Legal AlertThe Personal Data Protection Board Rendered a Principle Decision Regarding Unlawful Transfer of Data Subjects’ Personal Data to Third Parties by the Data Controller, Contrary to Personal Data Protection Law Numbered 6698.

19 January 2021

The Personal Data Protection Board (“Board”), in its Principle Decision dated 22.12.2020 and numbered 2020/966 (“Principle Decision”), envisaged that the data controllers should establish mechanisms enabling them to confirm the contact information of the data subjects in order to prevent the personal data of the data subjects from being sent to third parties through communication channels such as mobile phone or e-mail, as contrary to Articles 4 and 12 of the Personal Data Protection Law numbered 6698 (“PDP Law”).

The Board determined that the data controllers who operate in the sectors such as e-commerce, telecommunication, transportation, and tourism, in order to provide documents containing personal data such as invoices, statements, reservation documents to the data subjects within their scope of activities, and as a result of such data subjects’ incorrect telephone and e-mail statements, send such documents containing data subjects’ personal data to third parties instead. However, as per the Principle Decision, in accordance with the Article 4 of the PDP Law, data controllers have an active duty of care to maintain the personal data accurate and up-to-date while processing of the same, provided that such personal data constitutes and generates a result regarding the data subject. Besides, it is of importance that the data controllers keep the channels open to ensure for data subjects to provide accurate and up-to-date information where necessary.

Within this frame, the data controllers should take reasonable measures (sending verification codes/links to the phone numbers and/or e-mails etc.) to confirm the contact details of the data subjects in order to

  • Determine the source from where the personal data is obtained,
  • Determine the accuracy of the source from where the personal data is collected,
  • Prevent the negative consequences that the data subjects may encounter due to their personal data being incorrect.

The Board also underlined in this Principle Decision that data controllers are obliged to take all necessary technical and administrative measures in order to ensure the appropriate level of security to prevent unlawful processing of and unlawful access to the personal data, and for maintenance of the personal data in accordance with Article 12 of the PDP Law.

You may reach the full Turkish version of the Principle Decision via the link below:

https://www.kvkk.gov.tr/Icerik/6858/2020-966