In accordance with the Law on the Protection of Personal Data, the sanctions imposed by the Board due to the data controllers who establish and manage the personal data recording system and who are obliged to process these data do not comply with their obligations and act against the law are published on the board’s website in the form of board decisions. In this article, we will examine some of the decisions made by the Board.
- Decision of the Personal Data Protection Board dated 06/02/2020 and numbered 2020/93 on “Complaints regarding correction / deletion of past health data”:
Summary: The persons concerned with the applications made to the Board stated that the medical reports recorded for various reasons in the past and especially the diagnoses of psychiatric diseases posed a problem in their lives and the various exams they had taken and / or planned to take had negative results and / or would result in these records, but these reports / diagnoses did not reflect the truth. It was requested that the personal data be corrected or deleted from the health records. As a result of the evaluation of the Board, considering that the conditions for the processing of personal health data “protection of public health, preventive medicine, carrying out medical diagnosis, treatment and care services, planning and management of health services and financing” are taken into consideration, the recorded health data serve this purpose. It has been concluded that it was processed within the scope of the third paragraph of Article 6 of the Law and that there was no action to be taken within the scope of the Law since the processing conditions in question were not eliminated.
- Decision of the Personal Data Protection Board, dated 30/06/2020 and numbered 2020/508, on “The complaint applications of some lawyers regarding attorney inquiry sites”
Summary: In the relevant decision, it is stated that the identity and communication data belonging to them (attorneys) were obtained illegally without their consent and shared on some lawyer inquiry sites and all the profiles on the said websites and in the institution / organization or domain name associated with these sites. It was stated that an application was made that it should be removed. As a result of the examination and evaluation made by the Board, it was determined that there was no access to the aforementioned websites and no information other than the information published in the provincial bar associations and the websites of the TBB, they had the right to correct and delete these data, and no illegal action was encountered. No violation has occurred in this context.
- Decision of the Personal Data Protection Board dated 03/09/2020 and numbered 2020/667 regarding the “complaint lodged with the Institution due to the express consent of an insurance company for its service to the relevant person”
Summary: In the relevant decision, the applicant applied to an insurance company and wanted to renew the health insurance policy he had arranged for his family; However, it was stated that the data controller wanted to obtain explicit consent from him to renew the policy, and he requested that the data controller be taken on the grounds that this situation was contrary to the Law on the Protection of Personal Data. In this context; The health insurance policy includes health data with special quality personal data, the health data included in the policy cannot be processed within the scope of the clause (3) of Article 6 of the Law, the data processing can only be carried out by obtaining the explicit consent of the relevant person and therefore the request to obtain explicit consent from the relevant person. It has been concluded that there is no violation, as it does not constitute an illegal act.
Impact on implementation: If the service to be provided to the relevant person is directly linked to the processing of special quality data, explicit consent is required by law. Then it is normal that the service cannot be provided unless the person gives express consent and there will be no violation.
- Decision of the Personal Data Protection Board dated 17/09/2020 and numbered 2020/710 on “sending a notification of levy to the relatives of the concerned persons by the Enforcement Offices”
Summary: Investigating the personal information of relatives who are not related to the execution proceedings and who are not in debtor status during the execution proceedings carried out about the persons concerned in the application, determining their address and identity information even though they are not within the scope of the duty of the Enforcement Directorate and in this context, sharing their personal data with their relatives illegally It was stated that it constituted a violation of the Personal Data Protection Law numbered 6698 and the necessary actions were taken about the Enforcement Directorates. There is no legal obstacle in sending the first notification of attachment by the Enforcement Directorates to real persons or legal entities who are notified under Article 89 of the Enforcement and Bankruptcy Law, that the transactions subject to the complaint are carried out on the basis of the ‘explicitly stipulated in the Laws’ within the scope of the clause (2) of Article 5 of the Law. It has been decided that there is no action to be taken with respect to the Law within the scope of the Law.
- Decision of the Personal Data Protection Board dated 01/12/2020 and numbered 2020/915 on “The follow-up of the relevant person working as a civil servant in the municipality by processing biometric data within the organization of the data controller.”
Summary: In the application, with the fingerprint read-out devices, fingerprint information for each personnel is taken and introduced to the system for tracking personnel entries and exits within the organization of the data controller. The person concerned made an application to the data controller with the request to be informed of the deletion of the fingerprint information belonging to the data controller from the recording system, paper, and electronic environment for this application. In the reply given to him, it was stated that it was declared that this information could not be deleted from their system, fingerprint information could not be processed without his approval, and his request to delete his data was not accepted even though he made an official application. As a result of the examination, the Board has decided that the data controller is instructed to provide entry and exit procedures in alternative ways, valid outside the epidemic period, to terminate the application of entry and exit transactions with biometric data and to remove the existing system, that the system in question has been removed and the personal data has been destroyed. Decided to instruct the data controller to send the information and documents to the Board.
Impact on implementation: As mentioned before, processing biometric data for the purpose of follow-up the entry and exit times of workers is against the law. The Board continues its decisions in this direction and once again stated in its decision that alternative methods should be introduced and the practice of entering and exiting with biometric data should be terminated. Regarding this, it was revealed that the termination of the practice was insufficient and the relevant biometric data should be destroyed separately.
- Decision of the Personal Data Protection Board dated 08/12/2020 and numbered 2020/927 regarding the “Request to remove the results associated with the name and surname of the relevant person in the search engine within the scope of the right to be forgotten”
In another application made to the Board, there was inaccurate news about the recruitment of this staff on social media and the university initiated an investigation upon the reactions, the university determined that there was no irregularity as a result of the investigation, applied to the search engine with the request to remove the news, but the search engine said about the URLs stating that it was decided not to take any action and that the relevant person could send the request for removal to the webmaster controlling the site in question. Therefore, the request of the relevant person was not met by the search engine. The news made in this context negatively affected the life of the family relative and himself in the public service. It is requested that the subject contents be subject to technical regulation in a way that they will not be indexed in the search engine. In the evaluation of the Board, it is stated that the news in the aforementioned links is related to the working life of the person concerned and that the person concerned is currently doing the same job, the information does not qualify as personal data of special nature. The news is dated 2020, therefore, the information does not pose a risk to the person and the content is journalistic. On the other hand, the information may cause bias about the person, but this is not demonstrable, there is no legal obligation to publish the information about the person concerned, the information is not published by the person himself, the information is not related to a criminal offense. Therefore, it has decided that the action taken by the data controller regarding the request of the relevant person to remove the published content from the search engine is appropriate, and in this context, there is no action to be taken under the Law regarding the complaint in question.
Impact on implementation: While the Board evaluates within the scope of the right to be forgotten such as, the relevant person has an important role in public life, the subject of the search results is a child, the information is related to the work-life of the person, the information is an insulting, humiliating, slander about the person concerned, the information is special, it is a personal data, the actuality of the information, the fact that the information causes bias about the person, the information poses a risk to the person, the state of the information being published by the person himself, the content of the data processed within the scope of journalism activity, the legal obligation to publish the information. It negatively evaluates the applications for the right to be forgotten that do not meet these conditions.