The Turkish Data Protection Authority (DPA) has published a principal decision (“Decision”) on blacklisting in the car rental industry. The DPA has evaluated the privacy violations arising out of the blacklisting and also introduced the joint controller concept for the first time.
The principal Decision of the DPA regarding the blacklisting operations in the car rental industry was published in Official Gazette no. 31725, dated 20 January 2022. The DPA decided that the blacklisting operations violate the general principles, legal grounds and data transfer provisions of Law No. 6698 on Protection of Personal Data (LPPD). The Decision is available here in Turkish.
What does the Decision cover?
The Decision concerns the processing of personal data via the software used by car rental companies. Through this software, car rental companies record information about lessees’ vehicle usage and accidents, which includes the lessees’ personal data. The information recorded in the software can be accessed not only by the relevant car rental company and the software service provider, but also by various other car rental companies, in a manner that is deemed a transfer of personal data between companies in the industry. Lastly, the data subjects are not informed about this data transfer.
The DPA evaluated these data processing activities within the scope of the articles of the LPPD on legal grounds, general principles, data transfers and data subject rights. In its evaluation of the legal grounds, the DPA stated that the blacklisting data can be processed based on “the legitimate interest of the data controller, provided that it does not harm the fundamental rights and freedoms of the data subject,” only if the blacklisting data is processed by the lessor company. However, the DPA evaluated that the disclosure of the data to other car rental companies would not fall within the scope of the legitimate interest. In addition, the DPA stated that the transfer of the data to an unknown number of car rental companies is in violation of the general principles under Article 4 of the LPPD (i.e., lawfulness and fairness; processing for specific and legitimate purposes; and being relevant, limited and proportional to the purpose). The DPA also pointed out that these processing activities make it difficult for data subjects to exercise their rights under Article 11 of the LPPD, as the data subjects do not know which other companies their data is transferred to.
The DPA has also introduced the concept of joint controller and concluded that since different car rental companies have access to the blacklist, these companies also have control over the data and are therefore considered joint controllers together with the software companies. The DPA stated that an evaluation should be made on a case-by-case basis to determine the responsibilities of joint controllers, by taking into consideration: (i) the first and last data controllers who access the data; (ii) the data controller who registered the data in the system; (iii) the aim of the data processing; (iv) the data controller who decides on the amendment, erasure or transfer of the data; and (v) the operations of the other data controllers.
In light of these evaluations, the DPA decided that the relevant data controllers should take the necessary technical and administrative measures within the scope of the LPPD or face possible administrative fines.
In the Decision at hand, the violations of the LPPD are evaluated within the scope of blacklisting operations of car rental companies. Accordingly, car rental companies should consider the Decision when providing their services in future. In addition, the DPA’s evaluation of the concept of joint controllers should generally be taken into account by all data controllers.