As a result of the complaint of the data subject complainant, regarding the data controller Bank (“Data Controller”) who did not fulfil its obligation to inform in accordance with Article 11 of the Personal Data Protection Law numbered 6698 (“PDP Law”), the Personal Data Protection Board (“Board”) rendered a decision dated 08.10.2020 and numbered 2020/766 (“Decision Dated 08.10.2020”) regarding the Bank’s failure to comply with the previous Board Decision dated 06.02.2020 and numbered 2020/98 (“Decision Dated 06.02.2020”), which required the correction of the deficiencies in the Bank’s privacy notice.
Upon examination of the information and documents provided by the Data Controller Bank following the Decision Dated 06.02.2020, the Board determined that;
- A privacy notice was prepared by the Data Controller following the serving of the Board, such privacy notice included which personal data is processed in a categoric and detailed manner, and plain and clear statements on where from and how such personal data is collected, why it is processed, delivered and on which legal grounds, to which legal and real persons, and the retention and processing periods of such personal data,
- However, such privacy notice, instead of informing on the personal data processing conditions such processing is based on, included only the relevant paragraphs and sub-clauses of Articles 5 and 6 of the PDP Law as contrary to the Communique,
- Regarding the different activities carried out by the Data Controller, even though a specific privacy notice is used for credit card applications, such privacy notice does not contain the personal data (categorically) processed, the purposes of the processing, the legal grounds of the processing and other elements specific to activities in detail, and it is not prepared in accordance with the Communiqué; and for the real estate loan service, the general privacy notice of the Bank is used instead of an activity-specific privacy notice.
Following the preceding assessments, the Board is convinced that the Data Controller acted in violation of the sub-clause 5 of Article 15 of the PDP Law for the reasons that the Data Controller did not prepare its privacy notice in accordance with the Communiqué and did not follow the instructions within the Decision Dated 06.02.2020, and decided to enforce an administrative fine of TRY 120.000,- on the Data Controller.
You may reach the full Turkish version of the Decision Dated 08.10.2020 via the link below.