On 15 January 2021, the Turkish Data Protection Board (“Board”) published its principle decision concerning the unlawful transmission of personal data to third parties through various electronic communication channels.
Following complaints and notifications submitted to the Turkish Personal Data Protection Authority (“Authority”), the Board evaluated the issue of data controllers transmitting documents containing personal data (such as invoices, receipts, reservation documents) to incorrect parties due to incorrect or misleading contact information. The Board also noted that such examples mostly occurred in industries such as e-commerce, transportation, telecommunications and tourism.
The decision makes reference to the general provisions prescribed in Article 4 of the Turkish Data Protection Law (“Data Protection Law”), primarily referencing the principle requiring “personal data being accurate and, when necessary, up to date”. The Board highlights that adherence to this principle is both in the interest of data controllers and necessary for the protection of the fundamental rights and freedoms of data subjects.
In the decision, the Board goes on to affirm that in situations where data controllers reach conclusions regarding data subjects based on the processing of their personal data, said data controllers are under an obligation of active diligence to ensure that the personal data they collect and process is accurate and up to date.
Moreover, reference is made to the obligation in Article 12 of the Data Protection Law, which requires data controllers to implement all technical and administrative measures needed to establish an appropriate level of security that will prevent unlawful access to personal data.
As information that is not up to date, particularly contact information, has the potential to cause pecuniary and non-pecuniary damage to data subjects, the Board states that it is not sufficient to verify the source from which personal data is obtained; it is also necessary to take reasonable measures to verify the contact information provided, so as to be able to eliminate any potential negative consequences. The Board decision lists methods such as sending verification codes or links to the provided contact information so as to ensure that the contact information associated with a data subject account is correct and current.
Due to increasing trends of digitalisation of services, spurred particularly by the necessities of the Covid-19 pandemic, cases of documents and data being sent to wrong addresses have increased. As such instances qualify as personal data being accessed unlawfully or by unauthorized persons, data controllers are faced with having to treat each such incident as a data breach. This decision by the Board also affirms this fact and clearly shows that, going forward, data controllers may face legal sanctions in cases where personal data is transmitted to unauthorized third persons due to erroneous contact information.
Consequently, it is important that data controllers in Turkey – particularly those who are in the position of regularly sending information and/or confirmation communications, such as monthly account balances or order receipts – take concrete steps to establish mechanisms that verify contact information and regularly review the accuracy and current nature of such information.
With thanks to Lara Akca for her assistance on this article.