Legal AlertPersonal Data Protection Board Announced Its Decision Regarding a Bank’s Failure to Act in Compliance with the Given Instructions.

13 January 2021

As a result of the complaint of the data subject complainant, regarding the data controller Bank (“Data Controller”) who did not fulfil its obligation to inform in accordance with Article 11 of the Personal Data Protection Law numbered 6698 (“PDP Law”), the Personal Data Protection Board (“Board”) rendered a decision dated 08.10.2020 and numbered 2020/766 (“Decision Dated 08.10.2020”) regarding the Bank’s failure to comply with the previous Board Decision dated 06.02.2020 and numbered 2020/98 (“Decision Dated 06.02.2020”), which required the correction of the deficiencies in the Bank’s privacy notice.

In its Decision Dated 06.02.2020, the Board has stated the lack of compliance of the privacy notice on the Data Controller’s website with the relevant provisions of the Communiqué on Principles and Procedures to be Followed in Fulfillment of the Obligation to Inform (“Communiqué”) due to the facts that the personal data processing conditions stipulated by the PDP Law are not clearly manifested and an impression is created where different purposes of personal data processing may occur, that the privacy policy published in the web-site of the Data Controller cannot be regarded as the act of informing, that the obligation to inform should be fulfilled during the collection of the personal data and as activity-based; and served an instructive notice to the Data Controller requiring the necessary arrangements to be made regarding the aforesaid statements.

Upon examination of the information and documents provided by the Data Controller Bank following the Decision Dated 06.02.2020, the Board determined that;

  • A privacy notice was prepared by the Data Controller following the serving of the Board, such privacy notice included which personal data is processed in a categoric and detailed manner, and plain and clear statements on where from and how such personal data is collected, why it is processed, delivered and on which legal grounds, to which legal and real persons, and the retention and processing periods of such personal data,
  • However, such privacy notice, instead of informing on the personal data processing conditions such processing is based on, included only the relevant paragraphs and sub-clauses of Articles 5 and 6 of the PDP Law as contrary to the Communique,
  • Regarding the different activities carried out by the Data Controller, even though a specific privacy notice is used for credit card applications, such privacy notice does not contain the personal data (categorically) processed, the purposes of the processing, the legal grounds of the processing and other elements specific to activities in detail, and it is not prepared in accordance with the Communiqué; and for the real estate loan service, the general privacy notice of the Bank is used instead of an activity-specific privacy notice.

Following the preceding assessments, the Board is convinced that the Data Controller acted in violation of the sub-clause 5 of Article 15 of the PDP Law for the reasons that the Data Controller did not prepare its privacy notice in accordance with the Communiqué and did not follow the instructions within the Decision Dated 06.02.2020, and decided to enforce an administrative fine of TRY 120.000,- on the Data Controller.

You may reach the full Turkish version of the Decision Dated 08.10.2020 via the link below.