Personal Data Protection Board (“Board”) rendered a decision dated 06.05.2021 and numbered 2021/470 (“Decision”) regarding the unredeemed access request of a data subject working in a data controller company (“Data Subject”) to the employer Data Controller (“Data Controller”), for the access to personal data regarding meal card account activities.
Pursuant to the Decision, the Data Subject requested from the Data Controller to be forwarded the account movements of the meal card allocated to him/her by the Data Controller. In order to provide the requested information to the Data Subject, the Data Controller has requested certain information to verify the identity of the Data Subject. Due to the Data Subject’s request to have her/his personal data sent to the e-mail address with the extension gmail.com, the infrastructure of which is abroad, by making a risk assessment, within the framework of additional security measures the Data Controller stated that the phone number sent to the e-mail address with the @gmail.com extension is required to be called to access the aforesaid data. The Data Subject has applied for complaint (“Complaint”) to the Personal Data Protection Authority (“Authority”) on the grounds that the additional security measure introduced is contrary to the law and access to her/his personal data is prevented.
The Board evaluated as follows regarding the request received by the Authority:
- Within the framework of Article 11 of the Personal Data Protection Law numbered 6698 (“PDPL”) the Data Subject has the right to request information about herself/himself and to access personal data, and these rights allow the Data Subject to be informed about how her/his personal data is processed;
- Pursuant to Article 12 of the PDPL, the Data Controller must take all necessary technical and administrative measures to ensure the appropriate level of security in order to prevent the unlawful processing of personal data, unlawful access to personal data and to ensure the storage of personal data;
- Within the scope of the Communique on the Principles and Procedures for the Request to Data Controller (“Communique”), the Data Controller is obliged to take all technical and administrative measures necessary in order to conclude the application to be made by the Data Subject effectively, in accordance with the rule of law and good faith;
- Within the framework of the technical and administrative measures included in the Guideline on Personal Data Security, the Data Controller shall correctly determine the possibility of the risks that may arise regarding the protection of personal data and the losses to be caused in case of the occurrence of the risks and take appropriate measures;
- While not preventing the Data Subject from accessing her/his personal data, the Data Controller stated that she/he sent the file requested by the Data Subject to her/his e-mail address in an encrypted manner in order not to cause a disproportionate burden to the Data Subject and that this password shall immediately be shared with the Data Subject when called with the phone number included in the subject e-mail;
- As stated by the Board in its Decision dated 31.05.2019 and numbered 2019/157, in case of using the g-mail.com service, the infrastructure of which is abroad, the Data Controller’s sending of the file containing the personal data by encrypting shall have the purpose of providing high level of security and;
- Pursuant to Article 12 of the PDLP, these additional security measures taken by the Data Controller to prevent unlawful access to personal data of the Data Subject are not in violation of the PDPL, but the meticulous implementation of the PDPL.
In the light of its evaluations, the Board decided as follows:
Pursuant to subparagraph (b) of paragraph 1 of Article 12 of the PDPL, the precautions taken by the Data Controller in order to fulfill the obligation to take all technical and administrative measures to ensure the appropriate level of security in order to prevent unlawful access to personal data are reasonable; the necessary explanation regarding the security measure taken is made to the Data Subject and therefore the Data Subject’s right of access to personal data is not prevented; and thus there is no action to be taken against the Data Controller within the scope of PDPL.
You may reach the full Turkish version of the Decision via the link below.