“ABOUT THE PROCESSING OF THE BANK DATA OF THE RELATED PERSON BY AN INSURANCE COMPANY” DECISION OF THE PERSONAL DATA PROTECTION BOARD DATED 16/12/2021 AND NO 2021/1262

Although the data subject did not share the bank information with the insurance company, it has been determined that this information has not been processed unlawfully by the insurance company.

In the examination made on the subject, the Board decided as follows.

In the concrete case, the application submitted by the data subject through his/her representative was received by the data controller but was not answered because there was no power of attorney with special authority. However, there is no regulation in the personal data protection legislation regarding the need for a special power of attorney for applications made through proxies, so a “special authority” condition should not be sought.

The data controller has been warned not to seek “special authority” in the power of attorney for the legal representative.

As to the claim that the request for deletion or destruction of personal data was not fulfilled, it has been taken into account that the insurance contract/relationship between the data subject and the data controller continues, and that the data controller must preserve the personal data of the data subject under its legal obligation. It has been decided that there is no action to be taken by the Board on the subject, since the reasons requiring the processing of the personal data of the person concerned have not disappeared.

 

“ABOUT THE UNLAWFUL PROCESSING OF THE PERSONAL DATA OF THE RELATED PERSON BY THE DATA RESPONSIBLE COMPANY WITH THE TERMINATION OF THE BUSINESS CONTRACT”

DECISION OF THE PERSONAL DATA PROTECTION BOARD DATED 16/12/2021 AND NO 2021/1258

The person concerned started to work at the data controller company on 10.12.2018 and resigned from the post on 30.12.2019.

In the examination made on the subject, the Board decided as follows.

It has been determined that the Employee Explicit Consent Text and the Employee Disclosure Text, which have been prepared separately by the data controller since July 2020, have been signed by the personnel. It was observed that the signature of the person concerned was not found in these texts sent to the institution. The complaint was not considered.

In the case subject to the complaint, since an article was added to the employment contract to obtain the explicit consent of the person concerned, the explicit consent for the processing of sensitive personal data is presented in conjunction with the employment contract, so consent given with free will cannot be mentioned. The person concerned does not have a chance to start work without signing the employment contract. In this sense, data processing by the data controller under the condition of explicit consent is unlawful.

Although the processing of personal data is carried out on the basis of the consent of the person concerned, it is considered that this does not justify the collection of excessive amounts of data. Accordingly, personal data should be collected only for certain purposes and as necessary, should be used where the purpose requires, and should not be kept longer than necessary for the purpose.

It is seen that the explicit consent text in the employment contract is not signed with free will, since the person concerned does not have a chance to start work without signing the employment contract.

It has been decided to instruct the data controller to destroy the biometric data determined to have been illegally processed and to inform the Board of the result.

 

REGARDING THE NOTIFICATION OF THE RELATED PERSON THAT THE PERSONAL DATA IS PROCESSED UNDER THE LAW UNDER A LOYALTY PROGRAM

DECISION OF THE PERSONAL DATA PROTECTION BOARD DATED 05/07/2019 and Nr. 2019/198

A special discount is applied to the loyalty card for some products sold in the store of the data controller.

Customer personal data is requested for membership and card supply to the loyalty program in question and express consent is imposed as a condition.

In the examination made on the subject, the Board decided as follows.

Within the framework of the information in the petition that is the subject of the investigation, the product, whose price is 99.99 TL, is sold for 79.99 TL within the scope of the loyalty card special discount. Persons who do not want to be included in the loyalty card program and/or do not want to give express consent within the said program do not have the opportunity to shop at the stores of the data controller. Products continue to be sold at non-discounted prices to customers who are not members of the loyalty program.

It was considered that offering products/services at a discount with additional benefits within the scope of the loyalty program does not mean that express consent is imposed as a condition, that is, that the explicit consent of the person concerned is asserted as a precondition for offering a product or service or benefiting from a product or service. It was decided that there was no action to be taken within the scope of the provisions of the Law regarding the petition in question.
