What Is Included in the Decision of the Personal Data Protection Board Dated 17/03/2022 and Numbered 2022/243, “About the Processing of Personal Data by Sending the Invoice for an Order Placed on the Internet by a Person With the Same Name to the Relevant Person, Whose E-Mail Address Was Used”

In the complaint made to the Authority, it was stated that a person with the same name as the person concerned became a member of the data controller, which provides services over the internet, and placed an order;

that this person used the e-mail address of the person concerned when placing the order;

and that the data controller completed the subscription process without checking and confirming the correctness of the e-mail address, and sent the invoice for the order to the person concerned.

It was requested that the necessary action be taken against the data controller within the scope of Law No. 6698.

In the examination made on the subject, the Board decided as follows.

  • A person with the same name as the relevant person accidentally entered the e-mail address of the relevant person without creating a membership;
  • There is no membership account for the “(…)@gmail.com” e-mail address, either for the relevant person or for another person;
  • The e-mail address does not match any data of the relevant person, and the identity information of the relevant person is not processed;
  • There is not yet a control mechanism for confirming the e-mail addresses and phone numbers entered during shopping made with the guest customer login;
  • When the order details are examined, the invoice includes the name, surname and “(…)@gmail.com” e-mail address of the person concerned as the sender’s name, surname and e-mail address, as well as the address of a third party as recipient information.

Although the data controller should take the necessary measures to confirm whether the e-mail address is used by the shopper, it has been determined that no action was taken to do so.

The absence of a confirmation mechanism in the said transaction may cause a loss of rights, and may also mean that all shopping transactions made on the website with a guest login, without being a member, carry a risk of a data breach. The invoice may contain an identification number, address, telephone, e-mail and order information, and sending the invoice to an unrelated third party may pave the way for the malicious use of this data by others, as well as of the personal data contained in the content. Considering that the information of the sender and receiver included in the invoice was disclosed to the relevant person, it has been decided to impose an administrative fine on the data controller.

DECISION OF THE PERSONAL DATA PROTECTION BOARD DATED 10/03/2022 AND Nr. 2022/224

ABOUT SHARING THE PHONE NUMBER OF THE RELATED PERSON WITH THIRD PARTIES BY THE BANK’S CALL CENTER

In the examination made on the subject, the Board decided as follows.

 The card of a third person was found at the Bank ATM by the person concerned.

The call center of the data controller Bank was contacted. During the call, the call center officer shared the phone number of the person concerned with the third party and suggested that the card be collected from the person concerned. It was stated that the person concerned did not consent to this proposed solution, and it was requested that the call center officer deliver the card to the security guards at the airport. In the following hours, a message was sent to the relevant person by the cardholder via his personal phone number. It has been understood that the processed data was transmitted to the cardholder without the explicit consent of the person concerned. In this respect, it was stated that the person concerned was not informed about the processing of his name, surname and telephone number and that he did not expressly consent to the transfer of his data, and it was requested that necessary action be taken against the data controller Bank.

When express consent is evaluated: after the call center personnel had made statements about ensuring the security of the card beforehand, it was understood that it was not in accordance with a reasonable expectation to deduce, from the expression “…I will inform the cardholder that you found the card…”, that the name, surname and phone number of the person concerned would be shared with the third-party cardholder. As a result, it has been accepted that the personal data processing activity, which took the form of disclosing the personal data of the data subject to the third party, does not contain the elements of explicit consent. Therefore, it was concluded that personal data processing activities were carried out by the data controller in violation of the Law.

WHAT ARE THE REGULATIONS IN THE DECISION OF THE PERSONAL DATA PROTECTION BOARD DATED 04/03/2022 AND Nr. 2022/184?

ABOUT SHARING THE DEBT INFORMATION OF THE RELATED PERSON BY A CREDIT MANAGEMENT COMPANY WITH THIRD PARTIES

It was reported that an SMS with the title of the data controller receivable management company was sent to the lines registered in the name of the brother and wife of the relevant person, and that the said SMS stated that the debt of the person concerned to a telecommunication company would expire and that enforcement proceedings would be started if the debt is not paid.

In the examination made on the subject, the Board decided as follows.

The complaint was filed because personal data were shared with third parties without the consent of the person concerned.

The file number was learned by calling the data controller from the phone number registered in the name of the related person’s brother on a date before the SMS regarding the expiration of the debt,

Considering that no processing condition within the framework of Article 5 of the Law applies to recording the telephone numbers that call the data controller as the telephone number of the data subject and to sharing the debt information with third parties by calling these telephones, it has been decided, within the framework of paragraph (1) of Article 12 of the Law, to impose an administrative fine of 50.000 TL on the data controller, who has not taken the necessary technical and administrative measures to ensure the appropriate level of security to prevent the illegal processing of personal data.

DECISION OF THE PERSONAL DATA PROTECTION BOARD DATED 24/02/2022 AND Nr. 2022/172

REQUESTING SPECIAL CATEGORIES OF PERSONAL DATA FROM THE CANDIDATES DURING THE RECRUITMENT PROCESS BY THE LIAISON OFFICE IN TURKEY OF THE DATA CONTROLLER LOCATED ABROAD

  • Upon being accepted for work at the data controller, the person concerned was asked by the liaison office of the data controller for a criminal record, health report, lung film report, blood group certificate, photocopy of driver’s license, photocopy of marriage certificate, and identity cards of family members, and these documents were delivered by the person concerned,
  • The liaison office did not obtain express consent from the person concerned for the processing of the aforementioned special categories of personal data,

In the examination made on the subject, the Board decided as follows.

  • The complainant is the liaison office of the data controller, a legal entity residing abroad.
  • For the performance of this employment contract, the personal data of the person concerned must be processed abroad.

For this, the explicit consent of the person concerned must be obtained. It is accepted that the express consent obtained from the person concerned is in accordance with the law.

  • It has been observed that no supporting document indicating that the personal data of the person concerned has been destroyed at both the company headquarters and the liaison office has been given to the Institution.
  • It has been decided to instruct that the document showing that this personal data has been deleted at the company headquarters and liaison office be forwarded to the person concerned and that the Board be informed about this issue.