02 May, 2021

April 2021 Precedent KVKK Decisions

Summary of the Decision of the Personal Data Protection Board dated 29/09/2020 and numbered 2020/755 on the "transmission of the dues debt information of the relevant person to the host by the site management"

In summary, in the complaint petition submitted to the Institution by the person concerned; he received an SMS from the landlord stating that his dues were incomplete in some months and not paid at all in some months, and this incident of SMS transmission revealed that his personal data was processed unlawfully; Regarding the personal data processed/transferred, the person concerned does not have any knowledge or consent for the personal data to be shared with the host by the site management, and in this direction, the data controller uses the rights set forth in Article 11 of the Personal Data Protection Law (Law) No. 6698 by applying to the site management. In the response of the site management, it was stated that the fee payment information of the relevant person was shared in line with the request of the host, but a document indicating that the relevant person was informed or express consent was obtained from him or any reason for compliance with the law could not be presented. It has been requested that an administrative fine be imposed on the data controller site management.

As a result of the evaluation of the board on the subject;

  • Considering that the landlord and the tenant are jointly and severally liable for the common expenses and delay compensation, both the landlord and the estate management have an interest in the landlord being aware of whether the tenant has paid their share of the common expenses of the apartment, such as dues,
  • In this respect, considering that the reply given by the data controller to the person concerned also states that the debt information of the data subject is shared with the landlord upon the request of the landlord, it is clear that the response given by the data supervisor to the data subject is sufficiently explanatory of the issues subject to the claims of the data subject.
  • It is stated that dues debt information, which is in the nature of personal data of the person concerned, is shared by the data controller upon the request of the landlord, and that the explanations included in the response text sent by the data controller site management to the relevant person are of an explanatory nature to the issues subject to the claim of the person concerned, in this context, regarding the complaint in question. It was decided that there was no action to be taken within the scope of the law.

With the decision; Article 22 of the Condominium Law No. 634 titled “Common Expenses Coverage” states that “Expense and advance debt and delay compensation to be incurred by the flat owner pursuant to Article 20, a lease contract in one of the independent sections, the right of residence (sükna) or any other reason. The beneficiaries are also jointly and severally liable. However, the tenant's responsibility is limited to the amount of rent he is obliged to pay, and the payment made is deducted from the rent debt…” It has been determined that the establishment, exercise or protection of a right is carried out within the scope of subparagraph (e) of paragraph (2) of Article 5 of Law No. 6698.

Summary of the Decision of the Personal Data Protection Board dated 29/09/2020 and numbered 2020/746 on the request for access to the phone call records of the data subject for the purpose of establishing a subscription agreement with the data controller.

Due to the conflict she experienced during the service procurement, it made an application for the request of the voice recordings of the interview made with the data controller via the registered e-mail (KEP) address of the data controller.

By the Board;

  • According to the Personal Data Protection Law; If the person's personal data has been processed, the right to request information includes the right to access the said data, and that the right of access is fully informed about how his personal data is processed so that the person concerned can exercise his/her rights over his personal data by completing the right to request information. Instructing the data controller to send the data to the data subject by taking precautions such as removing or masking the personal data of others other than the data subject,
  • Instructing the data controller to respond to the applications of the data subjects within the scope of the Law in a timely manner in accordance with the relevant provisions of the Law and the provisions of the Communiqué on Application Procedures and Principles to the Data Controller,
  • Instructing the data controller to make the necessary arrangements within its own body so that the relevant persons can submit their applications within the scope of the Law via the KEP address of the data controller instead of the KEP (registered e-mail) address of the parent company,

decided.

In the concrete case;
In accordance with the Law No. 6563 on the Regulation of Electronic Commerce; In the event that it is understood that it is accepted as an electronic contract within the scope of the contracts made over the phone, personal data can be processed within the scope of the provision of the Personal Data Protection Law in the meeting between the data controller and the data subject to establish a contract via the phone, in the event that the interview records are given to the relevant person during the interview, the customer service employee Taking precautions about this data because of the fact that there is personal data in Turkey, emphasizes the importance of everyone's right to demand the protection of their personal data, which was added to Article 20 of the Constitution with the Law No. 5982 in 2010.

Summary of the Decision of the Personal Data Protection Board dated 08/10/2020 and numbered 2020/769 on "illegal data processing by the data controller company that took over the company of which the data subject is a former employee"

In the complaint that the person concerned is transferred to the institution;
The company, for which he was a former employee, was transferred to another company with all its debts, duties and obligations, but no clarification was made during the acquisition of personal data, the clarification text presented on the website of the transferor company contains clear and ambiguous statements, It has been claimed that the data controller has personal data, including the data of the company, and that in accordance with the Law on the Protection of Personal Data No. 6698, his express consent has not been obtained for this data processing activity, and that his personal data has been processed through commercial electronic messages sent to him by the data controller, without any legal reason, and necessary action has been taken about the data controller.

As a result of the investigation on the subject, by the Personal Data Protection Board;

It is also possible to fulfill the obligation of enlightenment during the acquisition of personal data, since it is understood from the petition of complaint and the answers of the data controller that the personal data of the data subject was processed between 2014-2015, the Law on the Protection of Personal Data No. 6698 came into force as of 07.04. therefore, there is no action to be taken within the scope of the Law in this regard.

Regarding the processing of health data without the explicit consent of the person concerned, that the employer has the title of data controller in terms of arranging the personnel files of its employees;

It includes health data, which is considered as a special quality personal data, where workplace physicians are among the persons under the obligation of confidentiality, that the employees are suitable for the job they will do, and that they have the duty to arrange the results of the employment and periodic health examination and the necessary examinations in accordance with the sample given in the annex of the regulation and to keep them in the workplace. In the processing of special quality personal data determined by the Board, considering that it is declared that the personal health files of both the employee and former employees are kept limited to the access of the workplace physician, who is under the obligation of confidentiality, and that the person concerned has no claim that the security of their personal data is not provided. It has been decided that it is possible to process health data by the workplace physician within the scope of his duties stipulated in the legislation, by taking adequate measures to be taken by the data controllers.

With the decision; In accordance with the 3rd paragraph of the 6th article of the Personal Data Protection Law no. It is stated that it can be processed without seeking explicit consent by persons or authorized institutions and organizations under the obligation to keep it. In accordance with the Labor Law No. 4875 of the employer, the records containing the health data of the employers must be kept in the personal health files of the employers, the personal health files are kept limited to the access of the workplace physician, who is under the obligation of confidentiality, and the company is not registered in the systems. It has been concluded that it is possible to process health data by the workplace physician within the scope of his duties stipulated in the legislation, by taking the necessary precautions.

To request a quotation for the following: Cyber Security, Digital Transformation, MSSP, Penetration Testing, KVKK, GDPR, ISO 27001 and ISO 27701, please click here.

Request a Quotation

About Content:
Share on Social Media:
Facebook
Twitter
LinkedIn
Telegram

Related Articles