The Personal Data Protection Board (“Board”), rendered its decision dated 10.09.2020 and numbered 2020/691 (“Decision”) upon a complaint made to the Personal Data Protection Authority (“Authority”) including that an advertisement message was sent to the complainant data subject (“Complainant”) by an association (“Data Controller”), it is unclear through where the personal data was accessed by the Data Controller, Complainant’s personal data was used without an explicit consent, and Complainant’s request to obtain information from the Data Controller was left unanswered after 30 days of statutory period.
Within the defense that was requested of the Data Controller, it is stated that; (i) the request to obtain information was unanswered due to an administrative problem; (ii) the Complainant’s phone number was passivized upon the Complainant’s application; (iii) the explicit consent of the Complainant regarding the text message delivery was not detected; (iv) the Data Controller does not hold any personal data other than the phone number belonging to the Complainant; (v) the reason for the phone number of the Complainant being possessed by the Data Controller is probably a text message donation made by the Complainant at the past; and (vi) the text message subject to the complaint is sent to the Complainant by the Data Controller.
In its assessment regarding the incident subject to the complaint, the Board determined that (i) it is stated in the Article 5 of the Personal Data Protection Law (“PDPL”) that personal data processing cannot take place without the explicit consent, together with its exceptional cases; and it is among the primary obligations of the data controller to follow the general principles stated in the Article 4 of PDPL; (ii) At the incident subject to complaint, the Data Controller could not prove the reasoning for the personal data processing, and the explanation regarding the reason of possessing the phone number of the Complainant did not provide the necessary legal basis for the processing; (iii) the personal data processing is against the PDPL since it took place without the explicit consent and this shows that the Data Controller did not fulfill its obligations regarding data security; (iv) the Data Controller failed to take any action towards Complainant’s request for information and did not explain the reason stated as “an administrative problem” clearly, and Data Controller not attending the application of the Complainant is against the PDPL; (v) pursuant to the Article 7 of the PDPL, it is necessary to eliminate the currently unlawful situation by immediately deleting the personal data which has been processed without a legal reasoning from the beginning; (vi) the fact that the phone number in question being kept in the system of the Data Controller as blacklisted would not eliminate the illegality and the phone number in question should be destroyed.
As a result of its enquiry, the Board decided,
• To apply administrative fine to the Data Controller in accordance with the Article 18 of the PDPL after reaching a conclusion that the Data Controller did not take the necessary technical and administrative measures in accordance with the Article 12 of the PDPL,
• To instruct the Data Controller on their obligations concerning responding the applications of the data subjects within the scope of statutory period stated in the PDPL,
• To instruct the Data Controller on the destruction of the Complainant’s phone number qualifying as personal data which was obtained against the law.
You may reach the full Turkish version of the Decision via the link below:
https://www.kvkk.gov.tr/Icerik/6832/2020-691
