The Personal Data Protection Board (“Board”) published two decisions on its website. The first decision relates to a data subject’s complaint regarding a flight ticket sales company (“First Decision”) and the second decision relates to a bank’s data processing activities to gain potential customers (“Second Decision”). The Board imposed administrative fines on the relevant data controllers for failing to enact the Board’s decision and to take necessary organizational and technical measures to ensure an adequate level of data protection.
What Do the Decisions Say?
In the First Decision, a data subject asked a flight ticket sales company, i.e. the data controller, to change the subscription e-mail registered in the company’s systems. After the data controller rejected the data subject’s requests, the data subject filed a complaint with the Board, and the Board instructed the data controller to take the necessary organizational and technical measures to respond to data subjects’ applications effectively, lawfully and in good faith. The data subject re-applied to the data controller through the registered e-mail address; however, the data subject received no response from the data controller and applied to the Board again. Accordingly, the Board assessed that the data controller failed to take the necessary organizational measures to respond to data subjects’ requests and to enact the Board’s decision. Therefore, the Board imposed an administrative fine of TRY 50,000 (approx. USD 7,000) on the data controller. The decision is available online here (in Turkish).
In the Second Decision, a data subject visited a bank’s branch to open a deposit account and discovered that the bank, without the data subject’s knowledge, authorization or instruction, opened a commercial account in their name at another branch of the bank. The bank account contained the data subject’s personal and identity information. Accordingly, the data subject filed a complaint with the Board, claiming that the bank, i.e. the data controller, processed their personal data unlawfully. The bank stated that it acquired the data subject’s personal data from a third party to gain potential customers, and created a customer number for the data subject. The Board assessed that the bank’s processing activities do not rely on explicit consent or any other processing grounds and the bank failed to delete, destroy or anonymize this data. Therefore, the Board imposed an administrative fine of TRY 210,000 (approx. USD 30,000) on the bank for failing to take the necessary organizational and technical measures to ensure an adequate level of data protection. The decision is available online here (in Turkish).
The Board continues to provide guidance on data controllers’ obligations under the Data Protection Law through its decisions. The Board published 17 decisions within the last month. Considering how active the Board has been lately, data controllers must re-evaluate their processes in light of the decisions and take the necessary steps to comply with the Board’s instructions.
Please stay up to date with further developments through the Esin Attorney Partnership Coronavirus Helpdesk.