Data Protection Board dated 09/02/2021 and numbered 2021/115 on "Transmitting the debt information of the person concerned by the Bank's contracted lawyer to the relative of the person concerned due to his debt to the Bank"

In the complaint submitted to the Authority, the person concerned stated that, due to his debt to the Bank, his sister's mobile phone number was called by the Bank's contracted lawyer and an SMS was sent to his mobile phone number, and requested that the necessary action be taken regarding the unlawful sharing of his personal data by the lawyer.

Regarding the complaint, the Board determined the following:

  • It cannot be concluded that the registration of the phone number of the sister of the person concerned in the Bank's systems is based on the explicit consent of the person concerned, and in this context, it is considered that the sister's phone number has been processed unlawfully by the Bank,
  • In accordance with the provisions of the law, personal data to be processed without seeking explicit consent must belong to the debtor,
  • Other than the personal data of the person concerned in the Legal Tracking System established by the Bank, sharing his sister's phone number with the lawyer is not a personal data processing activity that can be carried out within the scope of the Law and is against the law. Administrative fine of 175,000 TL in accordance with subparagraph ),
  • Considering that the lawyer has the title of data processor and the number was removed from the system after the lawyer determined that the number belonged to his sister, not the debtor, it was decided that there was no need to impose any sanctions.

In this decision, which emphasized the principle of "being accurate and up-to-date when necessary", one of the principles in Article 4 of the Law, it was also determined that taking the right measure at the right moment within the data processing activity ensures compliance with the Law.

Summary of the Decision of the Personal Data Protection Board dated 28/05/2020 and numbered 2020/435 on "The data controller does not respond to the request for a copy of the personal data within the scope of the personal file to be given to the party after the unfair termination of the employment contract of the person working in a cargo company"

Upon the complaint of the person concerned, the Board:

  • Found that the data controller's defense that the requested data is not personal data, that there is no request within the scope of Law No. 6698, that no one can be compelled to produce evidence against himself, that the right to remain silent is being exercised and that the matter falls within the jurisdiction of the judicial authorities is not valid,
  • Found that documents such as the defense text and the resignation letter contain personal data,
  • Accordingly, decided to instruct the Data Controller to forward the resignation petition and the defense text requested by the person concerned to the person concerned.

The decision, which includes comparative determinations regarding the definition of personal data, is a good example of how the areas of application of Law No. 6698 are becoming clearer day by day and of the way data subjects seek their rights within the scope of the Law.

Summary of the Decision of the Personal Data Protection Board dated 05/05/2020 and numbered 2020/335 on "not allowing the person to benefit from the rental service due to the fact that the person concerned does not give express consent for the processing of his personal data while receiving car rental service"

Upon the complaint of the person concerned, the Board determined that the person concerned was not provided with car rental services because he did not want to give explicit consent for the processing of his personal data during the car rental process, and accordingly:

  • The Data Controller's defenses that the person concerned can rent from another car rental company, and that the processing of personal data is carried out within the scope of the Identity Declaration Law No. 1774, are not sufficient,
  • Considering that, during the purchase of the car rental service, the data controller obtains explicit consent in a wholesale manner for processing the personal data of persons who want to benefit from the service, within the scope of conditions other than the processing conditions in the second paragraph of Article 5 of the Law, and that the service is not provided to persons who do not give this consent, it has been decided to impose an administrative fine of 50.000 TL against the data controller, as there is illegal data processing activity.

The decision reinforces the concept of "explicit consent" repeatedly emphasized by the Board. As we have emphasized in our previous briefings, it shows us once again that the main data processing conditions in Article 5 of the Law are the conditions other than explicit consent, and that "explicit consent" should be used only exceptionally due to its fragile nature. In the case subject to the decision, besides the fact that explicit consent cannot be tied to the provision of the service, the erroneous methods of obtaining explicit consent are also striking.

