Legal AlertPersonal Data Protection Board Rendered a Decision Regarding a Complaint on Unauthorized and Unlawful Access to an E-Mail Account Which was Used by the Data Subject Partner of the Company.

14 March 2021

The Personal Data Protection Board (“Board”) rendered a decision dated 27.01.2020 and numbered 2020/59 (“Decision”), following the complaint (“Complaint”) of the data subject complainant (“Complainant”) regarding unauthorized and unlawful access to the personal e-mail account ( which consists personal data and was used within a Limited Liability Company (“Limited Company”) of where the Complainant is a partner; changing access settings of the e-mail; and the rejection of the request by the data controller owner of the IP addresses to which this e-mail is affiliated (“Data Controller”) on deletion and removal of all the data in the e-mail account in question.

Within the defense that was requested of the Data Controller company, it is stated that (i) the General Manager of the Data Controller company is also the partner and the authorized manager of the Limited Company, (ii) the e-mail account owned by the Limited Company is not the personal account of the Complainant, but it is an account which was allocated to follow transactions of the company, (iii) it is certain by the decision of the Commercial Court of First Instance and the Prosecutor’s Office that the access to the e-mail address with the company extension in question was not illegal, (iv) the e-mails accessed from backup servers are only submitted to the Court and the Prosecutor’s Office as part of the criminal complaint as evidence in relevant cases, (v) the allegations that the e-mail account of the Complainant was accessed and the access settings were changed are far from the truth and such claims were denied by the Court and the Prosecutor’s Office, (vi) the request to delete all data, backups and copies of the e-mail account of the Complainant was rejected due to prevent the spoliation of evidence, (vii) it is lawful to audit the backup records of the e-mail address with the extension of the company, due to fulfilling the duties of a manager in accordance with the Article 626 of the Turkish Commercial Code numbered 6102.

As a result of the examination of the Complaint of the Complainant, the defense of the Data Controller and the related legislation provisions, the Board determined that, (i) processing is carried out for the purpose of establishing, exercising and protecting a right within the scope of Article 5, sub-clause 2, paragraph (e) of the Personal Data Protection Law numbered 6698 (“PDP Law”), (ii) processing of personal data by means of filing a lawsuit at the Commercial Court of First Instance via using personal data is in accordance with the scope of Article 28, sub-clause 1, paragraph (d) of the PDP Law, and (iii) in light of the aforementioned determinations, there is no procedure to be established under the PDP Law regarding the Complaint.

You may reach the full Turkish version of the Decision via the link below.