Legal AlertNewsThe Principle Decision of the Personal Data Protection Board Regarding Blacklisting Applications in the Car Rental Sector Was Published in the Official Gazette

1 February 2022
The Principle Decision of the Personal Data Protection Board (‘’Board’’) dated 23 December 2021 and numbered 2021/1304 regarding blacklisting applications in the car rental sector was published on Official Gazette dated 20 January  2022 and numbered 31725. 

As a result of the investigations carried out by the Personal Data Protection Board (“Board”) within the scope of the Personal Data Protection Law (‘’Law’’) regarding complaints submitted to Personal Data Protection Authority (‘’Authority’’), it has been understood that ‘’blacklisting’’ software/programs/applications are used in the car rental sector.

  • The Board has determined the following issues in the car rental sector: The software developers and vendors in the car rental sector are selling software including ‘’blacklisting’’ features to car rental companies,
  • The car rental companies are processing the personal data of their customers via blacklisting software,
  • These software systems are systems which allow a car rental company to grant access to the personal data of the data subject to other car rental companies, therefore, the personal data of the data subject may be transferred mutually, 


  • Within this scope it is understood that, via the blacklisting software, the personal data of customers of a car rental company may be shared with other parties other than the relevant car rental company. 

In light of its evaluations, the Board decided that:

  • In case the personal data is being processed via backlisting applications in violation of the general principles, data processing conditions, and provisions regarding transfer of personal data stipulated under the Law, car rental companies which are in control of the personal data and software companies shall be regarded as joint controllers,


  • Such activities which are in violation of the Law must be ended and data processing activities must be conducted in accordance with the technical and administrative measures stipulated under the Law,
  • Legal sanctions shall be imposed to data controllers which do not take the aforementioned measures and resort to blacklist application in the car rental sector contrary to the provisions of the Law.

You may reach the full Turkish version of the Principle Decision via the link below: