The Personal Data Protection Board (“Board”) has published two decisions that would affect the practice in the banking sector, underlining that the processing of the personal data of the bank customers and transferring them to the third parties by exceeding the purpose is against Personal Data Protection Law numbered 6698 (“Law”), on 23 May 2022.
- Summary of Decision No. 2021/1107: The Board evaluated a case where a data breach is caused by the data controller bank based on the failure to correct the credit rating of the data subject and sharing of personal data with third parties. Considering that the wrong processing of the credit rating information of the data subject by the data controller bank and its transfer to the Risk Center constitutes a violation of the principle of “being accurate and up-to-date when necessary”, which is one of the general principles in article 4 of the Law, the Board decided that, the act is contrary to the obligation of “…preventing the unlawful processing of personal data…” in subparagraph (a) of paragraph (1) of article 12 of the Law. Consequently, the Board decided to impose an administrative fine on the data controller within the scope of subparagraph (b) of paragraph (1) of article 18 of the Law, and to remind the data controller that an adequate and appropriate response should be given to the applications of the data subjects in accordance with the procedure determined in the Law and the relevant communiqué, considering the reasons such as the fact that the data controller has a great deal of power in the banking sector and is in contact with a large number of customers and potential customers, can communicate on a variety of issues and can take action on the data subjects on these issues.
- Summary of Decision No. 2021/1104: The Board evaluated a case where a data breach is caused by a bank based on the illegal processing of personal data by sending an SMS to the mobile phone number of the data subject. The Board decided to impose an administrative fine of TRY 50,000 on the data controller who does not fulfill his obligations in paragraph (1) of article 12 of the Law, within the scope of subparagraph (b) of paragraph (1) of article 18 of the Law, considering that the processing of the personal data of the data subject by sending an informative SMS by the bank is not based on any processing condition set forth in article 5 of the Law, despite the bank’s response to the data subject that personal data will not be processed for purposes other than storage, regarding the request for the deletion of the personal data of the data subject. On the other hand, the Board also considered that data subject’s last transaction, the closure of his active products, was on 3 August 2019 and therefore the 10-year period has not passed since the last transaction date, and the reasons for the processing of the personal data of the data subject have not yet been eliminated. Accordingly, the Board found the bank’s failure to comply with the data controller’ of the request for deletion not unlawful and concluded to take no action within the scope of the Law in this regard.