The Personal Data Protection Board (“Board”) has published its decision (“Decision”), dated 09.12.2021 and numbered 2021/1239, regarding the allegation that the data controller bank disclosed the personal data of the data subject by calling the data subject’s family.
The following allegations were submitted to the Board in the complaint that is the subject of the Decision:
- A loan agreement was concluded between the data controller Bank and the data subject. Despite the lack of explicit written or verbal consent of the data subject, his/her mother and father were persistently called on their phones on the grounds that the data subject could not be reached.
- In the calls made by the data controller, the family of the data subject was told that the data subject and the partners of the company of which the data subject is a partner could not be reached, and the names of the partners were disclosed. A phone number was given at the end of the call and the data subject was asked to call back. The family members repeatedly stated that the number contacted was in use by the family of the data subject. The data subject was put in a difficult situation due to the calls, and the rights of the data subject were violated by the data controller Bank’s use of the data subject’s personal data without his explicit consent.
- Due to this violation, an application was made to the data controller Bank pursuant to the Personal Data Protection Law No. 6698 (“PDPL”), and upon its rejection by the Bank, the data subject applied to the Personal Data Protection Authority.
The Board evaluated that:
- The phone calls were made in accordance with the relevant legislation and the letter of the Board dated 05.03.2021 on “disclosing the relationship between the customer and the bank to the relatives of the customer by calling them through the phone number obtained from the Risk Center”.
- The data controller processes the data of the data subject because the company of which she/he is the controlling shareholder is included in the “Risk Group” under Law No. 5411 and other relevant legislation. This processing is carried out for use within the bank and for transfer to the Risk Center within the scope of banking activities, and is “within the scope of fulfilling the legal obligations of the data controller” in accordance with the PDPL.
In the light of its assessments, the Board decided that:
- There is no action to be taken within the scope of the PDPL, considering that the debtor follow-up carried out by the data controller due to the risk is performed by contacting the phone number registered in the Risk Center system, that it is not possible to determine from the information and documents that personal data was shared by the data controller, and that the Bank took the necessary action regarding the calls within a short period of time.
- The data controller is to be reminded to be more careful in protecting personal data during phone calls and to inform its personnel regarding this issue.
You may reach the full Turkish text of the Decision via the link below.