DECISION OF THE PERSONAL DATA PROTECTION BOARD DATED 10/02/2022 AND Nr. 2022/103

“ABOUT SHARING ON SOCIAL MEDIA THE CONTENT OF THE FILE RELATING TO THE EXECUTION FOLLOW-UP STARTED ABOUT A COMPANY WITH THE NAME OF THE RELATED PERSON IN THE TITLE”

After shopping with a textile company (the data controller), enforcement proceedings were initiated by the data controller against the spare parts company (Company) in which the name of the relevant person was mentioned.

In this process, public comment was made by a person in a group open to everyone on Facebook: “The company did not pay for the masks it bought, it is a fraud, accordingly, an enforcement proceeding has been initiated against the Company and the documents regarding the enforcement will be shared in this group”.

As a result of the research done on the internet on behalf of the person who shared the information, it has been determined that the data controller is recognized as the addressee of the company.

Although the person concerned has no commercial relationship with the person in question, personal rights have been violated by sharing personal data in the execution file with third parties.

It has not been determined how information about the execution file was obtained by the person whose name is not mentioned in the trade registry record of the data controller company, but who introduces himself as a company official.

In the examination made on the subject, the Board decided as follows.

In the concrete case, in the social media platform sharing the comments containing some information about the Company, obtained by photographing the enforcement proceedings request document by the employee of the data controller, and sharing the comments on the social media platform, because the personal data is not processed, the issue is stated in Article 2 of the Law ( In accordance, it has been decided that it is not within the scope of the Law.

Although the name and surname of the person concerned are mentioned in the name of the Company complained of,

Social media posts are aimed at a legal entity. Since the data in question is considered as data belonging to a legal entity, not a real person, the subject of the complaint is not within the scope of the Law and no action has been taken by the Board.

REGARDING THE PROCESSING OF THE PERSONAL DATA OF THE RELATED PERSON TO SEND COMMERCIAL ELECTRONIC MESSAGES, WITHOUT THE EXPRESS CONSENT, BY THE DATA SPEAKER OPERATING IN THE HEALTH SECTOR

DECISION OF THE PERSONAL DATA PROTECTION BOARD DATED 18/01/2022 AND Nr. 2022/31

A commercial message was sent to the e-mail address by the data controller operating in the health sector.

In the examination made on the subject, the Board decided as follows.

It has been determined that the e-mail address of the person concerned was obtained during the application made by him to the branch of the data controller while opening the patient record.

Providing the contact information of the person concerned or his/her companions during the opening of the patient registration does not constitute a violation of Law No. 6698, but the contact information of the concrete related person is used for marketing activity, not for conveying any medical information to himself or his relatives. It has been seen that the e-mail sent to the relevant person is for informational and commercial purposes.

Although it is legal to provide the personal data of the data subject by the data controller, it is considered that the data processing activity complained of is unlawful because the personal data in question is not used for the  purpose obtained conclusion that the relevant institution has not taken the necessary measures to ensure the appropriate level of security to prevent the unlawful processing of personal data, since notifications are sent to the e-mail address of the person concerned for advertising and marketing purposes.

ABOUT “UNLAWFUL SHARING OF PERSONAL DATA ON THE WEBSITE WHICH WAS DISPLAYING REGISTRY INFORMATION OF THE COMPANY, WHICH IS THE RELATED PERSON’S FORMER PARTNER”

THE DECISION OF THE PERSONAL DATA PROTECTION BOARD DATED 06/01/2022 AND NUMBER 2022/6

The name and surname are written under the title of former partners on the website where the registration information of the company of which the person concerned is a former partner is displayed.

In this context, the data controller has applied to the Chamber of Commerce verbally and in writing to remove the information on the site.

It has been stated by the Chamber of Commerce that the request of the person concerned cannot be made by the Turkish Commercial Code and the Trade Registry Regulation.

In the examination made on the subject, the Board decided as follows.

An inquiry is made from the Information Bank of the Chamber of Commerce according to the Company information.

When an inquiry is made about the company on the relevant page, information about the name, surname, position, and capital amount of the partners and former partners, as well as the general information of the company, is included.

The Chamber of Commerce makes inquiries by entering company information from the Information Bank section on the “…” website and the information in the trade registry gazette is placed on this platform, making it easier to access information.

This is also an obligation foreseen for chambers of commerce.

It has been decided that there is no action to be established under the law.

ON THE CREATION OF A BLACK LIST PROGRAM THAT PROVIDES THE PROCESSING OF THE DATA OF RELATED PERSONS AND THE SHARE OF THIS DATA BETWEEN CAR RENTAL COMPANIES BY THE SOFTWARE AND DEALER COMPANIES OF CAR RENTAL PROGRAMS

DECISION OF THE PERSONAL DATA PROTECTION BOARD DATED 23/12/2021 AND Nr. 2021/1303

• There are car rental software manufacturers or vendors. Car rental companies using this software keep records of all the data they obtain about their customers through this software In this context, other companies using the same software can see the personal data of the relevant customers from the blacklist pool in the application without their consent. this way the data is disclosed to other users using the software.

1. Car Rental Program Software Companies and Car Rental Companies’ Data Responsibility Assessment has been made.
2. An Evaluation was made regarding the Realization of the Services Provided by Software Companies with Cloud Technology Infrastructure.
3. An Evaluation of the Rights of the Relevant Persons to Object to the Consequences Occurring against them during the Data Processing Activity and Profiling.

There are “black list” applications that include the personal data of real person customers who rent a car. These data have been processed unlawfully and have been made available to other car rental companies, which are the customers of the software companies, in violation of their obligation to preserve them.

It has been decided to instruct the data controllers, who are examined within the scope of the notice, to destroy the Personal Data by the provisions of Article 7 of the Law and the Regulation on the Deletion, Destruction, or Anonymization of Personal Data.