Legal Alert

Personal Data Protection Board Announced Its Decision Regarding a Bank Which Did Not Comply with Its Instruction

30 December 2020

Following a complaint by the data subject (“Complainant”) that the data controller Bank (“Data Controller”) did not fulfil its obligation to inform in accordance with Article 11 of the Personal Data Protection Law numbered 6698 (“PDP Law”), the Personal Data Protection Board (“Board”) rendered a decision dated 08.10.2020 and numbered 2020/765 (“Decision Dated 08.10.2020”) regarding the Bank’s failure to comply with the Board’s previous decision dated 06.02.2020 and numbered 2020/100 (“Decision Dated 06.02.2020”), which required the correction of the deficiencies in the Bank’s privacy notice.

In its Decision Dated 06.02.2020, the Board stated that the privacy notice on the Bank’s website did not comply with the Communiqué on Principles and Procedures to Be Followed in Fulfillment of the Obligation to Inform (“Communiqué”), that the privacy notice of the Data Controller Bank did not set out the personal data processing conditions in detail, and that the obligation to inform should be fulfilled at the time the personal data is collected and on an activity basis. The Board instructed the Data Controller Bank to make the necessary arrangements on these points.

Upon examination of the information and documents provided by the Data Controller Bank, the Board determined that (i) the privacy notice on the Bank’s website does not set out, by category, the personal data processed by the Bank and does not contain detailed information on which data processing conditions form the basis of the processing of the personal data; (ii) the Data Controller Bank did not comply with the instructions in the Decision Dated 06.02.2020 to make changes to the privacy notice; (iii) although the Data Controller Bank stated that it uses a specific privacy notice for other activities, such as social responsibility projects and corporate branding and advertising activities intended for natural persons who are not customers, it did not submit supporting documents; (iv) the Data Controller Bank does not use a customized privacy notice for the personal data processed during applications for different banking products; and (v) instead, it refers to the general privacy notice, which does not set out in detail the processing conditions of the personal data processed by the Data Controller but includes only the relevant paragraphs and sub-clauses of Articles 5 and 6 of the PDP Law.

Following these assessments, the Board concluded that the Bank acted in violation of sub-clause 5 of Article 15 of the PDP Law, on the grounds that the privacy notice of the Data Controller Bank was not designed in accordance with the Communiqué and that the Data Controller Bank did not follow the instructions in the Board’s Decision Dated 06.02.2020, and decided to impose an administrative fine of TRY 120.000,- on the Data Controller Bank.